BOF Modules

BOF modules are configured similarly to PowerShell modules with a few key differences:

The script, script_path, and script_end fields are no longer used.
bof.x86 and bof.x64 refer to the path of the beacon object file for each architecture (x86 and x64).
bof.entry_point is an optional field to define the object file's entry point.
An Architecture field is required.
format_string is used to define how data should be passed.

Format String

Type

Description

Unpack With (C)

Binary data

BeaconDataExtract

4-byte integer

BeaconDataInt

2-byte short integer

BeaconDataShort

Zero-terminated + encoded string

BeaconDataExtract

Zero-terminated wide-char string (wchar_t *)

BeaconDataExtract

Example BOF

options:
  - name: Architecture
    description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
    required: true
    value: x64
    strict: true
    suggested_values:
      - x64
      - x86
  - name: Filepath
    description: Filepath to search for permissions.
    required: true
    value: 'C:\\windows\\system32\\cmd.exe'
    format: Z
bof:
  x86: bof/situational_awareness/cacls.x86.o
  x64: bof/situational_awareness/cacls.x64.o
  entry_point: ''
  format_string: Z

BOF modules also support the advanced.custom_generate method of generating the script.

PreviousC# Modules NextAgents

Last updated 7 months ago

Was this helpful?