// Beacon Object File Loader Masterclass
A standalone COFF (Common Object File Format) loader that executes Beacon Object Files (BOFs) outside of Cobalt Strike. Understand in-process execution of position-independent object code, COFF section loading, symbol resolution, relocation fixups, and the Beacon API compatibility layer. By TrustedSec.
BOFs explained, why in-process execution matters, advantages over fork-and-run, and why COFFLoader brings BOFs outside Cobalt Strike.
02 BeginnerCOFF header, section table, symbol table, string table, relocation entries — understanding the raw binary format that BOFs compile to.
03 BeginnerBeaconPrintf, BeaconDataParse, BeaconDataExtract, the datap/formatp structures, and the Beacon compatibility layer that BOFs depend on.
04 IntermediateParsing section headers, VirtualAlloc with RWX, copying raw data, handling .text, .data, .rdata, .bss, and section characteristics.
05 IntermediateParsing the symbol table, resolving external symbols, the __imp_ prefix convention, LoadLibraryA/GetProcAddress resolution, and function pointer tables.
06 IntermediateIMAGE_REL_AMD64_ADDR64, REL32, ADDR32NB — applying fixups to loaded sections so code and data references point to the right addresses.
07 AdvancedImplementing BeaconPrintf, BeaconOutput, BeaconDataParse outside CS, the InternalFunctions table, dynamic API resolution, and beacon_funcs mapping.
08 AdvancedComplete loader walkthrough, writing custom BOFs, MSVC/MinGW compilation flags, security considerations, and comparison with bof-launcher.
github.com/trustedsec/COFFLoadergithub.com/trustedsec/CS-Situational-Awareness-BOFgithub.com/The-Z-Labs/bof-launcherhstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguidelearn.microsoft.com/en-us/windows/win32/debug/pe-formatTrustedSec (@truaborern, Kevin Haubris)