BokuLoader - Cobalt Strike Reflective Loader
Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.
- Based on Stephen Fewer's incredible Reflective Loader project:
- Created while working through Renz0h's Reflective DLL videos from the Sektor7 Malware Developer Intermediate (MDI) Course
- Different version of this User-Defined Reflective Loader project can be found in the versions folder
|0.7||BokuLoader-v0_7.c||Updated to work with Cobalt Strike v4.5!|
|0.6||ReflectiveLoader-v0_6.c||NoRWX feature added! The Reflective loader writes beacon with Read & Write permissions and after resolving Beacons Import Table & Relocations, changes the .TEXT code section of Beacon to Read & Execute permissions|
|0.5||ReflectiveLoader-v0_5.c||Added HellsGate & HalosGate direct syscaller, replaced allot of ASM stubs, code refactor, and ~500 bytes smaller. Credit to @SEKTOR7net the jedi HalosGate creator & @smelly__vx & @am0nsec Creators/Publishers of the Hells Gate technique! Credit to @ilove2pwn_ for recommending removing ASM Stubs! Haven't got all of them, but will keep working at it :)|
|0.4||ReflectiveLoader-v0_4.c||AMSI & ETW bypasses baked into reflective loader. Can disable by commenting #define BYPASS line when compiling. Credit to @mariuszbit for the awesome idea. Credit to @_xpn_ + @offsectraining + @ajpc500 for their research and code|
|0.3.1||ReflectiveLoader-v0_3_1.c||Changed strings from wchar to char and unpack them to unicode with MMX registers. Fixes linux compilation error discovered by @mariuszbit|
|0.3||ReflectiveLoader-v0_3.c||String obfuscation using new technique.|
|0.2||ReflectiveLoader-v0_2.c||Checks the Loader to see if dependent DLL's already exist to limit times LoadLibrary() is called, custom GetSymbolAddress function to reduce calls to GetProcAddress(), and code refactor.|
|0.1||ReflectiveLoader-v0_1.c||This is the original reflective loader created for this project. It includes the notes within the C file. This initial version was created with research and learning in mind. Little obfuscation and evasion techniques are used in this version.|
- Start your Cobalt Strike Team Server with or without a profile.
- Go to your Cobalt Strike GUI and import the BokuLoader.cna Agressor script.
- Generate your x64 payload (Attacks -> Packages -> Windows Executable (S))
- Use the Script Console to make sure that the beacon created successfully with this User-Defined Reflective Loader
Build (Only tested from macOS at the moment)
- Run the compile-x64.sh shell script after installling required dependencies
# Install brew on macOS if you need it (https://brew.sh/) /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" # Install Ming using Brew brew install mingw-w64 # Clone this Reflective DLL project from this github repo git clone https://github.com/boku7/BokuLoader.git # Compile the BokuLoader Object file cd BokuLoader/ cat compile-x64.sh x86_64-w64-mingw32-gcc -c BokuLoader.c -o BokuLoader.o -shared -masm=intel bash compile-x64.sh
- Follow "Usage" instructions
Credits / References
- 100% recommend these videos if you're interested in Reflective DLL:
- Reenz0h from @SEKTOR7net
- Most of the C techniques I use are from Reenz0h's awesome courses and blogs
- Best classes for malware development out there.
- Creator of the halos gate technique. His work was the motivation for this work.
- Sektor7 HalosGate Blog
- @smelly__vx & @am0nsec ( Creators/Publishers of the Hells Gate technique )
- Could not have made my implementation of HellsGate without them :)
- Awesome work on this method, really enjoyed working through it myself. Thank you!
- Link to the Hell's Gate paper: https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf
Cobalt Strike User Defined Reflective Loader
Great Resource for learning Intel ASM
ETW and AMSI Bypass
- @mariuszbit - for awesome idea to implement bypasses in reflective loader!
- @XPN Hiding Your .NET – ETW
- Offensive Security OSEP
Implementing ASM in C Code with GCC