• Stars
    star
    1,119
  • Rank 41,529 (Top 0.9 %)
  • Language
    C
  • License
    MIT License
  • Created about 3 years ago
  • Updated 12 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A proof-of-concept Cobalt Strike Reflective Loader which aims to recreate, integrate, and enhance Cobalt Strike's evasion features!

BokuLoader : Cobalt Strike Reflective Loader

A proof-of-concept User-Defined Reflective Loader (UDRL) which aims to recreate, integrate, and enhance Cobalt Strike's evasion features!

Contributors:

Contributor Twitter Notable Contributions
Bobby Cooke @0xBoku Project original author and maintainer
Santiago Pecin @s4ntiago_p Reflective Loader major enhancements
Chris Spehn @ConsciousHacker Aggressor scripting
Joshua Magri @passthehashbrwn IAT hooking

UDRL Usage Considerations

The built-in Cobalt Strike reflective loader is robust, handling all Malleable PE evasion features Cobalt Strike has to offer. The major disadvantage to using a custom UDRL is Malleable PE evasion features may or may not be supported out-of-the-box.

The objective of the public BokuLoader project is to assist red teams in creating their own in-house Cobalt Strike UDRL. The project aims to support all worthwhile CS Malleable PE evasion features. Some evasion features leverage CS integration, others have been recreated completely, and some are unsupported.

Before using this project, in any form, you should properly test the evasion features are working as intended. Between the C code and the Aggressor script, compilation with different versions of operating systems, compilers, and Java may return different results.

Evasion Features

BokuLoader Specific Evasion Features

  • Custom ASM/C reflective loader code
  • Direct NT syscalls via HellsGate & HalosGate techniques
    • All memory protection changes for all allocation options are done via direct syscall to NtProtectVirtualMemory
  • obfuscate "true" with custom UDRL Aggressor script implementation.
  • NOHEADERCOPY
    • Loader will not copy headers raw beacon DLL to virtual beacon DLL. First 0x1000 bytes will be nulls.
  • XGetProcAddress for resolving symbols
    • Does not use Kernel32.GetProcAddress
  • xLoadLibrary for resolving DLL's base address & DLL Loading
    • For loaded DLLs, gets DLL base address from TEB->PEB->PEB_LDR_DATA->InMemoryOrderModuleList
    • Does not use Kernel32.LoadLibraryA
  • Caesar Cipher for string obfuscation
  • 100k UDRL Size
  • Import DLL names and import entry name strings are stomped in virtual beacon DLL.

Supported Malleable PE Evasion Features

Command Option(s) Supported
allocator HeapAlloc, MapViewOfFile, VirtualAlloc All supported via BokuLoader implementation
module_x64 string (DLL Name) Supported via BokuLoader implementation. Same DLL stomping requirements as CS implementation apply
obfuscate true/false HTTP/S beacons supported via BokuLoader implementation. SMB/TCP is currently not supported for obfuscate true. Details in issue. Accepting help if you can fix :)
entry_point RVA as decimal number Supported via BokuLoader implementation
cleanup true Supported via CS integration
userwx true/false Supported via BokuLoader implementation
sleep_mask (true/false) or (Sleepmask Kit+true) Supported. When using default "sleepmask true" (without sleepmask kit) set "userwx true". When using sleepmask kit which supports RX beacon.text memory (src47/Ekko) set "sleepmask true" && "userwx false".
magic_mz_x64 4 char string Supported via CS integration
magic_pe 2 char string Supported via CS integration
transform-x64 prepend escaped hex string BokuLoader.cna Aggressor script modification
transform-x64 strrep string string BokuLoader.cna Aggressor script modification
stomppe true/false Unsupported. BokuLoader does not copy beacon DLL headers over. First 0x1000 bytes of virtual beacon DLL are 0x00
checksum number Experimental. BokuLoader.cna Aggressor script modification
compile_time date-time string Experimental. BokuLoader.cna Aggressor script modification
image_size_x64 decimal value Unsupported
name string Experimental. BokuLoader.cna Aggressor script modification
rich_header escaped hex string Experimental. BokuLoader.cna Aggressor script modification
stringw string Unsupported
string string Unsupported

Test

Project Origins

Usage

  1. Compile the BokuLoader Object file with make
  2. Start your Cobalt Strike Team Server
  3. Within Cobalt Strike, import the BokuLoader.cna Aggressor script
  4. Generate the x64 beacon (Attacks -> Packages -> Windows Executable (S))
  5. Use the Script Console to ensure BokuLoader was implemented in the beacon build
  • Does not support x86 option. The x86 bin is the original Reflective Loader object file.
  • Generating RAW beacons works out of the box. When using the Artifact Kit for the beacon loader, the stagesize variable must be larger than the default.

