POC tool to convert a Cobalt Strike BOF into raw shellcode.
Introduction
This code was written as part of a blog tutorial on how to convert an existing C tool, in this case @trustedsec's COFFLoader, into raw shellcode.
It uses techniques based on @thefLink's C-To-Shellcode-Examples repository.
Usage
First run make to build the bofloader.bin file.
After that, the bof2shellcode.py script can be used to convert a BOF into raw shellcode.
Usage Examples
Converting the tasklist BOF to shellcode and executing it:
% python3 bof2shellcode.py -i tasklist.x64.o -o tasklist.x64.bin
Writing tasklist.x64.bin
load_sc.exe tasklist.x64.bin | c:\msys64\usr\bin\head.exe
Name ProcessId ParentProcessId SessionId CommandLine
System Idle Process 0 0 0 (NULL)
System 4 0 0 (NULL)
Registry 92 4 0 (NULL)
smss.exe 348 4 0 (NULL)
csrss.exe 464 456 0 (NULL)
wininit.exe 536 456 0 (NULL)
csrss.exe 544 528 1 (NULL)
winlogon.exe 628 528 1 (NULL)
services.exe 636 536 0 (NULL)
Notes
This is purely a POC. It is missing implementations of some Beacon-related functions; for example, BeaconPrintf has been replaced by a simple printf call that writes to stdout.
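Because only part of the Beacon API is implemented, it helps to see which external functions an object file references, both when checking a BOF against this loader and when triaging an unknown .o file. The following is an added example, not code from this repository: it reads the COFF symbol table and groups undefined externals, assuming x64 objects that use the `__imp_` prefix and the `LIBRARY$Function` naming convention; the function names, the rule that any name starting with `Beacon` is a Beacon API call, and the sample bytes are constructed for illustration.

```python
import struct

def undefined_externals(data):
    """Names of undefined external symbols in a COFF object file."""
    _m, _nsec, _ts, symoff, nsyms, _opt, _fl = struct.unpack_from("<HHIIIHH", data, 0)
    strtab = symoff + nsyms * 18          # string table follows the 18-byte symbol records
    if symoff == 0 or strtab + 4 > len(data):
        raise ValueError("no usable COFF symbol table")
    names, i = [], 0
    while i < nsyms:
        raw, _val, sect, _typ, sclass, naux = struct.unpack_from("<8sIhHBB", data, symoff + i * 18)
        if raw[:4] == b"\0\0\0\0":        # long name: offset into the string table
            start = strtab + struct.unpack("<I", raw[4:])[0]
            name = data[start:data.index(b"\0", start)]
        else:                             # short name stored inline, NUL padded
            name = raw.rstrip(b"\0")
        if sect == 0 and sclass == 2:     # IMAGE_SYM_UNDEFINED + IMAGE_SYM_CLASS_EXTERNAL
            names.append(name.decode("ascii", "replace"))
        i += 1 + naux                     # skip auxiliary records
    return names

def classify(names):
    """Split x64 BOF imports into Beacon API, LIBRARY$Function and other."""
    out = {"beacon": [], "dfr": [], "other": []}
    for n in names:
        bare = n[6:] if n.startswith("__imp_") else n
        if bare.startswith("Beacon"):     # assumption: Beacon API names start with "Beacon"
            out["beacon"].append(bare)
        elif "$" in bare:                 # assumption: LIBRARY$Function convention
            out["dfr"].append(tuple(bare.split("$", 1)))
        else:
            out["other"].append(bare)
    return out

def build_sample():
    """Constructed COFF: header + 3 symbols + string table, no sections."""
    strings = b"__imp_BeaconPrintf\0__imp_KERNEL32$GetLastError\0"
    def sym(off, sect, sclass):           # long-name record pointing into the string table
        return struct.pack("<IIIhHBB", 0, off, 0, sect, 0, sclass, 0)
    syms = sym(4, 0, 2) + sym(23, 0, 2) + struct.pack("<8sIhHBB", b"go", 0, 1, 0x20, 2, 0)
    hdr = struct.pack("<HHIIIHH", 0x8664, 0, 0, 20, 3, 0, 0)
    return hdr + syms + struct.pack("<I", 4 + len(strings)) + strings

if __name__ == "__main__":
    print(classify(undefined_externals(build_sample())))
```

Any name reported under `beacon` other than BeaconPrintf should be checked against the loader source before relying on the converted output.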
Credits
Note that the code in this repository is heavily based on @trustedsec's COFFLoader and @thefLink's C-To-Shellcode-Examples repository.