Title: CobaltStrike secondary development

CS secondary development

Tools:

IDEA's own java-decompiler.jar

1 Decompiling CS

Taking macOS as an example, the java-decompiler.jar that ships with IDEA is located at:

/Applications/IntelliJ IDEA.app/Contents/plugins/java-decompiler/lib/java-decompiler.jar

Because its MANIFEST.MF has no Main-Class attribute, no main class is specified and java -jar cannot be used directly. To run a specific class inside the JAR, you must use java -cp, as in the following command:

How to use:

java -cp java-decompiler.jar org.jetbrains.java.decompiler.main.decompiler.ConsoleDecompiler -dgs=true cs_bin/cobaltstrike.jar cs_src

After decompiling, the output is automatically packaged into a JAR. Right-click it and decompress it, and you will see that it contains only .java files. This method is very convenient and needs no third-party tools. The decompiled source can be put directly into IntelliJ IDEA, which then provides code search and cross-references.

2 Preparing for CS secondary development

2.1 Creating the project

Open IntelliJ IDEA, select Create New Project, and keep clicking Next.

Create a project directory:

After creating it, first create two folders: right-click, select New Directory, and create a decompiled_src folder, then create a lib folder.

2.2 Configuring dependencies

Copy the CobaltStrike JAR that was just decompiled into decompiled_src, then unzip it to get the complete decompiled directory.

Then put the original CobaltStrike JAR (the one that was not decompiled) into the newly created lib.

Next, configure the project: click Project Structure in the File menu and set Dependencies under Modules.

Click Add Jar or Directories, add the original JAR package under ./lib, and check Export:

2.3 Finding the Main Class

Open ./lib/META-INF/MANIFEST.MF and copy the Main-Class value:

Copy the contents of MANIFEST.MF from the original package into the MANIFEST.MF in the project.
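The Main-Class check from sections 1 and 2.3, as an added example that is not part of the original post: it reads META-INF/MANIFEST.MF from a JAR, joins wrapped continuation lines, and chooses between java -jar and java -cp. The function names and the sample manifests (including com.example.tool.Launcher) are constructed for illustration.

```python
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def main_attributes(jar):
    """Return the main-section attributes of a JAR manifest ({} if no manifest).

    `jar` is a path or a binary file object.
    """
    with zipfile.ZipFile(jar) as zf:
        try:
            raw = zf.read(MANIFEST)
        except KeyError:
            return {}
    attrs, key = {}, None
    for line in raw.decode("utf-8", "replace").splitlines():
        if not line:                        # blank line ends the main section
            break
        if line.startswith(" ") and key:    # wrapped value continues here
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            attrs[key] = value.lstrip(" ")
    return attrs

def launch_argv(jar, jar_name, explicit_class=None):
    """Pick `java -jar` when Main-Class exists, else `java -cp` with a named class."""
    if main_attributes(jar).get("Main-Class"):
        return ["java", "-jar", jar_name]
    if explicit_class:
        return ["java", "-cp", jar_name, explicit_class]
    return None                             # nothing to launch without a class name

def build_sample_jar(manifest_text):
    """Constructed sample: an in-memory JAR that holds only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest_text)
    return buf

if __name__ == "__main__":
    wrapped = build_sample_jar(
        "Manifest-Version: 1.0\r\nMain-Class: com.example.tool.\r\n Launcher\r\n")
    print(main_attributes(wrapped))
    bare = build_sample_jar("Manifest-Version: 1.0\r\n")
    print(launch_argv(bare, "java-decompiler.jar",
        "org.jetbrains.java.decompiler.main.decompiler.ConsoleDecompiler"))
```

Attributes that appear after the first blank line belong to per-entry sections, so a Main-Class found there is ignored.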

2.4 Configuring Artifacts

Next, find the decompiled aggressor main class in the decompiled_src directory, right-click it, and select Refactor - Copy File to copy it to the same directory under src:

2.5 Compiling after modification

Click Build - Build Artifacts - build

3 Other IDEA tips

3.1 Comparing JAR packages

IDEA automatically decompiles when comparing binary files.

Command line form:

Windows:

/path/to/idea/bin/idea64.exe diff absolute/path/to/file1 absolute/path/to/file2

macOS:

"/Applications/IntelliJ IDEA.app/Contents/MacOS/idea" diff absolute/path/to/file1 absolute/path/to/file2

In IDEA:

Select the two files to be compared and press Command + D to compare them.