Detection Guidance

Hardcoded Strings

  • BokuLoader changes some commonly detected strings to new hardcoded values. These strings can be used to signature BokuLoader:
Original Cobalt Strike String BokuLoader Cobalt Strike String
ReflectiveLoader BokuLoader
Microsoft Base Cryptographic Provider v1.0 12367321236742382543232341241261363163151d
(admin) (tomin)
beacon bacons

Memory Allocators

DLL Module Stomping

  • The Kernel32.LoadLibraryExA is called to map the DLL from disk
  • The 3rd argument to Kernel32.LoadLibraryExA is DONT_RESOLVE_DLL_REFERENCES (0x00000001)
    • the system does not call DllMain
  • Does not resolve addresses in LDR PEB entry as detailed by MDSec here
  • Detectable by scanning process memory with pe-sieve tool

Heap Allocation

  • Executable RX or RWX memory will exist in the heap if sleepmask kit is not used.

Mapped Allocator

  • The Kernel32.CreateFileMappingA & Kernel32.MapViewOfFile is called to allocate memory for the virtual beacon DLL.

Sleepmask Detection

Direct Syscalls

  • BokuLoader calls the following NT systemcalls to setup the loaded executable beacon memory: NtAllocateVirtualMemory, NtProtectVirtualMemory, NtFreeVirtualMemory
  • These are called directly from the BokuLoader executable memory. These system calls are not backed by NTDLL memory.
  • Setting userland hooks in ntdll.dll will not detect these systemcalls.
  • It may be possible to register kernelcallbacks using a kernel driver to monitor for the above system calls and detect their usage when they are not called from ntdll.dll.
  • The BokuLoader itself will contain the mov eax, r11d; syscall; ret assembly instructions within its executable memory.

Virtual Beacon DLL Header

  • The first 0x1000 bytes of the virtual beacon DLL are zeros.

Source Code Available

  • The BokuLoader source code is provided within the repository and can be used to create memory signatures.
  • If you have additional detection guidance, please feel free to contribute by submitting a pull request.

Credits / References

Reflective Loader

HalosGate SysCaller

  • Reenz0h from @SEKTOR7net
    • Checkout Reenz0h's awesome courses and blogs!
    • Best classes for malware development I have taken.
    • Creator of the halos gate technique. His work was initially the motivation for this work.
    • Sektor7 HalosGate Blog

HellsGate Syscaller

Aggressor Scripting

Cobalt Strike User Defined Reflective Loader

Great Resource for learning Intel ASM

ETW and AMSI Bypass

Implementing ASM in C Code with GCC

Cobalt Strike C2 Profiles

More Repositories

1

azureOutlookC2

Azure Outlook Command & Control (C2) - Remotely control a compromised Windows Device from your Outlook mailbox. Threat Emulation Tool for North Korean APT InkySquid / ScarCruft / APT37. TTP: Use Microsoft Graph API for C2 Operations.
C
456
star
2

Ninja_UUID_Runner

Module Stomping, No New Thread, HellsGate syscaller, UUID Shellcode Runner for x64 Windows 10!
C
425
star
3

spawn

Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.
C
412
star
4

injectAmsiBypass

Cobalt Strike BOF - Bypass AMSI in a remote process with code injection.
C
366
star
5

injectEtwBypass

CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)
C
258
star
6

HOLLOW

EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode
C
240
star
7

AsmHalosGate

x64 Assembly HalosGate direct System Caller to evade EDR UserLand hooks
C
167
star
8

whereami

Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's.
C
153
star
9

winx64-InjectAllProcessesMeterpreter-Shellcode

64bit Windows 10 shellcode that injects all processes with Meterpreter reverse shells.
Assembly
129
star
10

