
bokuloader's People

Contributors

0xbad53c, boku7, g4ngli0s, s4ntiagop, scriptidiot, susmdt


bokuloader's Issues

cs4.5 c2profile

cs4.5 c2profile with sleep_mask=true can't work, whatever userwx is set to

only step instead of the normal three

[screenshot]

[screenshot]

Executables "fail to start correctly"

Used this fantastic project in the past without issues, but when I attempted to use it again on my current engagement, I just cannot get the generated executables to run no matter what I try.

[Screenshot 2023-05-31 at 4:35:36 PM]

Cobalt Strike is fully current at 4.8 and I'm using the most recent version of Bokuloader. I'm also (I believe) abiding by all the recommendations in the README. I've included my malleable C2 (based on the jQuery one listed in the README and scrubbed of incriminating data):

jquery-c2.4.7.txt

I also tried it with no malleable C2 loaded at all and got the same issue. I'm quite sure I'm doing something wrong, but I wanted to see if there was a known issue (perhaps with recent changes in Cobalt Strike).

Any help appreciated! Thanks very much for your time.

Executables fail to start

I discovered this wonderful project but I am not able to test its performance on my lab environment. The malleable C2 that I'm using is the recommended jquery-c2.4.7. The same malleable C2 works for other loaders without any issues, so it might not be that. I don't know.

I'm running Cobalt Strike version 4.9.1 and I'm using the most recent version of BokuLoader. The script gave me back a "correct" output in the script console, but when I try to run the .exe on the machine I get this error. AV is disabled for this test.

C2 profile

boku

Any help appreciated! Thanks very much for your time and your amazing work.

PrependBytes functionality issue

Hi,

There seem to be two issues with the way the PrependBytes functionality works within the aggressor script:

  • The prependBytes call is happening before the modification of the MZ header. As a result, the first 4 bytes prepended will always be overwritten.
  • When calling prependBytes, it seems to be breaking something within the way BokuLoader works, which results in the original reflective loader being loaded. For this one, I'm not entirely sure why it happens, as the code running after it doesn't seem to affect it.

How to replicate the issue:

  1. Edit BokuLoader.cna
  2. Go to line 1032 and uncomment the call to prependBytes
  3. Go to line 431 and add 4 characters at the start of the $Nops variable (e.g. "AAAAPS[X"). This is due to the fact that they will be overwritten by the magic_mz
  4. Compile and load the Aggressor Script on CS
  5. Create a Payload with the prepended bytes
  6. Check the binary created for the existence of the original reflective loader (simplest way is to run the YARA rule for the Windows_Trojan_CobaltStrike indicator by Elastic:
    https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_CobaltStrike.yar)

Example output before and after uncommenting prepend:

[screenshot]

artifact kit

Hello, I just wanted to know if I should load the artifact kit (artifact template) and rdll_loader.cna at the same time.
Will Cobalt Strike use the template CNA or rdll_loader to create the final exe?

Compilation error

Hi!

When I load your provided .o file it loads & works fine:

[14:43:03] ========== Running 'BEACON_RDLL_GENERATE' for DLL resources/beacon.x64.dll with architecture x64 ========== at rdll_loader.cna:44
[14:43:03] Loaded Length: 5555 at rdll_loader.cna:11
[14:43:03] Extracted Length: 3568 at rdll_loader.cna:20

But when I try to recompile it myself on Windows WSL Linux (bash, using the same compile-x64.sh script provided), it breaks with the following:

[14:44:09] ========== Running 'BEACON_RDLL_GENERATE' for DLL resources/beacon.x64.dll with architecture x64 ========== at rdll_loader.cna:44
[14:44:09] Loaded Length: 5847 at rdll_loader.cna:11
[14:44:09] Function call &extract_reflective_loader failed: Can't parse rDLL loader file:
Unknown symbol '.rdata' from: .rdata
Unknown symbol '.rdata' from: .rdata
Unknown symbol '.rdata' from: .rdata
Unknown symbol '.rdata' from: .rdata
 at rdll_loader.cna:19
[14:44:09] Extracted Length: 0 at rdll_loader.cna:20
[14:44:09] Error loading reflective loader object file  - Reverting to using default Cobalt Strike Reflective Loader. at rdll_loader.cna:22

