AceLdr - Cobalt Strike UDRL For Memory Scanner Evasion
2023-1-8 19:30:0 Author: www.kitploit.com(查看原文) 阅读量:41 收藏

A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect

Features

Easy to Use

Import a single CNA script before generating shellcode.

Dynamic Memory Encryption

Creates a new heap for any allocations from Beacon and encrypts entries before sleep.

Code Obfuscation and Encryption

Changes the memory containing CS executable code to non-executable and encrypts it (FOLIAGE).

Return Address Spoofing at Execution

Certain WinAPI calls are executed with a spoofed return address (InternetConnectA, NtWaitForSingleObject, RtlAllocateHeap).

Sleep Without Sleep

Delayed execution using WaitForSingleObjectEx.

RC4 Encryption

All encryption performed with SystemFunction032.

Known Issues

  • Not compatible with loaders that rely on the shellcode thread staying alive.

References

This project would not have been possible without the following:

Other features and inspiration were taken from the following:

AceLdr - Cobalt Strike UDRL For Memory Scanner Evasion AceLdr - Cobalt Strike UDRL For Memory Scanner Evasion Reviewed by Zion3R on 8:30 AM Rating: 5


文章来源: http://www.kitploit.com/2023/01/aceldr-cobalt-strike-udrl-for-memory.html
如有侵权请联系:admin#unsafe.sh