Goffloader: In-Memory Execution, No Disk Required


The security company Praetorian has released GoffLoader, a tool designed to simplify the execution of BOF files and unmanaged Cobalt Strike PE files directly in memory, without writing any files to disk.

GoffLoader is a COFF and PE loader implemented entirely in Go. It runs BOFs (Beacon Object Files) and unmanaged Cobalt Strike PE files from memory and writes nothing to disk, which lets it bypass traditional defenses that inspect files on disk.

GoffLoader lets Go-based tools reuse existing C/C++ functionality without the complexity of CGO (C language bindings for Go), which gives them access to rich libraries of security-focused code.

The ability to load and execute code in memory, without leaving a trace on disk, offers a significant advantage in bypassing static signature detection. The developers have successfully demonstrated this capability by running an embedded version of Mimikatz, a well-known credential harvesting tool, without resorting to intricate evasion techniques.

GoffLoader’s user-friendly design makes it easy to integrate with existing Go projects. The go:embed directive allows for seamless loading of BOF or PE files, and the provided examples in the GitHub repository offer clear guidance on its usage.
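For defenders, a file pulled in with go:embed is stored inside the compiled binary, so one static triage check is to look for a second PE header inside a Go executable. The sketch below is an added example, not code from GoffLoader or Praetorian; it assumes the embedded PE is stored unencoded, and the function names and sample bytes are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// FindEmbeddedPE returns the offset of every "MZ" header after offset 0
// whose e_lfanew field (at +0x3c) points to a "PE\0\0" signature that lies
// inside the buffer. Offset 0 is the host executable itself and is skipped.
func FindEmbeddedPE(data []byte) []int {
	var hits []int
	for i := 1; i+0x40 <= len(data); i++ {
		if data[i] != 'M' || data[i+1] != 'Z' {
			continue
		}
		lfanew := int(binary.LittleEndian.Uint32(data[i+0x3c:]))
		if lfanew < 0x40 || lfanew > len(data)-i-6 {
			continue // header pointer missing or out of bounds
		}
		pe := i + lfanew
		if bytes.Equal(data[pe:pe+4], []byte("PE\x00\x00")) {
			hits = append(hits, i)
		}
	}
	return hits
}

// fakePE builds a constructed, non-executable header stub for the demo.
func fakePE() []byte {
	b := make([]byte, 0x100)
	copy(b, "MZ")
	binary.LittleEndian.PutUint32(b[0x3c:], 0x80)
	copy(b[0x80:], "PE\x00\x00")
	return b
}

// ConstructedSample is a host stub, a stray "MZ" string, then a nested stub.
func ConstructedSample() []byte {
	s := append(fakePE(), []byte("padding MZ not a header ")...)
	return append(s, fakePE()...)
}

func main() {
	for _, off := range FindEmbeddedPE(ConstructedSample()) {
		fmt.Printf("nested PE header at offset 0x%x\n", off)
	}
}
```

BOF files are COFF objects with no MZ header, so this check covers only the embedded-PE case, and a hit is a reason to inspect the file further rather than a verdict.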

While GoffLoader is already a powerful tool, its development is ongoing. Future updates promise support for 32-bit systems, enhanced flexibility in PE execution, and broader implementation of the Beacon API.