That's weird, but in fact IDA shows additional section named .rdata in my binary that has these contents:

.rdata:0000000000000E90 ; ===========================================================================
.rdata:0000000000000E90
.rdata:0000000000000E90 ; Segment type: Pure data
.rdata:0000000000000E90 ; Segment permissions: Read
.rdata:0000000000000E90 _rdata          segment para public 'DATA' use64
.rdata:0000000000000E90                 assume cs:_rdata
.rdata:0000000000000E90                 ;org 0E90h
.rdata:0000000000000E90 unk_E90         db  6Eh ; n             ; DATA XREF: ReflectiveLoader+E3↑r
.rdata:0000000000000E91                 db    0
.rdata:0000000000000E92                 db  74h ; t
.rdata:0000000000000E93                 db    0
.rdata:0000000000000E94                 db  64h ; d
.rdata:0000000000000E95                 db    0
.rdata:0000000000000E96                 db  6Ch ; l
.rdata:0000000000000E97                 db    0
.rdata:0000000000000E98 unk_E98         db    0                 ; DATA XREF: ReflectiveLoader+EE↑r
.rdata:0000000000000E99                 db    0
.rdata:0000000000000E9A unk_E9A         db  4Bh ; K             ; DATA XREF: ReflectiveLoader+1F2↑r
.rdata:0000000000000E9B                 db    0
.rdata:0000000000000E9C                 db  45h ; E
.rdata:0000000000000E9D                 db    0
.rdata:0000000000000E9E                 db  52h ; R
.rdata:0000000000000E9F                 db    0
.rdata:0000000000000EA0                 db  4Eh ; N
.rdata:0000000000000EA1                 db    0
.rdata:0000000000000EA2 word_EA2        dw 0                    ; DATA XREF: ReflectiveLoader+1FD↑r
.rdata:0000000000000EA4                 align 10h
.rdata:0000000000000EA4 _rdata          ends
.rdata:0000000000000EA4

Being referenced here:

.text:00000000000000CD                 mov     [rbp+210h+var_A8], 0Ch
.text:00000000000000D8                 mov     [rbp+210h+var_B0], 0
.text:00000000000000E3                 mov     rax, cs:qword_E90
.text:00000000000000EA                 mov     [rbp+210h+var_254], rax
.text:00000000000000EE                 movzx   eax, cs:word_E98                     ; <<<------- HERE
.text:00000000000000F5                 mov     [rbp+210h+var_24C], ax
.text:00000000000000F9                 lea     rax, [rbp+210h+var_254]
.text:00000000000000FD                 mov     rcx, rax
.text:0000000000000100                 call    crawlLdrDllList

Any idea what's going on? Have you experienced anything like this before? :-)

Cheers,
Mariusz.

options to mask PE

  1. Hello boku, why are all of those options not used in the rdlloader.cna: pe_insert_rich_header, pe_mask, pe_mask_section and all of the rest here https://www.cobaltstrike.com/help-user-defined-reflective-loader.

  2. It seems that rdlloader is ignoring the malleable C2; it's using the default beacon of the default profile. It's completely bypassing the profile I have chosen.

  3. It gets detected by Defender even when trying with the different versions you added in the versions directory.

As a measure I unloaded the artifact.cna to test without it, but same problem, it gets detected.

If you can, please provide help about how to use all the options and params https://www.cobaltstrike.com/help-user-defined-reflective-loader. Thanks in advance.

Port to Windows 11

Please port this tool so it can be used against Windows 11 environments.

Support obfuscate "true" for SMB/TCP pivot beacons

Not sure if it is just me... but when trying to inject or spawn a pivot beacon (SMB or TCP), the CS client crashes when BokuLoader.cna is loaded on Windows. Like a full-on freeze, and I have to kill javaw.exe to continue...

Has anyone else experienced this?

crash

command not found

./Makefile: line 1: CC_x64: command not found
./Makefile: line 2: CFLAGS: command not found
./Makefile: line 2: CFLAGS: command not found
./Makefile: line 3: CFLAGS: command not found
./Makefile: line 3: CFLAGS: command not found
./Makefile: line 5: bokuloader:: command not found
./Makefile: line 6: CC_x64: command not found
./Makefile: line 6: CFLAGS: command not found
./Makefile: line 6: -c: command not found
./Makefile: line 7: clean:: command not found
