Generic PE loader for fast prototyping evasion techniques
DojoLoader is a generic PE loader initially created to prototype sleep obfuscation techniques against a Cobalt Strike UDRL-less raw Beacon payload, in an attempt to cut the debugging time that UDRLs require.
You can read this blog post for more insight on the journey.
DojoLoader borrows the MemoryModule implementation of the DynamicDllLoader project by ORCA000 and expands on it, adding modularity and the following features:
- download and execution of (XOR-ed) shellcode from HTTP or from a file
- dynamic IAT hooking of the Sleep function
- three different sleep obfuscation techniques implemented in the hook library:
- RW->RX
- MemoryBouncing
- MemoryHopping
RW->RX sleep obfuscation is the classic scheme: the mapped payload is set to RW and encrypted, the sleep is performed, then the payload is decrypted and set back to RX (the cycle repeats on every sleep).
MemoryBouncing is a sleep obfuscation that differs from the publicly available techniques and aims to evade public RX->RW detections. It involves the following steps:
- copy the mapped PE to a buffer and encrypt it
- free the memory of the mapped PE
- perform the sleep (e.g. SleepEx)
- allocate RWX memory at the same address where the PE was mapped
- decrypt the buffer and copy it back over the RWX memory
Detections keyed on RX->RW protection changes are evaded because VirtualProtect is never called, and the payload is hidden during the sleep by freeing its memory region altogether. Note that restoring the payload in place depends on the original address still being free when the sleep ends.
[demo video: membounce.mp4]
MemoryHopping is another sleep obfuscation that differs from the publicly available techniques and aims to evade public RX->RW detections. It involves the following steps:
- save the return address
- copy the mapped PE bytes to a buffer and optionally encrypt them
- free the memory of the mapped payload
- allocate RWX memory at a different address
- calculate the delta between the old and new base and adjust the saved return address accordingly
- copy the bytes from the buffer to the newly allocated memory region
- perform base relocations on the copied bytes
- resume execution from the adjusted return address
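The two non-obvious steps of MemoryHopping are the base-relocation pass and the return-address fix-up, since the image ends up at an address different from the one it was relocated for. The following C program is an added example written for this page, not DojoLoader's own code: it moves a constructed in-memory image (a pointer slot plus a matching .reloc block, both built by the example) to a fresh buffer, computes the delta, applies the IMAGE_BASE_RELOCATION entries and translates the saved return address. malloc/free stand in for the VirtualAlloc/VirtualFree calls the real technique uses, so it runs on any platform; the names build_image, hop_image and the offsets used are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* PE base-relocation block header (layout from the PE specification). */
typedef struct {
    uint32_t VirtualAddress; /* RVA of the 4 KiB page this block covers */
    uint32_t SizeOfBlock;    /* size of the block in bytes, header included */
} RelocBlock;

#define REL_ABSOLUTE 0  /* padding entry, nothing to patch */
#define REL_HIGHLOW  3  /* 32-bit absolute address */
#define REL_DIR64   10  /* 64-bit absolute address */

/* Apply base relocations in place. delta = new_base - base the image was last relocated for. */
static int apply_relocations(uint8_t *image, size_t image_size,
                             uint32_t reloc_rva, uint32_t reloc_size, int64_t delta)
{
    uint32_t off = reloc_rva, end = reloc_rva + reloc_size;
    if (end > image_size) return -1;
    while (off + sizeof(RelocBlock) <= end) {
        RelocBlock blk;
        memcpy(&blk, image + off, sizeof blk);
        if (blk.SizeOfBlock < sizeof(RelocBlock) || off + blk.SizeOfBlock > end) return -1;
        size_t n = (blk.SizeOfBlock - sizeof(RelocBlock)) / sizeof(uint16_t);
        const uint8_t *entries = image + off + sizeof(RelocBlock);
        for (size_t i = 0; i < n; i++) {
            uint16_t e;
            memcpy(&e, entries + 2 * i, sizeof e);
            uint16_t type = e >> 12, page_off = e & 0xFFF;     /* type in top 4 bits, offset in low 12 */
            size_t target = (size_t)blk.VirtualAddress + page_off;
            if (type == REL_ABSOLUTE) continue;
            if (type == REL_HIGHLOW) {
                uint32_t v;
                if (target + 4 > image_size) return -1;
                memcpy(&v, image + target, 4); v = (uint32_t)((int64_t)v + delta); memcpy(image + target, &v, 4);
            } else if (type == REL_DIR64) {
                uint64_t v;
                if (target + 8 > image_size) return -1;
                memcpy(&v, image + target, 8); v = (uint64_t)((int64_t)v + delta); memcpy(image + target, &v, 8);
            } else {
                return -1; /* unsupported relocation type: refuse rather than corrupt the image */
            }
        }
        off += blk.SizeOfBlock;
    }
    return 0;
}

/* Constructed test image (assumed layout): one 64-bit absolute pointer at PTR_SLOT that points to
   PTR_TARGET inside the image, and a .reloc block at RELOC_RVA describing it. */
#define IMG_SIZE   0x2000
#define PTR_SLOT   0x100
#define PTR_TARGET 0x500
#define RELOC_RVA  0x1000
#define RELOC_SIZE (uint32_t)(sizeof(RelocBlock) + 2 * sizeof(uint16_t))

static uint8_t *build_image(void)
{
    uint8_t *img = calloc(1, IMG_SIZE);
    uint64_t ptr = (uint64_t)(uintptr_t)img + PTR_TARGET;   /* absolute pointer, valid at this base */
    memcpy(img + PTR_SLOT, &ptr, sizeof ptr);
    RelocBlock blk = { 0, RELOC_SIZE };                      /* page 0 covers RVA 0x000..0xFFF */
    memcpy(img + RELOC_RVA, &blk, sizeof blk);
    uint16_t entries[2] = { (REL_DIR64 << 12) | PTR_SLOT, (REL_ABSOLUTE << 12) | 0 };
    memcpy(img + RELOC_RVA + sizeof blk, entries, sizeof entries);
    return img;
}

/* Does the pointer slot point to PTR_TARGET relative to the image's current base? */
static int pointer_slot_is_consistent(const uint8_t *image)
{
    uint64_t ptr;
    memcpy(&ptr, image + PTR_SLOT, sizeof ptr);
    return ptr == (uint64_t)(uintptr_t)image + PTR_TARGET;
}

/* MemoryHopping core: copy the image to a new buffer (stand-in for the RWX VirtualAlloc at a
   different address), relocate it for the new base, translate the saved return address by the same
   delta, and release the old mapping (stand-in for VirtualFree). Returns the new image or NULL. */
static uint8_t *hop_image(uint8_t *old_image, uintptr_t saved_ret, uintptr_t *new_ret)
{
    uint8_t *new_image = malloc(IMG_SIZE);        /* allocated before freeing so the address differs */
    if (!new_image) return NULL;
    memcpy(new_image, old_image, IMG_SIZE);
    int64_t delta = (int64_t)((intptr_t)new_image - (intptr_t)old_image);
    if (apply_relocations(new_image, IMG_SIZE, RELOC_RVA, RELOC_SIZE, delta) != 0) {
        free(new_image);
        return NULL;
    }
    *new_ret = (uintptr_t)((intptr_t)saved_ret + delta);
    free(old_image);
    return new_image;
}

/* Runs one hop and returns 1 if both the relocated pointer and the return address are correct. */
static int hop_self_test(void)
{
    uint8_t *img = build_image();
    uintptr_t saved_ret = (uintptr_t)img + 0x700, new_ret = 0;   /* pretend code at RVA 0x700 called Sleep */
    int ok = pointer_slot_is_consistent(img);
    uint8_t *moved = hop_image(img, saved_ret, &new_ret);
    ok = ok && moved && pointer_slot_is_consistent(moved) && new_ret == (uintptr_t)moved + 0x700;
    free(moved);
    return ok;
}

int main(void)
{
    printf("memhop relocation self-test: %s\n", hop_self_test() ? "ok" : "FAILED");
    return 0;
}
```

The delta must be computed against the base the image was last relocated for (here the old buffer, which the previous hop relocated to), not against the PE's preferred ImageBase; that is why the example tracks the real old address rather than a header field. A payload without .reloc data cannot be hopped this way, which is the practical meaning of "choose a compatible payload" in the usage text.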
[demo video: memhop2.mp4]
To use the loader with Cobalt Strike Beacon, first generate a UDRL-less payload using the .cna script in the Utils folder, then run the loader with the -beacon flag.
Usage: -d <url> | -f <file> [-k <key>] [-s <function>] [-beacon]
Options:
-d -download <url> Load PE from the specified URL
-f -file <file> Load PE from the specified file
-k -key <key> XOR the payload with the specified key
-s -sleep <1 (membounce),2 (memhop),3 (RWRX)> Sleep Obfuscation techniques:
1 or membounce for MemoryBouncing
2 or memhop for Memory Hopping (choose a compatible payload)
3 or RWRX for classic RW->RX
-beacon use the Cobalt Strike UDRL-less Beacon payload execution method
-h print this help