this post was submitted on 19 Feb 2024

Zig Programming Language

From the README:

Z-labs blog post - Running BOFs with 'bof-launcher' library

Introduction

Cobalt Strike 4.1, released on 25 June 2020, introduced a novel (for that time) capability of running so-called Beacon Object Files - small post-ex capabilities that execute in Beacon, parse arguments, call a few Win32 APIs, report output, and exit. Since then, BOFs have become very popular and the demand to launch/execute them in environments other than Cobalt Strike's Beacon has emerged.

Purpose

We at Z-Labs saw a big potential in BOFs and decided to extend their capabilities, versatility and usefulness even further. That's how this project came to life.

bof-launcher is an open-source library for loading, relocating and launching BOFs on Windows and UNIX/Linux systems. It's an alternative to Trustedsec's COFFLoader and ELFLoader with some very interesting features:

  • Fully compatible with Cobalt Strike's Beacon. Can compile and run every BOF available in the Cobalt Strike Community Kit and every other open-source BOF that adheres to the generic BOF template.
  • Distributed as a fully standalone library with zero dependency (it does not even use libc).
  • Fully integrable with programs written in C/C++ and/or Zig programming languages.
  • Adds capability to write BOFs in the Zig programming language - which is a low-level language with a goal of being a "better C". All the features of the language and its rich standard library can be used in BOFs (hash maps and other data structures, cross-platform OS layer, http, networking, threading, crypto and more).
  • Asynchronous BOF execution - capability to launch more time-consuming BOFs in a separate thread.
  • BOF process injection - capability to launch more risky BOFs (i.e. privilege escalation exploits) by injecting them into a new process.
  • Seamless support for both Windows COFF and UNIX/Linux ELF formats.
  • ARM and AARCH64 support on Linux.
  • Used in our cli4bofs tool that allows for running BOF files directly from a filesystem.
  • Very flexible and efficient API allowing for so called BOF chaining.