boku7 / bokuloader
A proof-of-concept Cobalt Strike Reflective Loader which aims to recreate, integrate, and enhance Cobalt Strike's evasion features!
License: MIT License
Hi!
When I load your provided .o file it loads & works fine:
[14:43:03] ========== Running 'BEACON_RDLL_GENERATE' for DLL resources/beacon.x64.dll with architecture x64 ========== at rdll_loader.cna:44
[14:43:03] Loaded Length: 5555 at rdll_loader.cna:11
[14:43:03] Extracted Length: 3568 at rdll_loader.cna:20
But when I try to recompile it myself on Windows WSL linux (bash, using the same compile-x64.sh script provided) it breaks with the following:
[14:44:09] ========== Running 'BEACON_RDLL_GENERATE' for DLL resources/beacon.x64.dll with architecture x64 ========== at rdll_loader.cna:44
[14:44:09] Loaded Length: 5847 at rdll_loader.cna:11
[14:44:09] Function call &extract_reflective_loader failed: Can't parse rDLL loader file:
Unknown symbol '.rdata' from: .rdata
Unknown symbol '.rdata' from: .rdata
Unknown symbol '.rdata' from: .rdata
Unknown symbol '.rdata' from: .rdata
at rdll_loader.cna:19
[14:44:09] Extracted Length: 0 at rdll_loader.cna:20
[14:44:09] Error loading reflective loader object file - Reverting to using default Cobalt Strike Reflective Loader. at rdll_loader.cna:22
That's weird, but in fact IDA shows an additional section named .rdata in my binary that has these contents:
.rdata:0000000000000E90 ; ===========================================================================
.rdata:0000000000000E90
.rdata:0000000000000E90 ; Segment type: Pure data
.rdata:0000000000000E90 ; Segment permissions: Read
.rdata:0000000000000E90 _rdata segment para public 'DATA' use64
.rdata:0000000000000E90 assume cs:_rdata
.rdata:0000000000000E90 ;org 0E90h
.rdata:0000000000000E90 unk_E90 db 6Eh ; n ; DATA XREF: ReflectiveLoader+E3↑r
.rdata:0000000000000E91 db 0
.rdata:0000000000000E92 db 74h ; t
.rdata:0000000000000E93 db 0
.rdata:0000000000000E94 db 64h ; d
.rdata:0000000000000E95 db 0
.rdata:0000000000000E96 db 6Ch ; l
.rdata:0000000000000E97 db 0
.rdata:0000000000000E98 unk_E98 db 0 ; DATA XREF: ReflectiveLoader+EE↑r
.rdata:0000000000000E99 db 0
.rdata:0000000000000E9A unk_E9A db 4Bh ; K ; DATA XREF: ReflectiveLoader+1F2↑r
.rdata:0000000000000E9B db 0
.rdata:0000000000000E9C db 45h ; E
.rdata:0000000000000E9D db 0
.rdata:0000000000000E9E db 52h ; R
.rdata:0000000000000E9F db 0
.rdata:0000000000000EA0 db 4Eh ; N
.rdata:0000000000000EA1 db 0
.rdata:0000000000000EA2 word_EA2 dw 0 ; DATA XREF: ReflectiveLoader+1FD↑r
.rdata:0000000000000EA4 align 10h
.rdata:0000000000000EA4 _rdata ends
.rdata:0000000000000EA4
Being referenced here:
.text:00000000000000CD mov [rbp+210h+var_A8], 0Ch
.text:00000000000000D8 mov [rbp+210h+var_B0], 0
.text:00000000000000E3 mov rax, cs:qword_E90
.text:00000000000000EA mov [rbp+210h+var_254], rax
.text:00000000000000EE movzx eax, cs:word_E98 ; <<<------- HERE
.text:00000000000000F5 mov [rbp+210h+var_24C], ax
.text:00000000000000F9 lea rax, [rbp+210h+var_254]
.text:00000000000000FD mov rcx, rax
.text:0000000000000100 call crawlLdrDllList
Any idea what's going on, have you experienced anything like this before? :-)
Cheers,
Mariusz.
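The parser failure reported above is about which sections and symbols the recompiled object contains ("Unknown symbol '.rdata'"). The script below is an added example, not code from BokuLoader or from Cobalt Strike's aggressor script: it walks a COFF object's section headers, relocations and symbol table and reports which symbols each section's relocations reference, so a freshly compiled .o can be inspected for an unexpected .rdata section before it is handed to a loader that only knows a fixed set of section names. The `expected` section set is an assumption, and the embedded sample object is constructed for the demonstration (one .text relocation pointing at the .rdata section symbol, mirroring the IDA listing above).

```python
"""Inspect a COFF object (.o): list its sections and the symbols that each
section's relocations reference (added example; not BokuLoader code)."""
import struct
from typing import Dict, List

# Layouts from the PE/COFF specification (little-endian, no padding).
COFF_HEADER = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp,
                                 # PointerToSymbolTable, NumberOfSymbols,
                                 # SizeOfOptionalHeader, Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData,
                                 # PointerToRawData, PointerToRelocations,
                                 # PointerToLinenumbers, NumberOfRelocations,
                                 # NumberOfLinenumbers, Characteristics
RELOCATION = "<IIH"              # VirtualAddress, SymbolTableIndex, Type
SYMBOL = "<8sIhHBB"              # Name, Value, SectionNumber, Type, StorageClass, NumberOfAuxSymbols
SYMBOL_SIZE = 18

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SYM_CLASS_STATIC = 3
IMAGE_REL_AMD64_REL32 = 0x0004


def _strtab_name(off: int, strtab: bytes) -> str:
    end = strtab.find(b"\0", off)
    return strtab[off:end if end != -1 else None].decode("ascii", "replace")


def _symbol_name(raw: bytes, strtab: bytes) -> str:
    # Long symbol names: first 4 bytes zero, next 4 = offset into the string table.
    if raw[:4] == b"\0\0\0\0":
        return _strtab_name(struct.unpack("<I", raw[4:8])[0], strtab)
    return raw.rstrip(b"\0").decode("ascii", "replace")


def _section_name(raw: bytes, strtab: bytes) -> str:
    # Long section names in objects are "/<decimal offset>" into the string table.
    if raw.startswith(b"/"):
        return _strtab_name(int(raw[1:].rstrip(b"\0")), strtab)
    return raw.rstrip(b"\0").decode("ascii", "replace")


def parse_coff(data: bytes) -> Dict:
    """Return the machine type plus, per section, its name, raw size,
    characteristics and the names of every symbol its relocations point at."""
    machine, nsect, _ts, symptr, nsyms, optsize, _chars = struct.unpack_from(COFF_HEADER, data, 0)
    # The string table follows the symbol table; offsets into it count from its
    # own 4-byte size prefix, so the prefix stays in the slice.
    strtab = data[symptr + nsyms * SYMBOL_SIZE:]
    names: Dict[int, str] = {}
    i = 0
    while i < nsyms:
        raw, _val, _secno, _typ, _cls, naux = struct.unpack_from(SYMBOL, data, symptr + i * SYMBOL_SIZE)
        names[i] = _symbol_name(raw, strtab)
        i += 1 + naux                      # auxiliary records carry no name of their own
    sections: List[Dict] = []
    base = struct.calcsize(COFF_HEADER) + optsize
    for k in range(nsect):
        (name, _vs, _va, rawsize, _rawptr, relptr, _lnptr, nrel, _nln, chars) = \
            struct.unpack_from(SECTION_HEADER, data, base + k * struct.calcsize(SECTION_HEADER))
        targets = []
        for r in range(nrel):
            _va, symidx, _rtype = struct.unpack_from(RELOCATION, data, relptr + r * struct.calcsize(RELOCATION))
            targets.append(names.get(symidx, f"<sym#{symidx}>"))
        sections.append({"name": _section_name(name, strtab), "size": rawsize,
                         "characteristics": chars, "relocation_targets": targets})
    return {"machine": machine, "sections": sections}


def unexpected_sections(info: Dict, expected=(".text", ".data", ".bss")) -> List[str]:
    """Section names outside `expected` (an assumed set, not any loader's real one)."""
    return [s["name"] for s in info["sections"] if s["name"] not in expected]


def build_sample_object() -> bytes:
    """Constructed x64 COFF object: .text with one relocation that points at the
    .rdata section symbol, and .rdata holding part of a wide string constant."""
    hdr_size = struct.calcsize(COFF_HEADER)
    sec_size = struct.calcsize(SECTION_HEADER)
    text_off = hdr_size + 2 * sec_size                  # raw .text bytes
    rdata_off = text_off + 8                            # raw .rdata bytes
    reloc_off = rdata_off + 8                           # relocation records for .text
    sym_off = reloc_off + struct.calcsize(RELOCATION)   # symbol table
    header = struct.pack(COFF_HEADER, IMAGE_FILE_MACHINE_AMD64, 2, 0, sym_off, 2, 0, 0)
    text_hdr = struct.pack(SECTION_HEADER, b".text", 0, 0, 8, text_off, reloc_off, 0, 1, 0, 0x60000020)
    rdata_hdr = struct.pack(SECTION_HEADER, b".rdata", 0, 0, 8, rdata_off, 0, 0, 0, 0, 0x40000040)
    text = b"\x90" * 7 + b"\xc3"                        # placeholder code bytes
    rdata = "ntdl".encode("utf-16-le")                  # 8 bytes of a wide string constant
    reloc = struct.pack(RELOCATION, 3, 1, IMAGE_REL_AMD64_REL32)   # fixup at .text+3 -> symbol 1
    syms = struct.pack(SYMBOL, b".text", 0, 1, 0, IMAGE_SYM_CLASS_STATIC, 0) + \
           struct.pack(SYMBOL, b".rdata", 0, 2, 0, IMAGE_SYM_CLASS_STATIC, 0)
    strtab = struct.pack("<I", 4)                       # empty string table (size prefix only)
    return header + text_hdr + rdata_hdr + text + rdata + reloc + syms + strtab


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_object()
    info = parse_coff(data)
    for s in info["sections"]:
        print(f'{s["name"]:<10} size={s["size"]:<6} chars=0x{s["characteristics"]:08x} relocs->{s["relocation_targets"]}')
    print("sections outside the expected set:", unexpected_sections(info))
```

Run it with a path to a compiled .o to see which sections the object carries and which section symbols the .text relocations reach; with no argument it reports on the constructed sample, where .text's only relocation targets .rdata.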
Please port this tool so it can be used against Windows 11 environments.
Hi,
There seem to be two issues with the way the PrependBytes functionality works within the aggressor script:
hello boku, why are all of those options not used in the rdlloader.cna: pe_insert_rich_header, pe_mask, pe_mask_section and all of the rest here https://www.cobaltstrike.com/help-user-defined-reflective-loader.
It seems that rdlloader is ignoring the malleable c2; it's using the default beacon of the default profile. It's completely bypassing the profile I have chosen.
It gets detected by Defender even when trying with the different versions you add in the versions directory.
As a measure I unloaded the artifact.cna to test without it, but same problem, it gets detected.
If you can, please provide help about how to use all the options and params https://www.cobaltstrike.com/help-user-defined-reflective-loader. Thanks in advance.
I discovered this wonderful project but I am not able to test its performance in my lab environment. The malleable c2 that I'm using is the recommended jquery-c2.4.7. The same malleable C2 works for other loaders without any issues, so it might not be that. I don't know.
I'm running Cobalt Strike version 4.9.1 and I'm using the most recent version of Bokuloader. The script gave me back a "correct" output in the script console but when I try to run the .exe on the machine I got this error. AV is disabled for this test.
Any help appreciated! Thanks very much for your time and your amazing work.
./Makefile: line 1: CC_x64: command not found
./Makefile: line 2: CFLAGS: command not found
./Makefile: line 2: CFLAGS: command not found
./Makefile: line 3: CFLAGS: command not found
./Makefile: line 3: CFLAGS: command not found
./Makefile: line 5: bokuloader:: command not found
./Makefile: line 6: CC_x64: command not found
./Makefile: line 6: CFLAGS: command not found
./Makefile: line 6: -c: command not found
./Makefile: line 7: clean:: command not found
Used this fantastic project in the past without issues, but when I attempted to use it again on my current engagement, I just cannot get the generated executables to run no matter what I try.
Cobalt Strike is fully current at 4.8 and I'm using the most recent version of Bokuloader. I'm also (I believe) abiding by all the recommendations in the README. I've included my malleable C2 (based on the jQuery one listed in the README and scrubbed of incriminating data):
I also tried it with no malleable C2 loaded at all and got the same issue. I'm quite sure I'm doing something wrong, but I wanted to see if there was a known issue (perhaps with recent changes in Cobalt Strike).
Any help appreciated! Thanks very much for your time.
Thank you for this great project, but it seems it doesn't work in a Windows env when generating the raw file from CS?
^ no callback when executing the file
hello, I just wanted to know if I should load the artifact kit (artifact template) and rdll_loader.cna at the same time.
Will Cobalt Strike use the template cna or rdll_loader to create the final exe??