Simple BOF Runner
This project demonstrates running a Beacon Object File with a PIC loader.
Project Files
Notes
To generate a PIC loader to run a BOF, use:
./link loader.spec /path/to/bof.x64.o out.bin
This example is most interesting as a demonstration of another way to prepare and run BOFs within a PIC capability.
The bofprep.spec script merges a partial implementation of the Beacon Object File API into a BOF and uses attach to resolve the BOF API imports to the merged functions. This approach greatly reduces the code needed in a capability context to run a BOF. This script is a re-usable base for other projects.
The loader.spec script accepts a BOF as an argument, turns it into a PICO, and uses bofprep.spec to bring in the API. The +optimize flag ensures unused API functions are removed from the BOF at export. The BOF PICO is appended to the loader and linked to the my_data section.
The loader.c file is our BOF runner. You'll notice it's no different from a PICO runner, because PICOs are BOFs without the API. This program implements one function from the Beacon API: BeaconOutput. This function is made available to the PICO via the BOFIMPORTS struct (loader.c) and the import command in bofprep.spec. The .spec file import command tells the PICO loader which functions to expect in the struct passed to PicoLoad.
This loader doesn't pass arguments to the BOF.
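As an added example (not part of this project's code), the following Python lists the imports an x64 BOF declares in its COFF symbol table. That shows which Beacon API functions a runner must supply (this loader supplies only BeaconOutput) and gives an analyst a quick triage view of the Win32 calls a BOF requests. It assumes the usual BOF convention of `__imp_`-prefixed import symbols and `LIBRARY$Function` names for Win32 calls; `list_imports` and `build_sample` are hypothetical names, and the sample object is constructed.

```python
import struct

FILE_HDR = struct.Struct("<HHIIIHH")  # IMAGE_FILE_HEADER, 20 bytes
SYMBOL = struct.Struct("<8sIhHBB")    # IMAGE_SYMBOL, 18 bytes
IMP = "__imp_"                        # assumed x64 import symbol prefix

def symbol_name(raw, strtab):
    """Names over 8 bytes are stored as an offset into the string table."""
    zeros, offset = struct.unpack("<II", raw)
    if zeros != 0:
        return raw.rstrip(b"\0").decode("ascii", "replace")
    end = strtab.find(b"\0", offset)
    if offset < 4 or end < 0:
        raise ValueError("string table offset out of range")
    return strtab[offset:end].decode("ascii", "replace")

def list_imports(obj):
    """Return (beacon_api, win32) import names from an x64 COFF object."""
    if len(obj) < FILE_HDR.size:
        raise ValueError("truncated COFF header")
    machine, _, _, symoff, nsyms, _, _ = FILE_HDR.unpack_from(obj)
    if machine != 0x8664:
        raise ValueError("not an x64 COFF object")
    strtab_off = symoff + nsyms * SYMBOL.size
    if strtab_off > len(obj):
        raise ValueError("symbol table runs past end of file")
    strtab, beacon, win32, i = obj[strtab_off:], [], [], 0
    while i < nsyms:
        raw, _, section, _, sclass, naux = SYMBOL.unpack_from(obj, symoff + i * SYMBOL.size)
        i += 1 + naux                    # skip auxiliary records
        if section != 0 or sclass != 2:  # keep undefined external symbols only
            continue
        name = symbol_name(raw, strtab)
        if name.startswith(IMP):
            name = name[len(IMP):]
            (win32 if "$" in name else beacon).append(name)
    return sorted(beacon), sorted(win32)

def build_sample():
    """Constructed object: one defined symbol (go) and two imports."""
    syms, strtab = b"", b""
    for n in (b"__imp_BeaconOutput", b"__imp_KERNEL32$GetLastError"):
        syms += SYMBOL.pack(struct.pack("<II", 0, 4 + len(strtab)), 0, 0, 0, 2, 0)
        strtab += n + b"\0"
    syms += SYMBOL.pack(b"go", 0, 1, 0x20, 2, 0)
    strtab = struct.pack("<I", 4 + len(strtab)) + strtab
    hdr = FILE_HDR.pack(0x8664, 1, 0, 20 + 40, 3, 0, 0)
    return hdr + bytes(40) + syms + strtab  # 40 zero bytes stand in for a section header
```

Any Beacon API name in the first list other than BeaconOutput is one this runner does not implement.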
Conversation
- Beacon Object Files were introduced in Fortra's Cobalt Strike 4.1 (2020) release. The original demo video is a favorite material I produced.
- Beacon Object Files – Five Years On... (2025) describes the road to BOFs in Cobalt Strike.
- A Developer's Introduction to Beacon Object Files (2020) by Christopher Paschen provides a first impression of this convention and introduces the BOF-canonical Situational Awareness BOF collection.
- COFFLoader: Building your own in memory loader or how to run BOFs (2021) by Kevin Haubris describes COFF internals and introduces COFFLoader, the open source project that democratized this convention across the C2 space.
- Awesome-BOF (2025) by crusher is a searchable database of 1,100+ (and counting) BOFs implementing all manner of post-exploitation verbs.
- Detonating Beacons to Illuminate Detection Gaps (2025) by Mika Ayenson, PhD, Miguel Garzon, and Samir Bousseaden discusses a signals extraction pipeline that ingests Beacon Object Files. A demonstration of stand-alone containerized functionality serving as use-case agnostic ground truth.
- BOF Cocktails (2025) by Rasta Mouse introduces the idea of merging tradecraft with a BOF at time-of-use. This in effect makes a post-load BOF self-evading and not dependent on the C2 agent for evasion tradecraft.
License
This project is licensed under the BSD License.