Adaptix-Framework · MaorSabag · Mar 23, 2026
diff --git a/SAL-BOF/Makefile b/SAL-BOF/Makefile
@@ -35,6 +35,11 @@ bof: clean
 	@($(CC64) $(CFLAGS) privcheck/pshistory.c -o _bin/pshistory.x64.o && $(STRIP64) _bin/pshistory.x64.o) && echo '[+] pshistory x64' || echo '[!] pshistory x64'
 	@($(CC64) $(CFLAGS) privcheck/uacstatus.c -o _bin/uacstatus.x64.o && $(STRIP64) _bin/uacstatus.x64.o) && echo '[+] uacstatus x64' || echo '[!] uacstatus x64'
 	@($(CC64) $(CFLAGS) privcheck/privcheck_all.c -o _bin/privcheck_all.x64.o && $(STRIP64) _bin/privcheck_all.x64.o) && echo '[+] privcheck_all x64' || echo '[!] privcheck_all x64'
+	@($(CC64) $(CFLAGS) reg/query/query.c -I reg -o _bin/reg_query.x64.o && $(STRIP64) _bin/reg_query.x64.o) && echo '[+] reg query x64' || echo '[!] reg query x64'
+	@($(CC64) $(CFLAGS) reg/write/write.c -I reg -o _bin/reg_write.x64.o && $(STRIP64) _bin/reg_write.x64.o) && echo '[+] reg write x64' || echo '[!] reg write x64'
+	@($(CC64) $(CFLAGS) reg/delete/delete.c -I reg -o _bin/reg_delete.x64.o && $(STRIP64) _bin/reg_delete.x64.o) && echo '[+] reg delete x64' || echo '[!] reg delete x64'
+	@($(CC64) $(CFLAGS) reg/find/find.c -I reg -o _bin/reg_find.x64.o && $(STRIP64) _bin/reg_find.x64.o) && echo '[+] reg find x64' || echo '[!] reg find x64'
+
 
 	# 32-bit builds
 	@($(CC86) $(CFLAGS) arp/arp.c -o _bin/arp.x32.o && $(STRIP86) _bin/arp.x32.o) && echo '[+] arp x32' || echo '[!] arp x32'
@@ -62,5 +67,10 @@ bof: clean
 	@($(CC86) $(CFLAGS) privcheck/pshistory.c -o _bin/pshistory.x32.o && $(STRIP86) _bin/pshistory.x32.o) && echo '[+] pshistory x32' || echo '[!] pshistory x32'
 	@($(CC86) $(CFLAGS) privcheck/uacstatus.c -o _bin/uacstatus.x32.o && $(STRIP86) _bin/uacstatus.x32.o) && echo '[+] uacstatus x32' || echo '[!] uacstatus x32'
 	@($(CC86) $(CFLAGS) privcheck/privcheck_all.c -o _bin/privcheck_all.x32.o && $(STRIP86) _bin/privcheck_all.x32.o) && echo '[+] privcheck_all x32' || echo '[!] privcheck_all x32'
+	@($(CC86) $(CFLAGS) reg/query/query.c -I reg -o _bin/reg_query.x32.o && $(STRIP86) _bin/reg_query.x32.o) && echo '[+] reg query x32' || echo '[!] reg query x32'
+	@($(CC86) $(CFLAGS) reg/write/write.c -I reg -o _bin/reg_write.x32.o && $(STRIP86) _bin/reg_write.x32.o) && echo '[+] reg write x32' || echo '[!] reg write x32'
+	@($(CC86) $(CFLAGS) reg/delete/delete.c -I reg -o _bin/reg_delete.x32.o && $(STRIP86) _bin/reg_delete.x32.o) && echo '[+] reg delete x32' || echo '[!] reg delete x32'
+	@($(CC86) $(CFLAGS) reg/find/find.c -I reg -o _bin/reg_find.x32.o && $(STRIP86) _bin/reg_find.x32.o) && echo '[+] reg find x32' || echo '[!] reg find x32'
+
 clean:
 	@(rm -rf _bin)
diff --git a/SAL-BOF/reg/anticrash.c b/SAL-BOF/reg/anticrash.c
@@ -0,0 +1,21 @@
+#include <stdarg.h>
+#include "bofdefs.h"
+//For some reason char *[] is invalid in BOF files
+//So this function stands to work around that problem
+
+//makes a char *[] since we can't seem to otherwise
+//count is the number of strings you're passing in will crash if this is wrong
+
+//Must call intFree on returned result
+char ** antiStringResolve(unsigned int count, ...)
