{"id":13578681,"url":"https://github.com/hakaioffsec/coffee","last_synced_at":"2025-04-05T19:33:27.342Z","repository":{"id":176361342,"uuid":"657006112","full_name":"hakaioffsec/coffee","owner":"hakaioffsec","description":"A COFF loader made in Rust","archived":false,"fork":false,"pushed_at":"2024-10-12T19:51:31.000Z","size":104,"stargazers_count":282,"open_issues_count":1,"forks_count":43,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-03-12T05:48:55.781Z","etag":null,"topics":["bof","cobalt-strike","coff","coff-loader","rust"],"latest_commit_sha":null,"homepage":"https://labs.hakaioffsec.com/coffee-a-coff-loader-made-in-rust/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hakaioffsec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-22T05:42:01.000Z","updated_at":"2025-03-10T09:49:03.000Z","dependencies_parsed_at":"2024-01-16T20:29:02.527Z","dependency_job_id":"ff918ded-88cf-495c-b577-ae40283c9b48","html_url":"https://github.com/hakaioffsec/coffee","commit_stats":null,"previous_names":["hakaioffsec/coffee"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hakaioffsec%2Fcoffee","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hakaioffsec%2Fcoffee/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hakaioffsec%2Fcoffee/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hakaioffsec%2Fcoffee/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hakaioffsec","download_url":"https://codeload.github.com/hakaioffsec/coffee/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247393095,"owners_count":20931804,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bof","cobalt-strike","coff","coff-loader","rust"],"created_at":"2024-08-01T15:01:32.871Z","updated_at":"2025-04-05T19:33:26.502Z","avatar_url":"https://github.com/hakaioffsec.png","language":"Rust","funding_links":[],"categories":["Rust"],"sub_categories":[],"readme":"# Coffee\r\n\r\nCoffee is a custom implementation of the original Cobalt Strike's [beacon_inline_execute](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics_aggressor-scripts/as-resources_functions.htm#beacon_inline_execute). It is written in Rust and supports most of the features of the Cobalt Strike compatibility layer. Coffee is structured so it can be used as a library in other projects too.\r\n\r\nThe original blog post can be found here: \u003chttps://labs.hakaioffsec.com/coffee-a-coff-loader-made-in-rust/\u003e\r\n\r\n## Usage\r\n\r\n```bash\r\n$ coffee.exe -h\r\nCoffee: A COFF loader made in Rust\r\n\r\nUsage: coffee.exe [OPTIONS] --bof-path \u003cBOF_PATH\u003e [-- \u003cARGS\u003e...]\r\n\r\nArguments:\r\n  [ARGS]...  Arguments to the BOF passed after the \"--\" delimiter, supported types are: str, wstr, int, short, bin\r\n\r\nOptions:\r\n  -b, --bof-path \u003cBOF_PATH\u003e      Path to the Beacon Object File (BOF)\r\n  -e, --entrypoint \u003cENTRYPOINT\u003e  The entrypoint name to execute in case of a custom entrypoint name [default: go]\r\n  -v, --verbosity \u003cVERBOSITY\u003e    Verbosity level, 0 = ERROR, 1 = WARN, 2 = INFO, 3 = DEBUG, 4 = TRACE [default: 0]\r\n  -h, --help                     Print help\r\n  -V, --version                  Print version\r\n```\r\n\r\n### Arguments\r\n\r\nArguments for the BOF can be passed after the `--` delimiter. Each argument must be prefixed with the type of the argument followed by a colon (`:`). The following types are supported:\r\n\r\n- `str` - A null-terminated string\r\n- `wstr` - A wide null-terminated string\r\n- `int` - A signed 32-bit integer\r\n- `short` - A signed 16-bit integer\r\n- `bin` - A base64-encoded binary blob\r\n\r\n## Examples\r\n\r\nUsing the `dir.x64.o` BOF from the [trustedsec/CS-Situational-Awareness-BOF](https://github.com/trustedsec/CS-Situational-Awareness-BOF) repository and passing arguments to the BOF:\r\n\r\n```bash\r\ncoffee.exe --bof-path .\\dir.x64.o -- wstr:\"C:\\\\Windows\\\\System32\"\r\n```\r\n\r\nUsing the `ntcreatethread.x64.o` BOF from the [trustedsec/CS-Remote-OPs-BOF](https://github.com/trustedsec/CS-Remote-OPs-BOF) repository and passing a PID and the shellcode to execute as base64-encoded binary data.\r\n\r\n```bash\r\ncoffee.exe --bof-path .\\ntcreatethread.x64.o -- int:1337 bin:/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu+AdKgpBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYy5leGUA\r\n```\r\n\r\n## Usage as library\r\n\r\n```bash\r\ncargo add coffee-ldr\r\n```\r\n\r\nCoffee can be used as a library in other projects. The following example shows how to use Coffee to load a BOF and execute the BOF:\r\n\r\n```rust\r\nuse coffee_ldr::loader::Coffee;\r\n\r\nfn main() {\r\n    let whoami_bof: [u8; 6771] = [\r\n        0x64, 0x86, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0A, 0x14, 0x00, 0x00, 0x33, 0x00, 0x00,\r\n        ...\r\n    ];\r\n\r\n    let _ = Coffee::new(\u0026whoami_bof).unwrap().execute(None, None, None);\r\n}\r\n```\r\n\r\nThe example above will execute the BOF passed as an array of bytes and show the output in console.\r\n\r\nThe detailed documentation can be found at: \u003chttps://docs.rs/coffee-ldr/latest/coffee_ldr/loader/struct.Coffee.html\u003e\r\n\r\n## Building from source\r\n\r\n1. Install Rust from \u003chttps://rustup.rs/\u003e\r\n2. Clone the repository\r\n3. Build the project using\r\n\r\n```bash\r\ncargo build --release\r\n```\r\n\r\n## License\r\n\r\nCoffee is licensed under the GNU GPLv3 license. See [LICENSE](LICENSE) for more information.\r\n\r\n## Contributing\r\n\r\nPull requests are welcome. Please open an issue first to discuss what you would like to change.\r\n\r\n## References\r\n\r\nThanks to the amazing people who have written about COFF loaders and helped me understand the format:\r\n\r\n- \u003chttps://github.com/trustedsec/COFFLoader\u003e\r\n- \u003chttps://github.com/Cracked5pider/CoffeeLdr\u003e\r\n- \u003chttps://github.com/yamakadi/ldr\u003e\r\n- \u003chttps://www.trustedsec.com/blog/coffloader-building-your-own-in-memory-loader-or-how-to-run-bofs/\u003e\r\n- \u003chttps://0xpat.github.io/Malware_development_part_8/\u003e\r\n- \u003chttps://otterhacker.github.io/Malware/CoffLoader.html\u003e\r\n- \u003chttps://signal-labs.com/trainings/offensive-tool-development/\u003e\r\n- \u003chttps://learn.microsoft.com/en-us/windows/win32/debug/pe-format#coff-file-header-object-and-image\u003e\r\n- \u003chttps://blog.cloudflare.com/how-to-execute-an-object-file-part-1/\u003e\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhakaioffsec%2Fcoffee","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhakaioffsec%2Fcoffee","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhakaioffsec%2Fcoffee/lists"}