Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.

Overview

Cobalt Strike User-Defined Reflective Loader

Versions

  • Different versions of this User-Defined Reflective Loader project can be found in the versions folder.
  • Version 0.1, file ReflectiveLoader-v0_1.c: This is the original reflective loader created for this project. It includes the notes within the C file. This initial version was created with research and learning in mind. Little obfuscation and evasion techniques are used in this version.

Initial Project Goals

  • Learn how Reflective Loader works.
  • Write a Reflective Loader in Assembly.
  • Compatible with Cobalt Strike.
  • Cross compile from macOS/Linux.
  • Implement Inline-Assembly into a C project.

Future Project Goals

  • Use the initial project as a template for more advanced evasion techniques leveraging the flexibility of Assembly.
  • Implement Cobalt Strike options such as no RWX, stompPE, module stomping, changing the MZ header, etc.
  • Write a decent Aggressor script.
  • Support x86.
  • Have different versions of reflective loader to choose from.
  • Implement HellsGate/HalosGate for the initial calls that reflective loader uses (pNtFlushInstructionCache, VirtualAlloc, GetProcAddress, LoadLibraryA, etc).
  • Optimize the assembly code.
  • Hash/obfuscate strings.
  • Some kind of template language overlay that can modify/randomize the registers/methods.

Usage

  1. Start your Cobalt Strike Team Server with or without a profile
#### This profile stuff below is optional, but this is the profile I tested this Reflective Loader with ####
# Install Go on Kali if you need it
sudo apt install golang-go -y
# Creating a Team Server Cobalt Strike profile with SourcePoint
## Clone the SourcePoint project
git clone https://github.com/Tylous/SourcePoint.git
## Build SourcePoint Go project
cd SourcePoint
go build SourcePoint.go
## Run it with some cool flags (look at the help menu for more info)
### These are the settings I have tested UD Reflective Loader with
./SourcePoint -PE_Clone 18 -PostEX_Name 13 -Sleep 3 -Profile 4 -Outfile myprofile.profile -Host <TeamServer> -Injector NtMapViewOfSection
## Start Team Server
cd ../
sudo ./teamserver  <TeamServer> '[email protected]@$$w0RD' SourcePoint/myprofile.profile
  2. Go to your Cobalt Strike GUI and import the rdll_loader.cna Aggressor script
  3. Generate your x64 payload (Attacks -> Packages -> Windows Executable (S))
  • Does not support the x86 option. The x86 bin is the original Reflective Loader object file.
  4. Use the Script Console to make sure that the beacon was created successfully with this User-Defined Reflective Loader
  • If successful, the output in the Script Console will look like this:

Build (Only tested from macOS at the moment)

  1. Run the compile-x64.sh shell script after installing the required dependencies
# Install brew on macOS if you need it (https://brew.sh/)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install MinGW-w64 using Brew
brew install mingw-w64
# Clone this Reflective DLL project from this github repo
git clone https://github.com/boku7/CobaltStrikeReflectiveLoader.git
# Compile the ReflectiveLoader Object file
cd CobaltStrikeReflectiveLoader/
cat compile-x64.sh
x86_64-w64-mingw32-gcc -c ReflectiveLoader.c -o ./bin/ReflectiveLoader.x64.o -shared -masm=intel
bash compile-x64.sh
  2. Follow the "Usage" instructions

Credits / References

Reflective Loader

Cobalt Strike User Defined Reflective Loader

Great Resource for learning Intel ASM

Implementing ASM in C Code with GCC

Cobalt Strike C2 Profile Generator

Comments
  • Remove GetProcAddress + other stuff

    Hello!

    The most relevant part of this PR is that the API ntdll!GetProcAddress is no longer used; we now find all the import addresses "by hand" with xGetProcAddress.

    I found that the NOHEADERCOPY option was breaking Beacon for some reason, so what I did is to simply avoid writing the headers if that option was set (we no longer free the memory).
    Feel free to test this out and check if I am right!

    I noticed that if you search the address of an API that does not exist, it breaks. That could actually happen if you tried to bypass ETW on an old system, where ntdll!EtwEventWrite would not exist.
    This is now fixed and we simply return NULL and do nothing.

    I specified the size of the UDRL to 100K because if you enable all features, the 64-bit loader exceeds the 5K boundary.

    Also:

    • we now check for NTSTATUS error codes
    • removed many casts
    • search DLLs with name in ASCII instead of wide string
    • check machine type of rdll, so we don't inject a 32-bit PE into a 64-bit process or vice versa
    • when no syscalls are used, removed Virtual* APIs, use Nt* instead
    • getSyscallNumber is now coded in asm
    • some other very minor changes here and there

    I think this is a very robust and reliable UDRL 😄 Cheers!

    opened by S4ntiagoP 4
  • fix some malleable C2 incompatibilities

    So I have been reading the UDRL documentation (about time, right?) and noticed that there are some edge cases we are not supporting.

    changes:

    • If the Malleable C2 enables both sleep_mask and userwx, we now use RWX instead of RX (so that beacon doesn't crash)
    • If both sleep_mask and obfuscate are set, we free the headers (yes, this would be the old NOHEADERCOPY feature we used to have)
    • If stomppe is set, we don't copy the headers (but we don't free them either)

    Note that now all the behavior involving the headers is entirely defined in the Malleable C2, not by commenting or uncommenting a define in the code.
    The syscalls and bypass options are still defined this way.

    Also, we now compile all the possible combinations of flags and configs in the new dist folder and load the correct one by parsing the Malleable C2 config at runtime in the .cna file

    Links:

    • https://www.cobaltstrike.com/blog/user-defined-reflective-loader-udrl-update-in-cobalt-strike-4-5/
    • https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_pe-memory-indicators.htm
    • https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_user-defined-rdll.htm?cshid=1054

    Thanks to @vestjoe for beacon_health_check where I found the trick to read the Malleable C2 profile programmatically 😄

    opened by S4ntiagoP 2
  • Add 32 bit support

    Hey there!

    I added a few changes:

    • added 32 bit support
    • made getRdllBase a little more efficient by reducing the number of iterations
    • the DLLs are now searched by their full name, case insensitive (not just the first chars)
    • fixed a bug in which the DLLs needed by beacon were not properly found when already loaded (because the name was not in unicode)
    • other small bug fixes and small improvements

    Given that I had to change a lot of code to make the 32-bit version work, I created a separate file.
    Using only one file and separating arch-dependent code with #ifdef _WIN64 would make the file very hard to read, in my opinion.
    The 32-bit version also supports syscalls, modifying Halo's gate for 32-bit was quite fun.
    If you don't use syscalls, then the 32-bit version works in WoW64, which is pretty cool if you ask me 😛

    Hope you like it!

    opened by S4ntiagoP 2
  • update Usage instructions

    Remember when you asked about the size of the UDRL and the artifact kit?
    Well, turned out you were right 😄

    You need to update the artifact kit with this new size. I did not notice it because I use RAW payloads.... ooops!

    I simply included the instructions in the readme.

    Cheers!

    opened by S4ntiagoP 1
  • Add syscalls + bypass fix

    Hello again 😄

    I added syscalls using the same method as in version 0.6 (really cool syscall implementation btw, very elegant approach). I also added a small fix in bypass, where the memory regions were not first changed to RWX, and also made sure that EtwEventWrite and AmsiOpenSession exist (mainly for older systems support). Lastly, a very very small change to getRdllBase. The instructions:

    xor rbx, rbx
    mov ebx, 0x5A4D
    

    were called on a loop while searching for the base of the DLL (with around 20k iterations), that is now "fixed".

    Cheers!

    opened by S4ntiagoP 1
  • find .text section by name + add Makefile

    Hey man, awesome project!

    I just made a small change so that the .text section is found by name, it is no longer assumed that it is the first section.
    Also, I added a Makefile, which not only compiles but also strips the resulting object file. It only reduces its size by 500 bytes but it is something 😛

    Hope you find it useful.

    opened by S4ntiagoP 1
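Two of the PRs above touch the same piece of PE header handling: "Remove GetProcAddress + other stuff" adds a machine-type check so a 32-bit image is never mapped into a 64-bit process, and "find .text section by name + add Makefile" stops assuming that .text is the first section. The following is an added example written for this page, not code from the CobaltStrikeReflectiveLoader project or its contributors: a standalone, bounds-checked walk from the DOS header through the NT headers to the section table that performs both checks. The names `pe_inspect`, `pe_machine_matches` and `build_sample_pe` are my own; the constants are the standard winnt.h values redeclared so it builds on Linux/macOS; and the image it inspects is a constructed minimal PE32+ header set built in memory (with .rdata deliberately listed before .text), not a real DLL. The same walk is what a memory scanner or forensic tool performs on a dumped image, which is why every offset is validated against the buffer length before it is dereferenced.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PE constants as defined in winnt.h; redeclared locally so this builds off-Windows. */
#define IMAGE_DOS_SIGNATURE      0x5A4D     /* "MZ" */
#define IMAGE_NT_SIGNATURE       0x00004550 /* "PE\0\0" */
#define IMAGE_FILE_MACHINE_I386  0x014C
#define IMAGE_FILE_MACHINE_AMD64 0x8664
#define SECTION_HEADER_SIZE      40

typedef struct {
    uint16_t machine;     /* IMAGE_FILE_HEADER.Machine */
    int      text_index;  /* index of the .text section header, -1 if absent */
    uint32_t text_va;     /* .text VirtualAddress (RVA) */
    uint32_t text_size;   /* .text VirtualSize */
} pe_info_t;

/* Little-endian readers: the image is treated as an untrusted byte buffer,
 * so there are no struct casts and no alignment assumptions. */
static uint16_t rd16(const uint8_t *p, size_t off) { return (uint16_t)(p[off] | (p[off + 1] << 8)); }
static uint32_t rd32(const uint8_t *p, size_t off) {
    return (uint32_t)p[off] | ((uint32_t)p[off + 1] << 8) |
           ((uint32_t)p[off + 2] << 16) | ((uint32_t)p[off + 3] << 24);
}

/* Walk DOS header -> NT headers -> section table and locate .text by name.
 * Returns 0 when .text is found, 1 for a well-formed PE without .text,
 * and -1 when the buffer is not a PE or is truncated. */
int pe_inspect(const uint8_t *img, size_t len, pe_info_t *out) {
    memset(out, 0, sizeof *out);
    out->text_index = -1;
    if (len < 0x40 || rd16(img, 0) != IMAGE_DOS_SIGNATURE) return -1;
    uint32_t nt = rd32(img, 0x3C);                    /* e_lfanew */
    if (nt > len || len - nt < 24) return -1;         /* Signature + IMAGE_FILE_HEADER */
    if (rd32(img, nt) != IMAGE_NT_SIGNATURE) return -1;
    out->machine   = rd16(img, nt + 4);
    uint16_t nsec  = rd16(img, nt + 6);
    uint16_t optsz = rd16(img, nt + 20);              /* SizeOfOptionalHeader */
    size_t sec = (size_t)nt + 24 + optsz;             /* first IMAGE_SECTION_HEADER */
    if (sec > len || (len - sec) / SECTION_HEADER_SIZE < nsec) return -1;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *sh = img + sec + (size_t)i * SECTION_HEADER_SIZE;
        /* Name is 8 bytes, NUL-padded but not necessarily NUL-terminated;
         * strncmp with n = 8 never reads past the field. */
        if (strncmp((const char *)sh, ".text", 8) == 0) {
            out->text_index = i;
            out->text_size  = rd32(sh, 8);   /* VirtualSize */
            out->text_va    = rd32(sh, 12);  /* VirtualAddress */
            return 0;
        }
    }
    return 1;
}

/* Architecture guard: an x86 image belongs in a 32-bit process and an
 * x64 image in a 64-bit one; anything else is a mismatch. */
int pe_machine_matches(uint16_t machine, int host_is_64) {
    return host_is_64 ? machine == IMAGE_FILE_MACHINE_AMD64
                      : machine == IMAGE_FILE_MACHINE_I386;
}

static void wr16(uint8_t *p, size_t off, uint16_t v) { p[off] = (uint8_t)v; p[off + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, size_t off, uint32_t v) { for (int i = 0; i < 4; i++) p[off + i] = (uint8_t)(v >> (8 * i)); }

/* Constructed sample (not a real DLL): minimal PE32+ headers with .rdata
 * listed BEFORE .text, so "first section == .text" would pick the wrong one.
 * Returns the image length, or 0 if the buffer is too small. */
size_t build_sample_pe(uint8_t *buf, size_t cap) {
    const size_t nt_off = 0x80, opt_size = 240;        /* PE32+ optional header size */
    const size_t sec_off = nt_off + 24 + opt_size;
    const size_t total = sec_off + 2 * SECTION_HEADER_SIZE;
    if (cap < total) return 0;
    memset(buf, 0, total);
    wr16(buf, 0, IMAGE_DOS_SIGNATURE);
    wr32(buf, 0x3C, (uint32_t)nt_off);
    wr32(buf, nt_off, IMAGE_NT_SIGNATURE);
    wr16(buf, nt_off + 4, IMAGE_FILE_MACHINE_AMD64);
    wr16(buf, nt_off + 6, 2);                          /* NumberOfSections */
    wr16(buf, nt_off + 20, (uint16_t)opt_size);
    wr16(buf, nt_off + 24, 0x20B);                     /* OptionalHeader.Magic = PE32+ */
    memcpy(buf + sec_off, ".rdata\0\0", 8);
    wr32(buf, sec_off + 8, 0x100);  wr32(buf, sec_off + 12, 0x1000);
    memcpy(buf + sec_off + SECTION_HEADER_SIZE, ".text\0\0\0", 8);
    wr32(buf, sec_off + SECTION_HEADER_SIZE + 8, 0x400);
    wr32(buf, sec_off + SECTION_HEADER_SIZE + 12, 0x2000);
    return total;
}

int main(void) {
    uint8_t img[512];
    size_t n = build_sample_pe(img, sizeof img);
    pe_info_t info;
    int rc = pe_inspect(img, n, &info);
    printf("rc=%d machine=0x%04x text_index=%d text_va=0x%x text_size=0x%x\n",
           rc, info.machine, info.text_index, info.text_va, info.text_size);
    printf("fits 64-bit host: %d\n", pe_machine_matches(info.machine, 1));
    return rc == 0 ? 0 : 1;
}
```

Build with any C compiler (for example `cc -Wall pe_walk.c && ./a.out`, where the file name is arbitrary). On the constructed image it reports `text_index=1`, which is exactly the case a position-based lookup would get wrong, and truncating the buffer below the section table makes `pe_inspect` return -1 instead of reading past the end, the behaviour an in-loader or in-scanner version of this walk needs for hostile or partial input.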
Owner
Bobby Cooke
SpiderLabs | OSWE | eWPTX | OSCE | eCXD | OSCP | SLAE32|64