BokuLoader - Cobalt Strike Reflective Loader

Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.

Contributors: Bobby Cooke @0xBoku & Santiago Pecin @s4ntiago_p

Features

  • Stomp MZ Magic Bytes
  • Find-Self EggHunter
  • Direct NT Syscalls via HellsGate & HalosGate
  • PE Header Obfuscation
  • PE String Replacement
  • NOHEADERCOPY - Loader will not copy headers over to beacon. Decommits the first memory page which would normally hold the headers
  • NoRWX - The Reflective loader writes beacon with Read & Write permissions and after resolving Beacons Import Table & Relocations, changes the .TEXT code section of Beacon to Read & Execute permissions
  • XGetProcAddress for resolving symbols
  • 100k UDRL Size
  • Caesar Cipher for string obfuscation
  • Prepend ASM Instructions

Project Origins

Usage

  1. Compile the BokuLoader Object file with make
  2. Start your Cobalt Strike Team Server
  3. Within Cobalt Strike, import the BokuLoader.cna Aggressor script
  4. Generate the x64 beacon (Attacks -> Packages -> Windows Executable (S))
  5. Use the Script Console to ensure BokuLoader was implemented in the beacon build
  • Does not support x86 option. The x86 bin is the original Reflective Loader object file.
  • Generating RAW beacons works out of the box. When using the Artifact Kit for the beacon loader, the stagesize variable must be larger than the default.

Detection Guidance

  • BokuLoader does not support the Cobalt Strike sleep_mask option.
    • This is because the userwx false setting is hardcoded into BokuLoader.
    • Since the memory sections are either RW or RX, sleep encryption fails when it attempts to write to the .text section of beacon.
    • Analyzing the beacons process memory will reveal strings common to Cobalt Strike.
  • BokuLoader changes some commonly detected strings to new hardcoded values. These strings can be used to signature BokuLoader:
    | Original Cobalt Strike String | BokuLoader Cobalt Strike String |
    |---|---|
    | ReflectiveLoader | djoiqnfkjlnslfmn |
    | Microsoft Base Cryptographic Provider v1.0 | 12367321236742382543232341241261363163151d |
    | (admin) | (tomin) |
    | beacon | bacons |
  • BokuLoader calls the following NT system calls to set up the loaded executable beacon memory: NtAllocateVirtualMemory, NtProtectVirtualMemory, NtFreeVirtualMemory
    • These are called directly from the BokuLoader executable memory. These system calls are not backed by NTDLL memory.
    • Setting userland hooks in ntdll.dll will not detect these system calls.
    • It may be possible to register kernel callbacks using a kernel driver to monitor for the above system calls and detect their usage when they are not called from ntdll.dll.
    • The BokuLoader itself will contain the `mov eax, r11d; syscall; ret` assembly instructions within its executable memory.
  • The original beacon memory, from which BokuLoader loads beacon into a new memory location, will be left in memory.
    • This original memory will contain both the obfuscated beacon DLL header and the beacon itself.
    • The executable beacon memory will not contain the beacon DLL header.
    • It may be possible to scan memory to detect these duplicate memory regions.
  • The loaded beacon memory is hardcoded as a Private: Commit memory region and is 292KB.
    • The original beacon memory will be larger, as it also contains the 0x1000 byte beacon DLL header, used for loading the beacon DLL into memory.
    • The memory section will be loaded at a +0x1000 offset. This is due to the first 0x1000 bytes of the memory being deallocated within BokuLoader.
  • The BokuLoader source code is provided within the repository and can be used to create memory signatures.
  • If you have additional detection guidance, please feel free to contribute by submitting a pull request.
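The string and syscall-stub indicators listed above can be checked programmatically. The following scanner is an added example and is not part of the BokuLoader project; it assumes the replacement strings appear as ASCII in a dumped region and uses the two legal x64 encodings of `mov eax, r11d` so the assembler's choice of encoding does not matter.

```python
# Added example: scans a memory-region dump for the BokuLoader indicators
# from the Detection Guidance (replacement strings and the inline syscall
# stub). Not part of the BokuLoader project.

# Hardcoded replacement strings from the README table, assumed to appear as
# ASCII in the dumped region.
BOKU_STRINGS = {
    b"djoiqnfkjlnslfmn": "ReflectiveLoader replacement",
    b"12367321236742382543232341241261363163151d": "Microsoft Base Cryptographic Provider v1.0 replacement",
    b"(tomin)": "(admin) replacement",
    b"bacons": "beacon replacement",
}

# `mov eax, r11d ; syscall ; ret`: the mov has two legal x64 encodings
# (8B /r and 89 /r), so both stub variants are checked.
SYSCALL_STUBS = (
    bytes.fromhex("418bc30f05c3"),  # 41 8B C3 | 0F 05 | C3
    bytes.fromhex("4489d80f05c3"),  # 44 89 D8 | 0F 05 | C3
)


def _find_all(data: bytes, needle: bytes):
    """Yield every offset at which needle occurs in data."""
    i = data.find(needle)
    while i != -1:
        yield i
        i = data.find(needle, i + 1)


def scan_region(data: bytes, executable: bool) -> list:
    """Return sorted (offset, kind, description) hits for one memory region.

    The stub check only applies to executable regions, since the README
    notes the stub lives in BokuLoader's own executable memory.
    """
    hits = []
    for needle, desc in BOKU_STRINGS.items():
        hits += [(off, "string", desc) for off in _find_all(data, needle)]
    if executable:
        for stub in SYSCALL_STUBS:
            hits += [(off, "syscall_stub", stub.hex()) for off in _find_all(data, stub)]
    return sorted(hits)


# Constructed sample region (not a real dump): padding, a renamed export
# string, a syscall stub, then a renamed "(admin)" string.
SAMPLE_RX = (b"\x90" * 16 + b"djoiqnfkjlnslfmn\x00"
             + bytes.fromhex("418bc30f05c3") + b"\x00" * 8 + b"(tomin)\x00")

if __name__ == "__main__":
    for off, kind, desc in scan_region(SAMPLE_RX, executable=True):
        print(f"0x{off:04x} {kind:13} {desc}")
```

A hit is an indicator, not proof: "bacons" in particular can occur in ordinary data, so correlate hits with the region's protection and the duplicate-region behaviour described above.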

Credits / References

Reflective Loader

HalosGate SysCaller

  • Reenz0h from @SEKTOR7net
    • Checkout Reenz0h's awesome courses and blogs!
    • Best classes for malware development I have taken.
    • Creator of the halos gate technique. His work was initially the motivation for this work.
    • Sektor7 HalosGate Blog

HellsGate Syscaller

Cobalt Strike User Defined Reflective Loader

Great Resource for learning Intel ASM

ETW and AMSI Bypass

Implementing ASM in C Code with GCC

Cobalt Strike C2 Profile Generator

Open Source Agenda is not affiliated with "CobaltStrikeReflectiveLoader" Project. README Source: boku7/BokuLoader