first

Author: 0range-x

.DS_Store

@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.0.32112.339
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "self_delete", "self_delete\self_delete.vcxproj", "{5064E764-61D8-4FDF-838E-A00C3B0F172A}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{5064E764-61D8-4FDF-838E-A00C3B0F172A}.Debug|x64.ActiveCfg = Debug|x64
+		{5064E764-61D8-4FDF-838E-A00C3B0F172A}.Debug|x64.Build.0 = Debug|x64
+		{5064E764-61D8-4FDF-838E-A00C3B0F172A}.Debug|x86.ActiveCfg = Debug|Win32
+		{5064E764-61D8-4FDF-838E-A00C3B0F172A}.Debug|x86.Build.0 = Debug|Win32
+		{5064E764-61D8-4FDF-838E-A00C3B0F172A}.Release|x64.ActiveCfg = Release|x64
+		{5064E764-61D8-4FDF-838E-A00C3B0F172A}.Release|x64.Build.0 = Release|x64
+		{5064E764-61D8-4FDF-838E-A00C3B0F172A}.Release|x86.ActiveCfg = Release|Win32
+		{5064E764-61D8-4FDF-838E-A00C3B0F172A}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {8F602002-14C1-4008-BF8C-A941934A5BB4}
+	EndGlobalSection
+EndGlobal

self_delete.sln

@@ -0,0 +1,69 @@
+///*
+// * Beacon Object Files (BOF)
+// * -------------------------
+// * A Beacon Object File is a light-weight post exploitation tool that runs
+// * with Beacon's inline-execute command.
+// *
+// * Additional BOF resources are available here:
+// *   - https://github.com/Cobalt-Strike/bof_template
+// *
+// * Cobalt Strike 4.x
+// * ChangeLog:
+// *    1/25/2022: updated for 4.5
+// */
+//
+///* data API */
+//typedef struct {
+//	char * original; /* the original buffer [so we can free it] */
+//	char * buffer;   /* current pointer into our buffer */
+//	int    length;   /* remaining length of data */
+//	int    size;     /* total size of this buffer */
+//} datap;
+//
+//DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
+//DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
+//DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
+//DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
+//DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
+//DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
+//
+///* format API */
+//typedef struct {
+//	char * original; /* the original buffer [so we can free it] */
+//	char * buffer;   /* current pointer into our buffer */
+//	int    length;   /* remaining length of data */
+//	int    size;     /* total size of this buffer */
+//} formatp;
+//
+//DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
+//DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
+//DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
+//DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
+//DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
+//DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
+//DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
+//
+///* Output Functions */
+//#define CALLBACK_OUTPUT      0x0
+//#define CALLBACK_OUTPUT_OEM  0x1e
+//#define CALLBACK_OUTPUT_UTF8 0x20
+//#define CALLBACK_ERROR       0x0d
+//
+//DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
+//DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
+//
+//
+///* Token Functions */
+//DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
+//DECLSPEC_IMPORT void   BeaconRevertToken();
+//DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
+//
+///* Spawn+Inject Functions */
+//DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+//DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+//DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+//DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
+//DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+//
+///* Utility Functions */
+//DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

self_delete/beacon.h

@@ -0,0 +1,81 @@
+//#include"beacon.h"
+//#include<Windows.h>
+//
+//DECLSPEC_IMPORT  BOOL WINAPI KERNEL32$$EnumProcesses(DWORD*, DWORD, DWORD*);
+//DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
+//DECLSPEC_IMPORT BOOL WINAPI KERNEL32$EnumProcessModules(HANDLE, HMODULE*, DWORD, LPDWORD);
+//DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetModuleBaseNameW(HANDLE, HMODULE, LPWSTR, DWORD);
+//DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetModuleFileNameExW(HANDLE, HMODULE, LPWSTR, DWORD);
+//DECLSPEC_IMPORT WINBASEAPI BOOL WINAPI KERNEL32$CloseHandle(HANDLE);
+//
+//void FindPathAndDeleteFiles(const TCHAR* szFileName);
+//
+//
+//int _tmain(int argc, TCHAR* argv[])
+//{
+//    if (argc != 2)
+//    {
+//        printf("Usage: %s <process_name>\n", argv[0]);
+//        return 1;
+//    }
+//    FindPathAndDeleteFiles(argv[1]);
+//    return 0;
+//}
+//
+//void FindPathAndDeleteFiles(const TCHAR* szFileName)
+//{
+//    DWORD aProcesses[1024], cbNeeded, cProcesses;
+//    TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");
+//
+//    if (!KERNEL32$$EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
+//    {
+//        return;
+//    }
+//
+//    cProcesses = cbNeeded / sizeof(DWORD);
+//
+//    for (DWORD i = 0; i < cProcesses; i++)
+//    {
+//        HANDLE hProcess = KERNEL32$OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i]);
+//
+//        if (hProcess)
+//        {
+//            HMODULE hMod;
+//            DWORD cbNeeded;
+//
+//            if (KERNEL32$EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded))
+//            {
+//                KERNEL32$GetModuleBaseNameW(hProcess, hMod, szProcessName, sizeof(szProcessName) / sizeof(TCHAR));
+//
+//                if (_tcscmp(szProcessName, szFileName) == 0)
+//                {
+//                    TCHAR szPath[MAX_PATH];
+//                    KERNEL32$GetModuleFileNameExW(hProcess, hMod, szPath, sizeof(szPath) / sizeof(TCHAR));
+//
+//                    TCHAR szDrive[_MAX_DRIVE], szDir[_MAX_DIR], szFileName[_MAX_FNAME], szExt[_MAX_EXT];
+//                    _tsplitpath_s(szPath, szDrive, _MAX_DRIVE, szDir, _MAX_DIR, szFileName, _MAX_FNAME, szExt, _MAX_EXT);
+//
+//                    TCHAR szDirPath[MAX_PATH];
+//                    _tmakepath_s(szDirPath, MAX_PATH, szDrive, szDir, NULL, NULL);
+//
+//                    if (_tchdir(szDirPath) != 0)
+//                    {
+//                        BeaconPrintf("Failed to change directory. Error:%d \n", GetLastError());
+//                        return;
+//                    }
+//
+//                    system("taskkill /im qrotate.exe /f");
+//                    system("del libmlt-6.dll");
+//                    system("del qrotate.exe");
+//                    system("del ictl.dt");
+//
+//                    BeaconPrintf("Successfully deleted files and changed directory to %s\n", szDirPath);
+//                    return;
+//                }
+//            }
+//            KERNEL32$CloseHandle(hProcess);
+//        }
+//    }
+//
+//    BeaconPrintf("Could not find %s process\n", szFileName);
+//}