BOF Modules

BOF modules are configured similarly to PowerShell modules with a few key differences:

  • The script, script_path, and script_end fields are no longer used.

  • bof.x86 and bof.x64 refer to the path of the beacon object file for each architecture (x86 and x64).

  • bof.entry_point is an optional field to define the object file's entry point.

  • An Architecture field is required.

  • format_string is used to define how data should be passed.

Format String

Type
Description
Unpack With (C)

b

Binary data

BeaconDataExtract

i

4-byte integer

BeaconDataInt

s

2-byte short integer

BeaconDataShort

z

Zero-terminated + encoded string

BeaconDataExtract

Z

Zero-terminated wide-char string (wchar_t *)

BeaconDataExtract

Example BOF

options:
  - name: Architecture
    description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
    required: true
    value: x64
    strict: true
    suggested_values:
      - x64
      - x86
  - name: Filepath
    description: Filepath to search for permissions.
    required: true
    value: 'C:\\windows\\system32\\cmd.exe'
    format: Z
bof:
  x86: bof/situational_awareness/cacls.x86.o
  x64: bof/situational_awareness/cacls.x64.o
  entry_point: ''
  format_string: Z

BOF modules also support the advanced.custom_generate method of generating the script.

Last updated

Was this helpful?