BokuLoader - Cobalt Strike Reflective Loader

Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.

Features

Supports obfuscate "true"
Supports sleepmask "true" & all sleepmask kit options
- default sleepmask, sleepmask kit 47, sleepmask MASK_TEXT_SECTION 1, and Ekko implementation all tested & work
Stomp MZ Magic Bytes
Find-Self EggHunter
Direct NT Syscalls via HellsGate & HalosGate
PE Header Obfuscation
PE String Replacement
NOHEADERCOPY - Loader will not copy headers over to beacon. Decommits the first memory page which would normally hold the headers
NoRWX - The Reflective loader writes beacon with Read & Write permissions and after resolving Beacons Import Table & Relocations, changes the .TEXT code section of Beacon to Read & Execute permissions
XGetProcAddress for resolving symbols
100k UDRL Size
Caesar Cipher for string obfuscation
Prepend ASM Instructions
Supports Malleable C2 profile option cleanup "true"

Based on Stephen Fewer's incredible Reflective Loader project:
- https://github.com/stephenfewer/ReflectiveDLLInjection
Initially created while working through Renz0h's Reflective DLL videos from the Sektor7 Malware Developer Intermediate (MDI) Course

Compile the BokuLoader Object file with make
Start your Cobalt Strike Team Server
Within Cobalt Strike, import the BokuLoader.cna Aggressor script
Generate the x64 beacon (Attacks -> Packages -> Windows Executable (S))
Use the Script Console to ensure BokuLoader was implemented in the beacon build

Does not support x86 option. The x86 bin is the original Reflective Loader object file.
Generating RAW beacons works out of the box. When using the Artifact Kit for the beacon loader, the stagesize variable must be larger than the default.
- See the Cobalt Strike User-Defined Reflective Loader documenation for additional information

BokuLoader changes some commonly detected strings to new hardcoded values. These strings can be used to signature BokuLoader:

Original Cobalt Strike String	BokuLoader Cobalt Strike String
ReflectiveLoader	djoiqnfkjlnslfmn
Microsoft Base Cryptographic Provider v1.0	12367321236742382543232341241261363163151d
(admin)	(tomin)
beacon	bacons

BokuLoader calls the following NT systemcalls to setup the loaded executable beacon memory: NtAllocateVirtualMemory, NtProtectVirtualMemory, NtFreeVirtualMemory
- These are called directly from the BokuLoader executable memory. These system calls are not backed by NTDLL memory.
- Setting userland hooks in ntdll.dll will not detect these systemcalls.
- It may be possible to register kernelcallbacks using a kernel driver to monitor for the above system calls and detect their usage when they are not called from ntdll.dll.
- The BokuLoader itself will contain the mov eax, r11d; syscall; ret assembly instructions within its executable memory.
The loaded beacon memory is hardcoded as a Private: Commit memory region and is 292KB.
- The memory section will be loaded at a +0x1000 offset. This is due to the first 0x1000 bytes of the memory being deallocated within BokuLoader.
The BokuLoader source code is provided within the repository and can be used to create memory signatures.
If you have additional detection guidance, please feel free to contribute by submitting a pull request.

Reenz0h from @SEKTOR7net
- Checkout Reenz0h's awesome courses and blogs!
- Best classes for malware development I have taken.
- Creator of the halos gate technique. His work was initially the motivation for this work.
- Sektor7 HalosGate Blog

@smelly__vx & @am0nsec ( Creators/Publishers of the Hells Gate technique )
- Could not have made my implementation of HellsGate without them :)
- Awesome work on this method, really enjoyed working through it myself. Thank you!
- https://github.com/am0nsec/HellsGate
- Link to the Hell's Gate paper: https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf