COFF-Loader

This is a reimplementation of TrustedSec COFF Loader. I decided to create this repo to challenge my understanding of the Windows PE Format. This technique was originally used in Cobalt Strike. This project utilizes Visual Studio 2022 for those who wish to employ the VS Debugger and trace the execution of its memory operations loader.

While coding this I mainly used the following resources:

• Microsoft PE Format
• Otterhacker's COFF Loader Article

Usage

COFFLoader.exe <function name> <COFF file path>

The function name is the name BOF function entry name. This is typically "go"

Example:

COFFLoader.exe "go" C:\Github\COFF-Loader\BOF\test64.out

BOF Arguments

In order to pass arguments to the BOF I used the exact same code that Otterhacker's COFF Loader uses. The struct is as follows:

typedef struct _Arg {
    char* value;
    size_t size;
    BOOL includeSize;
} Arg;

You can see an example of this used here on line 25.

Example

In the example below I used the BOF file that I modified from TrustedSec BOF example. This simple BOF shows that the COFF loader was able to successfully was able to relocate all the symbols in different formats. Included in this I included the modified BOF in BOF/test.c directory. You can use the make file to compile it with gcc or run the following command:

x86_64-w64-mingw32-gcc -c test.c -o test64.out

References

• Microsoft PE Format
• THIS IS AN AMAZING BLOG WRITE UP --> Otterhacker COFF Loader Article
• TrustedSec COFFLoader
• TrustedSec Situational Awareness BOF Repo
• Otterhacker COFF Loader Repo
• Cobalt Strike BOF C API
• Video to GIF