07-25-2024, 08:10 PM
Goffloader is a library that allows easy in-memory execution of Cobalt Strike BOFs and unmanaged PE files.
Given that there are already a number of excellent C implementations of this functionality, why do this in Go?
Quote:Adding BOF loading to Go expands the number of open source security projects that can be used within Go security tooling. There are entire repositories of useful functionality that are now accessible for Go tools via this library.
While you can technically just use a C implementation of COFF loaders (Sliver does this, for example), CGO is annoying.
Go is a nice language for static signature evasion. You can see an example of us being able to run an embedded version of mimikatz without jumping through too many hoops.
Limitations
Quote:Currently the COFFLoader implementation is only for x64 architecture. 32-bit support will be coming soon.
At the moment the PE execution is just loading a BOF with hard-coded arguments - eventually a few different approaches will be supported.
The Beacon* API implementation is partial - most BOFs don't use much beyond the arg parsing + output functions, but there's a chunk of beacon.h which still needs to be implemented. This will be done as useful BOFs are identified that rely on these APIs.
Using this library in its current state will NOT generate a 0/N detections file on VT. Right now it's 2 or 3 detections from the usual false-positive mills, but users should be aware of this.
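Since the post says most BOFs only need the argument-parsing and output parts of the Beacon API, the following is an added example (not Goffloader's code and not from the original post) of what that argument contract looks like from both sides in Go. It assumes the public bof_pack() layout also used by COFFLoader's beacon_generate.py: little-endian fields, a 4-byte length prefix on each 'z'/'b' value (the NUL of a 'z' string counted in the length), and a 4-byte total length in front of the whole buffer. Packer builds that buffer as an operator-side tool would; DataParser is the consumer side, the equivalent of beacon.h's datap and the BeaconDataParse/Int/Short/Extract/Length calls a BOF makes. The type and function names are my own, chosen for the example. Every read is bounds-checked, which is the caveat a loader author should care about: a BOF's arguments arrive as an untrusted byte string, and a length prefix larger than the data must fail cleanly rather than read past the slice.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Packer mirrors the bof_pack() argument layout (assumption: the public format
// documented with Cobalt Strike / COFFLoader, not Goffloader's own code).
type Packer struct{ buf bytes.Buffer }

func (p *Packer) AddInt(v int32)   { binary.Write(&p.buf, binary.LittleEndian, v) } // bof_pack 'i'
func (p *Packer) AddShort(v int16) { binary.Write(&p.buf, binary.LittleEndian, v) } // bof_pack 's'
func (p *Packer) AddBinary(b []byte) { // bof_pack 'b': 4-byte length, then raw bytes
	binary.Write(&p.buf, binary.LittleEndian, uint32(len(b)))
	p.buf.Write(b)
}
func (p *Packer) AddString(s string) { p.AddBinary(append([]byte(s), 0)) } // bof_pack 'z': NUL counted

// Bytes prefixes the packed fields with their total length, as the BOF receives them.
func (p *Packer) Bytes() []byte {
	out := make([]byte, 4+p.buf.Len())
	binary.LittleEndian.PutUint32(out, uint32(p.buf.Len()))
	copy(out[4:], p.buf.Bytes())
	return out
}

// DataParser is the consumer side: beacon.h's datap with bounds checks on every read.
type DataParser struct {
	data []byte
	pos  int
}

// NewDataParser is the equivalent of BeaconDataParse: validate the length prefix.
func NewDataParser(buf []byte) (*DataParser, error) {
	if len(buf) < 4 {
		return nil, errors.New("argument buffer shorter than its length prefix")
	}
	n := int(binary.LittleEndian.Uint32(buf))
	if n > len(buf)-4 {
		return nil, fmt.Errorf("declared length %d exceeds %d available bytes", n, len(buf)-4)
	}
	return &DataParser{data: buf[4 : 4+n]}, nil
}

func (d *DataParser) Length() int { return len(d.data) - d.pos } // BeaconDataLength

// take hands out the next n bytes or an error; a negative or oversized n is rejected.
func (d *DataParser) take(n int) ([]byte, error) {
	if n < 0 || n > d.Length() {
		return nil, fmt.Errorf("need %d bytes, %d remain", n, d.Length())
	}
	b := d.data[d.pos : d.pos+n]
	d.pos += n
	return b, nil
}

func (d *DataParser) Int() (int32, error) { // BeaconDataInt
	b, err := d.take(4)
	if err != nil {
		return 0, err
	}
	return int32(binary.LittleEndian.Uint32(b)), nil
}

func (d *DataParser) Short() (int16, error) { // BeaconDataShort
	b, err := d.take(2)
	if err != nil {
		return 0, err
	}
	return int16(binary.LittleEndian.Uint16(b)), nil
}

func (d *DataParser) Extract() ([]byte, error) { // BeaconDataExtract: length-prefixed value
	n, err := d.Int()
	if err != nil {
		return nil, err
	}
	return d.take(int(n))
}

// ExtractString reads a 'z' value and drops the trailing NUL bof_pack added.
func (d *DataParser) ExtractString() (string, error) {
	b, err := d.Extract()
	if err != nil {
		return "", err
	}
	return string(bytes.TrimRight(b, "\x00")), nil
}

// RoundTrip packs a constructed sample argument set (an int, a path, a blob)
// and parses it back exactly the way a BOF's entry point would.
func RoundTrip() (int32, string, []byte, error) {
	var p Packer
	p.AddInt(1234)
	p.AddString(`C:\Windows`)
	p.AddBinary([]byte{0xde, 0xad, 0xbe})
	d, err := NewDataParser(p.Bytes())
	if err != nil {
		return 0, "", nil, err
	}
	i, err := d.Int()
	if err != nil {
		return 0, "", nil, err
	}
	s, err := d.ExtractString()
	if err != nil {
		return 0, "", nil, err
	}
	b, err := d.Extract()
	return i, s, b, err
}

func main() {
	i, s, b, err := RoundTrip()
	fmt.Println(i, s, b, err)
	// A prefix claiming 255 bytes over a 1-byte payload must be refused, not read past the end.
	_, err = NewDataParser([]byte{0xff, 0, 0, 0, 1})
	fmt.Println("truncated buffer:", err)
}
```

The parser deliberately returns errors instead of the silent zero values beacon.h's C datap helpers give back on exhaustion; in a Go loader that is the difference between a BOF reporting a bad argument and the host process panicking on an out-of-range slice.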