### Display Help and Options Source: https://context7.com/ccob/beaconeye/llms.txt Use the --help flag to display all available command-line options and usage instructions for BeaconEye.exe. ```bash BeaconEye.exe --help ``` -------------------------------- ### Initialize BeaconProcess for Live Monitoring Source: https://context7.com/ccob/beaconeye/llms.txt Constructs a BeaconProcess object for monitoring a live process. It requires a live process reader and configuration details, and creates a log directory based on process information. ```csharp public BeaconProcess(ProcessReader process, Configuration beaconConfig, long iv_address, long keys_address, ref ManualResetEvent finishedEvent) { if (process is NtProcessReader ntpr) { Process = ntpr.Process; } else { throw new ArgumentException("Only live processes can be monitored"); } // Create log folder: ProcessName_PID_Username folderName = $"{process.Name}_{process.ProcessId}_{Process.User.Name.Replace('\','_')}"; Directory.CreateDirectory(folderName); logFile = new StreamWriter(Path.Combine(folderName, "activity.log")); } ``` -------------------------------- ### Initialize MiniDumpReader from File Source: https://context7.com/ccob/beaconeye/llms.txt Constructs a MiniDumpReader by opening and reading a specified Minidump file. Ensures the input stream is a valid Minidump before proceeding. ```csharp public MiniDumpReader(string fileName) : this(new FileStream(fileName, FileMode.Open, FileAccess.Read)) { } ``` -------------------------------- ### Enumerate Processes with IProcessEnumerator Source: https://context7.com/ccob/beaconeye/llms.txt Provides a unified interface for scanning live processes or MiniDump files. The implementation allows switching between enumeration strategies based on input parameters. ```csharp public interface IProcessEnumerator { IEnumerable GetProcesses(); } // Usage in main scanning loop IProcessEnumerator procEnum; if (!string.IsNullOrEmpty(dump)) { // Scan MiniDump files in directory procEnum = new MiniDumpProcessEnumerator(dump, verbose); } else { // Scan running processes with optional filter procEnum = new RunningProcessEnumerator(processFilter); } foreach (var process in procEnum.GetProcesses()) { ScanResult sr = IsBeaconProcess(process, monitor); if (sr.State == ScanState.Found || sr.State == ScanState.FoundNoKeys) { Console.WriteLine($" {process.Name} ({process.ProcessId}), Keys Found:{sr.State == ScanState.Found}"); sr.Configuration.PrintConfiguration(Console.Out, 1); } } ``` -------------------------------- ### Decode Beacon Output with BeaconProgram Source: https://context7.com/ccob/beaconeye/llms.txt Reverses malleable C2 profile transformations including base64, NetBIOS, and XOR masking. Requires a list of transformation statements to be populated before calling RecoverOutput. ```csharp public class BeaconProgram { public List Statements { get; set; } = new List(); // Decode beacon output by reversing malleable C2 profile transformations public byte[] RecoverOutput(byte[] source) { byte[] decoded = source; var outputStatements = new List(); // Collect transformation statements until BUILD marker foreach (var statement in Statements) { if (statement.Action == Action.BUILD) { int buildType = IPAddress.NetworkToHostOrder( BitConverter.ToInt32(statement.Argument, 0)); if (buildType == 1) decode = true; } else if (statement.Action == Action.print && decode) { outputStatements.Reverse(); break; } else if (decode) { outputStatements.Add(statement); } } // Apply reverse transformations foreach (var statement in outputStatements) { switch (statement.Action) { case Action.base64url: decoded = Convert.FromBase64String( Uri.UnescapeDataString(Encoding.ASCII.GetString(decoded))); break; case Action.base64: decoded = Convert.FromBase64String(Encoding.ASCII.GetString(decoded)); break; case Action.prepend: decoded = decoded.Skip(statement.Argument.Length).ToArray(); break; case Action.append: decoded = decoded.Take(decoded.Length - statement.Argument.Length).ToArray(); break; case Action.netbios: decoded = NetBIOSDecode(decoded, false); break; case Action.mask: decoded = MaskDecode(decoded); break; } } return decoded; } // NetBIOS decode (lowercase variant) byte[] NetBIOSDecode(byte[] source, bool upper) { byte baseChar = (byte)(upper ? 