├── Makefile
├── README.md
├── beacon.h
├── images
    └── timestamp.png
├── timestamp.c
├── timestamp.cna
├── timestamp.h
└── timestamp.x64.o


/Makefile:
--------------------------------------------------------------------------------
1 | BOFNAME := timestamp
2 | CC_x64 := x86_64-w64-mingw32-gcc
3 | 
4 | all:
5 | 	$(CC_x64) -o $(BOFNAME).x64.o -Os -c timestamp.c -masm=intel
6 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Timestamp_BOF
 2 | 
 3 | Cobalt Strike Beacon Object File (BOF) that changes the time and date of a file. This can be useful when you need to drop files to disk for persistence and want to blend in with other files in the same folder. 
 4 | 
 5 | ## Compile
 6 | 
 7 | ```
 8 | git clone https://github.com/carlnykvist/Timestamp_BOF
 9 | cd Timestamp_BOF
10 | make
11 | ```
12 | 
13 | ## Usage
14 | 
15 | Load the provided aggressor script and run the command:
16 | 
17 | ```
18 | timestamp C:\Users\joker\Downloads\phase4.txt "2007-09-02 16:05:01"
19 | ```
20 | 
21 | ![](/images/timestamp.png)
22 | 
23 | 
24 | ### Credits / References
25 | ##### Cobalt Strike - Beacon Object Files
26 | + https://www.cobaltstrike.com/help-beacon-object-files
27 | ##### BOF Code References
28 | ###### trustedsec/CS-Situational-Awareness-BOF
29 | + https://github.com/trustedsec/CS-Situational-Awareness-BOF
30 | 


--------------------------------------------------------------------------------
/beacon.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Beacon Object Files (BOF)
 3 |  * -------------------------
 4 |  * A Beacon Object File is a light-weight post exploitation tool that runs
 5 |  * with Beacon's inline-execute command.
 6 |  *
 7 |  * Cobalt Strike 4.1.
 8 |  */
 9 | 
10 | /* data API */
11 | typedef struct {
12 | 	char * original; /* the original buffer [so we can free it] */
13 | 	char * buffer;   /* current pointer into our buffer */
14 | 	int    length;   /* remaining length of data */
15 | 	int    size;     /* total size of this buffer */
16 | } datap;
17 | 
18 | DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
19 | DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
20 | DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
21 | DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
22 | DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
23 | 
24 | /* format API */
25 | typedef struct {
26 | 	char * original; /* the original buffer [so we can free it] */
27 | 	char * buffer;   /* current pointer into our buffer */
28 | 	int    length;   /* remaining length of data */
29 | 	int    size;     /* total size of this buffer */
30 | } formatp;
31 | 
32 | DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
33 | DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
34 | DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
35 | DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
36 | DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
37 | DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
38 | DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
39 | 
40 | /* Output Functions */
41 | #define CALLBACK_OUTPUT      0x0
42 | #define CALLBACK_OUTPUT_OEM  0x1e
43 | #define CALLBACK_ERROR       0x0d
44 | #define CALLBACK_OUTPUT_UTF8 0x20
45 | 
46 | DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
47 | DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
48 | 
49 | /* Token Functions */
50 | DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
51 | DECLSPEC_IMPORT void   BeaconRevertToken();
52 | DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
53 | 
54 | /* Spawn+Inject Functions */
55 | DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
56 | DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
57 | DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
58 | DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
59 | DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess (BOOL x86, BOOL ignoreToken, STARTUPINFO * sInfo, PROCESS_INFORMATION * pInfo);
60 | 
61 | /* Utility Functions */
62 | DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);


--------------------------------------------------------------------------------
/images/timestamp.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/carlnykvist/Timestamp_BOF/0a489d7fc4d27ed1e2d9c66c0bd4178a99488477/images/timestamp.png


