Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/rsmudge/unhook-bof
Remove API hooks from a Beacon process.
- Host: GitHub
- URL: https://github.com/rsmudge/unhook-bof
- Owner: rsmudge
- License: bsd-3-clause
- Created: 2021-01-13T02:20:44.000Z (almost 4 years ago)
- Default Branch: master
- Last Pushed: 2021-09-18T18:12:41.000Z (about 3 years ago)
- Last Synced: 2024-08-05T17:25:26.634Z (4 months ago)
- Language: C
- Size: 33.2 KB
- Stars: 263
- Watchers: 7
- Forks: 57
- Open Issues: 1
Metadata Files:
- Readme: README
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - rsmudge/unhook-bof - Remove API hooks from a Beacon process. (C)
README
This is a Beacon Object File to refresh DLLs and remove their hooks. The code is from Cylance's Universal Unhooking research:
https://blogs.blackberry.com/en/2017/02/universal-unhooking-blinding-security-software
To use:
Load unhook.cna into Cobalt Strike via Cobalt Strike -> Script Manager
Run 'unhook' from Beacon
To build:
x86: Open Visual Studio x86 Native Tools Command Prompt and type 'make'
x64: Open Visual Studio x64 Cross Tools Command Prompt and type 'make'
This project derived from:
Reflective DLL Injection
BSD 3-Clause License
Copyright (c) 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
https://github.com/stephenfewer/ReflectiveDLLInjection
ReflectiveDLLRefresher
BSD 3-Clause License
Copyright (c) 2017, Cylance Inc.
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher
Unhook Meterpreter Extension
BSD-3-Clause License
2006-2018, Rapid7, Inc.
https://github.com/rapid7/metasploit-payloads/commits/master/c/meterpreter/source/extensions/unhook