Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.
Project Contributors: Bobby Cooke @0xBoku & Santiago Pecin @s4ntiago_p
- Based on Stephen Fewer's incredible Reflective Loader project (see Credits below).
- Initially created while working through Reenz0h's Reflective DLL videos from the Sektor7 Malware Developer Intermediate (MDI) Course.
Feature | Description |
---|---|
x86 Support | By @s4ntiago_p! New 32-bit loader with WOW64 support, 32-bit HalosGate & HellsGate, code optimizations & bug fixes! |
Direct Syscalls | HellsGate & HalosGate direct syscaller; replaced a lot of ASM stubs, refactored the code, and ~500 bytes smaller. Credit to @SEKTOR7net, the jedi HalosGate creator, & @smelly__vx & @am0nsec, creators/publishers of the Hells Gate technique! |
AMSI & ETW bypasses | AMSI & ETW bypasses baked into the reflective loader. Disable them by commenting out the `#define BYPASS` line before compiling. Credit to @mariuszbit for the awesome idea. Credit to @_xpn_, @offsectraining & @ajpc500 for their research and code. |
Custom GetProcAddress | Resolves APIs without calling GetProcAddress(). |
Malleable PE Support | @s4ntiago_p added support for loader options directly from the configured Cobalt Strike Malleable C2 profile. Options supported are `stomppe`, `obfuscate`, `userwx`, and `sleep_mask`. |
FREE_HEADERS | Loader does not copy the PE headers over to Beacon. Decommits the first memory page, which would normally hold the headers. |
STOMP_HEADERS | If `stomppe: true` is set in the Cobalt Strike Malleable C2 profile, the loader stomps out the PE header. |
userwx: false | The reflective loader writes Beacon with Read & Write permissions and, after resolving Beacon's Import Table & Relocations, changes Beacon's `.text` code section to Read & Execute permissions. |
- Start your Cobalt Strike Team Server with or without a profile.
- Unless you only generate RAW payloads, set the stagesize to 412256 in `build.sh` in the artifact kit.
- Load the `dist-template/artifact.cna` Aggressor script.
- Go to your Cobalt Strike GUI and import the `BokuLoader.cna` Aggressor script.
- Generate your x64 payload (Attacks -> Packages -> Windows Executable (S)).
- Use the Script Console to make sure that the Beacon was created successfully with this User-Defined Reflective Loader.
- Run the `make` command after installing the required dependencies:

```bash
# Install brew on macOS if you need it (https://brew.sh/)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install MinGW-w64 using Brew
brew install mingw-w64
# Clone this Reflective DLL project from this GitHub repo
git clone https://github.com/boku7/BokuLoader.git
# Compile the BokuLoader object file
cd BokuLoader/
make
```
- Follow the "Usage" instructions above.
- https://github.com/stephenfewer/ReflectiveDLLInjection
- 100% recommend these videos if you're interested in Reflective DLL:
- Reenz0h from @SEKTOR7net
  - Most of the C techniques I use are from Reenz0h's awesome courses and blogs.
  - Best classes for malware development out there.
  - Creator of the HalosGate technique. His work was the motivation for this work.
  - Sektor7 HalosGate Blog
- @smelly__vx & @am0nsec (Creators/Publishers of the Hells Gate technique)
  - Could not have made my implementation of HellsGate without them :)
  - Awesome work on this method, really enjoyed working through it myself. Thank you!
  - https://github.com/am0nsec/HellsGate
  - Link to the Hell's Gate paper: https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf
- @mariuszbit - for the awesome idea to implement bypasses in the reflective loader!
- @XPN Hiding Your .NET – ETW
- ajpc500/BOFs
- Offensive Security OSEP