| BOF name | Description | Supported platforms | Example |
| --- | --- | --- | --- |
| z-beac0n core | The so-called BOF zero (BOF0): a BOF that operates as a standalone implant, manages other loaded BOFs, and is capable of executing other BOFs | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 | z-beac0n |
| tcpScanner | TCP connect() port scanner | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 | `tcpScanner 4.3.2.1-255:22,80` |
| udpScanner | UDP port sweeper | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 | `udpScanner 4.3.2.1-255:5000-5010` |
| whoami | On Linux: print effective user name; on Windows: output the current UserName and domain | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 | `whoami` |
| pwd | print name of current/working directory | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 | `pwd` |
| cd | change working directory | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 | `cd /` |
| cat | print content of a file | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 | `cat /etc/passwd` |
| zcat | print content of a gzip compressed file | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 | `cat /boot/config.gz` |
| ls | list directory content | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 | `ls /etc` |
| whereami | print hypervisor vendor signature from CPUID | Linux x86/x86_64; Windows x86/x86_64 | `whereami` |
| grep | print lines that match patterns | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 | `grep root /etc/passwd` |
| find | search for files in a directory hierarchy | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 | `find /dev -type b` |


| BOF name | Description | Supported platforms | Example |
| --- | --- | --- | --- |
| dirtypipe | Exploit for 'dirtypipe' vulnerability (CVE-2022-0847) implemented as a BOF | Linux x86/x86_64/ARMv6+/AArch64 | `dirtypipe /etc/shadow 913 "backdoor:xxx:10123::::::"` |
| kmodLoader | API-style BOF; load/unload kernel module directly from memory (root privileges required) | Linux x86/x86_64/ARMv6+/AArch64 | see docs |
| lskmod | list currently loaded kernel modules | Linux x86/x86_64/ARMv6+/AArch64 | `lskmod` |
| sniffer | [EXPERIMENTAL] network sniffer based on libpcap library | Linux x86_64 | `sniffer eth0` |

Implementation of chosen tools from GNU coreutils as BOFs


| BOF name | Description | Supported platforms | Example |
| --- | --- | --- | --- |
| hostname | show the system's host name | Linux x86/x86_64/ARMv6+/AArch64 | `hostname` |
| hostid | print the numeric identifier for the current host | Linux x86/x86_64/ARMv6+/AArch64 | `hostid` |
| id | print real and effective user and group IDs | Linux x86/x86_64/ARMv6+/AArch64 | `id www-data` |
| uname | print system information | Linux x86/x86_64/ARMv6+/AArch64 | `uname -a` |
| uptime | show how long the system has been running | Linux x86/x86_64/ARMv6+/AArch64 | `uptime` |
| who | print currently logged in users | Linux x86/x86_64/ARMv6+/AArch64 | `who` |

Implementation of chosen tools from net-tools package as BOFs


| BOF name | Description | Supported platforms | Example |
| --- | --- | --- | --- |
| ifconfig | Display the status of the currently active network interfaces. With root privileges: also manipulate current state of the device | Linux x86/x86_64/ARMv6+/AArch64 | `ifconfig eth0 promisc` |


| BOF name | Description | Supported platforms | Example |
| --- | --- | --- | --- |
| winver | show the edition, version, and system type of Windows operating system | Windows x86/x86_64 | `winver` |
| processInjectionSrdi | This BOF can inject any other BOF to any running process | Windows x86/x86_64 | `cli4bofs inject file:abs_path_to_bof -i:<pid>` |