COFF stands for Common Object File Format, it is the file format generated by compilers after the code-generation stage, they typically include only the machine code or assembly code generated from the corresponding source code without any external dependencies. beacon_inline_execute is a custom Windows COFF loader made primarily by Cobalt Strike, which the main goal is to load a BOF (Beacon Object File) in-memory and handle custom internal functions that are implemented in the loader’s code and external functions: Windows API calls.

BOFs can be used to execute code in the target machine, in-memory, without loading any shellcode or injecting into a remote process. They are executed in the current thread and its code is relocated in the memory space, being very useful for going under the radar. Not only BOFs are very useful for bypassing AV/EDR protection, but they can easily escalate the scope of C2 agents by providing the ability to load dynamic tasks.

This is where Coffee comes in: a Rust COFF loader made with BOFs in mind. Coffee works by parsing the object file format, allocating necessary memory for execution, and calling the entry-point inside our loader’s process. Finally, the code gets executed and the output is written to the terminal.

Coffee’s GitHub repository can be found at: https://github.com/hakaioffsec/coffee
Coffee’s Blog Post can be found at: https://labs.hakaioffsec.com/coffee-a-coff-loader-made-in-rust/

Speaker:

Rafael Felix has been working with malware development for 2 years, also being involved in the malware community for more than 4 years. He is also experienced in Incident and Response, specifically during malware inner workings analysis. Currently, Rafael is a researcher for [Hakai Offensive Security](https://labs.hakaioffsec.com/), being deeply involved with COFF format and BOFs and how they can be used in the context of red-team operations.