Skip to content

Cobalt-Strike/unhook-bof

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

This is a Beacon Object File to refresh DLLs and remove their hooks. The code is from Cylance's Universal Unhooking research:

https://blogs.blackberry.com/en/2017/02/universal-unhooking-blinding-security-software

To use:

Load unhook.cna into Cobalt Strike via Cobalt Strike -> Script Manager

Run 'unhook' from Beacon

To build:

make

This project derived from:

Reflective DLL Injection
BSD 3-Clause License
Copyright (c) 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
https://github.com/stephenfewer/ReflectiveDLLInjection

ReflectiveDLLRefresher
BSD 3-Clause License
Copyright (c) 2017, Cylance Inc.
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher

Unhook Meterpreter Extension
BSD-3-Clause License
2006-2018, Rapid7, Inc.
https://github.com/rapid7/metasploit-payloads/commits/master/c/meterpreter/source/extensions/unhook

About

Remove API hooks from a Beacon process.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C 99.6%
  • Makefile 0.4%