Unable to resolve thread_handle from KERNEL32

[rasta-mouse]

PS C:\Tools\RunOF\RunOF\RunOF> .\bin\x64\Debug\RunOF.exe -f ..\..\demo_files\demo_bof.x64.o
[*] Starting RunOF [x64]
[=] [ParsedArgs:Void .ctor(System.String[])] Parsing 2 Arguments: -f ..\..\demo_files\demo_bof.x64.o
[*] Loading object file ..\..\demo_files\demo_bof.x64.o
[=] [BofRunner:Void .ctor(RunOF.Internals.ParsedArgs)] Initialising bof runner
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] --- Loading object file from byte array ---
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Got file header. Architecture IMAGE_FILE_MACHINE_AMD64
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Parsing 8 section headers
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Parsing 73 symbols
[=] [Coff:Void FindSymbols()] Created list of 73 symbols
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Setting string table offset to 0x2786
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] We need to allocate 7 pages of memory
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Mapped image base @ 0x24fd3410000
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Section .text @ 154 sized FE0
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] This section needs 1 pages
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Copying section to 0x24FD3410000
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Updating section ptrToRawData to 0
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Section .data @ 0 sized 0
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Section .bss @ 0 sized 10
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] This section needs 1 pages
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Copying section to 0x24FD3411000
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Updating section ptrToRawData to 1000
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Section .drectve @ 1134 sized 10C
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] This section needs 1 pages
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Copying section to 0x24FD3412000
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Updating section ptrToRawData to 2000
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Section .rdata @ 1240 sized 620
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] This section needs 1 pages
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Copying section to 0x24FD3413000
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Updating section ptrToRawData to 3000
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Section .xdata @ 1860 sized 11C
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] This section needs 1 pages
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Copying section to 0x24FD3414000
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Updating section ptrToRawData to 4000
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Section .pdata @ 197C sized 120
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] This section needs 1 pages
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Copying section to 0x24FD3415000
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Updating section ptrToRawData to 5000
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Section /4 @ 1A9C sized 20
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] This section needs 1 pages
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Copying section to 0x24FD3416000
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Updating section ptrToRawData to 6000
[=] [Coff:Void .ctor(Byte[], RunOF.Internals.IAT)] Processing relocations...
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Processing 124 relocations for .text section from offset 1ABC
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Got reloc info: 17 - 23 - IMAGE_REL_AMD64_REL32 - @ 24FD3410017
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Relocation name: .rdata
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)]       Resolving internal reference
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] reloc_location: 0x24FD3410017, section offset: 0x0 reloc VA: 17
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Got reloc info: 1E - 34 - IMAGE_REL_AMD64_REL32 - @ 24FD341001E
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Relocation name: __imp_MSVCRT$printf
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Win32API function
[=] [IAT:IntPtr Resolve(System.String, System.String)] Resolving printf from MSVCRT
[=] [IAT:IntPtr Resolve(System.String, System.String)]  Got function address 7FF88A10C890
[=] [IAT:IntPtr Add(System.String, System.String, IntPtr)] Adding MSVCRT$printf at address 7FF88A10C890 to IAT address 24FD3400000
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Current value: 0
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)]       Write relocation to 24FD341001E
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Got reloc info: 27 - 23 - IMAGE_REL_AMD64_REL32 - @ 24FD3410027
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Relocation name: .rdata
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)]       Resolving internal reference
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] reloc_location: 0x24FD3410027, section offset: 0x0 reloc VA: 27
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Got reloc info: 2E - 35 - IMAGE_REL_AMD64_REL32 - @ 24FD341002E
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Relocation name: __imp_KERNEL32$LoadLibraryA
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Win32API function
[=] [IAT:IntPtr Resolve(System.String, System.String)] Resolving LoadLibraryA from KERNEL32
[=] [IAT:IntPtr Resolve(System.String, System.String)]  Got function address 7FF8880B95D0
[=] [IAT:IntPtr Add(System.String, System.String, IntPtr)] Adding KERNEL32$LoadLibraryA at address 7FF8880B95D0 to IAT address 24FD3400008
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Current value: 0
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)]       Write relocation to 24FD341002E
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Got reloc info: 51 - 36 - IMAGE_REL_AMD64_REL32 - @ 24FD3410051
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Relocation name: __imp_NTDLL$RtlNtStatusToDosError
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Win32API function
[=] [IAT:IntPtr Resolve(System.String, System.String)] Resolving RtlNtStatusToDosError from NTDLL
[=] [IAT:IntPtr Resolve(System.String, System.String)]  Got function address 7FF88A303810
[=] [IAT:IntPtr Add(System.String, System.String, IntPtr)] Adding NTDLL$RtlNtStatusToDosError at address 7FF88A303810 to IAT address 24FD3400010
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Current value: 0
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)]       Write relocation to 24FD3410051
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Got reloc info: 8B - 37 - IMAGE_REL_AMD64_REL32 - @ 24FD341008B
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Relocation name: __imp_FormatMessageA
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Win32API function
[=] [IAT:IntPtr Resolve(System.String, System.String)] Resolving FormatMessageA from KERNEL32
[=] [IAT:IntPtr Resolve(System.String, System.String)]  Got function address 7FF8880B9970
[=] [IAT:IntPtr Add(System.String, System.String, IntPtr)] Adding KERNEL32$FormatMessageA at address 7FF8880B9970 to IAT address 24FD3400018
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Current value: 0
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)]       Write relocation to 24FD341008B
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Got reloc info: C1 - 23 - IMAGE_REL_AMD64_REL32 - @ 24FD34100C1
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Relocation name: .rdata
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)]       Resolving internal reference
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] reloc_location: 0x24FD34100C1, section offset: 0x0 reloc VA: C1
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Got reloc info: C8 - 34 - IMAGE_REL_AMD64_REL32 - @ 24FD34100C8
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Relocation name: __imp_MSVCRT$printf
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Win32API function
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Current value: 0
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)]       Write relocation to 24FD34100C8
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Got reloc info: ED - 23 - IMAGE_REL_AMD64_REL32 - @ 24FD34100ED
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Relocation name: .rdata
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)]       Resolving internal reference
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] reloc_location: 0x24FD34100ED, section offset: 0x0 reloc VA: ED
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Got reloc info: F4 - 34 - IMAGE_REL_AMD64_REL32 - @ 24FD34100F4
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Relocation name: __imp_MSVCRT$printf
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Win32API function
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Current value: 0
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)]       Write relocation to 24FD34100F4
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Got reloc info: FD - 32 - IMAGE_REL_AMD64_REL32 - @ 24FD34100FD
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Relocation name: thread_handle
[=] [Coff:Void ResolveRelocs(RunOF.IMAGE_SECTION_HEADER)] Win32API function
[=] [IAT:IntPtr Resolve(System.String, System.String)] Resolving thread_handle from KERNEL32
[!!] Unable to load object file - System.Exception: Unable to resolve thread_handle from KERNEL32
   at RunOF.Internals.IAT.Resolve(String dll_name, String func_name) in C:\Tools\RunOF\RunOF\RunOF\Internals\IAT.cs:line 37
   at RunOF.Internals.Coff.ResolveRelocs(IMAGE_SECTION_HEADER section_header) in C:\Tools\RunOF\RunOF\RunOF\Internals\Coff.cs:line 532
   at System.Collections.Generic.List`1.ForEach(Action`1 action)
   at RunOF.Internals.Coff..ctor(Byte[] file_contents, IAT iat) in C:\Tools\RunOF\RunOF\RunOF\Internals\Coff.cs:line 181
[!!] Error! System.Exception: Unable to resolve thread_handle from KERNEL32
   at RunOF.Internals.BofRunner..ctor(ParsedArgs parsed_args) in C:\Tools\RunOF\RunOF\RunOF\Internals\BofRunner.cs:line 50
   at RunOF.Program.Main(String[] args) in C:\Tools\RunOF\RunOF\RunOF\Program.cs:line 45

