BOF Modules
BOF modules are configured similarly to PowerShell modules with a few key differences:

- The `script`, `script_path`, and `script_end` fields are no longer used.
- `bof.x86` and `bof.x64` refer to the path of the beacon object file for each architecture (x86 and x64).
- `bof.entry_point` is an optional field to define the object file's entry point.
- An `Architecture` field is required.
- `format_string` is used to define how data should be passed.

Format String

| Type | Description | Unpack With (C) |
|------|-------------|-----------------|
| b | Binary data | BeaconDataExtract |
| i | 4-byte integer | BeaconDataInt |
| s | 2-byte short integer | BeaconDataShort |
| z | Zero-terminated + encoded string | BeaconDataExtract |
| Z | Zero-terminated wide-char string (`wchar_t *`) | BeaconDataExtract |

Example BOF
```yaml
options:
  - name: Architecture
    description: Architecture of the beacon_funcs.o to generate with (x64 or x86).
    required: true
    value: x64
    strict: true
    suggested_values:
      - x64
      - x86
  - name: Filepath
    description: Filepath to search for permissions.
    required: true
    value: 'C:\\windows\\system32\\cmd.exe'
    format: Z
bof:
  x86: bof/situational_awareness/cacls.x86.o
  x64: bof/situational_awareness/cacls.x64.o
  entry_point: ''
  format_string: Z
```

BOF modules also support the `advanced.custom_generate` method of generating the script.
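
The field rules and the format table above can be checked mechanically before a module is loaded. The linter below is an added example, not the project's own code: it takes the module YAML already parsed into a dict and reports which rules are broken and which C unpack call each packed option needs. It assumes that options carrying a `format` are packed in listed order, so their characters spell `bof.format_string`; `GOOD` and `BAD` are constructed inputs.

```python
UNPACK = {  # format character -> C unpack call, per the table above
    "b": "BeaconDataExtract", "i": "BeaconDataInt", "s": "BeaconDataShort",
    "z": "BeaconDataExtract", "Z": "BeaconDataExtract",
}
LEGACY = ("script", "script_path", "script_end")  # not used by BOF modules

def lint_bof_module(module):
    """Return (problems, unpack_plan) for a module dict loaded from YAML."""
    problems = []
    for key in LEGACY:
        if module.get(key):
            problems.append(f"'{key}' is not used by BOF modules")
    bof = module.get("bof") or {}
    for arch in ("x86", "x64"):
        if not bof.get(arch):
            problems.append(f"bof.{arch} (object file path) is missing")
    options = module.get("options") or []
    if not any(o.get("name") == "Architecture" for o in options):
        problems.append("an Architecture option is required")
    fmt = str(bof.get("format_string") or "")
    for ch in fmt:
        if ch not in UNPACK:
            problems.append(f"unknown format character {ch!r}")
    # Assumption (not stated on the page): options that carry a 'format'
    # are packed in listed order, so their characters spell format_string.
    packed = [o for o in options if o.get("format")]
    if "".join(o["format"] for o in packed) != fmt:
        problems.append("option formats do not match bof.format_string")
    # Which Beacon API call the C side needs for each argument, in order.
    plan = [(o["name"], o["format"], UNPACK.get(o["format"], "?")) for o in packed]
    return problems, plan

# Constructed input mirroring the page's example module.
GOOD = {
    "options": [
        {"name": "Architecture", "required": True, "value": "x64"},
        {"name": "Filepath", "required": True, "format": "Z",
         "value": r"C:\\windows\\system32\\cmd.exe"},
    ],
    "bof": {"x86": "bof/situational_awareness/cacls.x86.o",
            "x64": "bof/situational_awareness/cacls.x64.o",
            "entry_point": "", "format_string": "Z"},
}
# Constructed broken variant; the file names are placeholders.
BAD = {"script_path": "placeholder.ps1",
       "options": [{"name": "Filepath", "format": "Z"}],
       "bof": {"x64": "placeholder.x64.o", "format_string": "Zq"}}

if __name__ == "__main__":
    for label, mod in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, *lint_bof_module(mod), sep="\n  ")
```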