frkngksl / Shoggoth

Shoggoth: Asmjit Based Polymorphic Encryptor
623 stars, 83 forks

Revamp COFF argument handling #4

Closed Octoberfest7 closed 3 months ago

Octoberfest7 commented 3 months ago

Hi there, great project!

The way Shoggoth handled provided COFF arguments wasn't working, so I spent some time revamping this. Now you can use TrustedSec's beacon_generate.py script (which has been included as COFFArgGenerate/beacon_generate.py) to generate COFF arguments (of any number and of any type) which can then be provided to shoggoth via --coff-arg. An example usage is shown below:

Shoggoth.exe -i testBOF.o -o testPIC.bin -m coff --coff-arg 0a0000000600000068656c6c6f00

I noticed that when you run a BOF through Cobalt Strike, even if no arguments are provided, the length member of go() will still be 4. This is because CobaltStrike ALWAYS sends an argument buffer to BOFs, regardless of whether a user supplies arguments. When no user args are specified, CS sends a 4-byte long argument buffer that contains an integer describing how long the overall argument buffer is (which is 4 bytes in this case). To emulate this and simplify the need for separate arguments vs no arguments code blocks, if the --coff-arg switch isn't used Shoggoth will artificially create the "default" args of 4 bytes to send to the BOF.
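The buffer layout the PR relies on can be checked from the hex string in the description: `0a000000` is a little-endian uint32 saying 10 bytes follow, `06000000` is the length of the one string argument, and `68656c6c6f00` is "hello" with its NUL terminator. The following is an added example, not code from Shoggoth or from TrustedSec's beacon_generate.py; it packs an argument list in that layout and parses it back the way a BOF would through BeaconDataParse/BeaconDataInt/BeaconDataExtract, with the bounds checks a loader should apply before handing the buffer to go(). The type letters i, s, z, Z and b are taken from Cobalt Strike's bof_pack convention; their exact encodings here (int16 for s, UTF-16LE for Z) are assumptions.

```python
"""Pack and parse BOF argument buffers (added example, not project code).

Layout, inferred from the PR's example buffer and the Beacon API:
  uint32 LE length of the bytes that follow, then each argument in order.
Type letters follow bof_pack (assumed): i int32, s int16, z NUL-terminated
string, Z NUL-terminated UTF-16LE string, b length-prefixed binary blob.
"""
import struct


def pack_args(args):
    """args: list of (type_letter, value). Returns header + packed body."""
    body = b""
    for kind, value in args:
        if kind == "i":
            body += struct.pack("<i", value)
        elif kind == "s":
            body += struct.pack("<h", value)
        elif kind == "z":
            data = value.encode("utf-8") + b"\x00"
            body += struct.pack("<L", len(data)) + data
        elif kind == "Z":
            data = value.encode("utf-16-le") + b"\x00\x00"
            body += struct.pack("<L", len(data)) + data
        elif kind == "b":
            body += struct.pack("<L", len(value)) + value
        else:
            raise ValueError(f"unknown arg type {kind!r}")
    # An empty argument list still yields the 4-byte header-only buffer.
    return struct.pack("<L", len(body)) + body


class BeaconArgParser:
    """Mirrors BeaconDataParse/Int/Short/Extract, but every read is bounds-checked."""

    def __init__(self, buf):
        if len(buf) < 4:
            raise ValueError("buffer shorter than the 4-byte length header")
        (declared,) = struct.unpack_from("<L", buf, 0)
        self.data = buf[4:]
        if declared != len(self.data):
            raise ValueError(f"header declares {declared} bytes, buffer holds {len(self.data)}")
        self.pos = 0

    def _take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("argument runs past the end of the buffer")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def int(self):
        return struct.unpack("<i", self._take(4))[0]

    def short(self):
        return struct.unpack("<h", self._take(2))[0]

    def extract(self):
        (n,) = struct.unpack("<L", self._take(4))
        return self._take(n)

    def string(self):
        raw = self.extract()
        if not raw.endswith(b"\x00"):
            raise ValueError("string argument is not NUL-terminated")
        return raw[:-1].decode("utf-8")

    def wstring(self):
        raw = self.extract()
        if len(raw) < 2 or raw[-2:] != b"\x00\x00":
            raise ValueError("wide string argument is not NUL-terminated")
        return raw[:-2].decode("utf-16-le")

    def remaining(self):
        return len(self.data) - self.pos


def unpack_args(buf, spec):
    """spec: type letters in pack order, e.g. 'zi'. Returns the decoded values."""
    p = BeaconArgParser(buf)
    readers = {"i": p.int, "s": p.short, "z": p.string, "Z": p.wstring, "b": p.extract}
    out = [readers[k]() for k in spec]
    if p.remaining():
        raise ValueError(f"{p.remaining()} unconsumed bytes after parsing {spec!r}")
    return out


# The buffer from the PR description, reconstructed from its hex string.
PR_EXAMPLE = bytes.fromhex("0a0000000600000068656c6c6f00")

if __name__ == "__main__":
    print(pack_args([("z", "hello")]).hex())  # 0a0000000600000068656c6c6f00
    print(unpack_args(PR_EXAMPLE, "z"))       # ['hello']
```

Parsing with a declared type spec and failing closed on any length mismatch is the useful part for a loader: the real BeaconDataExtract trusts the inner length field, so a buffer whose header and per-argument lengths disagree should be rejected before the BOF ever sees it.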

frkngksl commented 3 months ago

Amazing @Octoberfest7 !