This took me like 4 days (+2 days for an update), but I got it working… rust core + alloc for Cobalt Strike BOFs.
This is very much a PoC, but I’d love to see others playing around with it and contributing.
cargo install cargo-make
cargo make
Edit the entry function in rustbof/src/lib.rs. You can add new args by using the bof_pack
function in the aggressor script, just don’t change the first two because those are the relocations.
I feel like I want to write a blog post about it at some point, but for now, here was the process:
--emit=obj
flag that will just emit the object files into the deps folder of the targetbeacon_inline_execute
. Why? OBJExecutable
and OBJParser
classes in cobaltstrike.jar have main functions that take the path to an object file and print a bunch of useful information!strip
works! strip
actually has a --strip-uneeded
flag that strips everything not needed for relocations, like debug info!rust_oom
and __rust_alloc
. ld -i
. How can I get rid of these symbols? --gc-sections
flag for ld, which allows you to define a root symbol via the -u
flag and then it gets rid of any symbols that aren’t ever referenced. That also fixes it.__imp_
symbols? #[link_name = "__imp_KERNEL32$OutputDebugStringA]
__imp_
symbols are supposed to be pointers to the import table and not functions themselves, so rust thinks that the symbol is a single pointer to a function and not a double pointer to a function. unsafe { make my function pointer a double pointer}(args)
every time I want to make a call.__imp_
method, but I was only able to get it working on variables and not functions, so it was kind of useless.deref
when a type is called. So you can wrap the function pointer in a type and then implement core::ops::Deref
for that type to cast the pointer to a double pointer on the fly. __rust_alloc
and rust_oom
. Why? #[link_section = ".data"]
. Fixed.format!
macro in alloc
to make an allocated String
. It crashes! What gives? pe.OBJExecutable.getRelocations
that creates a relocation structure for symbols in .text, but nothing else.OBJExecutable
class to parse the COFF and the Parser
class to pack in the extra relocations. getRelocations
. The rust side gets the info via the BOF arguments and then applies the relocations..data
and .rdata
sections, but we don’t know where those are from our code.refptr
symbol. How do I stop it from doing that? __
. How can we resolve that??? _imp_
instead of __imp_
cfg_attr
to make the import name have the correct number of underscores depending on the targetcfg_attr
to the __section_start__
symbols from the linker to use a link name minus one underscore for x86 only.chkstk
… which I’ve dealt with at lengthNTDLL!_chkstk
and define a __chkstk
ourselves that calls ityeah and now both 32 and 64 bit BOFs work.
I haven’t tried anything too incredibly fancy yet, but let me know if there are issues.
For more information click here.
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…