Load and execute COFF files and Cobalt Strike BOFs in-memory

Overview

COFFLoader2

This repo contains the source code of a Common Object File Format (COFF) loader, which is a rewrite of the research and implementation done by Kevin Haubris @Kev169 on the TrustedSec GitHub repo here. Kevin also wrote an article about building your own COFF loader.

Kevin did an excellent job in figuring out the relocations and implementing the beacon compatibility layer. This repo takes it a bit further by making the code prettier (beauty is in the eye of the beholder anyway) and more readable. It adds more comments, extracts COFF-related code into re-usable functions, uses MSVC-compliant functions, and fixes issues with MSVC-compiled BOFs. Also, while the code is initially inspired by Kevin's work, the approach to the implementation of the relocations and memory allocation is different.

Why?

Rewriting code is an excellent way to improve one's understanding of a topic. This was the main drive for rewriting the code. Another reason is that the original code is probably not meant for the VS toolchain, which is apparent in the fact that MSVC won't compile the code because of its insecure-function warnings and that the loader won't load MSVC-compiled BOFs. Since I like developing and compiling my BOFs with VS, this was another good reason to rewrite. Further, the original code seemed too complicated to my simple brain. For example, when I was trying to understand the original code, I found myself reading an if statement which is inside an else if that is inside another else which is inside a for loop that is inside another for loop. My brain couldn't keep up, the folks at TrustedSec are too smart for me haha. The code also lacked variables which made it quite challenging to read, so a rewrite seemed definitely worth the time and effort. Looking retrospectively, I am pretty happy about the decision!

What?

The rewrite is focused on the COFF-loading process only. I did not modify the beacon compatibility layer. A non-comprehensive list of changes:

  • Re-implemented the relocations. The code now performs relocations on the .text section only, which is sufficient to get the COFF executed. However, applying the relocations to any other section should be straightforward with the new structure
  • Improved readability by removing some nesting, using variables, and extracting some re-usable code into functions
  • Used WIN32 API calls to open and read the file instead of the standard library functions
  • Avoided double allocation for every section. The exception is the .text section, which is allocated again in a PAGE_EXECUTE_READWRITE memory region. The other sections are located in a PAGE_READONLY memory region.
  • Removed the fixed-size allocation for the function mapping and the check of whether the mapping is within the 4GB limit, by ensuring that the mapping is placed right after the .text section.
  • Added more error checking here and there
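An added example (not code from COFFLoader2 or from TrustedSec) of two checks the points above rely on: parsing the COFF file and section headers with every header-derived offset validated against the buffer length, and the signed 32-bit displacement check that a REL32-style relocation needs when the function table is not placed right after .text. The two-section object is constructed inline for the demo; the header layouts follow the PE/COFF specification.

```c
#include <stdint.h>
#include <string.h>
#define IMAGE_FILE_MACHINE_AMD64 0x8664   /* x64 only, as in the page's loader */
#pragma pack(push, 1)
typedef struct {                          /* COFF file header, 20 bytes */
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} CoffFileHeader;
typedef struct {                          /* section header, 40 bytes */
    char     Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} CoffSectionHeader;
/* Constructed two-section object for the demo, not real compiler output. */
static const struct { CoffFileHeader fh; CoffSectionHeader sh[2]; uint8_t data[4], text[8]; }
sample = { { IMAGE_FILE_MACHINE_AMD64, 2, 0, 0, 0, 0, 0 },
           { { ".data", 0, 0, 4, 100, 0, 0, 0, 0, 0xC0000040u },    /* data, RW */
             { ".text", 0, 0, 8, 104, 0, 0, 0, 0, 0x60000020u } },  /* code, RX */
           { 1, 2, 3, 4 }, { 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC } };
#pragma pack(pop)
/* Locate .text, checking every header-derived offset against the buffer length so a
 * malformed object cannot drive out-of-bounds reads. Returns the section index or -1. */
int find_text_section(const uint8_t *buf, size_t len, uint32_t *raw_off, uint32_t *raw_size) {
    CoffFileHeader fh;
    if (len < sizeof fh) return -1;
    memcpy(&fh, buf, sizeof fh);
    if (fh.Machine != IMAGE_FILE_MACHINE_AMD64) return -1;
    size_t hdr_end = sizeof fh + fh.SizeOfOptionalHeader;
    size_t table = (size_t)fh.NumberOfSections * sizeof(CoffSectionHeader);
    if (hdr_end > len || table > len - hdr_end) return -1;
    for (uint16_t i = 0; i < fh.NumberOfSections; i++) {
        CoffSectionHeader sh;
        memcpy(&sh, buf + hdr_end + i * sizeof sh, sizeof sh);
        if (sh.PointerToRawData > len || sh.SizeOfRawData > len - sh.PointerToRawData) return -1;
        if (strncmp(sh.Name, ".text", sizeof sh.Name) == 0) {
            *raw_off = sh.PointerToRawData; *raw_size = sh.SizeOfRawData; return i;
        }
    }
    return -1;
}
/* A 32-bit relative relocation stores target - (site + 4) as a signed displacement, so the
 * target must lie within +/-2 GiB of the site; a loader placing its function table elsewhere
 * than right after .text (the page's approach) has to verify this before patching. */
int rel32_fits(uint64_t site, uint64_t target) {
    int64_t disp = (int64_t)(target - (site + 4));
    return disp >= INT32_MIN && disp <= INT32_MAX;
}
```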

Todo

While I didn't have any issues with testing, I'll maintain the original disclaimer: this code should be used for testing purposes only, and it needs further testing before being used in production.

What I'd like to do from here is to use the loader over the network, take a deeper look into the beacon compatibility layer to see how this can be transformed into a COFF-based C2, and perhaps add x86 support. Much more can be added or modified, but at one point I realized that the cycle of refactoring can continue forever and wanted to share a first version. Hopefully a blog post and more comments will follow.

Credits

  1. Huge thanks to Kevin @Kev169 and the TrustedSec team for sharing their code. Going through the code and rewriting it made me realize the great effort and time invested in the original implementation. Great job Kevin and TrustedSec!
  2. Patryk Czeczko (@0xpat) wrote a nice article about COFF loaders on his blog, which was quite useful.
  3. While not directly related to the re-implementation, I liked the BOF2Shellcode article by Gijs Hollestelle (@gijs_h) and found it to be an exciting read.
Owner: Yasser