POC tool to convert CobaltStrike BOF files to raw shellcode

Overview

BOF2Shellcode

POC tool to convert a Cobalt Strike BOF into raw shellcode.

Introduction

This code was written as part of a blog tutorial on how to convert an existing C tool, in this case @trustedsec's COFFLoader, into raw shellcode.

It uses techniques based on @thefLink's C-To-Shellcode-Examples repository.

Usage

First run make to build the bofloader.bin file.

After that the bof2shellcode.py script can be used to convert a BOF into raw shellcode.

Usage Examples

Converting the tasklist BOF to shellcode and executing it:

% python3 bof2shellcode.py -i tasklist.x64.o -o tasklist.x64.bin
Writing tasklist.x64.bin

load_sc.exe tasklist.x64.bin | c:\msys64\usr\bin\head.exe
Name                              ProcessId  ParentProcessId  SessionId CommandLine
System Idle Process                       0                0          0 (NULL)
System                                    4                0          0 (NULL)
Registry                                 92                4          0 (NULL)
smss.exe                                348                4          0 (NULL)
csrss.exe                               464              456          0 (NULL)
wininit.exe                             536              456          0 (NULL)
csrss.exe                               544              528          1 (NULL)
winlogon.exe                            628              528          1 (NULL)
services.exe                            636              536          0 (NULL)

Notes

This is purely a POC; it is missing some implementations of Beacon-related functions. For example, BeaconPrintf has been replaced by a simple printf call that writes to stdout.
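As an added triage example (not code from this repository), the following Python reads the COFF symbol table of a BOF object file and lists the Beacon API functions a loader has to supply, such as the BeaconPrintf mentioned above, separately from the other imports it must resolve. It relies only on the PE/COFF layouts and the `__imp_` prefix that compilers emit for declspec-imported symbols; the sample object is constructed inline rather than read from a real .o file.

```python
import struct

# COFF layouts from the PE/COFF spec: 20-byte file header, 18-byte symbol records.
COFF_HEADER = struct.Struct("<HHIIIHH")  # Machine, NumSections, TimeDateStamp, SymTabPtr, NumSymbols, OptHdrSize, Flags
SYMBOL = struct.Struct("<8sIhHBB")       # Name, Value, SectionNumber, Type, StorageClass, NumAuxSymbols
MACHINE_NAMES = {0x8664: "x64", 0x14C: "x86"}
IMAGE_SYM_UNDEFINED = 0                   # SectionNumber of a symbol the loader must resolve

def coff_symbols(data):
    """Yield (name, section_number) for each symbol record, skipping auxiliary records."""
    _m, _ns, _ts, symtab_off, nsyms, _o, _f = COFF_HEADER.unpack_from(data, 0)
    strtab = data[symtab_off + nsyms * SYMBOL.size:]  # string table follows the symbol table
    i = 0
    while i < nsyms:
        raw, _val, section, _typ, _cls, naux = SYMBOL.unpack_from(data, symtab_off + i * SYMBOL.size)
        if raw[:4] == b"\0\0\0\0":  # long name: bytes 4..8 are an offset into the string table
            off = struct.unpack_from("<I", raw, 4)[0]
            name = strtab[off:strtab.index(b"\0", off)].decode("ascii", "replace")
        else:
            name = raw.rstrip(b"\0").decode("ascii", "replace")
        yield name, section
        i += 1 + naux

def triage(data):
    """Return (arch, beacon_api, other_imports) for a BOF object."""
    machine = COFF_HEADER.unpack_from(data, 0)[0]
    beacon, other = [], []
    for name, section in coff_symbols(data):
        if section != IMAGE_SYM_UNDEFINED or not name.startswith("__imp_"):
            continue
        target = name[6:].lstrip("_")  # x86 objects add a leading underscore to C names
        (beacon if target.startswith("Beacon") else other).append(target)
    return MACHINE_NAMES.get(machine, hex(machine)), sorted(beacon), sorted(other)

def build_sample_coff(names, machine=0x8664):
    """Construct a minimal COFF object (test data, not a real BOF) listing `names` as undefined externals."""
    strtab, syms = bytearray(b"\0\0\0\0"), bytearray()
    for name in names:
        if len(name) > 8:  # long names live in the string table
            raw = struct.pack("<II", 0, len(strtab))
            strtab += name.encode() + b"\0"
        else:
            raw = name.encode().ljust(8, b"\0")
        syms += SYMBOL.pack(raw, 0, IMAGE_SYM_UNDEFINED, 0x20, 2, 0)  # type FUNC, class EXTERNAL
    struct.pack_into("<I", strtab, 0, len(strtab))  # string table starts with its own size
    return COFF_HEADER.pack(machine, 0, 0, COFF_HEADER.size, len(names), 0, 0) + bytes(syms) + bytes(strtab)

# Constructed sample: two Beacon API imports plus one LIBRARY$Function-style Win32 import and a plain symbol.
SAMPLE_BOF = build_sample_coff(["__imp_BeaconPrintf", "__imp_BeaconDataParse", "__imp_KERNEL32$GetProcAddress", "go"])

if __name__ == "__main__":
    print(triage(SAMPLE_BOF))
```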

Credits

Note that the code in this repository is heavily based on @trustedsec's COFFLoader and @thefLink's C-To-Shellcode-Examples repository.


Comments
  • Providing BOF arguments?

    First off, neat project! This is a really cool project you've put together. Looking through the code, it doesn't look like there's a way to provide arguments to the BOF before converting it to shellcode. Am I missing something? If BOF arguments aren't accepted, do you have recommendations for implementing that feature?

    opened by scottctaylor12