Ghost in the Beacon: Mastering In-Memory PE Execution with BOF RunPE

BOF RunPE is a Beacon Object File for Cobalt Strike that executes PE files entirely in-memory within the beacon process. Unlike traditional fork&run, no child process is spawned, no console is created, and no pipe is used – all output is captured via IAT hooking and redirected to the beacon console.

Key Features

  • No Process Creation: PE runs inside the beacon process
  • No Console/Pipe: Output captured via printf/WriteConsole hooks
  • Multiple Allocation Methods: Heap, VirtualAlloc, Module Stomping
  • Proxy Loading: Timer Queue, RegisterWait, or direct calls
  • Ntdll Unhooking: Optional fresh copy from disk
  • RWX: Optionally allocate memory as RWX
  • Thread Start Spoofing: Legitimate start address with RIP hijacking

Evasion Techniques

Technique                 Bypasses
Indirect Syscalls         Userland API hooks (EDR/AV)
Draugr Stack Spoofing     Call stack inspection
Thread Start Spoofing     Thread start address analysis
Module Stomping           Unbacked memory detection
Private Heap Allocation   VirtualAlloc monitoring
Ntdll Unhooking           Hooks in the in-memory ntdll (overwritten with the copy of ntdll on disk)
IAT Hooking (no pipes)    Named pipe monitoring

Detection Vectors

Kernel Telemetry (ETW-TI)

NtGetContextThread / NtSetContextThread:

  • Thread context manipulation on a suspended thread, followed by a resume

Memory Operations:

  • NtAllocateVirtualMemory allocations, possibly RWX (depending on config)
  • NtProtectVirtualMemory transitions (RW → RX)
  • Executable memory in heap regions is suspicious (depending on config)
  • Module stomping detectable via section hash mismatch (depending on config)

Behavioral Indicators

  • A thread is created suspended, its context is read, and the value of RIP is changed before it is resumed
  • Heap memory marked as executable (if memory allocator is heap)
  • DLL loaded with DONT_RESOLVE_DLL_REFERENCES (if memory allocator is module stomping)
  • Ntdll .text section modified (if unhooking enabled)
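The kernel telemetry and behavioral indicators above can be correlated per process in a few rules. The following is an added detection example written for this page, not code from the BOF RunPE project: it walks a constructed stream of kernel-style events (the dict schema with pid/tid/op fields, the `ImageSectionIntegrity` event and the sample values are assumptions for illustration, not a real ETW-TI provider format) and flags the suspended-thread RIP hijack sequence, RWX allocations, RW → RX transitions, executable heap regions, `DONT_RESOLVE_DLL_REFERENCES` loads and a modified ntdll `.text` section.

```python
"""Correlate constructed kernel-style telemetry against the detection vectors
listed above. Added example: the event schema (dicts with pid/tid/op fields)
is an assumption for illustration, not the format of any real ETW-TI provider."""

# Windows page-protection constants (real values) and the LoadLibraryEx flag
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80      # PAGE_EXECUTE* family
DONT_RESOLVE_DLL_REFERENCES = 0x1


def is_exec(protect):
    return bool(protect & EXEC_MASK)


def analyze(events):
    """Walk the events once and return sorted (pid, indicator) pairs."""
    findings = set()
    threads = {}   # (pid, tid) -> state for the suspended-thread / RIP sequence
    regions = {}   # (pid, base) -> last known protection, for RW -> RX transitions

    def flag_exec_heap(ev):
        if ev.get("region") == "heap" and is_exec(ev["protect"]):
            findings.add((ev["pid"], "executable heap memory"))

    for ev in events:
        pid, op = ev["pid"], ev["op"]
        key = (pid, ev.get("tid"))
        if op == "NtCreateThreadEx":
            threads[key] = {"suspended": ev.get("suspended", False),
                            "start": ev["start"], "ctx_read": False, "rip_changed": False}
        elif op == "NtGetContextThread" and key in threads:
            threads[key]["ctx_read"] = True
        elif op == "NtSetContextThread" and key in threads:
            t = threads[key]
            # RIP moved away from the legitimate start address while still suspended
            if t["suspended"] and t["ctx_read"] and ev["rip"] != t["start"]:
                t["rip_changed"] = True
        elif op == "NtResumeThread" and key in threads:
            if threads[key]["rip_changed"]:
                findings.add((pid, "suspended-thread RIP hijack"))
        elif op == "NtAllocateVirtualMemory":
            regions[(pid, ev["base"])] = ev["protect"]
            if ev["protect"] == PAGE_EXECUTE_READWRITE:
                findings.add((pid, "RWX allocation"))
            flag_exec_heap(ev)
        elif op == "NtProtectVirtualMemory":
            prev = regions.get((pid, ev["base"]))
            if prev is not None and not is_exec(prev) and is_exec(ev["protect"]):
                findings.add((pid, "RW->RX protection transition"))
            regions[(pid, ev["base"])] = ev["protect"]
            flag_exec_heap(ev)
        elif op == "LoadLibraryExW":
            if ev.get("flags", 0) & DONT_RESOLVE_DLL_REFERENCES:
                findings.add((pid, "DLL loaded with DONT_RESOLVE_DLL_REFERENCES"))
        elif op == "ImageSectionIntegrity":
            # hypothetical periodic check comparing a mapped section with the file on disk
            if (ev.get("module", "").lower() == "ntdll.dll"
                    and ev.get("section") == ".text" and not ev.get("matches_disk", True)):
                findings.add((pid, "ntdll .text modified"))
    return sorted(findings)


def findings_by_pid(events):
    """Group indicators per process so one process hitting many of them stands out."""
    grouped = {}
    for pid, ind in analyze(events):
        grouped.setdefault(pid, []).append(ind)
    return grouped


# Constructed sample: pid 4242 shows every indicator, pid 1000 is a benign baseline.
SAMPLE_EVENTS = [
    {"pid": 1000, "op": "NtAllocateVirtualMemory", "base": 0x500000, "protect": PAGE_READWRITE},
    {"pid": 1000, "op": "NtCreateThreadEx", "tid": 3, "suspended": False, "start": 0x7FF6A0001000},
    {"pid": 4242, "op": "NtAllocateVirtualMemory", "base": 0x1A0000, "protect": PAGE_READWRITE, "region": "heap"},
    {"pid": 4242, "op": "NtProtectVirtualMemory", "base": 0x1A0000, "protect": PAGE_EXECUTE_READ, "region": "heap"},
    {"pid": 4242, "op": "NtAllocateVirtualMemory", "base": 0x2B0000, "protect": PAGE_EXECUTE_READWRITE},
    {"pid": 4242, "op": "NtCreateThreadEx", "tid": 7, "suspended": True, "start": 0x7FFB10002000},
    {"pid": 4242, "op": "NtGetContextThread", "tid": 7},
    {"pid": 4242, "op": "NtSetContextThread", "tid": 7, "rip": 0x1A0000},
    {"pid": 4242, "op": "NtResumeThread", "tid": 7},
    {"pid": 4242, "op": "LoadLibraryExW", "module": "example.dll", "flags": DONT_RESOLVE_DLL_REFERENCES},
    {"pid": 4242, "op": "ImageSectionIntegrity", "module": "ntdll.dll", "section": ".text", "matches_disk": False},
]

if __name__ == "__main__":
    for pid, inds in findings_by_pid(SAMPLE_EVENTS).items():
        print(pid, "->", ", ".join(inds))
```

Each rule on its own is noisy (JIT runtimes allocate RWX, debuggers set thread contexts), so the grouping by pid is the useful output: a single process tripping the RIP-hijack sequence together with an executable heap region or a modified ntdll `.text` is far more significant than any one indicator alone.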
