search
Page cover

DLL_Version_Enumeration_BOF

hashtag
What is this?

  • This is a Cobalt Strike BOF file (a mildly massaged port of @N4k3dTurtl3'sarrow-up-right existing PoC , meant to use ascertain information regarded imported DLLs (via the ENTRY_RESOURCE) within current process that your beacon associated with.

hashtag
What problem are you trying to solve?

  1. Given my current projects regarding DLLs, this is yet another blindspot I wanted to address after seeing @N4k3dTurtl3'sarrow-up-right work.

  2. I wanted to support both 32-bit AND 64-bit Beacon sessions.

  3. I wanted to have verbose or minified output, given an operator's desire

  4. I wanted to keep the original design of @N4k3dTurtl3'sarrow-up-right intact; minimal API calls.

    1. This is solved this by rolling our own from groked or cribbed implementations elsewhere.

hashtag
How do I build this?

  1. In this case, you have two options:

    1. Use the existing, compiled object file, located in the dist directory (AKA proceed to major step two)

    2. Compile from source via the Makefile

      1. cd src

      2. make clean

      3. make

  2. Load the Aggressor file, in the Script Manager, located in the dist directory

hashtag
How do I use this?

  • From a given Beacon:

hashtag
Any known downsides?

  • We're still using the Win32 API and Dynamic Function Resolution. This is for you to determine as far as "risk", though this is limited to a single comparison function (stricmp).

  • You may attempt to incur a privileged action without sufficient requisite permissions. I can't keep you from burning your hand.

hashtag
What does the output look like?

hashtag
All known DLLs associated with the process

hashtag
Verbose output of the aforementioned

hashtag
Verbose output of the aforementioned with needle

PreviousHOLLOW BOFNextInlineExecute-Assembly BOF

Last updated