GoffLoader: Headache or New Pentester Favorite?

Praetorian has released a tool that simplifies the execution of malicious code.

Security firm Praetorian has released GoffLoader, a tool that makes it easy to execute Cobalt Strike BOF files and unmanaged PE files directly in memory without writing any files to disk.

GoffLoader is a pure Go, in-memory implementation of a COFF and PE loader. The tool aims to make functionality traditionally confined to the C/C++ world easily accessible to security tooling written in Go.

The developers of GoffLoader aimed to expand Go's security capabilities: entire repositories of useful functionality now become available through this library. In addition, GoffLoader avoids the complexities of using CGO to integrate C code with Go.

One of the advantages of GoffLoader is its potential to bypass static signatures. The developers successfully launched an embedded build of Mimikatz without having to apply complex evasion techniques.

GoffLoader is designed to make it as easy as possible to load BOF or PE files using the go:embed directive. Here is example code that runs an embedded executable and prints its console output:

Code:
package main

import (
	_ "embed" // needed for the //go:embed directive
	"fmt"
	"github.com/praetorian-inc/goffloader/src/pe"
)

//go:embed hello.exe
var helloBytes []byte

func main() {
	// Run the embedded PE in memory and capture its console output.
	output, err := pe.RunExecutable(helloBytes, []string{"Arg1", "Arg2", "Arg3"})
	if err != nil {
		panic(err)
	}
	fmt.Println(output)
}

Full examples of running BOF or PE files can be found in the cmd folder of the GitHub repository. The ability to run PE files is implemented using the No-Consolation BOF.

Despite its advantages, GoffLoader has a number of limitations. At the moment the COFFLoader implementation supports only the x64 architecture, although support for 32-bit systems is planned in the near future. PE execution currently relies on loading the BOF with hard-coded arguments; more flexible approaches will be supported in future updates.

The implementation of the Beacon API is partial. While most BOFs only use basic features such as argument parsing and output, some parts of beacon.h have yet to be implemented.

Praetorian has open-sourced GoffLoader in support of its Chariot BAS (Breach & Attack Simulation) product. The company hopes that the new tool will be an invaluable resource for security professionals and enthusiasts.

The developers express their gratitude to a number of projects and individuals whose work played an important role in the creation of the new tool. Among them are the go-coff project by Ne0nD0g, the blog posts about COFFLoader by TrustedSec and OtterHacker, the No-Consolation BOF by Fortra, and the developers of the Go pecoff library.