0x41 : 0x61); byte[] result = new byte[source.Length / 2]; for (int idx = 0; idx < source.Length; idx += 2) { result[idx/2] = (byte)(((source[idx] - baseChar) << 4) | (source[idx + 1] - baseChar) & 0xf); } return result; } // XOR mask decode byte[] MaskDecode(byte[] source) { var xorKey = source.Take(4).ToArray(); var result = source.Skip(4).ToArray(); for (int idx = 0; idx < result.Length; ++idx) { result[idx] ^= xorKey[idx % 4]; } return result; } } ``` -------------------------------- ### Implement NtProcessReader for Live Processes Source: https://context7.com/ccob/beaconeye/llms.txt Wraps NtApiDotNet's NtProcess to provide live process memory reading capabilities. ```csharp public class NtProcessReader : ProcessReader { NtProcess process; public NtProcess Process => process; public override string Name => process.Name; public override bool Is64Bit => process.Is64Bit; public override ulong PebAddress => (ulong)(Is64Bit ? process.PebAddress : process.PebAddress32); public override int ProcessId => process.ProcessId; public NtProcessReader(NtProcess process) { this.process = process; } public override byte[] ReadMemory(ulong address, int len) { return process.ReadMemory((long)address, len); } public override T ReadMemory(ulong address) { return process.ReadMemory((long)address); } public override MemoryInfo QueryMemoryInfo(ulong address) { var info = process.QueryMemoryInformation((long)address); return new MemoryInfo( (ulong)info.BaseAddress, (ulong)info.AllocationBase, (ulong)info.RegionSize, info.Protect == MemoryAllocationProtect.ExecuteRead || info.Protect == MemoryAllocationProtect.ExecuteReadWrite, ((int)info.Protect & (int)MemoryAllocationProtect.NoAccess) == (int)MemoryAllocationProtect.NoAccess ); } } ``` -------------------------------- ### Scan Running Processes Source: https://context7.com/ccob/beaconeye/llms.txt Execute BeaconEye.exe without arguments to scan all currently running processes for CobaltStrike beacons. ```bash BeaconEye.exe ``` -------------------------------- ### Parse CobaltStrike Beacon Configuration in C# Source: https://context7.com/ccob/beaconeye/llms.txt The Configuration class maps configuration indices to specific data types and iterates through the memory stream to populate a dictionary of configuration items. ```csharp public class Configuration { public Dictionary Items { get; private set; } = new Dictionary(); public long Address { get; private set; } // Static mapping of config indices to types static Configuration() { configTypes.Add(1, new ConfigAttrbute(1, "BeaconType", typeof(ConfigShortItem))); configTypes.Add(2, new ConfigAttrbute(2, "Port", typeof(ConfigShortItem))); configTypes.Add(3, new ConfigAttrbute(3, "Sleep", typeof(ConfigIntegerItem))); configTypes.Add(8, new ConfigAttrbute(8, "C2Server", typeof(ConfigStringItem))); configTypes.Add(9, new ConfigAttrbute(9, "UserAgent", typeof(ConfigStringItem))); configTypes.Add(13, new ConfigAttrbute(13, "HTTP_Post_Program", typeof(ConfigProgramItem))); configTypes.Add(37, new ConfigAttrbute(37, "Watermark", typeof(ConfigIntegerItem))); // ... additional config fields } public Configuration(long configAddress, BinaryReader configReader, ProcessReader process) { Address = configAddress; configEntrySize = process.Is64Bit ? 