Secondary Categories: 02-Command and Control, 02-Malware
Description:
An object file is the output of the compilation phase. It is mostly machine code, but it also carries the information the linker needs to see the symbols (names of global objects, functions, etc.) so that linking can work.
A linker then takes all the object files and combines them into one executable, assuming there are no duplicate or undefined symbols. Many compilers run the linker for you automatically. If you do not want them to link and just want the object file, use the -c flag.
Example:
x86_64-w64-mingw32-gcc -c whereami.x64.c -o whereami.x64.o -masm=intel
Although there are tools on GitHub you can compile and drop onto a target system, they are often OPSEC-expensive because of the usual fork-then-run pattern, which creates a new process. BOFs have a light footprint: they run inside the Beacon process and are cleaned up once the capability has finished. A UAC bypass tool from GitHub that compiles to an EXE can be >100 KB. Turned into a BOF it can be <3 KB, which makes a big difference over constrained bandwidth such as DNS.
To compile this with Visual Studio:
cl.exe /c /GS- hello.c /Fohello.o
To compile this with x86 MinGW:
i686-w64-mingw32-gcc -c hello.c -o hello.o
To compile this with x64 MinGW:
x86_64-w64-mingw32-gcc -c hello.c -o hello.o
The above commands will produce a hello.o file. Use inline-execute in Beacon to run the BOF.
beacon> inline-execute /path/to/hello.o these are arguments
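Added example, not from the original note or from Cobalt Strike: a small Python parser that reads the symbol table of a COFF object file such as hello.o and separates the symbols it defines from those it leaves undefined. The sample object it builds in memory is constructed for the demo; names such as __imp_KERNEL32$GetCurrentProcess are an assumed example of the import naming a BOF uses, and a real object can be passed by giving its path on the command line.

```python
import struct
import sys

IMAGE_SYM_CLASS_EXTERNAL = 2   # storage class of a global (linker-visible) symbol


def parse_coff_symbols(data: bytes):
    """Return (name, section_number, storage_class) for every symbol record.
    Auxiliary records are skipped; names longer than 8 bytes are resolved through
    the string table that immediately follows the symbol table."""
    _machine, _nsect, _ts, sym_off, nsyms, _opt, _chars = struct.unpack_from("<HHIIIHH", data, 0)
    strtab = data[sym_off + nsyms * 18:]   # offsets into it include its 4-byte size field
    symbols, i = [], 0
    while i < nsyms:
        raw_name, _value, section, _type, sclass, naux = struct.unpack_from("<8sIhHBB", data, sym_off + i * 18)
        if raw_name[:4] == b"\0\0\0\0":           # long name: offset into the string table
            name_off = struct.unpack_from("<I", raw_name, 4)[0]
            name = strtab[name_off:strtab.index(b"\0", name_off)].decode("ascii")
        else:                                      # short name, zero padded to 8 bytes
            name = raw_name.rstrip(b"\0").decode("ascii")
        symbols.append((name, section, sclass))
        i += 1 + naux                              # step over any auxiliary records
    return symbols


def defined_externals(data: bytes):
    """Globals the object provides (section number > 0), e.g. the BOF entry point."""
    return sorted(n for n, sec, cls in parse_coff_symbols(data) if sec > 0 and cls == IMAGE_SYM_CLASS_EXTERNAL)


def undefined_externals(data: bytes):
    """Globals the object only references (section 0): what the loader must resolve."""
    return sorted(n for n, sec, cls in parse_coff_symbols(data) if sec == 0 and cls == IMAGE_SYM_CLASS_EXTERNAL)


def build_sample_object() -> bytes:
    """Constructed minimal x64 COFF: one empty .text section, a defined 'go' symbol
    and two undefined imports named in the assumed MODULE$Function BOF style."""
    long_names = [b"__imp_KERNEL32$GetCurrentProcess", b"__imp_MSVCRT$printf"]
    body, offsets = b"", []
    for n in long_names:
        offsets.append(4 + len(body))              # account for the size field
        body += n + b"\0"
    strtab = struct.pack("<I", 4 + len(body)) + body
    section = struct.pack("<8sIIIIIIHHI", b".text", 0, 0, 0, 0, 0, 0, 0, 0, 0x60000020)
    symtab = struct.pack("<8sIhHBB", b"go", 0, 1, 0x20, IMAGE_SYM_CLASS_EXTERNAL, 0)
    for off in offsets:
        symtab += struct.pack("<4sIIhHBB", b"\0\0\0\0", off, 0, 0, 0, IMAGE_SYM_CLASS_EXTERNAL, 0)
    header = struct.pack("<HHIIIHH", 0x8664, 1, 0, 20 + 40, 3, 0, 0)
    return header + section + symtab + strtab


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_object()
    print("defined:  ", defined_externals(blob))
    print("undefined:", undefined_externals(blob))
```

For a BOF the undefined list is the set of Win32 and CRT functions Beacon has to resolve at load time, which gives a defender a quick view of what an object file will call before it is ever executed.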
Resources:
Title | URL |
---|---|
What are Beacon Object Files | https://www.cobaltstrike.com/help-beacon-object-files |
Matt Eidelberg - Operation Bypass Catch My Payload If You Can | https://www.youtube.com/watch?v=JXKNdWUs77w |
Boku - Creating a BOF for whoami | https://0xboku.com/2021/08/19/Bof-WhereAmI.html |
whereami BOF | https://github.com/boku7/whereami |
Cobalt Strike Situational Awareness BOF | https://github.com/trustedsec/CS-Situational-Awareness-BOF |
Collection of Beacon Object Files Repo | https://github.com/ajpc500/BOFs/ |
Implementing ASM in C Code with GCC - 1 | http://gcc.gnu.org/onlinedocs/gcc-4.0.2/gcc/Extended-Asm.html#Extended-Asm |
Implementing ASM in C Code with GCC - 2 | https://www.cs.uaf.edu/2011/fall/cs301/lecture/10_12_asm_c.html |
Implementing ASM in C Code with GCC - 3 | https://outflank.nl/blog/2020/12/26/direct-syscalls-in-beacon-object-files/ |
Also Check Out:
- PLACEHOLDER