Ps bof

.github/ci/tasks.yaml

@@ -74,10 +74,7 @@ tasks:
 
   # copy-wildcard-match
   - cmdline: "copy C:\\Temp\\fsbof-test\\*.log C:\\Temp\\fsbof-test\\dest\\"
-    expected: |
-      C:\Temp\fsbof-test\file1.log
-      C:\Temp\fsbof-test\file2.log
-              2 file(s) copied.
+    expected_regex: "(?s)C:\\\\Temp\\\\fsbof-test\\\\file1\\.log.*C:\\\\Temp\\\\fsbof-test\\\\file2\\.log|C:\\\\Temp\\\\fsbof-test\\\\file2\\.log.*C:\\\\Temp\\\\fsbof-test\\\\file1\\.log"
 
   # copy-wildcard-no-match
   - cmdline: "copy C:\\Temp\\fsbof-test\\*.xyz C:\\Temp\\fsbof-test\\dest\\"
@@ -106,10 +103,7 @@ tasks:
 
   # move-wildcard-match
   - cmdline: "move C:\\Temp\\fsbof-test\\*.log C:\\Temp\\fsbof-test\\moved\\"
-    expected: |
-      C:\Temp\fsbof-test\file1.log
-      C:\Temp\fsbof-test\file2.log
-              2 file(s) moved.
+    expected_regex: "(?s)C:\\\\Temp\\\\fsbof-test\\\\file1\\.log.*C:\\\\Temp\\\\fsbof-test\\\\file2\\.log|C:\\\\Temp\\\\fsbof-test\\\\file2\\.log.*C:\\\\Temp\\\\fsbof-test\\\\file1\\.log"
 
   # move-wildcard-no-match
   - cmdline: "move C:\\Temp\\fsbof-test\\*.xyz C:\\Temp\\fsbof-test\\moved\\"
@@ -173,3 +167,39 @@ tasks:
   # pwd-happy-path-step2
   - cmdline: "pwd"
     expected: "C:\\Temp\\fsbof-test"
+
+  # ── PS-BOF ──
+
+  # ps-list
+  - cmdline: "ps list"
+    expected: "System"
+
+  # ps-list-lsass
+  - cmdline: "ps list"
+    expected: "lsass.exe"
+
+  # ps-run-spawn-ping (CI-02/04/05/06 fixture — ping runs indefinitely on server SKUs)
+  - cmdline: 'ps run --command "ping -n 999 127.0.0.1"'
+    expected_regex: "Process started: PID \\d+"
+    capture:
+      pid: "Process started: PID (\\d+)"
+
+  # ps-run-pipe-whoami (CI-03)
+  - cmdline: 'ps run --command "cmd.exe /c whoami" --pipe'
+    expected_regex: "(?i)ci_runner"
+
+  # ps-grep (CI-04)
+  - cmdline: "ps grep {{pid}}"
+    expected_regex: "(?s)\\[Token\\].*\\[Modules\\].*\\[Cmdline\\].*\\[Threads\\]"
+
+  # ps-suspend (CI-05)
+  - cmdline: "ps suspend {{pid}}"
+    not_expected: "error"
+
+  # ps-resume (CI-06)
+  - cmdline: "ps resume {{pid}}"
+    not_expected: "error"
+
+  # ps-kill (CI-02)
+  - cmdline: "ps kill {{pid}}"
+    not_expected: "error"

.github/workflows/test.yaml

@@ -264,6 +264,10 @@ jobs:
               cp /workspace/FS-BOF/_bin/*.o /tmp/adaptixc2/dist/BOF-Collection/FS-BOF/_bin/
               cp /workspace/FS-BOF/fs.axs /tmp/adaptixc2/dist/BOF-Collection/FS-BOF/fs.axs
               cp /workspace/Exit-BOF/_bin/*.o /tmp/adaptixc2/dist/BOF-Collection/Exit-BOF/_bin/
+              mkdir -p /tmp/adaptixc2/dist/BOF-Collection/PS-BOF/_bin
+              cp /workspace/PS-BOF/_bin/*.o /tmp/adaptixc2/dist/BOF-Collection/PS-BOF/_bin/
+              cp /workspace/PS-BOF/ps.axs /tmp/adaptixc2/dist/BOF-Collection/PS-BOF/
+              cp /workspace/bof-collection.axs /tmp/adaptixc2/dist/BOF-Collection/
 
               # ── Build verification ───────────────────────────────────────
               echo "=== Build verification ==="
@@ -273,8 +277,16 @@ jobs:
               count=$(ls /tmp/adaptixc2/dist/BOF-Collection/FS-BOF/_bin/*.x64.o | wc -l)
               [ "$count" -eq 8 ] && echo "✓ All 8 FS-BOF x64 objects deployed to container" || \
                 { echo "✗ Expected 8 FS-BOF x64 objects in container bin, got $count"; exit 1; }
+              count=$(ls /workspace/PS-BOF/_bin/*.x64.o | wc -l)
+              [ "$count" -eq 6 ] && echo "✓ All 6 PS-BOF x64 objects compiled" || \
+                { echo "✗ Expected 6 PS-BOF x64 objects, got $count"; exit 1; }
+              count=$(ls /tmp/adaptixc2/dist/BOF-Collection/PS-BOF/_bin/*.x64.o | wc -l)
+              [ "$count" -eq 6 ] && echo "✓ All 6 PS-BOF x64 objects deployed to container" || \
+                { echo "✗ Expected 6 PS-BOF x64 objects in container bin, got $count"; exit 1; }
               echo "=== Build verification passed ==="
 
