A proof-of-concept User-Defined Reflective Loader (UDRL) which aims to recreate, integrate, and enhance Cobalt Strike's evasion features!
UDRL Usage Considerations
The built-in Cobalt Strike reflective loader is robust, handling all Malleable PE evasion features Cobalt Strike has to offer. The major disadvantage to using a custom UDRL is Malleable PE evasion features may or may not be supported out-of-the-box.
The objective of the public BokuLoader project is to assist red teams in creating their own in-house Cobalt Strike UDRL. The project aims to support all worthwhile CS Malleable PE evasion features. Some evasion features leverage CS integration, others have been recreated completely, and some are unsupported.
Before using this project, in any form, you should properly test the evasion features are working as intended. Between the C code and the Aggressor script, compilation with different versions of operating systems, compilers, and Java may return different results.
Evasion Features
BokuLoader Specific Evasion Features
Reflective callstack spoofing via synthetic frames.
Custom ASM/C reflective loader code
Indirect NT syscalls via HellsGate & HalosGate techniques
All memory protection changes for all allocation options are done via indirect syscall to NtProtectVirtualMemory
obfuscate "true" with custom UDRL Aggressor script implementation.
NOHEADERCOPY
Loader will not copy headers raw beacon DLL to virtual beacon DLL. First 0x1000 bytes will be nulls.
XGetProcAddress for resolving symbols
Does not use Kernel32.GetProcAddress
xLoadLibrary for resolving DLL's base address & DLL Loading
For loaded DLLs, gets DLL base address from TEB->PEB->PEB_LDR_DATA->InMemoryOrderModuleList
Does not use Kernel32.LoadLibraryA
Caesar Cipher for string obfuscation
100k UDRL Size
Import DLL names and import entry name strings are stomped in virtual beacon DLL.
Supported Malleable PE Evasion Features
Command Option(s) Supported
allocator HeapAlloc, MapViewOfFile, VirtualAlloc All supported via BokuLoader implementation
module_x64 string (DLL Name) Supported via BokuLoader implementation. Same DLL stomping requirements as CS implementation apply
obfuscate true/false HTTP/S beacons supported via BokuLoader implementation. SMB/TCP is currently not supported for obfuscate true. Details in issue. Accepting help if you can fix :)
entry_point RVA as decimal number Supported via BokuLoader implementation
cleanup true Supported via CS integration
userwx true/false Supported via BokuLoader implementation
sleep_mask (true/false) or (Sleepmask Kit+true) Supported. When using default "sleepmask true" (without sleepmask kit) set "userwx true". When using sleepmask kit which supports RX beacon.text memory (src47/Ekko) set "sleepmask true" && "userwx false".
magic_mz_x64 4 char string Supported via CS integration
magic_pe 2 char string Supported via CS integration
transform-x64 prepend escaped hex string BokuLoader.cna Aggressor script modification
transform-x64 strrep string string BokuLoader.cna Aggressor script modification
stomppe true/false Unsupported. BokuLoader does not copy beacon DLL headers over. First 0x1000 bytes of virtual beacon DLL are 0x00
checksum number Experimental. BokuLoader.cna Aggressor script modification
compile_time date-time string Experimental. BokuLoader.cna Aggressor script modification
image_size_x64 decimal value Unsupported
name string Experimental. BokuLoader.cna Aggressor script modification
rich_header escaped hex string Experimental. BokuLoader.cna Aggressor script modification
stringw string Unsupported
string string Unsupported
POC DOWNLOAD @https://t.me/crackvaultde
Support Crack-Vault and help us keep providing free tools. Every donation counts!
(BTC) Address: bc1qhhva8uplmkaa3kkwxnux9t3y6l6kmhnwqzktzn
