BFG is now merged into AVET:
What & Why:
- bfg is a tool that helps you inject and execute shellcode/executables
- it uses some concepts from
- it is not meant to be another antivirus evasion tool
- this README covers use on Kali 2 (64bit) with tdm-gcc
How to install tdm-gcc with wine:
Even though a prebuilt make_bfg executable is included in the repository, you should compile it for your own system:
$ gcc -o make_bfg make_bfg.c
The purpose of make_bfg is to preconfigure a definition file (defs.h) so that the source code can be compiled in the next step. Let's have a look at the options of make_bfg; examples are given further below:
-i inject
    -i shellcode    to be used for shellcode injection
    -i dll          dll injection
-H Hollow target process and insert payload executable. Usage: bfg.exe target.exe
    Set -x flag to XOR-obfuscate the payload with a random byte key
    Set -a flag to use alternative obfuscation which is a little more complex
    It would be unwise to use both obfuscations at once. You have been warned...
    Set -X flag to specify that the hollowing target is a 64 bit process
-P inject shellcode by PID as argument, call bfg.exe PID for sc and bfg.exe my.dll PID for dll injection
-I inject shellcode by image name, call for example: pwn.exe keepass.exe
-l load and exec shellcode from a given file, call it with mytrojan.exe myshellcode.bin
-f compile and insert shellcode into the .exe, needs the filename of the shellcode file
-X compile for amd64 architecture
-p print debug information
-q quiet mode (hide console window)
-h help
Of course it is possible to run all commands step by step from the command line. But it is strongly recommended to use the build scripts or the
The build scripts are written to be called from within the bfg directory:
root@kalidan:~/tools/bfg# ./build/
Here are some explained examples of building the .exe files with the scripts in the build directory. Please refer to the build scripts themselves for further details.
- Hollow target 32 bit process and insert payload executable (here a simple exe with a messagebox).
- Hollow target 32 bit process and insert payload executable (here a metasploit-generated tcp reverse shell).
- Simply loads and execs a dll.
- Loads and executes a shellcode that is compiled into the .exe file.
- Loads and executes a shellcode from a file.
- Inject a dll by image name.
- Inject a dll by PID. Call with bfg.exe yourdll.dll PID.
- Inject a shellcode into a process by PID.
- Inject and load a shellcode into a process by PID.
- Loads and executes a shellcode that is injected into a process; therefore the name of the process (image name) has to be specified.
- Build an exe file that loads & execs a dll.
- Inject a dll by PID. Call with bfg.exe yourdll.dll PID.
- Inject a 64bit shellcode into a 64bit process.
- Hollow target 64 bit process and insert payload executable (here a simple exe with a messagebox).
- Hollow target 64 bit process and insert payload executable (here a metasploit-generated tcp reverse shell).
bfg_fabric is an assistant that loads all build scripts in the build directory (the name has to match build*.sh) and then lets the user edit the settings line by line.
A short explanation of process hollowing mechanics, some of which are used in this project, can be found in this presentation: