Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.
Project Contributors: Bobby Cooke @0xBoku & Santiago Pecin @s4ntiago_p
- Direct NT Syscalls via HellsGate & HalosGate
- NOHEADERCOPY - Loader will not copy headers over to beacon. Decommits the first memory page which would normally hold the headers
- NoRWX - The Reflective loader writes beacon with Read & Write permissions and after resolving Beacons Import Table & Relocations, changes the .TEXT code section of Beacon to Read & Execute permissions
- XGetProcAddress for resolving symbols
- 100k UDRL Size
- Caesar Cipher for string obfuscation
- Based on Stephen Fewer's incredible Reflective Loader project:
- Initially created while working through Renz0h's Reflective DLL videos from the Sektor7 Malware Developer Intermediate (MDI) Course
- Start your Cobalt Strike Team Server with or without a profile.
- Unless you only generate RAW payloads, set the stagesize to 412256 on
build.shin the artifact kit.
- Load the
dist-template/artifact.cnaAggressor script.
- Go to your Cobalt Strike GUI and import the BokuLoader.cna Aggressor script.
- Generate your x64 payload (Attacks -> Packages -> Windows Executable (S))
- Does not support x86 option. The x86 bin is the original Reflective Loader object file.
- Use the Script Console to make sure that the beacon created successfully with this User-Defined Reflective Loader
- If successful, the output in the Script Console will look like this:
- Run the
makecommand after installling required dependencies
# Install brew on macOS if you need it (https://brew.sh/)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install Ming using Brew
brew install mingw-w64
# Clone this Reflective DLL project from this github repo
git clone https://github.com/boku7/BokuLoader.git
# Compile the BokuLoader Object file
cd BokuLoader/
make- Follow "Usage" instructions
- https://github.com/stephenfewer/ReflectiveDLLInjection
- 100% recommend these videos if you're interested in Reflective DLL:
- Reenz0h from @SEKTOR7net
- Most of the C techniques I use are from Reenz0h's awesome courses and blogs
- Best classes for malware development out there.
- Creator of the halos gate technique. His work was the motivation for this work.
- Sektor7 HalosGate Blog
- @smelly__vx & @am0nsec ( Creators/Publishers of the Hells Gate technique )
- Could not have made my implementation of HellsGate without them :)
- Awesome work on this method, really enjoyed working through it myself. Thank you!
- https://github.com/am0nsec/HellsGate
- Link to the Hell's Gate paper: https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf
- @mariuszbit - for awesome idea to implement bypasses in reflective loader!
- @XPN Hiding Your .NET – ETW
- ajpc500/BOFs
- Offensive Security OSEP