Coffee
Coffee is a custom implementation of the original Cobalt Strike's beacon_inline_execute. It is written in Rust and supports most of the features of the Cobalt Strike compatibility layer. Coffee is structured so it can be used as a library in other projects too.
The original blog post can be found here: https://labs.hakaioffsec.com/coffee-a-coff-loader-made-in-rust/
Usage
)
Arguments
Arguments for the BOF can be passed after the --
delimiter. Each argument must be prefixed with the type of the argument followed by a colon (:
). The following types are supported:
str
- A null-terminated stringwstr
- A wide null-terminated stringint
- A signed 32-bit integershort
- A signed 16-bit integer
Example
Using the dir.x64.o
BOF from the trustedsec/CS-Situational-Awareness-BOF repository and passing arguments to the BOF:
Usage as library
Coffee can be used as a library in other projects. The following example shows how to use Coffee to load a BOF and execute the BOF:
use Coffee;
The example above will execute the BOF passed as an array of bytes and show the output in console.
The detailed documentation can be found at: https://docs.rs/coffee-ldr/latest/coffee_ldr/loader/struct.Coffee.html
Building from source
- Install Rust from https://rustup.rs/
- Clone the repository
- Build the project using
License
Coffee is licensed under the GNU GPLv3 license. See LICENSE for more information.
Contributing
Pull requests are welcome. Please open an issue first to discuss what you would like to change.
References
Thanks to the amazing people who have written about COFF loaders and helped me understand the format:
- https://github.com/trustedsec/COFFLoader
- https://github.com/Cracked5pider/CoffeeLdr
- https://github.com/yamakadi/ldr
- https://www.trustedsec.com/blog/coffloader-building-your-own-in-memory-loader-or-how-to-run-bofs/
- https://0xpat.github.io/Malware_development_part_8/
- https://otterhacker.github.io/Malware/CoffLoader.html
- https://signal-labs.com/trainings/offensive-tool-development/
- https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#coff-file-header-object-and-image
- https://blog.cloudflare.com/how-to-execute-an-object-file-part-1/