HellsGatePPID

Assembly HellGate implementation that directly calls Windows System Calls and displays the PPID of the explorer.exe process
C
99
star
11

Nobelium-PdfDLRunAesShellcode

A recreation of the "Nobelium" malware based on Microsofts Malware analysis - Part 1: PDF2Pwn
C
99
star
12

halosgate-ps

Cobalt Strike BOF that uses a custom ASM HalosGate & HellsGate syscaller to return a list of processes
C
93
star
13

XSS-Clientside-Attacks

A repository of JavaScript XSS attacks against client browsers
JavaScript
86
star
14

xPipe

Cobalt Strike BOF to list Windows Pipes & return their Owners & DACL Permissions
C
75
star
15

x64win-DynamicNoNull-WinExec-PopCalc-Shellcode

64bit WIndows 10 shellcode dat pops dat calc - Dynamic & Null Free
Assembly
34
star
16

x64win-AddRdpAdminShellcode

64bit Windows 10 shellcode that adds user BOKU:SP3C1ALM0V3 to the system and the localgroups Administrators & "Remote Desktop Users"
Assembly
33
star
17

tailorMS-rXSS-Keylogger

Reflected Cross-Site Scripting (XSS) vulnerability in 'index.php' login-portal webpage of SourceCodesters Tailor Management System v1.0 allows remote attackers to harvest keys pressed via unauthenticated victim clicking malicious URL and typing.
Python
25
star
18

StockManagement-XSS-Login-CredHarvester

Reflected Cross-Site Scripting (XSS) vulnerability in 'index.php' login-portal webpage of SourceCodesters Stock Management System v1.0 allows remote attackers to harvest login credentials & session cookie via unauthenticated victim clicking malicious URL and entering credentials.
Python
20
star
19

gsSMTP-Csrf2Xss2RCE

Python
17
star
20

gsCMS-CustomJS-Csrf2Xss2Rce

GetSimple CMS Custom JS Plugin Exploit RCE Chain
Python
13
star
21

LibreHealth-authRCE

LibreHealth v2.0.0 suffers from an authenticated file upload vulnerability allowing remote attackers to gain remote code execution (RCE) on the hosting webserver via uploading a maliciously crafted image.
Python
11
star
22

CVE-2020-23839

Public PoC Disclosure for CVE-2020-23839 - GetSimple CMS v3.3.16 suffers from a Reflected XSS on the Admin Login Portal
Python
10
star
23

onlineCourseReg-RCE

From 0 to Remote Code Execution - exploit development files for Online Course Registration Web Application RCE
Python
8
star
24

BikeRental-FU-RCE

Python
8
star
25

slae64

Repo for SLAE64 Exam
Assembly
7
star
26

GetSimple-SmtpPlugin-CSRF2RCE

GetSimple CMS My SMTP Contact Plugin <= v1.1.1 - CSRF to RCE
Python
7
star
27

boku7.github.io

Blog
HTML
6
star
28

homeRent-SQLi-RCE

House Rental v1.0 suffers from an unauthenticated SQL Injection vulnerability allowing remote attackers to execute arbitrary code on the hosting webserver via sending a malicious POST request.
Python
5
star
29

fuzzingFTP

Python scripts for fuzzing FTP servers, with percision, over TCP
Python
4
star
30

slae32

Repo for all SLAE32 Exam Assignments
Assembly
3
star
31

burp-jars

3
star
32

aCal-RCE

Exploit Development files for aCal web application - reflected XSS to RCE.
Python
3
star
33

BarracudaDrivev6.5-LocalPrivEsc

Insecure Service File Permissions in bd service in Real Time Logics BarracudaDrive v6.5 allows local attackers to escalate privileges to admin via replacing the bd.exe file and restarting the computer where it will be run as 'LocalSystem' on the next startup automatically.
2
star
34

AV_Bypass-Splitter

Splitter script to identify Anti-Virus signature of an executable
Shell
1
star
35

xdev-templates

Random helpful xdev templates
Python
1
star
36

domQuestPro-SEH-BOF

Python
1
star