+{
+    va_list strings;
+    va_start(strings, count);
+    char ** result = intAlloc(sizeof(char *) * count);
+    for(int i = 0; i < count; i++)
+    {
+        result[i] = (char *)va_arg(strings, char *);
+    }
+    va_end(strings);
+    return result;
+}
diff --git a/SAL-BOF/reg/base.c b/SAL-BOF/reg/base.c
@@ -0,0 +1,207 @@
+#include <windows.h>
+#include "bofdefs.h"
+#include "beacon.h"
+#ifndef bufsize
+#define bufsize 8192
+#endif
+
+
+char * output __attribute__((section (".data"))) = 0;  // this is just done so its we don't go into .bss which isn't handled properly
+WORD currentoutsize __attribute__((section (".data"))) = 0;
+HANDLE trash __attribute__((section (".data"))) = NULL; // Needed for x64 to not give relocation error
+
+#ifdef BOF
+int bofstart();
+void internal_printf(const char* format, ...);
+void printoutput(BOOL done);
+#endif
+char * Utf16ToUtf8(const wchar_t* input);
+
+int bofstart()
+{   
+    output = (char*)MSVCRT$calloc(bufsize, 1);
+    currentoutsize = 0;
+    return 1;
+}
+
+void internal_printf(const char* format, ...){
+    int buffersize = 0;
+    int transfersize = 0;
+    char * curloc = NULL;
+    char* intBuffer = NULL;
+    va_list args;
+    va_start(args, format);
+    buffersize = MSVCRT$vsnprintf(NULL, 0, format, args); // +1 because vsprintf goes to buffersize-1 , and buffersize won't return with the null
+    va_end(args);
+
+    // vsnprintf will return -1 on encoding failure (ex. non latin characters in Wide string)
+    if (buffersize == -1)
+        return;
+
+    char* transferBuffer = (char*)intAlloc(bufsize);
+    intBuffer = (char*)intAlloc(buffersize);
+    /*Print string to memory buffer*/
+    va_start(args, format);
+    MSVCRT$vsnprintf(intBuffer, buffersize, format, args); // tmpBuffer2 has a null terminated string
+    va_end(args);
+    if(buffersize + currentoutsize < bufsize) // If this print doesn't overflow our output buffer, just buffer it to the end
+    {
+        //BeaconFormatPrintf(&output, intBuffer);
+        memcpy(output+currentoutsize, intBuffer, buffersize);
+        currentoutsize += buffersize;
+    }
+    else // If this print does overflow our output buffer, lets print what we have and clear any thing else as it is likely this is a large print
+    {
+        curloc = intBuffer;
+        while(buffersize > 0)
+        {
+            transfersize = bufsize - currentoutsize; // what is the max we could transfer this request
+            if(buffersize < transfersize) //if I have less then that, lets just transfer what's left
+            {
+                transfersize = buffersize;
+            }
+            memcpy(output+currentoutsize, curloc, transfersize); // copy data into our transfer buffer
+            currentoutsize += transfersize;
+            if(currentoutsize == bufsize)
+            {
+            printoutput(FALSE); // sets currentoutsize to 0 and prints
+            }
+            memset(transferBuffer, 0, transfersize); // reset our transfer buffer
+            curloc += transfersize; // increment by how much data we just wrote
