{"id":20563720,"url":"https://github.com/trustedsec/pplfaultdumpbof","last_synced_at":"2025-04-14T14:43:23.563Z","repository":{"id":166459337,"uuid":"641430669","full_name":"trustedsec/PPLFaultDumpBOF","owner":"trustedsec","description":null,"archived":false,"fork":false,"pushed_at":"2023-05-17T12:57:20.000Z","size":429,"stargazers_count":140,"open_issues_count":0,"forks_count":11,"subscribers_count":4,"default_branch":"BOFRelease","last_synced_at":"2025-03-28T03:41:23.485Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trustedsec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-05-16T13:02:22.000Z","updated_at":"2025-03-04T17:26:59.000Z","dependencies_parsed_at":null,"dependency_job_id":"ed6e3445-6a39-4c58-ad1a-e336d9d8d613","html_url":"https://github.com/trustedsec/PPLFaultDumpBOF","commit_stats":null,"previous_names":["trustedsec/PPLFaultDumpBOF"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2FPPLFaultDumpBOF","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2FPPLFaultDumpBOF/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2FPPLFaultDumpBOF/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2FPPLFaultDumpBOF/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trustedsec","download_url":"https:
//codeload.github.com/trustedsec/PPLFaultDumpBOF/tar.gz/refs/heads/BOFRelease","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248898726,"owners_count":21179830,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-16T04:20:27.213Z","updated_at":"2025-04-14T14:43:23.557Z","avatar_url":"https://github.com/trustedsec.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# This is a derivative work of [https://github.com/gabriellandau/PPLFault](https://github.com/gabriellandau/PPLFault).\n\nPlease view that repo for all of the original research and further information.\nThis conversion intentionally does not modify the IOCs of the original tool release.\n\n# PPLFaultDumpBOF\n\nTakes the original PPLFault and the original included DumpShellcode and combines it all into a BOF targeting Cobalt Strike.\n\nIf you would like to run this in other projects, please consider using our BOF runner implementation, [COFFLoader](https://github.com/trustedsec/COFFLoader).\n\n## Building\n\nNormally I like to use mingw-w64 to build my BOFs, but given that this exploit requires a modern version of Windows 10 to work, it was easier to convert and compile against cl.exe.\n\nYou need to start an x64 native Visual Studio developer prompt. Then, from that prompt, run [makebof.bat](PPLFault/makebof.bat).\n\n## Code layout\nThe layout of this code closely matches the original, but the original solution files have been removed as they are unused in a BOF build.\nStart at [entry.c](PPLFault/entry.c), as that is the BOF entry point and where all other .h / .c files are included.\n\n## Example Output\n\n![Cobalt Strike Output](images/cs.jpeg)\n\n## Usage\nFirst, load PPLFault.cna into Cobalt Strike.\nThen, in any console, run `pplfaultdump \u003cpid\u003e \u003coutputpath\u003e`.\n\n# License\n\nSilhouette is covered by the [ELv2 license](LICENSE.txt). It uses [phnt](https://github.com/winsiderss/systeminformer/tree/25846070780183848dc8d8f335a54fa6e636e281/phnt) from SystemInformer under the [MIT license](phnt/LICENSE.txt).\n\n# Credits\nInspired by [PPLdump](https://github.com/itm4n/PPLdump) by [Clément Labro](https://infosec.exchange/@itm4n), which Microsoft [patched](https://itm4n.github.io/the-end-of-ppldump/) in July 2022.\n\n[ANGRYORCHARD](https://github.com/gabriellandau/ANGRYORCHARD) was created by [Austin Hudson](https://twitter.com/ilove2pwn_), who released it when Microsoft patched PPLdump.\n\n[PPLFault](https://github.com/gabriellandau/PPLFault) from [Gabriel Landau](https://twitter.com/GabrielLandau) at [Elastic Security](https://www.elastic.co/security-labs/).","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrustedsec%2Fpplfaultdumpbof","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrustedsec%2Fpplfaultdumpbof","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrustedsec%2Fpplfaultdumpbof/lists"}