fix: resolve silent BOF crash — add missing DFR declarations

Root cause: 3 unresolved imports caused Cobalt Strike to silently
crash all BOFs before go() could execute:

- GetSidSubAuthority/GetSidSubAuthorityCount called without ADVAPI32$
  DFR prefix in helpers.c is_high_integrity()
- NdrClientCall2 from RPCRT4 used by bkrp.c but never declared in
  bofdefs.h

Since these were in common libraries linked into every BOF via ld -r,
all 19 BOFs were affected.

Fixes:
- bofdefs.h: Add ADVAPI32,
  ADVAPI32, RPCRT4 DFR decls
- helpers.c: Use ADVAPI32$ prefix for SID functions in BOF code path
- bkrp.h: Remove duplicate NdrClientCall2 decl (now in bofdefs.h)
- dpapi.cna: Fix keepass substr offset (7 -> 8)

Author: bhanunamikze

README.md

@@ -2,7 +2,7 @@
 
 **SharpDPAPI** ported to **Cobalt Strike Beacon Object Files (BOFs)** - 19 self-contained BOFs for DPAPI credential triage, all under 52KB each.
 
-> Full port of [GhostPack/SharpDPAPI](https://github.com/GhostPack/SharpDPAPI) by @harmj0y - including MS-BKRP RPC masterkey decryption, Chrome/Edge/Brave credential extraction, and machine-level DPAPI triage.
+> Full port of [GhostPack/SharpDPAPI](https://github.com/GhostPack/SharpDPAPI) - including MS-BKRP RPC masterkey decryption, Chrome/Edge/Brave credential extraction, and machine-level DPAPI triage.
 
 ---
 

dpapi.cna

@@ -243,7 +243,7 @@ beacon_command_register(
 alias keepass {
     local('%args $data $bid');
     $bid = $1;
-    %args = _parse_args(substr($0, 7));
+    %args = _parse_args(substr($0, 8));
 
     $data = _load_bof("keepass");
     $args = bof_pack($bid, "zzzzzii",

include/bkrp.h

@@ -13,14 +13,8 @@
 
 #include "bofdefs.h"
 
-/* ---- DFR for NdrClientCall2 (only declared here, not in bofdefs.h) ---- */
-#ifndef BKRP_NDRCLIENTCALL2_DECLARED
-#define BKRP_NDRCLIENTCALL2_DECLARED
-DECLSPEC_IMPORT void* CDECL RPCRT4$NdrClientCall2(
-    void* pStubDescriptor, void* pFormat, ...);
-#endif
-
 /* ---- Public API ---- */
+/* NdrClientCall2 DFR is declared in bofdefs.h */
 
 /*
  * bkrp_decrypt_masterkey — Decrypt a masterkey's domain key via MS-BKRP RPC

include/bofdefs.h

@@ -197,6 +197,8 @@ DECLSPEC_IMPORT LONG    WINAPI ADVAPI32$RegCloseKey(HKEY);
 DECLSPEC_IMPORT BOOL    WINAPI ADVAPI32$IsTextUnicode(const VOID*, int, LPINT);
 DECLSPEC_IMPORT BOOL    WINAPI ADVAPI32$GetTokenInformation(HANDLE, TOKEN_INFORMATION_CLASS, LPVOID, DWORD, PDWORD);
 DECLSPEC_IMPORT BOOL    WINAPI ADVAPI32$ConvertSidToStringSidW(PSID, LPWSTR*);
+DECLSPEC_IMPORT PDWORD  WINAPI ADVAPI32$GetSidSubAuthority(PSID, DWORD);
+DECLSPEC_IMPORT PUCHAR  WINAPI ADVAPI32$GetSidSubAuthorityCount(PSID);
 
 /* --- ncrypt.dll --- */
 DECLSPEC_IMPORT SECURITY_STATUS WINAPI NCRYPT$NCryptOpenStorageProvider(NCRYPT_PROV_HANDLE*, LPCWSTR, DWORD);
@@ -245,6 +247,7 @@ DECLSPEC_IMPORT long    WINAPI RPCRT4$RpcBindingFromStringBindingW(wchar_t*, voi
 DECLSPEC_IMPORT long    WINAPI RPCRT4$RpcStringFreeW(wchar_t**);
 DECLSPEC_IMPORT long    WINAPI RPCRT4$RpcBindingFree(void**);
 DECLSPEC_IMPORT long    WINAPI RPCRT4$RpcBindingSetAuthInfoExW(void*, wchar_t*, unsigned long, unsigned long, void*, unsigned long, RPC_SECURITY_QOS*);
+DECLSPEC_IMPORT void*   __cdecl RPCRT4$NdrClientCall2(void*, void*, ...);
 
 /* --- msvcrt.dll (CRT-like functions available in Windows) --- */
 DECLSPEC_IMPORT int     __cdecl MSVCRT$sprintf(char*, const char*, ...);

src/common/helpers.c

@@ -126,8 +126,8 @@ BOOL is_high_integrity(void) {
     if (!tml) { KERNEL32$CloseHandle(hToken); return FALSE; }
 
     if (ADVAPI32$GetTokenInformation(hToken, TokenIntegrityLevel, tml, dwSize, &dwSize)) {
-        DWORD* pCount = GetSidSubAuthorityCount(tml->Label.Sid);
-        DWORD integrity = *GetSidSubAuthority(tml->Label.Sid, *pCount - 1);
+        DWORD* pCount = (DWORD*)ADVAPI32$GetSidSubAuthorityCount(tml->Label.Sid);
+        DWORD integrity = *ADVAPI32$GetSidSubAuthority(tml->Label.Sid, *pCount - 1);
         result = (integrity >= SECURITY_MANDATORY_HIGH_RID);
     }