POC tool to convert CobaltStrike BOF files to raw shellcode

BOF2Shellcode

POC tool to convert a Cobalt Strike BOF into raw shellcode.

Introduction

This code was written as part of a blog tutorial on how to convert an existing C tool, in this case @trustedsec's COFFLoader, into raw shellcode.

It uses techniques based on @thefLink's C-To-Shellcode-Examples repository.

Usage

First run make to build the bofloader.bin file.

After that the bof2shellcode.py script can be used to convert a BOF into raw shellcode.

Usage Examples

Converting the tasklist BOF to shellcode and executing it:

% python3 bof2shellcode.py -i tasklist.x64.o -o tasklist.x64.bin
Writing tasklist.x64.bin

load_sc.exe tasklist.x64.bin | c:\msys64\usr\bin\head.exe
Name                              ProcessId  ParentProcessId  SessionId CommandLine
System Idle Process                       0                0          0 (NULL)
System                                    4                0          0 (NULL)
Registry                                 92                4          0 (NULL)
smss.exe                                348                4          0 (NULL)
csrss.exe                               464              456          0 (NULL)
wininit.exe                             536              456          0 (NULL)
csrss.exe                               544              528          1 (NULL)
winlogon.exe                            628              528          1 (NULL)
services.exe                            636              536          0 (NULL)
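A BOF is a plain x64 COFF object, and the loader bundled into the shellcode has to find an external `go` symbol as its entry point and resolve every undefined external symbol (`KERNEL32$...`, `BeaconPrintf`, ...) at run time. Before feeding an object to bof2shellcode.py it is therefore worth checking those properties up front. The following inspector is an added example written for this page, not code from BOF2Shellcode or COFFLoader; it parses the standard COFF header, section table and symbol table with `struct`, and the sample object it builds is constructed inline so the script runs offline. The set of Beacon functions the POC loader actually stubs is not listed on the page, so `missing_beacon_functions` takes that set as a caller-supplied assumption.

```python
"""Inspect a Beacon Object File (x64 COFF .o) before converting it to shellcode.

Added illustration, not code from BOF2Shellcode or COFFLoader. It checks the
machine type, lists sections, and splits external symbols into exports (the
`go` entry point) and imports (what the loader must resolve). The sample
object built by build_sample_coff() is constructed here, not a real BOF.
"""
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SYM_CLASS_EXTERNAL = 2
COFF_HEADER = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp,
                                 # PointerToSymbolTable, NumberOfSymbols,
                                 # SizeOfOptionalHeader, Characteristics (20 bytes)
SECTION_HEADER = "<8sIIIIIIHHI"  # Name ... Characteristics (40 bytes)
SYMBOL = "<8sIhHBB"              # Name, Value, SectionNumber, Type,
                                 # StorageClass, NumberOfAuxSymbols (18 bytes)


def _symbol_name(raw, strtab):
    """Resolve an 8-byte symbol name; long names are offsets into the string table."""
    if raw[:4] == b"\x00\x00\x00\x00":
        off = struct.unpack_from("<I", raw, 4)[0]   # offset counts the 4-byte length field
        return strtab[off:strtab.index(b"\x00", off)].decode()
    return raw.rstrip(b"\x00").decode()


def inspect_bof(data):
    """Parse an x64 COFF object and return machine, sections, exports and imports."""
    if len(data) < struct.calcsize(COFF_HEADER):
        raise ValueError("too short to be a COFF object")
    machine, nsect, _ts, symoff, nsyms, optsize, _chars = struct.unpack_from(COFF_HEADER, data, 0)
    if machine != IMAGE_FILE_MACHINE_AMD64:
        raise ValueError("not an x64 object (Machine=0x%04x)" % machine)

    sections, off = [], struct.calcsize(COFF_HEADER) + optsize
    for _ in range(nsect):
        name, _vs, _va, rawsize, _rp, _relp, _lnp, nrel, _nln, chars = \
            struct.unpack_from(SECTION_HEADER, data, off)
        # Long section names ("/offset") are not resolved here; BOFs use short ones.
        sections.append({"name": name.rstrip(b"\x00").decode(), "size": rawsize,
                         "relocs": nrel, "flags": chars})
        off += struct.calcsize(SECTION_HEADER)

    strtab = data[symoff + nsyms * struct.calcsize(SYMBOL):]  # string table follows the symbols
    exports, imports, i = [], [], 0
    while i < nsyms:
        raw, _val, secnum, _typ, sclass, naux = \
            struct.unpack_from(SYMBOL, data, symoff + i * struct.calcsize(SYMBOL))
        if sclass == IMAGE_SYM_CLASS_EXTERNAL:
            name = _symbol_name(raw, strtab)
            if secnum > 0:        # defined in a section of this object
                exports.append(name)
            elif secnum == 0:     # undefined: the loader has to resolve it
                imports.append(name)
        i += 1 + naux             # skip auxiliary symbol records
    return {"machine": machine, "sections": sections, "exports": exports,
            "imports": imports, "has_go": "go" in exports}


def missing_beacon_functions(info, provided):
    """Beacon* imports the BOF needs but the loader does not implement.

    `provided` is the set of Beacon API names the loader stubs (assumption:
    the POC's real set is not documented on the page, so the caller supplies it).
    """
    return [s for s in info["imports"] if s.startswith("Beacon") and s not in provided]


def build_sample_coff():
    """Construct a minimal x64 object for demonstration (not a real BOF).

    One .text section holding a single `ret`; symbols: `go` (defined, external),
    plus `BeaconPrintf` and `KERNEL32$GetProcAddress` as undefined externals.
    """
    text = b"\xc3"
    raw_ptr = struct.calcsize(COFF_HEADER) + struct.calcsize(SECTION_HEADER)
    sym_off = raw_ptr + len(text)
    strtab, syms = b"", []
    for name, secnum in ((b"go", 1), (b"BeaconPrintf", 0), (b"KERNEL32$GetProcAddress", 0)):
        if len(name) <= 8:
            raw = name.ljust(8, b"\x00")
        else:                                   # long name -> string table reference
            raw = b"\x00\x00\x00\x00" + struct.pack("<I", 4 + len(strtab))
            strtab += name + b"\x00"
        syms.append(struct.pack(SYMBOL, raw, 0, secnum, 0x20 if secnum else 0,
                                IMAGE_SYM_CLASS_EXTERNAL, 0))
    header = struct.pack(COFF_HEADER, IMAGE_FILE_MACHINE_AMD64, 1, 0, sym_off, len(syms), 0, 0)
    code_rx = 0x20 | 0x20000000 | 0x40000000      # CNT_CODE | MEM_EXECUTE | MEM_READ
    section = struct.pack(SECTION_HEADER, b".text", 0, 0, len(text), raw_ptr, 0, 0, 0, 0, code_rx)
    return header + section + text + b"".join(syms) + struct.pack("<I", 4 + len(strtab)) + strtab


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_coff()
    info = inspect_bof(blob)
    print("sections:", [s["name"] for s in info["sections"]])
    print("entry `go` present:", info["has_go"], " imports:", info["imports"])
    print("Beacon APIs not stubbed (assuming only BeaconPrintf):",
          missing_beacon_functions(info, {"BeaconPrintf"}))
```

Run it as `python3 inspect_bof.py tasklist.x64.o` to see the real object's sections and imports; with no argument it inspects the constructed sample. An x86 object (Machine 0x014c) is rejected outright, and any Beacon API the report lists as not stubbed would fail to resolve once the POC loader runs the shellcode.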

Notes

This is purely a POC; it is missing implementations of some Beacon-related functions. For example, BeaconPrintf has been replaced by a simple printf call that writes to stdout.

Credits

Note that the code in this repository is heavily based on @trustedsec's COFFLoader and @thefLink's C-To-Shellcode-Examples repository.

Comments
  • Providing BOF arguments?

    First off, neat project! This is a really cool project you've put together. Looking through the code, it doesn't look like there's a way to provide arguments to the BOF before converting it to shellcode. Am I missing something? If BOF arguments aren't accepted, do you have recommendations for implementing that feature?
