A proof-of-concept User-Defined Reflective Loader (UDRL) which aims to recreate, integrate, and enhance Cobalt Strike's evasion features!
UDRL Usage Concerns
The built-in Cobalt Strike reflective loader is robust, handling all Malleable PE evasion features Cobalt Strike has to offer. The main disadvantage of using a custom UDRL is that Malleable PE evasion features may or may not be supported out of the box.
The goal of the public BokuLoader project is to assist red teams in creating their own in-house Cobalt Strike UDRL. The project aims to support all worthwhile CS Malleable PE evasion features. Some evasion features leverage CS integration, others have been recreated completely, and some are unsupported.
Before using this project, in any form, you should properly test that the evasion features are working as intended. Between the C code and the Aggressor script, compilation with different versions of operating systems, compilers, and Java may return different results.
Evasion Features
BokuLoader Specific Evasion Features
- Reflective callstack spoofing via synthetic frames.
- Custom ASM/C reflective loader code
- Indirect NT syscalls via the HellsGate & HalosGate techniques
- All memory protection changes for all allocation options are done via an indirect syscall to `NtProtectVirtualMemory`
- `obfuscate "true"` with custom UDRL Aggressor script implementation.
- NOHEADERCOPY: the loader will not copy the raw beacon DLL's headers to the virtual beacon DLL. The first `0x1000` bytes will be nulls.
- `xGetProcAddress` for resolving symbols; does not use `Kernel32.GetProcAddress`
- `xLoadLibrary` for resolving a DLL's base address & DLL loading: for loaded DLLs, the DLL base address is taken from `TEB->PEB->PEB_LDR_DATA->InMemoryOrderModuleList`; does not use `Kernel32.LoadLibraryA`
- Caesar cipher for string obfuscation
- 100k UDRL size
- Import DLL names and import entry name strings are stomped in the virtual beacon DLL.
Supported Malleable PE Evasion Features
Command | Option(s) | Supported |
---|---|---|
allocator | HeapAlloc, MapViewOfFile, VirtualAlloc | All supported via BokuLoader implementation |
module_x64 | string (DLL Name) | Supported via BokuLoader implementation. Same DLL stomping requirements as the CS implementation apply |
obfuscate | true/false | HTTP/S beacons supported via BokuLoader implementation. SMB/TCP is currently not supported for obfuscate true. Details in issue. Accepting help if you can fix 🙂 |
entry_point | RVA as decimal number | Supported via BokuLoader implementation |
cleanup | true | Supported via CS integration |
userwx | true/false | Supported via BokuLoader implementation |
sleep_mask | (true/false) or (Sleepmask Kit+true) | Supported. When using the default "sleepmask true" (without the sleepmask kit) set "userwx true". When using a sleepmask kit which supports RX beacon.text memory (src47/Ekko) set "sleepmask true" && "userwx false". |
magic_mz_x64 | 4 char string | Supported via CS integration |
magic_pe | 2 char string | Supported via CS integration |
transform-x64 prepend | escaped hex string | BokuLoader.cna Aggressor script modification |
transform-x64 strrep | string string | BokuLoader.cna Aggressor script modification |
stomppe | true/false | Unsupported. BokuLoader doesn't copy beacon DLL headers over. First 0x1000 bytes of the virtual beacon DLL are 0x00 |
checksum | number | Experimental. BokuLoader.cna Aggressor script modification |
compile_time | date-time string | Experimental. BokuLoader.cna Aggressor script modification |
image_size_x64 | decimal value | Unsupported |
name | string | Experimental. BokuLoader.cna Aggressor script modification |
rich_header | escaped hex string | Experimental. BokuLoader.cna Aggressor script modification |
stringw | string | Unsupported |
string | string | Unsupported |
Usage
- Compile the BokuLoader object file with `make`
- Start your Cobalt Strike Team Server
- Within Cobalt Strike, import the `BokuLoader.cna` Aggressor script
- Generate the x64 beacon (Attacks -> Packages -> Windows Executable (S))
- Use the Script Console to ensure BokuLoader was implemented in the beacon build
- Does not support the x86 option. The x86 bin is the original Reflective Loader object file.
- Generating RAW beacons works out of the box. When using the Artifact Kit for the beacon loader, the `stagesize` variable must be larger than the default.
- See the Cobalt Strike User-Defined Reflective Loader documentation for additional information
Detection Guidance
Hardcoded Strings
- BokuLoader changes some commonly detected strings to new hardcoded values. These strings can be used to signature BokuLoader:
Original Cobalt Strike String | BokuLoader Cobalt Strike String |
---|---|
ReflectiveLoader | BokuLoader |
Microsoft Base Cryptographic Provider v1.0 | 12367321236742382543232341241261363163151d |
(admin) | (tomin) |
beacon | bacons |
Memory Allocators
DLL Module Stomping
- `Kernel32.LoadLibraryExA` is called to map the DLL from disk
- The third argument to `Kernel32.LoadLibraryExA` is DONT_RESOLVE_DLL_REFERENCES (0x00000001)
- The system does not call DllMain
- Does not resolve addresses in the LDR PEB entry, as detailed by MDSec
- Detectable by scanning process memory with the pe-sieve tool
Heap Allocation
- Executable RX or RWX memory will exist in the heap if a sleepmask kit is not used.
Mapped Allocator
- `Kernel32.CreateFileMappingA` & `Kernel32.MapViewOfFile` are called to allocate memory for the virtual beacon DLL.
Sleepmask Detection
Indirect Syscalls
- BokuLoader calls the following NT system calls to set up the loaded executable beacon memory: `NtAllocateVirtualMemory`, `NtProtectVirtualMemory`
- These are called indirectly from the BokuLoader executable memory.
- Setting userland hooks in `ntdll.dll` will not detect these system calls.
- It may be possible to register kernel callbacks using a kernel driver to monitor for the above system calls and detect their usage.
- The BokuLoader itself will contain the `mov eax, r11d; mov r11, r10; mov r10, rcx; jmp r11` assembly instructions within its executable memory.
Virtual Beacon DLL Header
- The first `0x1000` bytes of the virtual beacon DLL are zeros.
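As an added example that is not part of the BokuLoader project, the following Python scan applies the three artifacts described above (the replacement strings, the indirect-syscall stub, and the zeroed first page) to a byte buffer such as a dumped memory region. The stub's byte encoding and the two sample regions are assumptions constructed for this example.

```python
# Added example (not BokuLoader project code): scan a memory region for the
# artifacts listed under Detection Guidance. Stub encoding and sample data are
# assumptions/constructed, not values taken from the project.
import re

# Replacement strings the README says BokuLoader hardcodes in place of stock ones.
HARDCODED_STRINGS = [
    b"BokuLoader",
    b"12367321236742382543232341241261363163151d",
    b"(tomin)",
    b"bacons",
]

# mov eax, r11d ; mov r11, r10 ; mov r10, rcx ; jmp r11
# Assumed encoding: the 0x89 (r/m, reg) MOV form that GAS emits. An assembler that
# picks the 0x8B form yields different bytes, so a miss here is not conclusive.
SYSCALL_STUB = bytes.fromhex("4489D8" "4D89D3" "4989CA" "41FFE3")

HEADER_SIZE = 0x1000  # README: first 0x1000 bytes of the virtual beacon DLL are 0x00

def find_hardcoded_strings(region: bytes) -> list[str]:
    """Return which BokuLoader replacement strings occur in the region."""
    return [s.decode() for s in HARDCODED_STRINGS if s in region]

def find_syscall_stubs(region: bytes) -> list[int]:
    """Return the offset of every indirect-syscall stub found in the region."""
    return [m.start() for m in re.finditer(re.escape(SYSCALL_STUB), region)]

def has_zeroed_header(region: bytes) -> bool:
    """True when the region exceeds one page and its first page is all nulls."""
    return len(region) > HEADER_SIZE and not any(region[:HEADER_SIZE])

def score_region(region: bytes) -> dict:
    """Combine the three heuristics; any single hit marks the region suspicious."""
    strings = find_hardcoded_strings(region)
    stubs = find_syscall_stubs(region)
    zeroed = has_zeroed_header(region)
    return {"strings": strings, "stub_offsets": stubs, "zeroed_header": zeroed,
            "suspicious": bool(strings or stubs or zeroed)}

# Constructed sample regions (not real memory dumps): one laid out as the README
# describes, one holding only stock Cobalt Strike strings behind a PE header.
SAMPLE_REGION = (b"\x00" * HEADER_SIZE + b"\x90" * 64 + SYSCALL_STUB
                 + b"\xcc" * 32 + b"BokuLoader\x00bacons\x00")
STOCK_REGION = b"MZ" + b"\x90" * 0x1100 + b"ReflectiveLoader\x00(admin)\x00beacon\x00"

if __name__ == "__main__":
    for name, region in (("sample", SAMPLE_REGION), ("stock", STOCK_REGION)):
        print(name, score_region(region))
```

In practice the input would be each executable region read from the target process; the three checks are independent, so a region that trips only one of them is a lead to examine rather than a confirmed hit.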
Source Code Available
- The BokuLoader source code is available within the repository and can be used to create memory signatures.
- If you have additional detection guidance, please feel free to contribute by submitting a pull request.
Credits / References
Reflective Call Stack Spoofing
Reflective Loader
HalosGate SysCaller
- Reenz0h from @SEKTOR7net
- Check out Reenz0h's awesome courses and blogs!
- Best classes for malware development I've taken.
- Author of the halos gate technique. His work was originally the inspiration for this work.
- Sektor7 HalosGate Blog
HellsGate Syscaller
Aggressor Scripting
Cobalt Strike User Defined Reflective Loader
- https://www.cobaltstrike.com/help-user-defined-reflective-loader
Great Resource for Learning Intel ASM
ETW and AMSI Bypass
Implementing ASM in C Code with GCC
- https://outflank.nl/blog/2020/12/26/direct-syscalls-in-beacon-object-files/
- https://www.cs.uaf.edu/2011/fall/cs301/lecture/10_12_asm_c.html
- http://gcc.gnu.org/onlinedocs/gcc-4.0.2/gcc/Extended-Asm.html#Extended-Asm
Cobalt Strike C2 Profiles