@G0ldenGunSec
Last active February 23, 2024 10:37
Cobalt Strike BOF that identifies processes with the CLR loaded, with the goal of identifying SpawnTo / injection candidates.
#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include "beacon.h"
/*
 * Dynamic Function Resolution imports. A BOF has no import table of its
 * own; Beacon's loader resolves each LIBRARY$function symbol at load time,
 * so every Win32/CRT routine used below is declared here with its
 * library prefix. The prototypes must match the real exports exactly,
 * because nothing else type-checks them.
 */
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD);
DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32GetModuleBaseNameA(HANDLE, HMODULE, LPSTR, DWORD);
DECLSPEC_IMPORT WINBASEAPI void WINAPI KERNEL32$Sleep(DWORD);
/* NOTE(review): strstr returns char *, not int. Declaring it as int truncates
 * the returned pointer to 32 bits on x64, so the "s > 0" test in go() can
 * misreport a hit as a miss (or vice versa) depending on the address bits. */
DECLSPEC_IMPORT int __cdecl MSVCRT$strstr(const char* _Str1, const char* _Str2);
DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI KERNEL32$IsWow64Process(HANDLE, PBOOL);
DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI KERNEL32$CloseHandle(HANDLE);
//to compile: cl.exe /c /GS- enumCLR.c /Fo./enumCLR.o
/*
 * go - BOF entry point, invoked by Beacon. args/alen carry the packed
 * arguments from the aggressor script; this BOF takes none and ignores them.
 *
 * Walks every PID returned by K32EnumProcesses, opens each process with
 * PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, enumerates its loaded
 * modules and reports any process whose module list contains a base name
 * with the substring "mscor" (the CLR runtime DLLs). WOW64 (32-bit)
 * processes are tagged "(x86)". All output goes back through BeaconPrintf.
 *
 * Defender note: this issues one OpenProcess per running process from a
 * single source, with only a 1 ms pause between them. That cross-process
 * handle-access burst is exactly what ProcessAccess telemetry (e.g. Sysmon
 * Event ID 10) is built to surface, and it is the detection opportunity here.
 */
void go(char* args, int alen) {
/* Fixed-size module buffer: 256 HMODULEs. See the NOTE at the module loop. */
HMODULE hMods[256];
/* Fixed-size PID buffer: 325 DWORDs. The same 325 is repeated below as a
 * literal; sizeof(aProcesses) / sizeof(aProcesses[0]) would keep them in sync. */
DWORD aProcesses[325];
DWORD cbNeeded;
DWORD procNeeded;
DWORD numProcesses;
/* NOTE(review): return value is unchecked. If this call fails, procNeeded is
 * never written and the division below reads an indeterminate value. */
KERNEL32$K32EnumProcesses(aProcesses, sizeof(aProcesses), &procNeeded);
numProcesses = procNeeded / sizeof(DWORD);
/* K32EnumProcesses cannot report "buffer too small"; a completely filled
 * buffer is the only hint, hence the warning rather than a retry. */
if (numProcesses == 325)
{
BeaconPrintf(CALLBACK_OUTPUT, "WARNING: Process buffer filled, all running processes may not be enumerated");
}
/* NOTE(review): int i compared against DWORD numProcesses is a signed/unsigned
 * comparison; a DWORD loop index would match. */
for (int i = 0; i < numProcesses; i++)
{
HANDLE hProcess;
/* PROCESS_VM_READ is required by K32EnumProcessModulesEx; processes this
 * Beacon cannot open (protected, other-integrity, SYSTEM) return NULL and
 * are silently skipped. */
hProcess = KERNEL32$OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i]);
/* NOTE(review): HANDLE is a pointer type; OpenProcess signals failure with
 * NULL, so "hProcess != NULL" is the intended test rather than an ordered
 * comparison against 0. */
if (hProcess > 0)
{
/* NOTE(review): cbNeeded is the size *required*, not the size written. A
 * process with more than 256 modules yields cbNeeded > sizeof(hMods), and the
 * loop below then indexes past the end of hMods. The bound should be the
 * smaller of cbNeeded and sizeof(hMods). */
if (KERNEL32$K32EnumProcessModulesEx(hProcess, hMods, sizeof(hMods), &cbNeeded, LIST_MODULES_ALL))
{
int isCLR = 0;
for (int mod = 0; mod < (cbNeeded / sizeof(HMODULE)); mod++)
{
CHAR szModuleName[MAX_PATH];
/* NOTE(review): return value unchecked; on failure szModuleName is left
 * uninitialized and strstr below scans indeterminate bytes. */
KERNEL32$K32GetModuleBaseNameA(hProcess, hMods[mod], szModuleName, sizeof(szModuleName) / sizeof(CHAR));
//compare module (loaded dll) name to our known CLR dll value (mscor)
/* The match is a plain substring test on the base name (e.g. mscoree.dll,
 * mscorlib.ni.dll, mscorwks.dll all contain "mscor"). Because MSVCRT$strstr is
 * declared above as returning int, the pointer result is truncated here on
 * x64; "s != NULL" on a correctly typed char * would be the reliable check. */
int s = MSVCRT$strstr(szModuleName, "mscor");
if (s > 0)
{
isCLR = 1;
/* Forces the loop condition false on the next iteration; a plain break
 * would express the intent directly. */
mod = cbNeeded;
}
}
if (isCLR == 1)
{
CHAR clrProcName[MAX_PATH];
/* Relies on hMods[0] being the process's own executable image, which is
 * the documented ordering for the EnumProcessModules family. */
KERNEL32$K32GetModuleBaseNameA(hProcess, hMods[0], clrProcName, sizeof(clrProcName) / sizeof(CHAR));
int isWOW64 = 0;
/* BOOL is a typedef of int, so passing &isWOW64 as PBOOL is type-correct.
 * IsWow64Process reports TRUE only for a 32-bit process on 64-bit Windows;
 * the "(x86)" tag therefore presumes a 64-bit host. Return value unchecked. */
KERNEL32$IsWow64Process(hProcess, &isWOW64);
if (isWOW64 > 0)
{
/* aProcesses[i] is a DWORD; %i expects int. Same width on Windows, but
 * %lu is the matching specifier. Applies to both lines below. */
BeaconPrintf(CALLBACK_OUTPUT, "Found a process with CLR loaded: %s [%i] (x86)", clrProcName, aProcesses[i]);
}
else
{
BeaconPrintf(CALLBACK_OUTPUT, "Found a process with CLR loaded: %s [%i]", clrProcName, aProcesses[i]);
}
}
}
/* Every successfully opened handle is closed on this path, including when
 * module enumeration fails. */
KERNEL32$CloseHandle(hProcess);
}
/* 1 ms pause between processes; presumably pacing the handle-open loop.
 * Too short to change how the burst looks to ProcessAccess telemetry. */
KERNEL32$Sleep(1);
}
BeaconPrintf(CALLBACK_OUTPUT, "Finished search, any results should be displayed above.");
}