BokuLoader : Cobalt Strike Reflective Loader

A proof-of-concept User-Defined Reflective Loader (UDRL) which aims to recreate, integrate, and enhance Cobalt Strike's evasion features!

Contributors:

| Contributor | Twitter | Notable Contributions |
| --- | --- | --- |
| Bobby Cooke | @0xBoku | Project original author and maintainer |
| Santiago Pecin | @s4ntiago_p | Reflective Loader major enhancements |
| Chris Spehn | @ConsciousHacker | Aggressor scripting |
| Joshua Magri | @passthehashbrwn | IAT hooking |
| Dylan Tran | @d_tranman | Reflective Call Stack Spoofing |
| James Yeung | @5cript1diot | Indirect System Calls |

UDRL Usage Considerations

The built-in Cobalt Strike reflective loader is robust, handling all Malleable PE evasion features Cobalt Strike has to offer. The major disadvantage of using a custom UDRL is that Malleable PE evasion features may or may not be supported out of the box.

The objective of the public BokuLoader project is to assist red teams in creating their own in-house Cobalt Strike UDRL. The project aims to support all worthwhile CS Malleable PE evasion features. Some evasion features leverage CS integration, others have been recreated completely, and some are unsupported.

Before using this project, in any form, you should properly test that the evasion features are working as intended. Between the C code and the Aggressor script, compilation with different versions of operating systems, compilers, and Java may return different results.

Evasion Features

BokuLoader Specific Evasion Features

Supported Malleable PE Evasion Features

| Command | Option(s) | Supported |
| --- | --- | --- |
| allocator | HeapAlloc, MapViewOfFile, VirtualAlloc | All supported via BokuLoader implementation |
| module_x64 | string (DLL Name) | Supported via BokuLoader implementation. Same DLL stomping requirements as CS implementation apply |
| obfuscate | true/false | HTTP/S beacons supported via BokuLoader implementation. SMB/TCP is currently not supported for obfuscate true. Details in issue. Accepting help if you can fix :) |
| entry_point | RVA as decimal number | Supported via BokuLoader implementation |
| cleanup | true | Supported via CS integration |
| userwx | true/false | Supported via BokuLoader implementation |
| sleep_mask | (true/false) or (Sleepmask Kit+true) | Supported. When using default "sleepmask true" (without sleepmask kit) set "userwx true". When using sleepmask kit which supports RX beacon.text memory (src47/Ekko) set "sleepmask true" && "userwx false". |
| magic_mz_x64 | 4 char string | Supported via CS integration |
| magic_pe | 2 char string | Supported via CS integration |
| transform-x64 prepend | escaped hex string | BokuLoader.cna Aggressor script modification |
| transform-x64 strrep | string string | BokuLoader.cna Aggressor script modification |
| stomppe | true/false | Unsupported. BokuLoader does not copy beacon DLL headers over. First 0x1000 bytes of virtual beacon DLL are 0x00 |
| checksum | number | Experimental. BokuLoader.cna Aggressor script modification |
| compile_time | date-time string | Experimental. BokuLoader.cna Aggressor script modification |
| image_size_x64 | decimal value | Unsupported |
| name | string | Experimental. BokuLoader.cna Aggressor script modification |
| rich_header | escaped hex string | Experimental. BokuLoader.cna Aggressor script modification |
| stringw | string | Unsupported |
| string | string | Unsupported |

Test

Project Origins

Usage

  1. Compile the BokuLoader Object file with make
  2. Start your Cobalt Strike Team Server
  3. Within Cobalt Strike, import the BokuLoader.cna Aggressor script
  4. Generate the x64 beacon (Attacks -> Packages -> Windows Executable (S))
  5. Use the Script Console to ensure BokuLoader was implemented in the beacon build

Detection Guidance

Hardcoded Strings

| Original Cobalt Strike String | BokuLoader Cobalt Strike String |
| --- | --- |
| ReflectiveLoader | BokuLoader |
| Microsoft Base Cryptographic Provider v1.0 | 12367321236742382543232341241261363163151d |
| (admin) | (tomin) |
| beacon | bacons |
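The following is an added detection example, not code from the BokuLoader project. It turns two facts stated on this page into checks a defender can run over a captured memory region: the string substitutions in the table above, and the stomppe row's note that the first 0x1000 bytes of the virtual beacon DLL are left as 0x00 because the DLL headers are never copied over. The sample region is constructed inline (it is not real beacon bytes); reading regions out of a live process is assumed to happen elsewhere and is not shown.

```python
"""Scan a memory region for BokuLoader indicators listed on this page.

Added example (not part of the BokuLoader project). Assumptions:
  - the string pairs below are exactly those in the Hardcoded Strings table;
  - a zeroed first 0x1000 bytes follows from the stomppe row ("First 0x1000
    bytes of virtual beacon DLL are 0x00");
  - the caller has already obtained the region bytes (e.g. from a memory dump).
"""
from dataclasses import dataclass

# (original Cobalt Strike string, BokuLoader replacement), from the table above.
STRING_PAIRS = [
    (b"ReflectiveLoader", b"BokuLoader"),
    (b"Microsoft Base Cryptographic Provider v1.0",
     b"12367321236742382543232341241261363163151d"),
    (b"(admin)", b"(tomin)"),
    (b"beacon", b"bacons"),
]

HEADER_SIZE = 0x1000  # size of the region the stomppe row says is left zeroed


@dataclass
class Finding:
    kind: str    # "cs_string" (stock Cobalt Strike) or "bokuloader_string"
    offset: int  # byte offset within the scanned region
    detail: str  # the string that matched


def find_strings(buf: bytes) -> list[Finding]:
    """Return every occurrence of each original or replacement string."""
    findings = []
    for original, replacement in STRING_PAIRS:
        for kind, needle in (("cs_string", original), ("bokuloader_string", replacement)):
            start = 0
            while (idx := buf.find(needle, start)) >= 0:
                findings.append(Finding(kind, idx, needle.decode()))
                start = idx + 1
    return findings


def has_zeroed_header(region: bytes) -> bool:
    """True when the region starts with 0x1000 zero bytes instead of an MZ/PE header.

    A normally mapped image begins with b"MZ" at offset 0, so an executable
    region whose first page is entirely zero is worth a closer look.
    """
    return len(region) >= HEADER_SIZE and region[:HEADER_SIZE] == bytes(HEADER_SIZE)


def scan_region(region: bytes) -> dict:
    """Combine both checks. Short strings such as "beacon" or "bacons" are weak
    on their own, so 'suspicious' requires a BokuLoader-specific string or the
    zeroed header rather than any match at all."""
    findings = find_strings(region)
    zeroed = has_zeroed_header(region)
    boku_hits = [f for f in findings if f.kind == "bokuloader_string"]
    return {
        "zeroed_header": zeroed,
        "strings": findings,
        "suspicious": zeroed or bool(boku_hits),
    }


def build_sample_region() -> bytes:
    """Constructed sample: zeroed 0x1000-byte header, then a blob carrying three
    of the replacement strings. Not real beacon bytes."""
    body = b"\x90" * 16 + b"BokuLoader\x00" + b"junk" + b"(tomin)\x00" + b"bacons\x00"
    return bytes(HEADER_SIZE) + body


def build_benign_region() -> bytes:
    """Constructed sample of a region with a normal MZ header and no indicators."""
    return b"MZ" + bytes(HEADER_SIZE) + b"hello world"


if __name__ == "__main__":
    for name, region in (("sample", build_sample_region()), ("benign", build_benign_region())):
        result = scan_region(region)
        print(name, "zeroed_header=%s suspicious=%s" % (result["zeroed_header"], result["suspicious"]))
        for f in result["strings"]:
            print("  %s @ 0x%x: %s" % (f.kind, f.offset, f.detail))
```

The string check reports both sides of each pair, so the same scan also flags an unmodified Cobalt Strike loader; the kind field tells you which variant was seen. Offsets are relative to the region passed in, so add the region's base address when correlating with a memory map.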

Memory Allocators

DLL Module Stomping

Heap Allocation

Mapped Allocator

Sleepmask Detection

Indirect Syscalls

Virtual Beacon DLL Header

Source Code Available

Credits / References

Reflective Call Stack Spoofing

Reflective Loader

HalosGate SysCaller

HellsGate Syscaller

Aggressor Scripting

Cobalt Strike User Defined Reflective Loader

Great Resource for learning Intel ASM

ETW and AMSI Bypass

Implementing ASM in C Code with GCC

Cobalt Strike C2 Profiles