16 : 8; while (configReader.BaseStream.Position < configReader.BaseStream.Length) { Type type = (Type)(configEntrySize == 16 ? configReader.ReadInt64() : configReader.ReadInt32()); if (configTypes.ContainsKey(index) && type != Type.Unconfigured) { var configType = configTypes[index]; ConfigItem configItem = (ConfigItem)Activator.CreateInstance( configType.Type, new object[] { configType.Name }); configItem.Parse(configReader, process); Items.Add(configItem.Name, configItem); } index++; } } public void PrintConfiguration(TextWriter writer, int numTabs) { foreach (var config in Items) { writer.Write(new string('\t', numTabs)); writer.WriteLine(config.Value); } } } ``` -------------------------------- ### Beacon Process Callback Types Source: https://context7.com/ccob/beaconeye/llms.txt Defines an enumeration for various callback output types used by the BeaconProcess, such as standard output, keystrokes, file transfers, and screenshots. ```csharp public enum OutputTypes : int { CALLBACK_OUTPUT = 0, CALLBACK_KEYSTROKES = 1, CALLBACK_FILE = 2, CALLBACK_SCREENSHOT = 3, CALLBACK_HASHDUMP = 21, CALLBACK_OUTPUT_UTF8 = 32 // ... additional callback types } ``` -------------------------------- ### Initialize MiniDumpReader from Stream Source: https://context7.com/ccob/beaconeye/llms.txt Initializes the MiniDumpReader by parsing a given stream. It reads the dump header and directories to prepare for further analysis of memory, threads, and modules. ```csharp public MiniDumpReader(Stream source) { miniDumpStream = source; miniDumpReader = new BinaryReader(miniDumpStream); source.Seek(0, SeekOrigin.Begin); var hdr = ReadStruct
(); if (hdr.Signature != 0x504d444d) { throw new FormatException("Input stream doesn't appear to be a Minidump"); } // Parse stream directories for memory, threads, modules, system info // Memory64ListStream contains full memory regions for scanning } ``` -------------------------------- ### Scan and Monitor Beacons Source: https://context7.com/ccob/beaconeye/llms.txt Employ the --monitor flag to scan for beacons and actively monitor detected instances for Command and Control (C2) traffic. ```bash BeaconEye.exe --monitor ``` -------------------------------- ### Scan MiniDump Files Source: https://context7.com/ccob/beaconeye/llms.txt Utilize the --dump option with a directory path to scan MiniDump files within that directory for CobaltStrike beacons. ```bash BeaconEye.exe --dump C:\dumps\ ``` -------------------------------- ### Monitor Beacon Traffic with Debugger Source: https://context7.com/ccob/beaconeye/llms.txt Attaches to a live beacon process as a debugger to intercept HTTP/HTTPS C2 communications. It sets breakpoints on WinINet functions and extracts encryption keys upon hitting a breakpoint. ```csharp public void MonitorTraffic() { NtDebug debugObject = NtDebug.Create(); debugObject.SetKillOnClose(false); debugObject.Attach(Process); while (debugging) { DebugEvent debugEvent = debugObject.WaitForDebugEvent(100); if (debugEvent is LoadDllDebugEvent loadDllDebugEvent) { if (Path.GetFileName(loadDllDebugEvent.File.FileName) == "wininet.dll") { // Set breakpoint on HttpSendRequestA var wininetLib = SafeLoadLibraryHandle.LoadLibrary("wininet.dll"); httpSendRequestAddress = wininetLib.Exports .Where(e => e.Name == "HttpSendRequestA") .Select(e => e.Address).First(); oldBPInst = EnableBreakpoint(httpSendRequestAddress); } } else if (debugEvent is ExceptionDebugEvent exceptionDebugEvent) { if (exceptionDebugEvent.Code == NtStatus.STATUS_BREAKPOINT) { // Extract encryption keys and decrypt C2 traffic keys = Process.ReadMemory(keys_address, 32); LogMessage($"AES Key: {StringUtils.ByteArrayToString(keys.Take(16).ToArray())}"); } } } debugObject.Detach(Process); } ``` -------------------------------- ### Combined Scan, Monitor, and Filter Source: https://context7.com/ccob/beaconeye/llms.txt Combine multiple flags for a comprehensive scan: verbose output (-v), monitoring (-m), and filtering by process name prefix (-f). ```bash BeaconEye.exe -v -m -f explorer ``` -------------------------------- ### Compile YARA Rules Source: https://context7.com/ccob/beaconeye/llms.txt This C# function compiles YARA rules dynamically based on the target architecture (x64 or 32-bit) using the libyaraNET library. It requires an active 'Compiler' instance. ```csharp static Rules CompileRules(bool x64) { using (Compiler compiler = new Compiler()) { compiler.AddRuleString(x64 ? cobaltStrikeRule64 : cobaltStrikeRule32); return