
John Hammond Explores Malware Development for Cybersecurity
In this video, John Hammond delves into the development of malware for legitimate purposes, such as working as a red teamer or an offensive cybersecurity specialist. He focuses on creating an implant, or endpoint agent, that functions as a beacon and communicates with a command and control (C2) server. The goal is to create a beacon as lightweight as possible, capable of handling communication with the C2 server while offering additional features without weighing down the code.
Hammond introduces the concept of "beacon object files" (BOFs), popularized by Cobalt Strike in 2021. BOFs are native object files loaded and executed in memory at runtime, similar to DLLs (Dynamic Link Libraries) but with a much smaller footprint, which makes them stealthier. They are compiled into object files in Microsoft's COFF (Common Object File Format). Hammond demonstrates the process of developing a BOF using C/C++ code and compiling it with MinGW-GCC on Kali Linux. He also explains how to use the Visual Studio Developer Prompt on Windows to compile these files.
To make the BOF functional, Hammond uses the Beacon API from Cobalt Strike, which exposes a small set of functions a BOF may call. He downloads the beacon.h header file and integrates it into his project. Then he creates a simple example of a BOF that displays "Hello World" using the BeaconPrintf function. He compiles this code into an object file and uses a BOF loader to execute it on a Windows machine.
Hammond then moves on to a more practical example: calling the Win32 API function GetCurrentProcessId to obtain the current process ID. He explains the concept of "Dynamic Function Resolution" (DFR), which allows a BOF to call system library functions without carrying a complete import table; the loader resolves the referenced functions at run time instead. He modifies his code to include this functionality and compiles the BOF.
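The two mechanisms just described leave a recognisable trace in the compiled object: the Beacon API calls from the earlier paragraph and the DFR calls to Win32 both appear as undefined external symbols in the COFF symbol table. The following script, added here as an illustration and not code from the video or from Cobalt Strike, parses the COFF header, symbol table and string table of an object file and separates the two kinds of external reference. It assumes the naming conventions a BOF toolchain produces: Beacon API functions declared with `__declspec(dllimport)` become `__imp_BeaconPrintf`-style symbols, and DFR references take the form `__imp_LIBRARY$Function` (for example `__imp_KERNEL32$GetCurrentProcessId`). The sample object embedded below is constructed by hand, reduced to a header, three symbols and a string table, so the script runs offline; point `classify_externals` at the bytes of a real `.o` file to triage it the same way.

```python
import re
import struct

# COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes, little-endian).
COFF_HEADER = struct.Struct("<HHIIIHH")
# COFF symbol record: Name(8), Value, SectionNumber, Type, StorageClass, NumberOfAuxSymbols (18 bytes).
SYMBOL = struct.Struct("<8sIhHBB")

IMAGE_SYM_UNDEFINED = 0        # SectionNumber 0: symbol must be resolved by the loader
IMAGE_SYM_CLASS_EXTERNAL = 2   # StorageClass 2: externally visible symbol

# Assumed DFR convention: __imp_<LIBRARY>$<Function>
DFR_RE = re.compile(r"^__imp_([A-Za-z0-9_]+)\$([A-Za-z0-9_]+)$")


def parse_coff_symbols(data):
    """Return (machine, [(name, section_number, storage_class), ...]) for a COFF object."""
    machine, _nsect, _ts, symptr, nsyms, _optsz, _chars = COFF_HEADER.unpack_from(data, 0)
    # The string table starts right after the symbol table; its first 4 bytes give its total size.
    strtab_off = symptr + nsyms * SYMBOL.size
    strtab_size = struct.unpack_from("<I", data, strtab_off)[0]
    strtab = data[strtab_off:strtab_off + strtab_size]

    symbols = []
    i = 0
    while i < nsyms:
        name_raw, _value, sect, _typ, sclass, naux = SYMBOL.unpack_from(data, symptr + i * SYMBOL.size)
        if name_raw[:4] == b"\0\0\0\0":
            # Long name: zero dword followed by an offset into the string table.
            off = struct.unpack("<I", name_raw[4:])[0]
            name = strtab[off:strtab.index(b"\0", off)].decode()
        else:
            # Short name stored inline, null padded to 8 bytes.
            name = name_raw.rstrip(b"\0").decode()
        symbols.append((name, sect, sclass))
        i += 1 + naux  # skip auxiliary records that belong to this symbol
    return machine, symbols


def classify_externals(data):
    """Split undefined __imp_ externals into DFR (Win32) references and Beacon API references."""
    _, symbols = parse_coff_symbols(data)
    report = {"dfr": [], "beacon_api": []}
    for name, sect, sclass in symbols:
        if sect != IMAGE_SYM_UNDEFINED or sclass != IMAGE_SYM_CLASS_EXTERNAL:
            continue
        if not name.startswith("__imp_"):
            continue
        m = DFR_RE.match(name)
        if m:
            report["dfr"].append(f"{m.group(1)}!{m.group(2)}")
        else:
            report["beacon_api"].append(name[len("__imp_"):])
    return report


def build_sample_object():
    """Constructed minimal x64 COFF object: no sections, one defined symbol, two __imp_ externals."""
    long_names = [b"__imp_KERNEL32$GetCurrentProcessId", b"__imp_BeaconPrintf"]
    strtab_body = b"".join(n + b"\0" for n in long_names)
    strtab = struct.pack("<I", 4 + len(strtab_body)) + strtab_body
    offsets = [4, 4 + len(long_names[0]) + 1]

    # 'go' is the conventional BOF entry point; marked as defined in section 1, function type 0x20.
    symbols = SYMBOL.pack(b"go", 0, 1, 0x20, IMAGE_SYM_CLASS_EXTERNAL, 0)
    for off in offsets:
        symbols += SYMBOL.pack(struct.pack("<II", 0, off), 0, IMAGE_SYM_UNDEFINED, 0,
                               IMAGE_SYM_CLASS_EXTERNAL, 0)

    header = COFF_HEADER.pack(0x8664, 0, 0, COFF_HEADER.size, 3, 0, 0)
    return header + symbols + strtab


if __name__ == "__main__":
    sample = build_sample_object()
    print(classify_externals(sample))
```

A real BOF has sections (`.text`, `.rdata`, relocations) that this reduced sample omits, but the symbol-table walk is the same, so the classifier applies unchanged to objects produced by MinGW-GCC or the Visual Studio toolchain. For triage, an object whose undefined externals are dominated by `__imp_LIB$Func` and `__imp_Beacon*` names is a strong indicator that it was built against the Beacon API rather than as an ordinary compilation unit.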
To test this BOF, Hammond uses PowerShell Empire, an open-source post-exploitation framework. He writes a YAML module definition for Empire that describes the BOF and places it in the appropriate module directory. Then he starts the Empire server, creates an HTTP listener, and generates a stager to deploy the agent on a Windows machine. Once the agent is deployed, he executes the BOF via Empire's Starkiller interface and obtains the current process ID.
Hammond concludes by discussing the advantages of BOFs over other methods of in-memory code execution, such as shellcode or reflectively loaded DLLs. BOFs are smaller, easier to develop, and do not carry the overhead of DLLs or .NET assemblies. He also mentions that many public BOFs are available, such as those from TrustedSec, which provide more advanced capabilities.
In summary, this video provides a detailed introduction to beacon object files, their development, and their use in post-exploitation frameworks like Empire. It is a valuable resource for cybersecurity professionals looking to build their skills in malware development for penetration testing and attack simulation.