Command Profiler

C4 profiles allow users to configure custom commands. A profile can register reflective DLLs with the register_dll command, C# PEs with the register_pe command, and PIC object files with the register_obj command. The register_dll command configures how a reflective DLL gets placed in memory, and whether certain strings need to be extracted before the DLL is copied to memory and executed.

DLL Register

{
    "register_dll": {
        "boxreflect": {
            "file_path": "server_confs/boxreflect.dll",
            "description": "Loads a test reflective dll message box",
            "artifact": "WINAPI",
            "mainArgs": "NA",
            "optionalArg": "NA",
            "example": "boxcheck",
            "minimumArgCount": 1,
            "replace_str": {
                "boxit": "\\x00\\x00\\x00\\x00\\x00",
                "!This program cannot ": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00",
                "be run in DOS mode.": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
            }
        }
    }
}
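For defenders, the replace_str entries above leave a recognisable trace: a valid MZ/PE header whose DOS stub message has been overwritten with nulls. The following heuristic check is an added example, not code from the original page or the project. It assumes replace_str overwrites each key in the image with the same number of null bytes, and build_header, dos_stub_scrubbed and scan are hypothetical names run against constructed sample headers.

```python
import struct

STUB_CODE = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")  # stock MS-DOS stub code
STUB_MSG = b"This program cannot be run in DOS mode.\r\r\n$"
# Keys copied from the page's replace_str block; each is replaced by as many nulls.
PAGE_KEYS = (b"!This program cannot ", b"be run in DOS mode.")
MIN_ZERO_RUN = min(len(k) for k in PAGE_KEYS)  # shortest nulled span (19 bytes)


def build_header(scrub=False):
    """Constructed sample: 0x80-byte DOS header and stub, then a PE signature."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew points at the PE signature
    body = STUB_CODE + STUB_MSG
    hdr[0x40:0x40 + len(body)] = body
    image = bytes(hdr) + b"PE\x00\x00"
    if scrub:  # assumed replace_str behaviour: same-length null overwrite
        for key in PAGE_KEYS:
            image = image.replace(key, b"\x00" * len(key))
    return image


def dos_stub_scrubbed(buf, base=0):
    """True if a valid MZ/PE header at `base` has its stub message nulled out."""
    if buf[base:base + 2] != b"MZ" or base + 0x40 > len(buf):
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, base + 0x3C)
    pe = base + e_lfanew
    if e_lfanew <= 0x40 or buf[pe:pe + 4] != b"PE\x00\x00":
        return False  # not a PE header, or no stub region to inspect
    stub = buf[base + 0x40:pe]
    if b"This program cannot be run in DOS mode." in stub:
        return False  # intact stock stub
    # Message gone and a null run at least as long as the shortest page key.
    return b"\x00" * MIN_ZERO_RUN in stub


def scan(dump):
    """Offsets of every scrubbed header found in a memory or file dump."""
    hits, pos = [], dump.find(b"MZ")
    while pos != -1:
        if dos_stub_scrubbed(dump, pos):
            hits.append(pos)
        pos = dump.find(b"MZ", pos + 1)
    return hits
```

Images built with a custom or empty DOS stub can also lack the stock message, so treat a hit as a lead to correlate with other signals such as private executable memory with no backing file.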

PE Register

If you are not a fan of typing the whole C# script path on the badger command line, the register_pe command comes to the rescue. It lets you configure your own C# scripts under a specific command name by specifying them directly in the C4 profile.

{
    "register_pe": {
        "seatbelt": {
            "file_path": "server_confs/Seatbelt.exe",
            "description": "Runs Seatbelt C# executable",
            "artifact": "WINAPI",
            "mainArgs": "NA",
            "optionalArg": "NA",
            "example": "seatbelt",
            "minimumArgCount": 1
        }
    }
}

PIC Register

The register_obj command works similarly to register_pe, except that it loads position-independent object files with executable sections into memory and executes them. A detailed blog on how to write your own object file can be found here

{
    "register_obj": {
        "o_getprivs": {
            "file_path": "server_confs/getprivs.o",
            "description": "Get privilege of current user",
            "artifact": "WINAPI",
            "mainArgs": "NA",
            "optionalArg": "NA",
            "example": "o_getprivs",
            "minimumArgCount": 1
        }
    }
}