Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.
- Based on Stephen Fewer's incredible Reflective Loader project:
- Created while working through Renz0h's Reflective DLL videos from the Sektor7 Malware Developer Intermediate (MDI) Course
- Different version of this User-Defined Reflective Loader project can be found in the versions folder
| Version | File | Description |
|---|---|---|
| 0.3 | ReflectiveLoader-v0_3.c | String obfuscation using new technique. |
| 0.2 | ReflectiveLoader-v0_2.c | Checks the Loader to see if dependent DLL's already exist to limit times LoadLibrary() is called, custom GetSymbolAddress function to reduce calls to GetProcAddress(), and code refactor. |
| 0.1 | ReflectiveLoader-v0_1.c | This is the original reflective loader created for this project. It includes the notes within the C file. This initial version was created with research and learning in mind. Little obfuscation and evasion techniques are used in this version. |
- Learn how Reflective Loader works.
- Write a Reflective Loader in Assembly.
- Compatible with Cobalt Strike.
- Cross compile from macOS/Linux.
- Implement Inline-Assembly into a C project.
- Use the initial project as a template for more advanced evasion techniques leveraging the flexibility of Assembly.
- Implement Cobalt Strike options such as no RWX, stompPE, module stomping, changing the MZ header, etc.
- Write a decent Aggressor script.
- Support x86.
- Have different versions of reflective loader to choose from.
- Implement HellsGate/HalosGate for the initial calls that reflective loader uses (pNtFlushInstructionCache, VirtualAlloc, GetProcAddress, LoadLibraryA, etc).
- Optimize the assembly code.
- Hash/obfuscate strings.
- Some kind of template language overlay that can modify/randomize the registers/methods.
- Start your Cobalt Strike Team Server with or without a profile
- At the moment I've only tested without a profile and with a few profiles generated from Tylous's epic SourcePoint project
#### This profile stuff below is optional, but this is the profile I tested this Reflective Loader with ####
# Install Go on Kali if you need it
sudo apt install golang-go -y
# Creating a Team Server Cobalt Strike profile with SourcePoint
## Clone the SourcePoint project
git clone https://github.com/Tylous/SourcePoint.git
## Build SourcePoint Go project
cd SourcePoint
go build SourcePoint.go
## Run it with some cool flags (look at the help menu for more info)
### This is the settings I have tested UD Reflective Loader with
./SourcePoint -PE_Clone 18 -PostEX_Name 13 -Sleep 3 -Profile 4 -Outfile myprofile.profile -Host <TeamServer> -Injector NtMapViewOfSection
## Start Team Server
cd ../
sudo ./teamserver <TeamServer> 'T3@Ms3Rv3Rp@$$w0RD' SourcePoint/myprofile.profile- Go to your Cobalt Strike GUI and import the rdll_loader.cna Agressor script
- Generate your x64 payload (Attacks -> Packages -> Windows Executable (S))
- Does not support x86 option. The x86 bin is the original Reflective Loader object file.
- Use the Script Console to make sure that the beacon created successfully with this User-Defined Reflective Loader
- If successful, the output in the Script Console will look like this:
- Run the compile-x64.sh shell script after installling required dependencies
# Install brew on macOS if you need it (https://brew.sh/)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install Ming using Brew
brew install mingw-w64
# Clone this Reflective DLL project from this github repo
git clone https://github.com/boku7/CobaltStrikeReflectiveLoader.git
# Compile the ReflectiveLoader Object file
cd CobaltStrikeReflectiveLoader/
cat compile-x64.sh
x86_64-w64-mingw32-gcc -c ReflectiveLoader.c -o ./bin/ReflectiveLoader.x64.o -shared -masm=intel
bash compile-x64.sh- Follow "Usage" instructions
- https://github.com/stephenfewer/ReflectiveDLLInjection
- 100% recommend these videos if you're interested in Reflective DLL: