Cobalt Strike User-Defined Reflective Loader v1.0 releases

Cobalt Strike User-Defined Reflective Loader

Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.

• Based on Stephen Fewer’s incredible Reflective Loader project
• Created while working through Renz0h’s Reflective DLL videos from the Sektor7 Malware Developer Intermediate (MDI) Course

Initial Project Goals

• Learn how Reflective Loader works.
• Write a Reflective Loader in Assembly.
• Compatible with Cobalt Strike.
• Cross compile from macOS/Linux.
• Implement Inline-Assembly into a C project.

Future Project Goals

• Use the initial project as a template for more advanced evasion techniques leveraging the flexibility of Assembly.
• Implement Cobalt Strike options such as no RWX, stompPE, module stomping, changing the MZ header, etc.
• Write a decent Aggressor script.
• Support x86.
• Have different versions of the reflective loader to choose from.
• Implement HellsGate/HalosGate for the initial calls that reflective loader uses (pNtFlushInstructionCache, VirtualAlloc, GetProcAddress, LoadLibraryA, etc).
• Optimize the assembly code.
• Hash/obfuscate strings.
• Some kind of template language overlay that can modify/randomize the registers/methods.

Usage

1. Start your Cobalt Strike Team Server with or without a profile

• At the moment I’ve only tested without a profile and with a few profiles generated from Tylous’s epic SourcePoint project

  #### This profile stuff below is optional, but this is the profile I tested this Reflective Loader with ####
  
  # Install Go on Kali if you need it
  
  sudo apt install golang-go -y
  
  # Creating a Team Server Cobalt Strike profile with SourcePoint
  
  ## Clone the SourcePoint project
  
  git clone https://github.com/Tylous/SourcePoint.git
  
  ## Build SourcePoint Go project
  
  cd SourcePoint
  
  go build SourcePoint.go
  
  ## Run it with some cool flags (look at the help menu for more info)
  
  ### This is the settings I have tested UD Reflective Loader with
  
  ./SourcePoint -PE_Clone 18 -PostEX_Name 13 -Sleep 3 -Profile 4 -Outfile myprofile.profile -Host <TeamServer> -Injector NtMapViewOfSection
  
  ## Start Team Server
  
  cd ../
  
  sudo ./teamserver  <TeamServer> 'T3@Ms3Rv3Rp@$$w0RD' SourcePoint/myprofile.profile

   

   

   

2. Go to your Cobalt Strike GUI and import the rdll_loader.cna Agressor script
3. Generate your x64 payload (Attacks -> Packages -> Windows Executable (S))

• Does not support the x86 option. The x86 bin is the original Reflective Loader object file.

4. Use the Script Console to make sure that the beacon created successfully with this User-Defined Reflective Loader

• If successful, the output in the Script Console will look like this:

Change log v1.0

Massive update from @s4ntiago_p! New 32bit loader with WOW64 support, 32bit Halos&HellsGate, code optimizations & bug fixes!

Install