compiler.GetRules(); } } ``` -------------------------------- ### NtProcessReader for Live Processes Source: https://context7.com/ccob/beaconeye/llms.txt The NtProcessReader class implements the ProcessReader interface for live processes by utilizing the NtApiDotNet library. ```APIDOC ## NtProcessReader for Live Processes The `NtProcessReader` class wraps NtApiDotNet's `NtProcess` to read memory from running processes. It implements the `ProcessReader` interface for live process scanning. ### Constructor - **NtProcessReader(NtProcess process)** - Initializes a new instance of the `NtProcessReader` class with the specified `NtProcess` object. ### Properties - **Process** (NtProcess) - Gets the underlying `NtProcess` object. - **Name** (string) - Gets the name of the process. - **Is64Bit** (bool) - Indicates if the process is 64-bit. - **PebAddress** (ulong) - Gets the base address of the Process Environment Block (PEB), adjusted for architecture. - **ProcessId** (int) - Gets the ID of the process. ### Methods - **ReadMemory(ulong address, int len)** (byte[]) - Reads a block of memory from the live process. - **ReadMemory(ulong address)** (T) - Reads a value of type T from the live process memory. - **QueryMemoryInfo(ulong address)** (MemoryInfo) - Retrieves memory information for a specific memory region in the live process, converting NtApiDotNet's `MemoryInformation` to the `ProcessReader.MemoryInfo` structure. ``` -------------------------------- ### CobaltStrike YARA Rules (64-bit) Source: https://context7.com/ccob/beaconeye/llms.txt This C# string defines the YARA rule used for detecting 64-bit CobaltStrike beacons by searching for specific byte patterns in memory. ```csharp public static string cobaltStrikeRule64 = "rule CobaltStrike { " + "strings: " + "$sdec = { " + " 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 " + " 01 00 00 00 00 00 00 00 (00|01|02|04|08|10) 00 00 00 00 00 00 00 " + " 01 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00 " + " 02 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 " + " 02 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 " + " 01 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00 " + "} " + "condition: any of them" + "}"; ``` -------------------------------- ### Scan with Verbose Output Source: https://context7.com/ccob/beaconeye/llms.txt Use the --verbose flag to enable verbose output, which shows all processes being checked during the scan. ```bash BeaconEye.exe --verbose ``` -------------------------------- ### CobaltStrike YARA Rules (32-bit) Source: https://context7.com/ccob/beaconeye/llms.txt This C# string defines the YARA rule used for detecting 32-bit CobaltStrike beacons by searching for specific byte patterns in memory. ```csharp public static string cobaltStrikeRule32 = "rule CobaltStrike { " + "strings: " + "$sdec = { " + " 00 00 00 00 00 00 00 00 " + " 01 00 00 00 (00|01|02|04|08|10) 00 00 00" + " 01 00 00 00 ?? ?? 00 00 " + " 02 00 00 00 ?? ?? ?? ?? " + " 02 00 00 00 ?? ?? ?? ?? " + " 01 00 00 00 ?? ?? 00 00 " + "} " + "condition: any of them" + "}"; ``` -------------------------------- ### ProcessReader Abstract Class Source: https://context7.com/ccob/beaconeye/llms.txt The ProcessReader abstract class defines an interface for reading memory from processes and includes utility methods for pointer and heap enumeration. ```APIDOC ## ProcessReader Abstract Class The `ProcessReader` abstract class provides a unified interface for reading memory from both live processes and MiniDump files. It handles architecture differences and provides heap enumeration for scanning. ### MemoryInfo Structure Represents information about a memory region. - **BaseAddress** (ulong) - The base address of the memory region. - **AllocationBase** (ulong) - The base address of the memory allocation. - **RegionSize** (ulong) - The size of the memory region. - **IsExecutable** (bool) - Indicates if the memory region is executable. - **NoAccess** (bool) - Indicates if the memory region has no access permissions. ### Abstract