• Stars
    star
    147
  • Rank 251,347 (Top 5 %)
  • Language
    C
  • Created over 1 year ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Cobalt Strike + Brute Ratel C4 Beacon Object File (BOF) Conversion of the Mockingjay Process Injection Technique

WIP Mockingjay BOF Conversion (lets be real it's just module stomping)

EDIT: Now compatible with Brute Ratel C4.

Learning how to write Cobalt Strike Beacon Object Files, converting my Mockingjay POC to BOF starting with WINAPI usage and incrementally adding layers of evasion for in-depth testing. Now you don't need a standalone program to perform the technique, it can all be done from your Cobalt Strike beacon.

As of now it's very much a POC, the operator needs to manually enter details they've found of their target (module, section offset, and process ID). I plan to implement quality of life features to make the tool easier to use.

The idea is to find a loaded module in a remote process with a naturally allocated RWX region (and the region be big enough to store your shellcode), calculate the offset to the RWX region and write your shellcode to it without calling the traditional API chain heavily signatured to process injection. This will allow you to exist in a (ideally) signed module loaded into a (ideally) trusted process.

Credits to Namazso (Original Unknown Cheats forum post), Security Joes (Recent infosec article), and Kyle Avery (POC that was recently brought to my attention, helped me improve my original POC).

BOF Execution

cs_notepad_exec

x64dbg Memory Dump

x64dbg_notepad_exec_in_rwx

TO-DO