rsmudge/unhook-bof rsmudge/unhook-bof

  • Stars
    star
    263
  • Rank 155,624 (Top 4 %)
  • Language
    C
  • License
    BSD 3-Clause "New...
  • Created almost 4 years ago
  • Updated about 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
rsmudge/unhook-bof
github

rsmudge

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Remove API hooks from a Beacon process. 
This is a Beacon Object File to refresh DLLs and remove their hooks. The code is from Cylance's Universal Unhooking research:

https://blogs.blackberry.com/en/2017/02/universal-unhooking-blinding-security-software

To use:

Load unhook.cna into Cobalt Strike via Cobalt Strike -> Script Manager

Run 'unhook' from Beacon

To build:

x86: Open Visual Studio x86 Native Tools Command Prompt and type 'make'
x64: Open Visual Studio x64 Croos Tools Command Prompt and type 'make'

This project derived from:

Reflective DLL Injection
BSD 3-Clause License
Copyright (c) 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
https://github.com/stephenfewer/ReflectiveDLLInjection

ReflectiveDLLRefresher
BSD 3-Clause License
Copyright (c) 2017, Cylance Inc.
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher

Unhook Meterpreter Extension
BSD-3-Clause License
2006-2018, Rapid7, Inc.
https://github.com/rapid7/metasploit-payloads/commits/master/c/meterpreter/source/extensions/unhook

More Repositories

1

Malleable-C2-Profiles

Malleable C2 is a domain specific language to redefine indicators in Beacon's communication. This repository is a collection of Malleable C2 profiles that you may use. These profiles work with Cobalt Strike 3.x.
1,474
star
2

ElevateKit

The Elevate Kit demonstrates how to use third-party privilege escalation attacks with Cobalt Strike's Beacon payload.
PowerShell
880
star
3

armitage

Automatically exported from code.google.com/p/armitage
Java
521
star
4

cortana-scripts

A collection of Cortana scripts that you may use with Armitage and Cobalt Strike 2.x. Cortana Scripts are not compatible with Cobalt Strike 3.x. Cobalt Strike 3.x uses a variant of Cortana called Aggressor Script.
Java
446
star
5

metasploit-loader

A client compatible with Metasploit's staging protocol
C
250
star
6

vncdll

Stand-alone VNC server compiled as a Reflective DLL
C
182
star
7

ZeroLogon-BOF

C
152
star
8

Layer2-Pivoting-Client

A simple client to demonstrate Layer-2 pivoting. Compatible with the simpletun.c server written by Davide Brini.
C
72
star
9

CVE-2020-0796-BOF

C
68
star