BOF and Extensions

Beacon Object Files

BOF is just a block of position-independent code that receives pointers to some Beacon internal APIs. BOFs are single-file C programs that call Win32 APIs and limited Beacon APIs.

AdaptixC2 expects that your BOFs are single-threaded programs that run for a short period of time. BOFs will block other agent tasks and functionality from executing. BOFs execute inside of your agent. If a BOF crashes, you will lose access. Write your BOFs carefully.

Description of BOF for agents

Extensions

The AdaptixСlient allows you to extend the default functionality by adding new commands to the agent console.

Extensions are managed through the context menu of the extensions table.

The extension file must be in JSON format and have the following structure.

{
  "name": "Test",
  "description": "Test extensions",
  "extensions": [
    {
      "type":"<EXTENTION_TYPE>",
      ...
    },
    {
      "type":"<EXTENTION_TYPE>",
      ...
    }
  ]
}

At the moment there is only one extension type available: "command"

1. command

This type defines a new command. In addition to the required type, agents and exec parameters, this type must contain a description of the command (see here for details).

The agents parameter defines the list of agents to whose console the new command will be added.

The exec parameter defines the template for forming the command that will be executed in the console.

The following file defines two new commands: shell and dir.

    {
      "type": "command",
      "agents": ["beacon"],

      "command": "dir",
      "description": "List files in a directory. Supports wildcards (e.g. \"C:\\Windows\\S*\")",
      "message": "BOF implementation: dir",
      "example": "dir C:\\Windows",
      "args" : [
        "STRING </d directory> (.\\)",
        "BOOL </s> (false) {Recursive list}"
      ],
      "exec": "execute bof $EXT_DIR()/dir.$ARCH().o $PACK_BOF(CSTR {directory}, SHORT {/s})"
    },
    {
      "type" : "command",
      "agents": ["beacon"],

      "command": "shell",
      "message": "",
      "description": "Execute command via cmd.exe",
      "example": "shell whoami /all",
      "args": [
        "STRING <cmd>"
      ],
      "exec": "ps run -o C:\\Windows\\System32\\cmd.exe /c {cmd}"
    }

The shell command is a shortcut for the ps run command. The shell command has only one required parameter: cmd. The value of the cmd parameter will simply be substituted into the exec template.

So when you run the command shell whoami, another command will be executed:

# "exec": "ps run -o C:\\Windows\\System32\\cmd.exe /c {cmd}"

ps run -o C:\\Windows\\System32\\cmd.exe /c whoami

In addition to parameter substitution, the extension has certain macros that will also be replaced in the resulting command. Currently, three macros are defined:

$EXT_DIR() - returns the directory where the extension file is located.
$ARCH() - return agent's architecture.
$PACK_BOF(CSTR {directory}, SHORT {/s}) - returns packed data for BOF. Supports the following data types: BYTES, CSTR, WSTR, INT, SHORT.

So when you run the command dir C:\Windows /s, another command will be executed:

# execute bof $EXT_DIR()/dir.$ARCH().o $PACK_BOF(CSTR {directory}, SHORT {/s})

execute bof ~/tmp/dir.x64.o CQAAAAMAAAAuXAAAAA==

PreviousDownloads Storage NextListeners

Last updated 8 days ago