cli4bofs v0.9.0 Release Notes
Our cli4bofs tool allows you to execute, build and maintain collections of BOF files outside of the Cobalt Strike environment.
With this release the tool reaches a major milestone toward version 1.0; therefore the version is bumped straight from v0.3.0 to v0.9.0. Notable additions and modifications are listed below:
Added support for displaying documentation for API-style BOFs
In addition to classical BOFs, where the go() function is the BOF's entry point, bof-launcher supports a special kind of BOF dubbed API-style BOFs. These BOFs are meant to be used in a similar way to DLL/.so libraries, but with all the advantages of BOFs (i.e. no dlopen/dlsym calls, no noisy DLL reflection).
The following capabilities in bof-launcher are in place to support this functionality:
- the ability to store multiple BOFs in memory simultaneously; each loaded BOF is identified by a handle of type BofObjectHandle;
- unloading of each BOF only on demand, with the void bofObjectRelease(BofObjectHandle bof_handle) function;
- the void* bofObjectGetProcAddress(BofObjectHandle bof_handle, const char* name) function, which returns a pointer to the function with the provided name from the BOF identified by bof_handle;
- the int bofObjectIsValid(BofObjectHandle bof_handle) function, which allows checking whether the BOF identified by its handle is still valid (i.e. not already unloaded).
Combining these capabilities allows you to:
- develop BOFs that are libraries of commonly used routines;
- provide alternative implementations of common behaviour/actions (e.g.
- modularize developed software (i.e. a post-exploitation implant) and provide required functionality only when it is needed.
For an example of an API-style BOF, check out our kmodLoader BOF for Linux. Its documentation is shown below:
More flexible BOFs listing
The ‘list’ command now allows filtering the displayed BOFs by a provided tag:
Included documentation for a number of third party BOFs
Added BOF-curated-collection.yaml to the repository. BOF-curated-collection contains documentation for commonly used 3rd-party BOFs. To take advantage of it, just rename it to BOF-collection.yaml and drop it into the directory with your cli4bofs binary.
Included companion script for downloading BOFs collection sources
Added the fetch-3rdparty-BOFs.py script to the repository. The fetch-3rdparty-BOFs script conveniently fetches all source files for the BOFs included in a specified BOF collection yaml file, allowing all the BOFs to be built in a batch.
The invocation below:
$ python fetch-3rdparty-BOFs.py BOF-curated-collection.yaml BOFs
will fetch all the sources required to build the BOFs from the BOF-curated-collection.yaml collection file and store them in the BOFs directory, in a hierarchical directory structure:
BOFs/Cerbersec/KillDefender
BOFs/Outflank/Domaininfo
BOFs/Outflank/ReconAD
BOFs/Outflank/Smbinfo
BOFs/rasta-mouse/ppenum
BOFs/Trustedsec/adcs_enum
BOFs/Trustedsec/arp
BOFs/Trustedsec/cat
BOFs/Trustedsec/listmods
BOFs/Trustedsec/pwd
BOFs/Trustedsec/tasklist
BOFs/X-Force-Red/detect-hooks
BOFs/Z-Labs/hostid
BOFs/Z-Labs/hostname
BOFs/Z-Labs/id
BOFs/Z-Labs/ifconfig
BOFs/Z-Labs/kmodLoader
BOFs/Z-Labs/tcpScanner
BOFs/Z-Labs/udpScanner
BOFs/Z-Labs/uname
Additionally, a ready-to-use array of BOFs will be displayed:
const bofs_my_custom = [_]Bof{
.{ .name = "udpScanner", .dir = "Z-Labs/udpScanner/", .formats = &.{ .coff, .elf }, .archs = &.{ .x64, .x86, .aarch64, .arm } },
.{ .name = "tcpScanner", .dir = "Z-Labs/tcpScanner/", .formats = &.{ .coff, .elf }, .archs = &.{ .x64, .x86, .aarch64, .arm } },
.{ .name = "uname", .dir = "Z-Labs/uname/", .formats = &.{ .elf }, .archs = &.{ .x64, .x86, .aarch64, .arm } },
.{ .name = "hostid", .dir = "Z-Labs/hostid/", .formats = &.{ .elf }, .archs = &.{ .x64, .x86, .aarch64, .arm } },
.{ .name = "hostname", .dir = "Z-Labs/hostname/", .formats = &.{ .elf }, .archs = &.{ .x64, .x86, .aarch64, .arm } },
.{ .name = "id", .dir = "Z-Labs/id/", .formats = &.{ .elf }, .archs = &.{ .x64, .x86, .aarch64, .arm } },
.{ .name = "ifconfig", .dir = "Z-Labs/ifconfig/", .formats = &.{ .elf }, .archs = &.{ .x64, .x86, .aarch64, .arm } },
.{ .name = "kmodLoader", .dir = "Z-Labs/kmodLoader/", .formats = &.{ .elf }, .archs = &.{ .x64, .x86, .aarch64, .arm } },
.{ .name = "cat", .dir = "Trustedsec/cat/", .formats = &.{ .elf }, .archs = &.{ .x64, .x86, .aarch64, .arm } },
.{ .name = "tasklist", .dir = "Trustedsec/tasklist/", .formats = &.{ .elf }, .archs = &.{ .x64, .x86, .aarch64, .arm } },
.{ .name = "pwd", .dir = "Trustedsec/pwd/", .formats = &.{ .elf }, .archs = &.{ .x64, .x86, .aarch64, .arm } },
.{ .name = "listmods", .srcfile = "entry", .dir = "Trustedsec/listmods/", .formats = &.{ .coff }, .archs = &.{ .x64, .x86 } },
.{ .name = "adcs_enum", .srcfile = "entry", .dir = "Trustedsec/adcs_enum/", .formats = &.{ .coff }, .archs = &.{ .x64, .x86 } },
.{ .name = "arp", .srcfile = "entry", .dir = "Trustedsec/arp/", .formats = &.{ .coff }, .archs = &.{ .x64, .x86 } },
.{ .name = "Domaininfo", .dir = "Outflank/Domaininfo/", .formats = &.{ .coff }, .archs = &.{ .x64, .x86 } },
.{ .name = "Smbinfo", .dir = "Outflank/Smbinfo/", .formats = &.{ .coff }, .archs = &.{ .x64, .x86 } },
.{ .name = "ReconAD", .dir = "Outflank/ReconAD/", .formats = &.{ .coff }, .archs = &.{ .x64, .x86 } },
.{ .name = "KillDefender", .dir = "Cerbersec/KillDefender/", .formats = &.{ .coff }, .archs = &.{ .x64, .x86 } },
.{ .name = "ppenum", .dir = "rasta-mouse/ppenum/", .formats = &.{ .coff }, .archs = &.{ .x64, .x86 } },
.{ .name = "detect-hooks", .dir = "X-Force-Red/detect-hooks/", .formats = &.{ .coff }, .archs = &.{ .x64, .x86 } },
};
To build all the BOFs, just replace the empty array in the bofs/build.zig file with the one above:
const bofs_my_custom = [_]Bof{
//.{ .name = "bof", .formats = &.{ .elf, .coff }, .archs = &.{ .x64, .x86, .aarch64, .arm } },
};
Copy the BOFs directory together with its subdirectories into the bof-launcher repository directory structure, like this (the command below assumes that copying is performed from outside the cli4bofs repository's root directory and that the bof-launcher repository resides next to it):
cp -r cli4bofs/BOFs/* bof-launcher/bofs/src/
Jump to the bof-launcher directory and build the project:
cd bof-launcher
zig build
All BOFs should be built and reside in the zig-out/bin/ directory.
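As an added sanity check for the batch-build procedure above (example code, not part of cli4bofs or bof-launcher): it parses the bofs_my_custom entries in the format printed by fetch-3rdparty-BOFs.py and reports any entry whose fetched source is missing, so a mismatch between the array and the copied tree shows up before zig build runs. It assumes that each entry is compiled from <dir>/<srcfile>.c or .zig, with srcfile defaulting to the BOF name (as the .srcfile = "entry" entries suggest); the sample array text and directory tree are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# One bofs_my_custom entry as shown in the release notes (srcfile is optional).
ENTRY_RE = re.compile(
    r'\.\{\s*\.name\s*=\s*"(?P<name>[^"]+)"'
    r'(?:\s*,\s*\.srcfile\s*=\s*"(?P<srcfile>[^"]+)")?'
    r'\s*,\s*\.dir\s*=\s*"(?P<dir>[^"]+)"'
)

# Constructed sample array in the format printed by fetch-3rdparty-BOFs.py.
SAMPLE_ARRAY = """const bofs_my_custom = [_]Bof{
    //.{ .name = "bof", .formats = &.{ .elf, .coff }, .archs = &.{ .x64 } },
    .{ .name = "udpScanner", .dir = "Z-Labs/udpScanner/", .formats = &.{ .coff, .elf }, .archs = &.{ .x64 } },
    .{ .name = "listmods", .srcfile = "entry", .dir = "Trustedsec/listmods/", .formats = &.{ .coff }, .archs = &.{ .x64 } },
    .{ .name = "Domaininfo", .dir = "Outflank/Domaininfo/", .formats = &.{ .coff }, .archs = &.{ .x64 } },
};
"""

def parse_bof_array(zig_text):
    """Return (name, dir, srcfile) per uncommented entry; srcfile defaults to name."""
    entries = []
    for line in zig_text.splitlines():
        m = ENTRY_RE.search(line.split("//", 1)[0])  # ignore // line comments
        if m:
            entries.append((m["name"], m["dir"], m["srcfile"] or m["name"]))
    return entries

def missing_sources(zig_text, src_root):
    """Names of entries with no <dir>/<srcfile>.c or .zig under src_root.
    Assumption (not stated in the notes): the build compiles exactly that file."""
    missing = []
    for name, bof_dir, srcfile in parse_bof_array(zig_text):
        if not any(Path(src_root, bof_dir, srcfile + ext).is_file() for ext in (".c", ".zig")):
            missing.append(name)
    return missing

def demo():
    """Constructed tree: two entries have sources, Domaininfo was fetched without one."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("Z-Labs/udpScanner/udpScanner.zig", "Trustedsec/listmods/entry.c"):
            Path(root, rel).parent.mkdir(parents=True)
            Path(root, rel).write_text("// constructed placeholder\n")
        Path(root, "Outflank/Domaininfo").mkdir(parents=True)  # fetched, but empty
        return missing_sources(SAMPLE_ARRAY, root)

if __name__ == "__main__":
    print("entries without sources:", demo())  # ['Domaininfo']
```

Run it against the real bof-launcher/bofs/src tree by passing that path and the contents of bofs/build.zig to missing_sources.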