Let's write a Beacon Object File for Havoc C2 - Part 2
Learn how to handle user input in a Beacon Object File (BOF).
In this series of posts, I will create a Beacon Object File (BOF) that works with Havoc C2. I will start by implementing simple functionality and gradually increase the level of complexity.
If this is the first time you are learning about BOFs, I recommend that you read my posts, Enhancing C2 agent via Beacon Object Files (BOF) and Creating a simple beacon object file for Havoc C2 for a quick introduction to BOF and BOF development.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
In this part, I will cover how to handle user input in a BOF. I will expand on the message box BOF developed in the previous part. So far, we have a BOF that displays a hard-coded message in a message box on the target machine.
Let’s modify it to let the user specify a message. To work with user specified arguments, we will rely on the char *args variable that is passed to the go() function of the BOF:
int go(char *args, unsigned long len)
Here, args is a pointer to the buffer of type char which holds the user specified arguments. len stores the length of this buffer.
We can access arguments passed to a BOF in the following ways:
- Using args directly - This is similar to how command line arguments are accessed in a C or C++ program.
- Using the Packer class & Beacon APIs - Havoc C2 provides a Packer Python class that can be used to pack and dispatch user specified arguments from the Python script to the BOF. These arguments can be extracted in the BOF using the BeaconDataParse() and BeaconDataExtract() APIs. This is the most commonly used approach when working with BOFs.
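The following is an added example, not the post's code or Havoc's implementation: a bounds-checked parser for a length-prefixed argument buffer of the kind go() receives in args and len. The layout (4-byte little-endian total size, then a 4-byte length plus NUL-terminated string per field) and the names arg_parser, args_init and args_extract_str are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for a BOF argument parser (not Havoc's own type). */
typedef struct { const uint8_t *cur; size_t left; } arg_parser;

/* Read a little-endian 32-bit value; returns 0 if fewer than 4 bytes remain. */
static int read_u32(arg_parser *p, uint32_t *out) {
    if (p->left < 4) return 0;
    *out = (uint32_t)p->cur[0] | (uint32_t)p->cur[1] << 8 |
           (uint32_t)p->cur[2] << 16 | (uint32_t)p->cur[3] << 24;
    p->cur += 4; p->left -= 4;
    return 1;
}

/* Skip the assumed total-size prefix; reject it if it exceeds what len allows. */
int args_init(arg_parser *p, const char *args, unsigned long len) {
    uint32_t total;
    p->cur = (const uint8_t *)args; p->left = len;
    if (!read_u32(p, &total) || total > p->left) return 0;
    p->left = total;
    return 1;
}

/* Extract one length-prefixed string; NULL if truncated or not NUL-terminated. */
const char *args_extract_str(arg_parser *p, uint32_t *out_len) {
    uint32_t n;
    if (!read_u32(p, &n) || n == 0 || n > p->left) return NULL;
    if (p->cur[n - 1] != '\0') return NULL;
    const char *s = (const char *)p->cur;
    p->cur += n; p->left -= n;
    if (out_len) *out_len = n;
    return s;
}

/* Constructed sample: total=7, field length=3, "hi\0". */
static const char SAMPLE_OK[] = {7,0,0,0, 3,0,0,0, 'h','i',0};
/* Constructed sample: the field claims 64 bytes but only 3 follow. */
static const char SAMPLE_BAD[] = {7,0,0,0, 64,0,0,0, 'h','i',0};

int main(void) {
    arg_parser p; uint32_t n;
    if (args_init(&p, SAMPLE_OK, sizeof SAMPLE_OK))
        printf("ok:  %s\n", args_extract_str(&p, &n));
    if (args_init(&p, SAMPLE_BAD, sizeof SAMPLE_BAD))
        printf("bad: %s\n", args_extract_str(&p, &n) ? "accepted" : "rejected");
    return 0;
}
```

Every length read from the buffer is checked against the bytes actually remaining, so a malformed or truncated argument buffer is rejected instead of being read past its end.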
The code for the updated BOF which accepts a user specified message is as follows:
The code is available here.
Save the code in a .c file and compile it with the following command (use the beacon.h file available here):
x86_64-w64-mingw32-gcc -c message-box2.c -o message-box2.o -w
Next, let’s update the Python script to register the command to invoke this BOF. Remember, we can also use the inline-execute command to execute a BOF without registering a command in the Havoc C2 GUI.
The code is available here.
To load this in Havoc C2, go to Scripts → Script Manager → Load Script and select the message-box.py file.
To see the help for the message-box2 command, use:
help message-box2
Now, let's run the command:
message-box2 "This is a custom message from 100 Days of Red Team"
Note: The message-box2 BOF will not work properly when executed via the inline-execute command. There is a discrepancy in the way Havoc C2 handles arguments passed via the inline-execute command. I will cover that in a later post.
Red Team Notes
- User specified arguments can be accessed in a BOF via the args variable or by using the Packer class with the BeaconDataParse() and BeaconDataExtract() APIs.