Properties These properties must be implemented by derived classes. - **ProcessId** (int) - The ID of the process. - **PebAddress** (ulong) - The base address of the Process Environment Block (PEB). - **Name** (string) - The name of the process. - **Is64Bit** (bool) - Indicates if the process is 64-bit. ### Abstract Methods These methods must be implemented by derived classes for memory operations. - **ReadMemory(ulong address)** (T) - Reads a value of type T from the specified address. - **ReadMemory(ulong address, int len)** (byte[]) - Reads a block of memory of the specified length from the given address. - **QueryMemoryInfo(ulong address)** (MemoryInfo) - Retrieves memory information for the region containing the specified address. - **QueryAllMemoryInfo()** (IEnumerable) - Retrieves memory information for all memory regions in the process. ### Utility Methods - **ReadPointer(ulong address)** (long) - Reads a pointer value from the specified address, handling architecture differences (8 bytes for x64, 4 bytes for x86). - **Heaps** (List) - Enumerates and returns a list of heap addresses within the process, determined by parsing the PEB. ``` -------------------------------- ### Filter Processes for Scanning Source: https://context7.com/ccob/beaconeye/llms.txt Use the --filter option followed by a process name prefix to limit the scan to only processes matching the specified name. ```bash BeaconEye.exe --filter notepad ``` -------------------------------- ### Define ProcessReader Abstract Class Source: https://context7.com/ccob/beaconeye/llms.txt Defines the base interface for memory reading operations, including memory info structures and heap enumeration logic. ```csharp public abstract class ProcessReader { // Memory region information structure public struct MemoryInfo { public ulong BaseAddress { get; } public ulong AllocationBase { get; } public ulong RegionSize { get; } public bool IsExecutable { get; } public bool NoAccess { get; } } // Abstract properties implemented by derived classes public abstract int ProcessId { get; } public abstract ulong PebAddress { get; } public abstract string Name { get; } public abstract bool Is64Bit { get; } // Memory read operations public abstract T ReadMemory(ulong address) where T : new(); public abstract byte[] ReadMemory(ulong address, int len); public abstract MemoryInfo QueryMemoryInfo(ulong address); public abstract IEnumerable QueryAllMemoryInfo(); // Read pointer based on architecture (8 bytes for x64, 4 bytes for x86) public long ReadPointer(ulong address) { if (Is64Bit) { return ReadMemory(address); } else { return ReadMemory(address); } } // Enumerate process heaps from PEB public List Heaps { get { int numHeaps; long heapArray; if (Is64Bit) { numHeaps = ReadMemory(PebAddress + 0xE8); heapArray = ReadPointer(PebAddress + 0xF0); } else { numHeaps = ReadMemory(PebAddress + 0x88); heapArray = ReadPointer(PebAddress + 0x90); } var heaps = new List(); for (int idx = 0; idx < numHeaps; ++idx) { var heap = ReadPointer((ulong)(heapArray + (idx * PointerSize()))); heaps.Add(heap); } return heaps; }} } ``` -------------------------------- ### Read Memory from MiniDump Source: https://context7.com/ccob/beaconeye/llms.txt Reads a specified number of bytes from the MiniDump file at a given virtual address. It iterates through memory descriptors to find the correct offset within the dump file. ```csharp public override byte[] ReadMemory(ulong address, int len) { ulong fileAddress = memoryFullRVA; foreach (var descriptor in memoryInfoFull) { if (address >= descriptor.StartOfMemoryRange && address < descriptor.StartOfMemoryRange + descriptor.DataSize) { ulong offsetInRange = address - descriptor.StartOfMemoryRange; miniDumpStream.Seek((long)(fileAddress + offsetInRange), SeekOrigin.Begin); byte[] data = new byte[len]; miniDumpStream.Read(data, 0, data.Length); return data; } fileAddress += descriptor.DataSize; } throw new ArgumentOutOfRangeException(); } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.