Secondary Categories: 02-Command and Control, 02-Malware


Description:

An object file is the output of the compilation phase. It is mostly machine code, but it also carries a symbol table (the names of global objects, functions, etc.) so that the linker can see which symbols the file defines and which ones it still needs.

A linker then takes all the object files and combines them into one executable, provided there are no duplicate or undefined symbols. Most compiler drivers run the linker for you automatically. If you don't want them to link and just want the object file, use the -c flag.

Example:

x86_64-w64-mingw32-gcc -c whereami.x64.c -o whereami.x64.o -masm=intel
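To make the "symbols" part of the description concrete, here is an added example (not code from the original page or from any of the linked projects): a small Python parser that reads the COFF symbol table of a .o file like the one the command above produces and splits the symbols into what the object defines and what it still needs resolved. The undefined externals are exactly what the linker has to satisfy, and for an object that is never linked they are what the loader must resolve at run time. The object built by build_sample_object() is constructed for this example and is not real compiler output; pass the path of a real .o as the first argument to inspect one.

```python
"""Added example: list the symbols a COFF object file (.o) exposes to the linker."""
import struct
import sys
from dataclasses import dataclass

# Constants from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SYM_UNDEFINED = 0          # SectionNumber of a symbol the linker must resolve elsewhere
IMAGE_SYM_CLASS_EXTERNAL = 2     # visible to other object files
IMAGE_SYM_CLASS_STATIC = 3       # file-local (static functions, section symbols)

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics (20 bytes)
FILE_HEADER = struct.Struct("<HHIIIHH")
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # 40-byte section header
SYMBOL = struct.Struct("<8sIhHBB")              # Name, Value, SectionNumber, Type, StorageClass, NumberOfAuxSymbols


@dataclass
class Symbol:
    name: str
    value: int
    section: int
    storage_class: int


def _symbol_name(raw8: bytes, strtab: bytes) -> str:
    """Names of up to 8 bytes sit inline; longer ones are (0, offset) into the string table."""
    if raw8[:4] == b"\0\0\0\0":
        offset = struct.unpack_from("<I", raw8, 4)[0]
        end = strtab.index(b"\0", offset)
        return strtab[offset:end].decode("ascii", "replace")
    return raw8.rstrip(b"\0").decode("ascii", "replace")


def parse_coff_symbols(data: bytes):
    """Return (machine, [Symbol, ...]) for a relocatable COFF object file."""
    machine, _nsec, _ts, symtab_off, nsyms, opt_size, _flags = FILE_HEADER.unpack_from(data, 0)
    if opt_size != 0:
        raise ValueError("object files have no optional header; this looks like a linked image, not a .o")
    if symtab_off == 0 or nsyms == 0:
        return machine, []  # symbol table stripped
    # The string table sits directly after the symbol table; its first 4 bytes are its own length.
    strtab = data[symtab_off + nsyms * SYMBOL.size:]
    symbols = []
    i = 0
    while i < nsyms:
        raw_name, value, section, _typ, sclass, naux = SYMBOL.unpack_from(data, symtab_off + i * SYMBOL.size)
        symbols.append(Symbol(_symbol_name(raw_name, strtab), value, section, sclass))
        i += 1 + naux  # auxiliary records count toward NumberOfSymbols; skip them
    return machine, symbols


def machine_name(machine: int) -> str:
    return {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}.get(machine, hex(machine))


def summarize(data: bytes) -> dict:
    """Split symbols into what the object defines and what it still needs resolved."""
    machine, syms = parse_coff_symbols(data)
    ext = [s for s in syms if s.storage_class == IMAGE_SYM_CLASS_EXTERNAL]
    return {
        "machine": machine_name(machine),
        "defined": sorted(s.name for s in ext if s.section > 0),
        "undefined": sorted(s.name for s in ext if s.section == IMAGE_SYM_UNDEFINED),
        "static": sorted(s.name for s in syms if s.storage_class == IMAGE_SYM_CLASS_STATIC and s.section > 0),
    }


def build_sample_object() -> bytes:
    """Constructed stand-in for a hello.o: one .text section, one exported function,
    one static helper with a long name, and one call the linker still has to resolve."""
    code = b"\xc3" * 4  # placeholder bytes, not real code
    strtab_body = b""

    def long_name(name: str) -> bytes:
        nonlocal strtab_body
        off = 4 + len(strtab_body)  # offsets include the 4-byte length prefix
        strtab_body += name.encode() + b"\0"
        return b"\0\0\0\0" + struct.pack("<I", off)

    entries = [
        SYMBOL.pack(b".text", 0, 1, 0, IMAGE_SYM_CLASS_STATIC, 1),
        b"\0" * SYMBOL.size,  # the section symbol's auxiliary record
        SYMBOL.pack(b"hello", 0, 1, 0x20, IMAGE_SYM_CLASS_EXTERNAL, 0),
        SYMBOL.pack(long_name("local_buffer_helper"), 2, 1, 0x20, IMAGE_SYM_CLASS_STATIC, 0),
        SYMBOL.pack(b"puts", 0, IMAGE_SYM_UNDEFINED, 0x20, IMAGE_SYM_CLASS_EXTERNAL, 0),
    ]
    code_off = FILE_HEADER.size + SECTION_HEADER.size
    symtab_off = code_off + len(code)
    header = FILE_HEADER.pack(IMAGE_FILE_MACHINE_AMD64, 1, 0, symtab_off, len(entries), 0, 0)
    section = SECTION_HEADER.pack(b".text", 0, 0, len(code), code_off, 0, 0, 0, 0, 0x60000020)
    strtab = struct.pack("<I", 4 + len(strtab_body)) + strtab_body
    return header + section + code + b"".join(entries) + strtab


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_object()
    for key, val in summarize(blob).items():
        print(f"{key}: {val}")
```

On the constructed sample the summary reports hello as defined, puts as undefined, and the static helper's name pulled from the string table. Running it over an unknown .o found on a host is a quick triage step: the undefined list tells you which external functions the object expects its loader to supply, and the machine field tells you whether it was built with the x86 or x64 toolchain.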

Although there are tools on GitHub that you can compile and place on a target system, they are often OPSEC-expensive because of the usual fork-then-run pattern, which creates a new process. BOFs have a light footprint: they run inside the Beacon process and are cleaned up once the capability finishes. A UAC bypass tool from GitHub that compiles to an EXE can be >100Kb; turned into a BOF it can be <3Kb, and that difference matters when operating over constrained bandwidth such as DNS.

To compile this with Visual Studio:

cl.exe /c /GS- hello.c /Fohello.o

To compile this with x86 MinGW:

i686-w64-mingw32-gcc -c hello.c -o hello.o

To compile this with x64 MinGW:

x86_64-w64-mingw32-gcc -c hello.c -o hello.o

Each of the above commands produces a hello.o file. Use inline-execute in Beacon to run the BOF.

beacon> inline-execute /path/to/hello.o these are arguments

Resources:

  • What are Beacon Object Files: https://www.cobaltstrike.com/help-beacon-object-files
  • Matt Eidelberg - Operation Bypass Catch My Payload If You Can: https://www.youtube.com/watch?v=JXKNdWUs77w
  • Boku - Creating a BOF for whoami: https://0xboku.com/2021/08/19/Bof-WhereAmI.html
  • whereami BOF: https://github.com/boku7/whereami
  • Cobalt Strike Situational Awareness BOF: https://github.com/trustedsec/CS-Situational-Awareness-BOF
  • Collection of Beacon Object Files Repo: https://github.com/ajpc500/BOFs/
  • Implementing ASM in C Code with GCC - 1: http://gcc.gnu.org/onlinedocs/gcc-4.0.2/gcc/Extended-Asm.html#Extended-Asm
  • Implementing ASM in C Code with GCC - 2: https://www.cs.uaf.edu/2011/fall/cs301/lecture/10_12_asm_c.html
  • Implementing ASM in C Code with GCC - 3: https://outflank.nl/blog/2020/12/26/direct-syscalls-in-beacon-object-files/

Also Check Out:

  • PLACEHOLDER