+              uv tool install --reinstall "git+https://github.com/TheGr3atJosh/Testing-Kit@c53a47d"
+
               # ── Server startup ───────────────────────────────────────────
               echo "Generating required TLS certificate..."
               openssl req -x509 -nodes -newkey rsa:2048 \

Makefile

@@ -1,4 +1,4 @@
-SUBDIRS := FS-BOF Exit-BOF
+SUBDIRS := FS-BOF Exit-BOF PS-BOF
 
 .PHONY: all $(SUBDIRS) clean docker-build
 

PS-BOF/Makefile

@@ -0,0 +1,25 @@
+CC64 = x86_64-w64-mingw32-gcc
+CC86 = i686-w64-mingw32-gcc
+STRIP64 = x86_64-w64-mingw32-strip --strip-unneeded
+STRIP86 = i686-w64-mingw32-strip --strip-unneeded
+CFLAGS = -I ../_include -I _include -w -Wno-incompatible-pointer-types -Os -DBOF -c
+
+all: bof
+
+bof: clean
+	@(mkdir _bin 2>/dev/null) && echo 'creating _bin directory' || echo '_bin directory exists'
+	@($(CC64) $(CFLAGS) list/list.c -o _bin/list.x64.o && $(STRIP64) _bin/list.x64.o) && echo '[+] list x64' || echo '[!] list x64'
+	@($(CC86) $(CFLAGS) list/list.c -o _bin/list.x32.o && $(STRIP86) _bin/list.x32.o) && echo '[+] list x32' || echo '[!] list x32'
+	@($(CC64) $(CFLAGS) kill/kill.c -o _bin/kill.x64.o && $(STRIP64) _bin/kill.x64.o) && echo '[+] kill x64' || echo '[!] kill x64'
+	@($(CC86) $(CFLAGS) kill/kill.c -o _bin/kill.x32.o && $(STRIP86) _bin/kill.x32.o) && echo '[+] kill x32' || echo '[!] kill x32'
+	@($(CC64) $(CFLAGS) run/run.c -o _bin/run.x64.o && $(STRIP64) _bin/run.x64.o) && echo '[+] run x64' || echo '[!] run x64'
+	@($(CC86) $(CFLAGS) run/run.c -o _bin/run.x32.o && $(STRIP86) _bin/run.x32.o) && echo '[+] run x32' || echo '[!] run x32'
+	@($(CC64) $(CFLAGS) grep/grep.c -o _bin/grep.x64.o && $(STRIP64) _bin/grep.x64.o) && echo '[+] grep x64' || echo '[!] grep x64'
+	@($(CC86) $(CFLAGS) grep/grep.c -o _bin/grep.x32.o && $(STRIP86) _bin/grep.x32.o) && echo '[+] grep x32' || echo '[!] grep x32'
+	@($(CC64) $(CFLAGS) suspend/suspend.c -o _bin/suspend.x64.o && $(STRIP64) _bin/suspend.x64.o) && echo '[+] suspend x64' || echo '[!] suspend x64'
+	@($(CC86) $(CFLAGS) suspend/suspend.c -o _bin/suspend.x32.o && $(STRIP86) _bin/suspend.x32.o) && echo '[+] suspend x32' || echo '[!] suspend x32'
+	@($(CC64) $(CFLAGS) resume/resume.c -o _bin/resume.x64.o && $(STRIP64) _bin/resume.x64.o) && echo '[+] resume x64' || echo '[!] resume x64'
+	@($(CC86) $(CFLAGS) resume/resume.c -o _bin/resume.x32.o && $(STRIP86) _bin/resume.x32.o) && echo '[+] resume x32' || echo '[!] resume x32'
+
+clean:
+	@(rm -rf _bin)

PS-BOF/README.md

@@ -0,0 +1,60 @@
+# PS-BOF
+
+Process management operations: ps list, ps kill, ps run, ps grep, ps suspend, ps resume.
+
+## ps list
+
+List all running processes. Output columns: PID, PPID, session ID, owner (domain\user), architecture.
+
+```
+ps list
+```
+
+## ps kill
+
+Terminate a process by PID. Optional exit code argument (defaults to 1 if omitted).
+
+```
+ps kill <PID> [exit_code]
+```
+
+## ps run
+
+Launch a new process. Supports default CreateProcess, credential-based launch (WithLogon), and token-based launch (WithToken), with optional PPID spoofing and stdout/stderr pipe capture.
+
+```
+ps run --command <cmd> [--pipe] [--ppid <PID>] [--state suspended] [--domain <domain> --username <user> --password <pass>] [--token <handle>]
+```
+
+- `--command <cmd>` — Command line to execute (required)
+- `--pipe` — Capture stdout/stderr via anonymous pipe
+- `--ppid <PID>` — Spoof parent PID
+- `--state suspended` — Launch process in suspended state
+- `--domain <domain>` — Domain for CreateProcessWithLogon
+- `--username <user>` — Username for CreateProcessWithLogon
+- `--password <pass>` — Password for CreateProcessWithLogon
+- `--token <handle>` — Token handle for CreateProcessWithToken
+
+## ps grep
+
+Inspect a process by PID. Output sections: token (owner, elevated flag, integrity level), modules (name, base address, entry point, size), command line, threads (TIDs).
+
+```
+ps grep <PID>
+```
+
+## ps suspend
+
+Suspend a process by PID.
+
+```
+ps suspend <PID>
+```
+
+## ps resume
+
+Resume a suspended process by PID.
+
+```
+ps resume <PID>
+```