Goffloader is a library that allows easy in-memory execution of Cobalt Strike BOFs and unmanaged PE files.
Goffloader is designed to make loading of BOFs or PE files as straightforward as possible by using the go:embed
tag. For example, to run an embedded executable and display its console output the code is:
import "github.com/praetorian-inc/goffloader/src/pe"
//go:embed hello.exe
var helloBytes []byte
func main() {
output, _ := pe.RunExecutable(helloBytes, []string{"Arg1", "Arg2", "Arg3"})
fmt.Println(output)
}
Full examples for running BOFs or PE files can be found in the cmd
folder. The ability to run PE files is enabled via the No-Consolation BOF, and an example of executing that can be seen here
Given that there's already a number of very excellent C implementations of this functionality, why do this in Go?
- Adding BOF loading to Go expands the number of open source security projects that can be used within Go security tooling. There are entire repositories of useful functionality that are now accessible for Go tools via this library.
- While you can technically just use a C implementation of COFF loaders (Sliver does this, for example), CGO is annoying.
- Go is a nice language for static signature evasion. You can see an example of us being able to run an embedded version of mimikatz without jumping through too many hoops.
- Our open-source breach & attack simulation tests are written in Go...and we wanted this functionality.
- Currently the COFFLoader implementation is only for x64 architecture. 32-bit support will be coming soon.
- At the moment the PE execution is just loading a BOF with hard-coded arguments - eventually a few different approaches will be supported.
- The
Beacon*
API implementation is partial - most BOFs don't use much beyond the arg parsing + output functions, but there's a chunk ofbeacon.h
which still needs to be implemented. This will be done as useful BOFs are identified that rely on these APIs. - Using this library in its current state will NOT generate a 0/N detections file on VT. Right now it's 2 or 3 detections from the usual offender false+ mills, but users should be aware of this.
- Ne0nD0g's go-coff project
- Didn't realize this the dev branch of go-coff was actually filled in when this project was started. The Golang implementation of Beacon functions was the base for the
lighthouse
code along with the idea to use windows.NewCallback to avoid CGO.
- Didn't realize this the dev branch of go-coff was actually filled in when this project was started. The Golang implementation of Beacon functions was the base for the
- TrustedSec's COFFLoader blogpost
- OtterHacker's EXCELLENT COFFLoader blogpost
- Fortra's No-Consolation BOF
- The developers of the (now-archived) Go pecoff library.