Running BOFs
Running BOFs in Nighthawk can be super frustrating, mainly due to the hard requirement that all arguments are passed to the BOF with the correct argument types.
This means that when we run this BOF, we need to do it like this:
execute-bof z:\tools\CS-Situational-Awareness-BOF\SA\netuser\netuser.x64.o go Z"targetuser" Z"targetdomain.fqdn.com"
You may be asking, WTF are those Z things before the args? The execute-bof help menu explains them a bit further:
| | Parameters must be prefixed with the expected type, these are: |
| | z - ASCII string (e.g z"foobar") |
| | Z - Wide char string (e.g Z"foobar") |
| | s - Short (2 byte) integer (e.g. s123) |
| | i - Integer (4 bytes) (e.g. i123456789) |
| | b - Binary as hex (e.g. b414243444546) |
| | |
| | If a type is prefixed with 'f' (eg. fb:foo.bin, z:bar.txt) then the relevant data is read from file rather than the command line. |
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
OK, so how did we choose between z and Z (between an ASCII String and a “Wide char string”)
Looking at the source code of the “netuser” bof, we find that the function accepts the “wchar” character type:
wchar = wide char. so we need to use Z. Remembering this off-hand for every BOF is not realistic, so we can build an alias that does it for us:
alias netuser "execute-bof z:\\tools\\CS-Situational-Awareness-BOF\\SA\\netuser\\netuser.x64.o go Z\"$1\" Z\"$2\"
see the Aliases page for a list of examples. you should only have to modify the file path.