A reimplementation of Cobalt Strike's Beacon Object File (BOF) Loader

Ap3x/COFF-Loader

COFF-Loader

This is a reimplementation of the TrustedSec COFF Loader. I decided to create this repo to challenge my understanding of the Windows PE format. This technique was originally used in Cobalt Strike. The project is set up for Visual Studio 2022, for those who wish to use the VS Debugger to trace the loader's memory operations step by step.

While coding this I mainly used the following resources:

Usage

COFFLoader.exe <function name> <COFF file path>

The function name is the name of the BOF's entry function. This is typically "go".

Example:

COFFLoader.exe "go" C:\Github\COFF-Loader\BOF\test64.out

BOF Arguments

In order to pass arguments to the BOF I used the exact same code that Otterhacker's COFF Loader uses. The struct is as follows:

typedef struct _Arg {
    char* value;
    size_t size;
    BOOL includeSize;
} Arg;

You can see an example of this used here on line 25.

Example

In the example below I used a BOF file that I modified from the TrustedSec BOF example. This simple BOF shows that the COFF loader was able to successfully relocate all the symbols in their different formats. The modified BOF is included as BOF/test.c. You can use the makefile to compile it with gcc, or run the following command:

x86_64-w64-mingw32-gcc -c test.c -o test64.out
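A small triage helper, added here as an example and not part of this repository: it walks the COFF symbol table the way the loader has to, and lists the undefined external symbols (the __imp_Beacon* and __imp_DLL$Function names) that must be resolved before go can be called. The record layouts come from the PE/COFF specification; the sample object is constructed in memory, so nothing here depends on the repo's test64.out.

```python
import struct

FILE_HEADER = struct.Struct("<HHIIIHH")        # Machine .. Characteristics, 20 bytes
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # Name .. Characteristics, 40 bytes
SYMBOL = struct.Struct("<8sIhHBB")             # Name, Value, SectionNumber, Type, StorageClass, NumberOfAuxSymbols
IMAGE_SYM_UNDEFINED, IMAGE_SYM_CLASS_EXTERNAL = 0, 2

def parse_coff(data: bytes):
    """Return (machine, [(name, section_number, storage_class), ...]) for a COFF object."""
    machine, _, _, symtab_off, nsyms, _, _ = FILE_HEADER.unpack_from(data, 0)
    strtab = data[symtab_off + nsyms * SYMBOL.size:]   # string table directly follows the symbol table
    symbols, i = [], 0
    while i < nsyms:
        raw, _, section, _, storage, naux = SYMBOL.unpack_from(data, symtab_off + i * SYMBOL.size)
        if raw[:4] == b"\0\0\0\0":                       # long name: dword offset into the string table
            off = struct.unpack_from("<I", raw, 4)[0]
            name = strtab[off:strtab.index(b"\0", off)].decode()
        else:
            name = raw.rstrip(b"\0").decode()            # short name stored inline, NUL padded
        symbols.append((name, section, storage))
        i += 1 + naux                                    # skip auxiliary records
    return machine, symbols

def unresolved_externals(data: bytes):
    """External symbols with no section: exactly the names a BOF loader must resolve at load time."""
    return [n for n, sec, sc in parse_coff(data)[1]
            if sec == IMAGE_SYM_UNDEFINED and sc == IMAGE_SYM_CLASS_EXTERNAL]

def beacon_api_imports(data: bytes):
    """The subset naming the Beacon API; their presence is a strong hint that an object is a BOF."""
    return [n for n in unresolved_externals(data) if n.startswith("__imp_Beacon")]

def build_sample_coff() -> bytes:
    """Constructed x64 object: empty .text, its section symbol (+1 aux), 'go', two undefined imports."""
    strtab = bytearray(b"\0\0\0\0")                     # leading dword holds the table's total size
    def long_name(s: str) -> bytes:
        off = len(strtab)
        strtab.extend(s.encode() + b"\0")
        return b"\0\0\0\0" + struct.pack("<I", off)
    records = [
        SYMBOL.pack(b".text", 0, 1, 0, 3, 1) + b"\0" * SYMBOL.size,  # static section symbol + aux
        SYMBOL.pack(b"go", 0, 1, 0x20, 2, 0),                         # defined external function
        SYMBOL.pack(long_name("__imp_BeaconPrintf"), 0, 0, 0x20, 2, 0),
        SYMBOL.pack(long_name("__imp_KERNEL32$GetCurrentProcessId"), 0, 0, 0x20, 2, 0),
    ]
    struct.pack_into("<I", strtab, 0, len(strtab))
    header = FILE_HEADER.pack(0x8664, 1, 0, FILE_HEADER.size + SECTION_HEADER.size, 5, 0, 0)  # 5 records incl. aux
    section = SECTION_HEADER.pack(b".text", 0, 0, 0, 0, 0, 0, 0, 0, 0x60000020)
    return header + section + b"".join(records) + bytes(strtab)
```

Run unresolved_externals on a real object (open the .out file in binary mode) to see which names the loader will need to resolve, and beacon_api_imports to flag Beacon API usage.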
