Source repository: https://github.com/trustedsec/COFFLoader (language: C, license in `LICENSE.txt`)

# COFF Loader

This is a quick and dirty loader for COFF object files, i.e. Beacon Object Files (BOFs). It can currently run unmodified BOFs, so it can be used for testing without a Cobalt Strike agent running them. The one exception is that the injection-related Beacon compatibility functions are empty stubs.

The main goal is to provide a working example that may be useful to someone.


## Parts
It has a few parts, listed below.

- beacon_compatibility: The Beacon-internal functions, so that BOF files can be loaded and run.
- COFFLoader: The actual COFF loader. When built for *nix it only loads and parses the 64-bit object file; it does not run it.
- test: The example "COFF" file; it is built to a COFF object for you when `make` is called.
- beacon_generate: A helper script that builds strings/arguments in the format the beacon_compatibility functions expect.


## Beacon Generate
This is used to generate arguments for the COFFLoader code. If the BOF takes arguments, add each argument with the type the BOF expects and generate the hex string to pass on the command line. Each argument is added with `addint`, `addshort`, `addString` or `addWString`; `generate` prints the packed buffer as hex (wrapped in a Python bytes literal, so copy only the hex digits), and `reset` clears it.

Example usage:
```
COFFLoader % python3 beacon_generate.py
Beacon Argument Generator
Beacon>help

Documented commands (type help <topic>):
========================================
addString  addWString  addint  addshort  exit  generate  help  reset

Beacon>addWString test
Beacon>addint 4
Beacon>generate
b'120000000a0000007400650073007400000004000000'
Beacon>reset
Beacon>addint 5
Beacon>generate
b'0400000005000000'
Beacon>exit
```

## BOF Arguments
You can find the arguments each BOF requires by reading its source code. Using the Net User BOF as an example, open `src/SA/netuser/entry.c` in the `CS-Situational-Awareness-BOF` GitHub repository and look at how the `go()` function extracts its arguments.

```cpp
VOID go(IN PCHAR Buffer, IN ULONG Length)
{
    datap parser;
    wchar_t *username = NULL;
    wchar_t *domain = NULL;

    // Wrap the packed argument buffer; each BeaconDataExtract call returns
    // the next length-prefixed item, in the order the arguments were packed.
    BeaconDataParse(&parser, Buffer, Length);
    username = (wchar_t *)BeaconDataExtract(&parser, NULL);
    domain = (wchar_t *)BeaconDataExtract(&parser, NULL);
    // An empty wide string for the domain means "no domain" (NULL).
    domain = *domain == 0 ? NULL : domain;
    netuserinfo(username, domain);

    printoutput(TRUE);
};
```

We can see that the Net User BOF takes two wide strings, a "username" and a "domain" (*the domain can be obtained by running the whoami BOF*). Since the BOF treats an empty domain as NULL, both arguments must be present in the packed buffer even if the domain is empty. Using the `beacon_generate.py` helper script, we would generate the arguments like this:

```
COFFLoader % python3 beacon_generate.py
Beacon Argument Generator
Beacon>addWString Administrator
Beacon>addWString client2
Beacon>generate
b'340000001c000000410064006d0069006e006900730074007200610074006f00720000001000000063006c00690065006e00740032000000'
Beacon>exit
```

Lastly, copy the hex digits (without the surrounding `b'...'`) into your execution command:
```shell
COFFLoader64.exe go ..\CS-Situational-Awareness-BOF\SA\netuser\netuser.x64.o 340000001c000000410064006d0069006e006900730074007200610074006f00720000001000000063006c00690065006e00740032000000
```
You can find more detailed examples at this link:
https://trustedsec.com/blog/situational-awareness-bofs-for-script-kiddies



## Running
An example of how to run a BOF is below.

```
COFFLoader64.exe go test64.out
COFFLoader64.exe go ..\CS-Situational-Awareness-BOF\SA\whoami\whoami.x64.o
```
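The hex strings in the Beacon Generate and BOF Arguments sections above follow one simple layout, which is worth understanding when a BOF reads the wrong values or crashes on its arguments. The following is an added example, not code from the COFFLoader project or from `beacon_generate.py`: a stand-alone Python reimplementation of the packer, plus a reader that mirrors the `BeaconDataParse` / `BeaconDataInt` / `BeaconDataShort` / `BeaconDataExtract` calls a BOF makes, so a packed buffer can be checked end to end before it is handed to the loader. The layout (a little-endian `u32` total length, then `int` as 4 bytes, `short` as 2 bytes, and `string`/`wstring` as a `u32` byte count followed by the NUL-terminated UTF-8 or UTF-16LE bytes) is inferred from the README's own hex output; the class and function names, and the length-consistency checks in the reader, are this example's assumptions rather than the project's API.

```python
"""Added example, not part of COFFLoader: packer and reader for the BOF
argument layout seen in the README hex strings (all little-endian):
  <u32 total payload length>
  int     -> 4-byte signed integer
  short   -> 2-byte signed integer
  string  -> <u32 n> + n bytes UTF-8, trailing NUL included in n
  wstring -> <u32 n> + n bytes UTF-16LE, trailing 2-byte NUL included in n
Class/function names below are this example's own, not the project's API."""
import struct


class BeaconArgs:
    """Builds the same buffer beacon_generate.py prints (assumed layout)."""

    def __init__(self):
        self.buffer = b""

    def add_int(self, value):
        self.buffer += struct.pack("<i", value)
        return self

    def add_short(self, value):
        self.buffer += struct.pack("<h", value)
        return self

    def add_string(self, value):
        data = value.encode("utf-8") + b"\x00"
        self.buffer += struct.pack("<I", len(data)) + data
        return self

    def add_wstring(self, value):
        data = value.encode("utf-16-le") + b"\x00\x00"
        self.buffer += struct.pack("<I", len(data)) + data
        return self

    def generate(self):
        # Lowercase hex, i.e. the digits inside the b'...' the script prints.
        return (struct.pack("<I", len(self.buffer)) + self.buffer).hex()


class BeaconDataParser:
    """Reader mirroring what a BOF does with BeaconDataParse/Int/Short/Extract.
    Unlike the C side, it refuses buffers whose lengths do not add up."""

    def __init__(self, blob):
        if len(blob) < 4:
            raise ValueError("buffer too short for the length header")
        (length,) = struct.unpack_from("<I", blob, 0)
        if length != len(blob) - 4:
            raise ValueError("header says %d payload bytes, got %d" % (length, len(blob) - 4))
        self.data = blob[4:]
        self.pos = 0

    def _take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("read past end of argument buffer")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def int(self):
        return struct.unpack("<i", self._take(4))[0]

    def short(self):
        return struct.unpack("<h", self._take(2))[0]

    def extract(self):
        # Length-prefixed blob, NUL terminator included, like BeaconDataExtract.
        (n,) = struct.unpack("<I", self._take(4))
        return self._take(n)

    def string(self):
        raw = self.extract()
        if not raw or raw[-1] != 0:
            raise ValueError("string is not NUL terminated")
        return raw[:-1].decode("utf-8")

    def wstring(self):
        raw = self.extract()
        if len(raw) < 2 or raw[-2:] != b"\x00\x00":
            raise ValueError("wide string is not NUL terminated")
        return raw[:-2].decode("utf-16-le")


def netuser_args(username, domain=""):
    """Pack the two wide strings the netuser BOF expects; an empty domain is
    what the BOF's go() turns into NULL, so it must still be packed."""
    return BeaconArgs().add_wstring(username).add_wstring(domain).generate()


def decode_netuser_args(hexstr):
    """Round trip: read a packed buffer back the way go() in entry.c does."""
    parser = BeaconDataParser(bytes.fromhex(hexstr))
    username = parser.wstring()
    domain = parser.wstring()
    return username, (domain or None)


if __name__ == "__main__":
    print(BeaconArgs().add_wstring("test").add_int(4).generate())
    print(netuser_args("Administrator", "client2"))
    print(decode_netuser_args(netuser_args("Administrator", "client2")))
```

Running the block reproduces the README's `120000000a0000007400650073007400000004000000` and `340000001c00...` strings, and the reader rejects a buffer whose header length disagrees with its actual size, which is the case the C parser will happily read past.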