Cobalt Strike User-Defined Reflective Loader
Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.
- Based on Stephen Fewer's incredible Reflective Loader project:
- Created while working through Renz0h's Reflective DLL videos from the Sektor7 Malware Developer Intermediate (MDI) Course
- Different versions of this User-Defined Reflective Loader project can be found in the versions folder:

| Version | File | Description |
|---|---|---|
| 0.1 | ReflectiveLoader-v0_1.c | This is the original reflective loader created for this project. It includes the notes within the C file. This initial version was created with research and learning in mind. Few obfuscation and evasion techniques are used in this version. |
Initial Project Goals
- Learn how Reflective Loader works.
- Write a Reflective Loader in Assembly.
- Compatible with Cobalt Strike.
- Cross compile from macOS/Linux.
- Implement Inline-Assembly into a C project.
Future Project Goals
- Use the initial project as a template for more advanced evasion techniques leveraging the flexibility of Assembly.
- Implement Cobalt Strike options such as no RWX, stompPE, module stomping, changing the MZ header, etc.
- Write a decent Aggressor script.
- Support x86.
- Have different versions of reflective loader to choose from.
- Implement HellsGate/HalosGate for the initial calls that reflective loader uses (pNtFlushInstructionCache, VirtualAlloc, GetProcAddress, LoadLibraryA, etc).
- Optimize the assembly code.
- Hash/obfuscate strings.
- Some kind of template language overlay that can modify/randomize the registers/methods.
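Two of the goals above, the HellsGate/HalosGate item and the string-hashing item, rest on the same mechanism: Stephen Fewer's loader, which this project is based on, locates LoadLibraryA, GetProcAddress, VirtualAlloc and NtFlushInstructionCache without any import table by comparing a 13-bit-rotate (ROR13) hash of each export name, and of each module name read from the PEB loader list, against hard-coded 32-bit constants. The Python below is an added example, not code from this project or from Fewer's. It reproduces that hash so an analyst can map constants recovered from a sample back to the names they encode, and it scans a byte blob for those constants stored as little-endian immediates, which is the plainest signature such a loader leaves in a binary. The function names (`ror13`, `export_hash`, `module_hash`, `build_table`, `resolve`, `find_hash_constants`) and the sample blob are this example's own.

```python
"""ROR13 API-hash resolver for triaging reflective-loader samples.

Added example for analysts; not code from this project. The hash
definition follows Stephen Fewer's Reflective Loader: for each input
byte, h = ror13(h) + byte, with 32-bit wraparound.
"""

MASK32 = 0xFFFFFFFF

# Export names worth resolving for a Fewer-style loader; extend as needed.
COMMON_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                  "NtFlushInstructionCache"]
COMMON_MODULES = ["kernel32.dll", "ntdll.dll"]


def ror13(value: int) -> int:
    """Rotate a 32-bit value right by 13 bits (the loader's HASH_KEY)."""
    value &= MASK32
    return ((value >> 13) | (value << 19)) & MASK32


def export_hash(name: str) -> int:
    """Hash an ASCII export name exactly as the loader hashes the
    strings in a module's export name table."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror13(h) + b) & MASK32
    return h


def module_hash(name: str) -> int:
    """Hash a module name as the loader reads it from the PEB: every byte
    of the UTF-16LE BaseDllName, zero high bytes included, with lowercase
    ASCII letters uppercased byte by byte before they are added."""
    h = 0
    for b in name.encode("utf-16-le"):
        if b >= 0x61:          # the loader's test: any byte >= 'a' gets -0x20
            b -= 0x20
        h = (ror13(h) + b) & MASK32
    return h


def build_table(modules, exports):
    """Map hash value -> (kind, name) for the names an analyst wants to
    recognise; values not present in the table resolve as unknown."""
    table = {}
    for m in modules:
        table[module_hash(m)] = ("module", m)
    for e in exports:
        table[export_hash(e)] = ("export", e)
    return table


def resolve(hashes, table):
    """Resolve a list of 32-bit constants (e.g. pulled from cmp/mov
    immediates in a disassembly) against the table."""
    return {h & MASK32: table.get(h & MASK32, ("unknown", None)) for h in hashes}


def find_hash_constants(blob: bytes, table):
    """Scan raw bytes for little-endian DWORDs that equal a known hash.
    Returns (offset, kind, name) hits; a plain compiled loader keeps these
    constants as immediates, so this is a cheap first-pass signature."""
    hits = []
    for off in range(len(blob) - 3):
        v = int.from_bytes(blob[off:off + 4], "little")
        if v in table:
            hits.append((off, *table[v]))
    return hits


if __name__ == "__main__":
    table = build_table(COMMON_MODULES, COMMON_EXPORTS)
    for h, (kind, name) in table.items():
        print(f"0x{h:08X}  {kind:<7} {name}")

    # Constructed sample: four NOPs, the LoadLibraryA hash as an immediate,
    # then padding. Not bytes from any real binary.
    sample = b"\x90" * 4 + export_hash("LoadLibraryA").to_bytes(4, "little") + b"\x00" * 4
    print(find_hash_constants(sample, table))
```

The export hash of "LoadLibraryA" computed this way is 0xEC0E4E8E, the constant Fewer's source defines as LOADLIBRARYA_HASH, which is a quick way to confirm the rotate direction and width before trusting the table on unfamiliar constants. A loader that hashes with a different key, adds a salt, or resolves by walking the export table with a different comparison will not match this table; that is exactly the gap the obfuscation goals above are aiming at, so treat a clean scan as absence of one specific signature, not as absence of a reflective loader.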
Usage
- Start your Cobalt Strike Team Server with or without a profile
- At the moment I've only tested without a profile and with a few profiles generated from Tylous's epic SourcePoint project
```bash
#### This profile stuff below is optional, but this is the profile I tested this Reflective Loader with ####
# Install Go on Kali if you need it
sudo apt install golang-go -y
# Creating a Team Server Cobalt Strike profile with SourcePoint
## Clone the SourcePoint project
git clone https://github.com/Tylous/SourcePoint.git
## Build SourcePoint Go project
cd SourcePoint
go build SourcePoint.go
## Run it with some cool flags (look at the help menu for more info)
### These are the settings I have tested UD Reflective Loader with
./SourcePoint -PE_Clone 18 -PostEX_Name 13 -Sleep 3 -Profile 4 -Outfile myprofile.profile -Host <TeamServer> -Injector NtMapViewOfSection
## Start Team Server
cd ../
sudo ./teamserver <TeamServer> '<password>' SourcePoint/myprofile.profile
```
- Go to your Cobalt Strike GUI and import the rdll_loader.cna Aggressor script
- Generate your x64 payload (Attacks -> Packages -> Windows Executable (S))
- Use the Script Console to make sure that the beacon was created successfully with this User-Defined Reflective Loader
Build (Only tested from macOS at the moment)
- Run the compile-x64.sh shell script after installing the required dependencies

```bash
# Install brew on macOS if you need it (https://brew.sh/)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install MinGW-w64 using Brew
brew install mingw-w64
# Clone this Reflective DLL project from this github repo
git clone https://github.com/boku7/CobaltStrikeReflectiveLoader.git
# Compile the ReflectiveLoader Object file
cd CobaltStrikeReflectiveLoader/
cat compile-x64.sh
x86_64-w64-mingw32-gcc -c ReflectiveLoader.c -o ./bin/ReflectiveLoader.x64.o -shared -masm=intel
bash compile-x64.sh
```
- Follow "Usage" instructions
Credits / References
- 100% recommend these videos if you're interested in Reflective DLL:
- Cobalt Strike User Defined Reflective Loader
- Great Resource for learning Intel ASM
- Implementing ASM in C Code with GCC