BokuLoader - Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.

Overview

BokuLoader - Cobalt Strike Reflective Loader

Versions

  • Different versions of this User-Defined Reflective Loader can be found in the versions folder:
    • 0.7 (BokuLoader-v0_7.c): Updated to work with Cobalt Strike v4.5!
    • 0.6 (ReflectiveLoader-v0_6.c): NoRWX feature added! The Reflective Loader writes Beacon with Read & Write permissions and, after resolving Beacon's Import Table & Relocations, changes the .TEXT code section of Beacon to Read & Execute permissions.
    • 0.5 (ReflectiveLoader-v0_5.c): Added HellsGate & HalosGate direct syscaller, replaced a lot of ASM stubs, code refactor, and ~500 bytes smaller. Credit to @SEKTOR7net, the jedi HalosGate creator, & @smelly__vx & @am0nsec, creators/publishers of the Hells Gate technique! Credit to @ilove2pwn_ for recommending removing the ASM stubs! Haven't got all of them yet, but will keep working at it :)
    • 0.4 (ReflectiveLoader-v0_4.c): AMSI & ETW bypasses baked into the reflective loader. Can be disabled by commenting out the #define BYPASS line when compiling. Credit to @mariuszbit for the awesome idea. Credit to @_xpn_ + @offsectraining + @ajpc500 for their research and code.
    • 0.3.1 (ReflectiveLoader-v0_3_1.c): Changed strings from wchar to char and unpack them to unicode with MMX registers. Fixes the Linux compilation error discovered by @mariuszbit.
    • 0.3 (ReflectiveLoader-v0_3.c): String obfuscation using a new technique.
    • 0.2 (ReflectiveLoader-v0_2.c): Checks whether the DLLs the loader depends on are already present, to limit the number of LoadLibrary() calls; custom GetSymbolAddress function to reduce calls to GetProcAddress(); and code refactor.
    • 0.1 (ReflectiveLoader-v0_1.c): The original reflective loader created for this project. It includes the notes within the C file. This initial version was created with research and learning in mind; little obfuscation and few evasion techniques are used in this version.

Usage

  1. Start your Cobalt Strike Team Server with or without a profile.
  2. Go to your Cobalt Strike GUI and import the BokuLoader.cna Aggressor script.
  3. Generate your x64 payload (Attacks -> Packages -> Windows Executable (S)).
    • Does not support the x86 option. The x86 bin is the original Reflective Loader object file.
  4. Use the Script Console to make sure that the Beacon was created successfully with this User-Defined Reflective Loader.
    • If successful, the output in the Script Console will look like this:

Build (Only tested from macOS at the moment)

  1. Run the compile-x64.sh shell script after installing the required dependencies:

    # Install brew on macOS if you need it (https://brew.sh/)
    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
    # Install MinGW-w64 using brew
    brew install mingw-w64
    # Clone this Reflective DLL project from this GitHub repo
    git clone https://github.com/boku7/BokuLoader.git
    # Compile the BokuLoader object file
    cd BokuLoader/
    cat compile-x64.sh
    x86_64-w64-mingw32-gcc -c BokuLoader.c -o BokuLoader.o -shared -masm=intel
    bash compile-x64.sh

  2. Follow the "Usage" instructions.

Credits / References

Reflective Loader

HalosGate SysCaller

  • Reenz0h from @SEKTOR7net
    • Most of the C techniques I use are from Reenz0h's awesome courses and blogs
    • Best classes for malware development out there.
    • Creator of the halos gate technique. His work was the motivation for this work.
    • Sektor7 HalosGate Blog

HellsGate Syscaller

Cobalt Strike User Defined Reflective Loader

Great Resource for learning Intel ASM

ETW and AMSI Bypass

Implementing ASM in C Code with GCC

Cobalt Strike C2 Profile Generator

Issues
  • Remove GetProcAddress + other stuff

    Hello!

    The most relevant part of this PR is that the API ntdll!GetProcAddress is no longer used; we now find all the import addresses "by hand" with xGetProcAddress.

    I found that the NOHEADERCOPY option was breaking Beacon for some reason, so what I did is to simply avoid writing the headers if that option was set (we no longer free the memory).
    Feel free to test this out and check if I am right!

    I noticed that if you search the address of an API that does not exist, it breaks. That could actually happen if you tried to bypass ETW on an old system, where ntdll!EtwEventWrite would not exist.
    This is now fixed and we simply return NULL and do nothing.

    I specified the size of the UDRL to 100K because if you enable all features, the 64-bit loader exceeds the 5K boundary.

    Also:

    • we now check for NTSTATUS error codes
    • removed many casts
    • search DLLs with name in ASCII instead of wide string
    • check machine type of rdll, so we don't inject a 32-bit PE into a 64-bit process or vice versa
    • when no syscalls are used, removed Virtual* APIs, use Nt* instead
    • getSyscallNumber is now coded in asm
    • some other very minor changes here and there

    I think this is a very robust and reliable UDRL 😄 Cheers!

    opened by S4ntiagoP 4
  • fix some malleable C2 incompatibilities

    So I have been reading the UDRL documentation (about time, right?) and noticed that there are some edge cases we are not supporting.

    changes:

    • If the Malleable C2 enables both sleep_mask and userwx, we now use RWX instead of RX (so that beacon doesn't crash)
    • If both sleep_mask and obfuscate are set, we free the headers (yes, this would be the old NOHEADERCOPY feature we used to have)
    • If stomppe is set, we don't copy the headers (but we don't free them either)

    Note that now all the behavior involving the headers is entirely defined in the Malleable C2, not by commenting or uncommenting a define in the code.
    The syscalls and bypass options are still defined this way.

    Also, we now compile all the possible combinations of flags and configs in the new dist folder and load the correct one by parsing the Malleable C2 config at runtime in the .cna file.

    Links:

    • https://www.cobaltstrike.com/blog/user-defined-reflective-loader-udrl-update-in-cobalt-strike-4-5/
    • https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_pe-memory-indicators.htm
    • https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_user-defined-rdll.htm?cshid=1054

    Thanks to @vestjoe for beacon_health_check, where I found the trick to read the Malleable C2 profile programmatically 😄

    opened by S4ntiagoP 2
  • Add 32 bit support

    Hey there!

    I added a few changes:

    • added 32 bit support
    • made getRdllBase a little more efficient by reducing the number of iterations
    • the DLLs are now searched by their full name, case insensitive (not just the first chars)
    • fixed a bug in which the DLLs needed by beacon were not properly found when already loaded (because the name was not in unicode)
    • other small bug fixes and small improvements

    Given that I had to change a lot of code to make the 32-bit version work, I created a separate file.
    Using only one file and separating arch-dependent code with #ifdef _WIN64 would make the file very hard to read, in my opinion.
    The 32-bit version also supports syscalls, modifying Halo's gate for 32-bit was quite fun.
    If you don't use syscalls, then the 32-bit version works in WoW64, which is pretty cool if you ask me 😛

    Hope you like it!

    opened by S4ntiagoP 2
  • update Usage instructions

    Remember when you asked about the size of the UDRL and the artifact kit?
    Well, turned out you were right 😄

    You need to update the artifact kit with this new size. I did not notice it because I use RAW payloads... oops!

    I simply included the instructions in the readme.

    Cheers!

    opened by S4ntiagoP 1
  • Add syscalls + bypass fix

    Hello again 😄

    I added syscalls using the same method as in version 0.6 (really cool syscall implementation btw, very elegant approach). I also added a small fix in bypass, where the memory regions were not first changed to RWX, and also made sure that EtwEventWrite and AmsiOpenSession exist (mainly for older systems support). Lastly, a very very small change to getRdllBase. The instructions:

        xor rbx, rbx
        mov ebx, 0x5A4D

    were called on a loop while searching for the base of the DLL (with around 20k iterations), that is now "fixed".

    Cheers!

    opened by S4ntiagoP 1
  • find .text section by name + add Makefile

    Hey man, awesome project!

    I just made a small change so that the .text section is found by name, it is no longer assumed that it is the first section.
    Also, I added a Makefile, which not only compiles but also strips the resulting object file. It only reduces its size by 500 bytes but it is something 😛

    Hope you find it useful.

    opened by S4ntiagoP 1
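Two of the PRs above touch PE header handling: finding the .text section by name instead of assuming it is the first section, and checking the machine type before loading a DLL into a process of the wrong bitness. The C below is an added example, not code from BokuLoader or its contributors: it performs both checks over a constructed, minimal PE32+ header image (all function and variable names are my own, and the image is not a real binary) using raw header offsets, so it compiles without <windows.h> on the macOS or Linux host the Build section uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IMAGE_FILE_MACHINE_AMD64 0x8664

/* Little-endian field access so this builds without <windows.h>. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* FileHeader.Machine of the image, or 0 when the MZ/PE headers are invalid. */
uint16_t pe_machine(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t nt = rd32(img + 0x3C);                                    /* e_lfanew */
    if (nt > len || len - nt < 24 || memcmp(img + nt, "PE\0\0", 4) != 0) return 0;
    return rd16(img + nt + 4);
}

/* Walk the section table and return the header named `name`, or NULL. The table
   follows the optional header (variable size) and its order is whatever the linker chose. */
const uint8_t *pe_find_section(const uint8_t *img, size_t len, const char *name) {
    if (pe_machine(img, len) == 0) return NULL;
    uint32_t nt = rd32(img + 0x3C);
    uint16_t nsec = rd16(img + nt + 6), optsz = rd16(img + nt + 20);   /* NumberOfSections, SizeOfOptionalHeader */
    const uint8_t *sec = img + nt + 24 + optsz;
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if ((size_t)(sec - img) + 40 > len) return NULL;               /* truncated table */
        if (strncmp((const char *)sec, name, 8) == 0) return sec;      /* Name[8] */
    }
    return NULL;
}
uint32_t pe_section_rva(const uint8_t *sec) { return rd32(sec + 12); }  /* VirtualAddress */

/* Constructed, minimal PE32+ header image (not a real binary). .rdata is placed
   before .text on purpose: the layout the "first section is .text" assumption breaks on. */
uint8_t g_img[512];
size_t build_sample_image(void) {
    const uint32_t nt = 0x40, optsz = 0xF0;
    size_t total = nt + 24 + optsz + 2 * 40;                           /* 0x198 bytes */
    memset(g_img, 0, sizeof g_img);
    g_img[0] = 'M'; g_img[1] = 'Z'; wr32(g_img + 0x3C, nt);
    memcpy(g_img + nt, "PE\0\0", 4); wr16(g_img + nt + 4, IMAGE_FILE_MACHINE_AMD64);
    wr16(g_img + nt + 6, 2); wr16(g_img + nt + 20, (uint16_t)optsz);
    uint8_t *sec = g_img + nt + 24 + optsz;
    memcpy(sec, ".rdata", 6);     wr32(sec + 12, 0x1000);
    memcpy(sec + 40, ".text", 5); wr32(sec + 40 + 12, 0x2000);
    return total;
}
```

A loader that hard-codes "section 0" would pick up .rdata here and apply its RX protection change to the wrong range; looking the section up by name, and refusing an image whose machine type does not match the host process, avoids both failure modes the PRs describe.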