Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.
Project Contributors: Bobby Cooke & Santiago Pecin
- This project is based on Stephen Fewer's incredible Reflective Loader project:
- Initially created while working through Reenz0h's Reflective DLL videos from the Sektor7 Malware Developer Intermediate (MDI) Course
| Feature | Description |
|---|---|
| BEACON_RDLL_SIZE 100K | BokuLoader uses the increased reserved size in Beacon for a larger User Defined Reflective Loader. This increases the initial beacon size to 100kb (5kb default). BokuLoader will work out of the box when generating raw unstaged shellcode. BokuLoader will not work out of the box with the default Cobalt Strike Artifact Kit. A custom artifact kit must be loaded, which increases the stagesize to 412256 within build.sh of the artifact kit. |
| x86 Support | @Santiago Pecin - New 32bit loader with WOW64 support, 32bit Halos&HellsGate, code optimizations & bug fixes! |
| Direct Syscalls | HellsGate & HalosGate direct syscaller, replaced a lot of ASM stubs, code refactor, and ~500 bytes smaller. Credit to @SEKTOR7net the jedi HalosGate creator & @smelly__vx & @am0nsec, Creators/Publishers of the Hells Gate technique! |
| AMSI & ETW bypasses | AMSI & ETW bypasses baked into the reflective loader. Can be disabled by commenting out the `#define BYPASS` line when compiling. Credit to @mariuszbit for the awesome idea. Credit to @_xpn_ + @offsectraining + @ajpc500 for their research and code. |
| Custom xGetProcAddress | Resolve APIs natively, without using the GetProcAddress() WINAPI. |
| Malleable PE Support | @Santiago Pecin - Added support for loader options directly from the configured Cobalt Strike Malleable C2 profile. Options supported are stomppe, obfuscate, userwx, and sleep_mask. |
| FREE_HEADERS | Loader will not copy headers over to beacon. Decommits the first memory page, which would normally hold the headers. |
| STOMP_HEADERS | If `stomppe: true` is set in the Cobalt Strike Malleable Profile, then the loader will stomp out the PE header. |
| userwx: false | The reflective loader writes Beacon with Read & Write permissions and, after resolving Beacon's Import Table & Relocations, changes the .text code section of Beacon to Read & Execute permissions. |
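From the detection side, as an added example (not BokuLoader's own code): the FREE_HEADERS, STOMP_HEADERS and userwx rows above describe a private allocation whose .text ends up RX while its first page is either decommitted or no longer holds an MZ header. The heuristic below runs over constructed memory-region records shaped like VirtualQueryEx output and flags exactly that pattern; the region list is a constructed sample, not a capture from a real process.

```python
from dataclasses import dataclass
# Windows memory constants from winnt.h, as reported by VirtualQueryEx
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000
PAGE_READONLY, PAGE_READWRITE = 0x02, 0x04
PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x20, 0x40
EXEC = {PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE}

@dataclass
class Region:
    alloc_base: int  # AllocationBase: start of the whole VirtualAlloc reservation
    base: int        # BaseAddress of this sub-region
    state: int       # MEM_COMMIT or MEM_RESERVE (decommitted pages return to reserve)
    mem_type: int    # MEM_PRIVATE, MEM_IMAGE, ...
    protect: int     # PAGE_* protection of the sub-region
    head: bytes      # first bytes readable at base; empty when not committed

def find_headerless_exec_allocs(regions: list) -> dict:
    """Map alloc_base -> reason for private executable allocations whose first
    page is decommitted (FREE_HEADERS) or no longer starts with MZ (STOMP_HEADERS).
    Normally loaded modules are MEM_IMAGE and are skipped; JIT engines also
    create private executable memory, so hits are leads, not verdicts."""
    by_alloc = {}
    for r in regions:
        by_alloc.setdefault(r.alloc_base, []).append(r)
    hits = {}
    for alloc_base, parts in by_alloc.items():
        if not any(p.mem_type == MEM_PRIVATE and p.state == MEM_COMMIT
                   and p.protect in EXEC for p in parts):
            continue
        first = next((p for p in parts if p.base == alloc_base), None)
        if first is None or first.state != MEM_COMMIT:
            hits[alloc_base] = "first page decommitted"
        elif not first.head.startswith(b"MZ"):
            hits[alloc_base] = "no MZ header at allocation base"
    return hits

# Constructed sample snapshot (not captured from a real process)
SAMPLE_REGIONS = [
    # a normally loaded DLL: MEM_IMAGE with MZ header -> ignored
    Region(0x7FF800000000, 0x7FF800000000, MEM_COMMIT, MEM_IMAGE, PAGE_READONLY, b"MZ\x90\x00"),
    Region(0x7FF800000000, 0x7FF800001000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ, b"\x48\x8b"),
    # FREE_HEADERS-style: first page reserved (decommitted), then RX .text and RW data
    Region(0x1A0000, 0x1A0000, MEM_RESERVE, MEM_PRIVATE, 0, b""),
    Region(0x1A0000, 0x1A1000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READ, b"\x48\x89"),
    Region(0x1A0000, 0x1D1000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE, b"\x00\x00"),
    # STOMP_HEADERS-style: first page committed but the MZ header has been overwritten
    Region(0x2B0000, 0x2B0000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE, b"\x00\x00\x00\x00"),
    Region(0x2B0000, 0x2B1000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READ, b"\x55\x48"),
]
```

A real scan would fill `Region` from VirtualQueryEx and ReadProcessMemory; the MEM_IMAGE exclusion is what keeps normally loaded modules out of the result.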
- Start the Cobalt Strike Team Server.
- Connect to the CS Team Server using the CS GUI client.
- Ensure mingw GCC is installed. (MacOS & Linux supported)
- If generating RAW payloads, skip this step. This step is for native artifact support.
  - Download the Cobalt Strike Artifact Kit.
  - Set the stagesize to 412256 within `build.sh` of the artifact kit.
  - Build the Artifacts.
  - Load the Artifact Aggressor script via the Script Manager within the CS GUI client.
- Import the `BokuLoader.cna` Aggressor script via the Script Manager.
- Generate a beacon payload (`Attacks -> Packages -> Windows Executable (S)`).
- https://github.com/stephenfewer/ReflectiveDLLInjection
- 100% recommend these videos if you're interested in Reflective DLL:
- Reenz0h from @SEKTOR7net
  - Most of the C techniques I use are from Reenz0h's awesome courses and blogs
  - Best classes for malware development out there.
  - Creator of the HalosGate technique. His work was the motivation for this work.
  - Sektor7 HalosGate Blog
- @smelly__vx & @am0nsec (Creators/Publishers of the Hells Gate technique)
  - Could not have made my implementation of HellsGate without them :)
  - Awesome work on this method, really enjoyed working through it myself. Thank you!
  - https://github.com/am0nsec/HellsGate
  - Link to the Hell's Gate paper: https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf
- @mariuszbit - for the awesome idea to implement bypasses in the reflective loader!
- @XPN - Hiding Your .NET – ETW
- ajpc500/BOFs
- Offensive Security OSEP