No-Consolation: Stealthy In-Memory PE Execution for Beacon
No-Consolation
This is a Beacon Object File (BOF) that executes unmanaged PEs inline and retrieves their output without allocating a console (i.e. spawning conhost.exe).
Features
- Supports 64-bit and 32-bit
- Supports EXEs and DLLs
- Does not create new processes
- Links modules to the PEB
- Saves binaries in memory
- Supports C++ exceptions (x64 only)
- Custom loads all dependencies
Use
Loading binaries into memory
Binaries are automatically encrypted and stored in memory after they are run the first time. This means that you do not need to constantly send the binary over the wire.
To execute a binary that has already been saved in memory, simply specify its name instead of its entire path. So, instead of running:
beacon> noconsolation --local C:\windows\system32\cmd.exe /c ipconfig
You would run:
--list-pes.
If you are done with some binary and wish to unload it, run --unload-pe mimikatz.exe.
Finally, if you want to run a binary without it being automatically loaded in memory, run it with --dont-save.
Loading PE’s dependencies
You can avoid all image load events by custom loading all the PE’s dependencies:
DLLs that use Thread Local Storage are not supported.
Copyright (c) 2024 Fortra