34

GitHub - boku7/CobaltStrikeReflectiveLoader: Cobalt Strike User-Defined Reflecti...

 3 years ago
source link: https://github.com/boku7/CobaltStrikeReflectiveLoader
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

Cobalt Strike User-Defined Reflective Loader

Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.

Versions

  • Different version of this User-Defined Reflective Loader project can be found in the versions folder
Version File Description 0.1 ReflectiveLoader-v0_1.c This is the original reflective loader created for this project. It includes the notes within the C file. This initial version was created with research and learning in mind. Little obfuscation and evasion techniques are used in this version.

Initial Project Goals

  • Learn how Reflective Loader works.
  • Write a Reflective Loader in Assembly.
  • Compatible with Cobalt Strike.
  • Cross compile from macOS/Linux.
  • Implement Inline-Assembly into a C project.

Future Project Goals

  • Use the initial project as a template for more advanced evasion techniques leveraging the flexibility of Assembly.
  • Implement Cobalt Strike options such as no RWX, stompPE, module stomping, changing the MZ header, etc.
  • Write a decent Aggressor script.
  • Support x86.
  • Have different versions of reflective loader to choose from.
  • Implement HellsGate/HalosGate for the initial calls that reflective loader uses (pNtFlushInstructionCache, VirtualAlloc, GetProcAddress, LoadLibraryA, etc).
  • Optimize the assembly code.
  • Hash/obfuscate strings.
  • Some kind of template language overlay that can modify/randomize the registers/methods.

Usage

  1. Start your Cobalt Strike Team Server with or without a profile
#### This profile stuff below is optional, but this is the profile I tested this Reflective Loader with ####
# Install Go on Kali if you need it
sudo apt install golang-go -y
# Creating a Team Server Cobalt Strike profile with SourcePoint
## Clone the SourcePoint project
git clone https://github.com/Tylous/SourcePoint.git
## Build SourcePoint Go project
cd SourcePoint
go build SourcePoint.go
## Run it with some cool flags (look at the help menu for more info)
### This is the settings I have tested UD Reflective Loader with
./SourcePoint -PE_Clone 18 -PostEX_Name 13 -Sleep 3 -Profile 4 -Outfile myprofile.profile -Host <TeamServer> -Injector NtMapViewOfSection
## Start Team Server
cd ../
sudo ./teamserver  <TeamServer> 'T3@Ms3Rv3Rp@$$w0RD' SourcePoint/myprofile.profile
  1. Go to your Cobalt Strike GUI and import the rdll_loader.cna Agressor script
  2. Generate your x64 payload (Attacks -> Packages -> Windows Executable (S))
  • Does not support x86 option. The x86 bin is the original Reflective Loader object file.
  1. Use the Script Console to make sure that the beacon created successfully with this User-Defined Reflective Loader
  • If successful, the output in the Script Console will look like this:

Build (Only tested from macOS at the moment)

  1. Run the compile-x64.sh shell script after installling required dependencies
# Install brew on macOS if you need it (https://brew.sh/)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install Ming using Brew
brew install mingw-w64
# Clone this Reflective DLL project from this github repo
git clone https://github.com/boku7/CobaltStrikeReflectiveLoader.git
# Compile the ReflectiveLoader Object file
cd CobaltStrikeReflectiveLoader/
cat compile-x64.sh
x86_64-w64-mingw32-gcc -c ReflectiveLoader.c -o ./bin/ReflectiveLoader.x64.o -shared -masm=intel
bash compile-x64.sh
  1. Follow "Usage" instructions

Credits / References

Reflective Loader

Cobalt Strike User Defined Reflective Loader

Great Resource for learning Intel ASM

Implementing ASM in C Code with GCC

Cobalt Strike C2 Profile Generator


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK