HOLLOW BOF
Authors:
- Bobby Cooke
- Justin Hamilton
- Octavio Paguaga
- Matt Kingstone
Beacon Object File (BOF) that spawns an arbitrary process in a suspended state from Beacon's memory, injects shellcode into it, hijacks the main thread with an APC, and executes the shellcode. It uses the Early Bird injection method taught by @SEKTOR7net in RED TEAM Operator: Malware Development Intermediate.
After compiling, import the hollow.cna script into Cobalt Strike's Script Manager.
To do:
- Refactor the code to make it more modular and clean
- Implement this into github.com/boku7/SPAWN
- Combine this with the PPID spoofing and blockdll features of SPAWN
Credit/shoutout to: @SEKTOR7net + Raphael Mudge
https://institute.sektor7.net/red-team-operator-malware-development-essentials
https://www.youtube.com/watch?v=gfYswA_Ronw
https://www.cobaltstrike.com/help-beacon-object-files
https://github.com/odzhan/injection/blob/master/syscalls/inject_dll.c
https://github.com/ajpc500/BOFs/blob/main/SyscallsInject/entry.c
https://github.com/ajpc500/BOFs/blob/main/SyscallsInject/syscalls_inject.cna