Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.
Project Contributors: Bobby Cooke @0xBoku & Santiago Pecin @s4ntiago_p
- Stomp MZ Magic Bytes
- Find-Self EggHunter
- Direct NT Syscalls via HellsGate & HalosGate
- PE Header Obfuscation
- PE String Replacement
- NOHEADERCOPY - Loader will not copy headers over to beacon. Decommits the first memory page which would normally hold the headers
- NoRWX - The Reflective loader writes beacon with Read & Write permissions and after resolving Beacons Import Table & Relocations, changes the .TEXT code section of Beacon to Read & Execute permissions
- XGetProcAddress for resolving symbols
- 100k UDRL Size
- Caesar Cipher for string obfuscation
- Prepend ASM Instructions
- Based on Stephen Fewer's incredible Reflective Loader project:
- Initially created while working through Renz0h's Reflective DLL videos from the Sektor7 Malware Developer Intermediate (MDI) Course
- Start your Cobalt Strike Team Server with or without a profile.
- Unless you only generate RAW payloads, set the stagesize to 412256 on
build.shin the artifact kit.
- Load the
- Go to your Cobalt Strike GUI and import the BokuLoader.cna Aggressor script.
- Generate your x64 payload (Attacks -> Packages -> Windows Executable (S))
- Use the Script Console to make sure that the beacon created successfully with this User-Defined Reflective Loader
- Run the
makecommand after installling required dependencies
# Install brew on macOS if you need it (https://brew.sh/) /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" # Install Ming using Brew brew install mingw-w64 # Clone this Reflective DLL project from this github repo git clone https://github.com/boku7/BokuLoader.git # Compile the BokuLoader Object file cd BokuLoader/ make
- Follow "Usage" instructions
Credits / References
- 100% recommend these videos if you're interested in Reflective DLL:
- Reenz0h from @SEKTOR7net
- Most of the C techniques I use are from Reenz0h's awesome courses and blogs
- Best classes for malware development out there.
- Creator of the halos gate technique. His work was the motivation for this work.
- Sektor7 HalosGate Blog
- @smelly__vx & @am0nsec ( Creators/Publishers of the Hells Gate technique )
- Could not have made my implementation of HellsGate without them :)
- Awesome work on this method, really enjoyed working through it myself. Thank you!
- Link to the Hell's Gate paper: https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf
Cobalt Strike User Defined Reflective Loader
Great Resource for learning Intel ASM
ETW and AMSI Bypass
- @mariuszbit - for awesome idea to implement bypasses in reflective loader!
- @XPN Hiding Your .NET – ETW
- Offensive Security OSEP
Implementing ASM in C Code with GCC