--------------------------------------------------------------------------------
/timestamp.c:
--------------------------------------------------------------------------------
 1 | #include "timestamp.h"
 2 | 
 3 | void go(char *args, int length) {
 4 | 
 5 |     datap parser;
 6 |     BeaconDataParse(&parser, args, length);
 7 |     CHAR *file = BeaconDataExtract(&parser, NULL);
 8 |     CHAR *date = BeaconDataExtract(&parser, NULL);
 9 |     SYSTEMTIME st;
10 |     FILETIME ft;
11 | 
12 |     if(!MSVCRT$_access(file, F_OK) == 0) {
13 |         printf("[-] File %s does not exist", file);
14 |         return;
15 |     } 
16 | 
17 |     
18 |     MSVCRT$sscanf_s(date, "%d-%d-%d %d:%d:%d", &st.wYear, &st.wMonth, &st.wDay, &st.wHour, &st.wMinute, &st.wSecond);
19 | 
20 |     if (!KERNEL32$SystemTimeToFileTime(&st, &ft)) {
21 |         printf("[-] Error: %d\n", KERNEL32$GetLastError());
22 |     }
23 | 
24 |     HANDLE hFile = KERNEL32$CreateFileA((LPCSTR)file, GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, 4, FILE_ATTRIBUTE_NORMAL, NULL);
25 |     if (hFile != INVALID_HANDLE_VALUE)
26 |     {
27 |         KERNEL32$SetFileTime(hFile, NULL, NULL, &ft);
28 |         printf("[+] Date has been modified")
29 |     }
30 | 
31 |     else
32 |     {
33 |         printf("[-] Error: %d\n", KERNEL32$GetLastError());
34 |     }
35 | 
36 |     KERNEL32$CloseHandle(hFile);
37 | 
38 | }


--------------------------------------------------------------------------------
/timestamp.cna:
--------------------------------------------------------------------------------
 1 | beacon_command_register(
 2 | "timestamp",
 3 | "Modify timestamp of a file on disk.",
 4 | "Usage: timestamp C:\\path\\to\\file.txt \"2006-02-15 21:01:01\"");
 5 | 
 6 | alias timestamp {
 7 | 	local('$handle $data $args');
 8 | 	
 9 | 	$bid = $1;
10 | 
11 | 	# figure out the arch of this session
12 | 	$barch  = barch($1);
13 | 	
14 | 
15 | 	# read in the right BOF file
16 | 	$handle = openf(script_resource("timestamp.".$barch.".o"));
17 | 	$data = readb($handle, -1);
18 | 	closef($handle);
19 | 
20 | 	if(size(@_) < 3)
21 | 	{
22 | 		berror($bid, "Incorrect usage!");
23 | 		berror($bid, beacon_command_detail("timestamp"));
24 | 		return;
25 | 	}
26 | 
27 | 	$args = bof_pack($bid, "zz", $2, $3);   # pack our arguments 	  
28 | 	btask($bid, "Timestamp (by Carl Nykvist)");	
29 | 	beacon_inline_execute($bid, $data, "go", $args);  # execute it.
30 | 
31 | }
32 | 
33 | 
34 | 


--------------------------------------------------------------------------------
/timestamp.h:
--------------------------------------------------------------------------------
 1 | #include <windows.h>
 2 | #include <unistd.h>
 3 | #include "beacon.h"
 4 | 
 5 | #define printf(format, args...) { BeaconPrintf(CALLBACK_OUTPUT, format, ## args); }
 6 | 
 7 | WINBASEAPI DWORD WINAPI KERNEL32$GetLastError();
 8 | WINBASEAPI HANDLE WINAPI KERNEL32$CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
 9 | WINBASEAPI BOOL WINAPI KERNEL32$SetFileTime(HANDLE hFile, FILETIME *lpCreationTime, FILETIME *lpLastAccessTime, FILETIME *lpLastWriteTime);
10 | WINBASEAPI WINBOOL WINAPI KERNEL32$SystemTimeToFileTime(CONST SYSTEMTIME *lpSystemTime, LPFILETIME lpFileTime);
11 | WINBASEAPI BOOL WINAPI KERNEL32$CloseHandle(HANDLE hObject);
12 | WINBASEAPI _CRTIMP int __cdecl MSVCRT$sscanf_s(const char *_Src,const char *_Format,...);
13 | WINBASEAPI _CRTIMP int __cdecl MSVCRT$_access(const char *_Filename,int _AccessMode);
14 | 
15 | 
16 | 


--------------------------------------------------------------------------------
/timestamp.x64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/carlnykvist/Timestamp_BOF/0a489d7fc4d27ed1e2d9c66c0bd4178a99488477/timestamp.x64.o


--------------------------------------------------------------------------------