+            buffersize -= transfersize; // subtract how much we just wrote from how much we are writing overall
+        }
+    }
+    intFree(intBuffer);
+    intFree(transferBuffer);
+}
+
+void printoutput(BOOL done)
+{
+
+    char * msg = NULL;
+    BeaconOutput(CALLBACK_OUTPUT, output, currentoutsize);
+    currentoutsize = 0;
+    memset(output, 0, bufsize);
+    if(done) {MSVCRT$free(output); output=NULL;}
+}
+
+
+#ifdef DYNAMIC_LIB_COUNT
+
+
+typedef struct loadedLibrary {
+    HMODULE hMod; // mod handle
+    const char * name; // name normalized to uppercase
+}loadedLibrary, *ploadedLibrary;
+loadedLibrary loadedLibraries[DYNAMIC_LIB_COUNT] __attribute__((section (".data"))) = {0};
+DWORD loadedLibrariesCount __attribute__((section (".data"))) = 0;
+
+BOOL intstrcmp(LPCSTR szLibrary, LPCSTR sztarget)
+{
+    BOOL bmatch = FALSE;
+    DWORD pos = 0;
+    while(szLibrary[pos] && sztarget[pos])
+    {
+        if(szLibrary[pos] != sztarget[pos])
+        {
+            goto end;
+        }
+        pos++;
+    }
+    if(szLibrary[pos] | sztarget[pos]) // if either of these down't equal null then they can't match
+        {goto end;}
+    bmatch = TRUE;
+
+    end:
+    return bmatch;
+}
+
+FARPROC DynamicLoad(const char * szLibrary, const char * szFunction)
+{
+    FARPROC fp = NULL;
+    HMODULE hMod = NULL;
+    DWORD i = 0;
+    DWORD liblen = 0;
+    for(i = 0; i < loadedLibrariesCount; i++)
+    {
+        if(intstrcmp(szLibrary, loadedLibraries[i].name))
+        {
+            hMod = loadedLibraries[i].hMod;
+        }
+    }
+    if(!hMod)
+    {
+        hMod = LoadLibraryA(szLibrary);
+        if(!hMod){ 
+            BeaconPrintf(CALLBACK_ERROR, "*** DynamicLoad(%s) FAILED!\nCould not find library to load.", szLibrary);
+            return NULL;
+        }
+        loadedLibraries[loadedLibrariesCount].hMod = hMod;
+        loadedLibraries[loadedLibrariesCount].name = szLibrary; //And this is why this HAS to be a constant or not freed before bofstop
+        loadedLibrariesCount++;
+    }
+    fp = GetProcAddress(hMod, szFunction);
+
+    if (NULL == fp)
+    {
+        BeaconPrintf(CALLBACK_ERROR, "*** DynamicLoad(%s) FAILED!\n", szFunction);
+    }
+    return fp;
+}
+#endif
+
+
+char* Utf16ToUtf8(const wchar_t* input)
+{
+    int ret = KERNEL32$WideCharToMultiByte(
+        CP_UTF8,
+        0,
+        input,
+        -1,
+        NULL,
+        0,
+        NULL,
+        NULL
+    );
+
+    char* newString = (char*)intAlloc(sizeof(char) * ret);
+
+    ret = KERNEL32$WideCharToMultiByte(
+        CP_UTF8,
+        0,
+        input,
+        -1,
+        newString,
+        sizeof(char) * ret,
+        NULL,
+        NULL
+    );
+
+    if (0 == ret)
+    {
+        goto fail;
+    }
+
+retloc:
+    return newString;
+/*location to free everything centrally*/
+fail:
+    if (newString){
+        intFree(newString);
+        newString = NULL;
+    };
+    goto retloc;
+}
+
+//release any global functions here
+void bofstop()
+{
+#ifdef DYNAMIC_LIB_COUNT
+    DWORD i;
+    for(i = 0; i < loadedLibrariesCount; i++)
+    {
+        FreeLibrary(loadedLibraries[i].hMod);
+    }
+#endif
+	return;
+}