[benpturner]

Thanks @rasta-mouse - we'll try and take a look into this.

[riskydissonance]

Hey, apologies for the slow response over xmas etc.

I'm not able to reproduce this with a fresh build from the master branch - I only get the error you get when using the wrong bof architecture for the binary (though from your logs it looks like you have it correct).

E.g. working:

Not working:

I appreciate "it works on my machine" isn't helpful but maybe just double check the files are named correctly in terms of architecture and have another go. I used make with mingw32 on WSL to build the dependencies if it helps.

Feel free to ping me on twitter/discord (am on the HTB server with the same name) if you want to dive into it a bit and we can re-open this if we confirm issues.

[riskydissonance]

Unable to reproduce locally but issue confirmed on @rasta-mouse 's build. Looking into it but have published working builds as a release in the interim.

[rasta-mouse]

Your build works with both the published BOF and my BOF. Issue certainly appears to be in my build of RunOF.

[checkymander]

Trying to implement this in a .net agent, and getting the same issue as rasta. Made some modifications to the code (mostly to change parsed_args to a dictionary rather than an object and removed debug messages)

In case it matters I'm running modified RunOF in an executable on .NET 7
Windows version: 22621.1105
Windows 11 Pro 22H2

[checkymander]

Update when I use this code to steal the embedded resource from your release, and use that it works fine lmao

using System.IO;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.Loader;

AssemblyLoadContext alc = new AssemblyLoadContext("");
Assembly assembly = alc.LoadFromAssemblyPath(@"C:\Users\Administrator\Downloads\RunOF_x64 (1)\RunOF.exe");

using(Stream s = assembly.GetManifestResourceStream("RunOF.beacon_funcs"))
{
    Console.WriteLine(s.Length);
    var file = File.Create(@"C:\users\Administrator\Downloads\stolen_beacon_funcs.o");
    byte[] buffer = new byte[8 * 1024];
    int len;
    while ((len = s.Read(buffer, 0, buffer.Length)) > 0)
    {
        file.Write(buffer, 0, len);
    }
    file.Close();

}

So, I think Rasta's issue has something to do with the Makefile, or the compilation environment?

[riskydissonance]

Hmm that's interesting aye 🤔and I assume if you build the beacon_funcs and use that you also hit the error?

[checkymander]

yep exactly, I built the beacon_funcs on an ubuntu 20.04 box using the Makefile and got the same issue as Rasta.

[checkymander]

Re-examining this, I compiled it in a more up to date Linux machine (Ubuntu 22.04) and it compiled and ran without issue. So it definitely seems like it's down to the version being run.