trustedsec / CS-Situational-Awareness-BOF

Situational Awareness commands implemented using Beacon Object Files
GNU General Public License v2.0

Issue with running BOF modules #65

Closed nowhey2 closed 2 years ago

nowhey2 commented 2 years ago

Somewhere between commit c46f814af4490779ebf4bd938815feb52b8aafec (May 7, 2021) and commit 63b4e7deaff78b15ce21d69072754cb14fbaa873 (Sept 1, 2021), an error was introduced that persists to the most recent commit. Most, if not all, of the commands will trigger the following error on x64 systems (x86 was not tested): Error: [-] no slot for function (reduce number of Win32 APIs called)

Examples:

```
beacon> tasklist
Connecting to \. and retrieving list of currently running processes

[*] Running tasklist
[+] host called home, sent: 10272 bytes
[-] no slot for function (reduce number of Win32 APIs called)
```

```
beacon> driversigs
[*] Running driversigs
[+] host called home, sent: 7726 bytes
[-] no slot for function (reduce number of Win32 APIs called)
```

Reproduction:

  1. git clone https://github.com/trustedsec/CS-Situational-Awareness-BOF.git
  2. cd CS-Situational-Awareness-BOF
  3. make_all
  4. Load CS-Situational-Awareness-BOF/SA.cna
  5. From an active x64 beacon session, run 'tasklist' or 'driversigs' (these are not the only ones)

I've written some internal/private ones that have not changed, but inherit the same libraries/common code, and they issue the same error. It may have been introduced as soon as commit fffdf75c187bec59e730adc84618d0b3bbd0b1f1 with its numerous additions to bofdefs.h; however, I have not attempted testing to confirm.

freefirex commented 2 years ago

Thanks for calling this out. I re-wrote the offending code and re-tested various modules. Everything should be good to go now!