GitHub - rsmudge/unhook-bof: Remove API hooks from a Beacon process.

1 Branch 0 Tags

Name	Name	Last commit message	Last commit date
Latest commit rsmudge Mar 6, 2021 fa3c8d8 · Mar 6, 2021 History 6 Commits
src	src	ignore the DLL where beacon is	Mar 6, 2021
LICENSE	LICENSE	Initial commit of capabilities.	Jan 13, 2021
README	README	ignore the DLL where beacon is	Mar 6, 2021
make.bat	make.bat	Initial commit of capabilities.	Jan 13, 2021
unhook.cna	unhook.cna	ignore the DLL where beacon is	Mar 6, 2021
unhook.x64.o	unhook.x64.o	update .o files	Mar 6, 2021
unhook.x86.o	unhook.x86.o	update .o files	Mar 6, 2021

Repository files navigation

This is a Beacon Object File to refresh DLLs and remove their hooks. The code is from Cylance's Universal Unhooking research:

https://blogs.blackberry.com/en/2017/02/universal-unhooking-blinding-security-software

To use:

Load unhook.cna into Cobalt Strike via Cobalt Strike -> Script Manager

Run 'unhook' from Beacon

To build:

x86: Open Visual Studio x86 Native Tools Command Prompt and type 'make'
x64: Open Visual Studio x64 Croos Tools Command Prompt and type 'make'

This project derived from:

Reflective DLL Injection
BSD 3-Clause License
Copyright (c) 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
https://github.com/stephenfewer/ReflectiveDLLInjection

ReflectiveDLLRefresher
BSD 3-Clause License
Copyright (c) 2017, Cylance Inc.
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher

Unhook Meterpreter Extension
BSD-3-Clause License
2006-2018, Rapid7, Inc.
https://github.com/rapid7/metasploit-payloads/commits/master/c/meterpreter/source/extensions/unhook