Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/RtlDallas/OdinLdr
Cobaltstrike UDRL with memory evasion
https://github.com/RtlDallas/OdinLdr
Last synced: 6 days ago
JSON representation
Cobaltstrike UDRL with memory evasion
- Host: GitHub
- URL: https://github.com/RtlDallas/OdinLdr
- Owner: RtlDallas
- Created: 2024-05-16T15:29:04.000Z (6 months ago)
- Default Branch: main
- Last Pushed: 2024-05-21T11:17:37.000Z (6 months ago)
- Last Synced: 2024-08-02T15:06:17.350Z (3 months ago)
- Language: C
- Homepage:
- Size: 317 KB
- Stars: 180
- Watchers: 2
- Forks: 23
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# OdinLdr
Cobaltstrike UDRL
Features:
- Redirect all WININET calls over callstack crafting
- Encrypt beacon during sleep
- Encrypt beacon heap during sleep
- Self delete of loaderCallstack exemples:
CreateThread:
![alt text](https://raw.githubusercontent.com/RtlDallas/OdinLdr/main/img/createthread_callstack.PNG)
InternetOpenA:
![alt text](https://raw.githubusercontent.com/RtlDallas/OdinLdr/main/img/internetopa_callstack.PNG)
WaitForSingleObject:
![alt text](https://raw.githubusercontent.com/RtlDallas/OdinLdr/main/img/wfso_scalltack.png)
# EXECUTION OF LOADER
1 - Create heap for beacon usage2 - Allocation of RWX area with beacon size + UDRL size
3 - Copy the UDRL at the end of beacon in allocated area
| 0x00 | beacon | 0xBEACON_SIZE | UDRL | 0xEND_Alloc
4 - Copy the ODIN structure (heap handle, beacon addr, alloc size) to the start of allocated area (no pe header is present)5 - Copy beacon section
6 - Resolve beacon import and patch IAT (also set hook)
7 - Patch relocation table
8 - Init the beacon
9 - Create thread on TpReleaseCleanupGroupMembers+0x450 to spoof the thread start addr & beacon run
10 - Self delete the loader
# BEACON RUN
- All WININET function is hooked and use callstack crafting for all wininet call
- Sleep is hooked:
1 - XOR the heap (random key for each sleep)
2 - Encrypt the beacon + udrl (remember this was copied at the end of beacon) with KrakenMask (ropchain, rwx->rw, encrypt, sleep, rw->rwx)
3 - XOR the heap- ExitThread is hooked:
1 - Destroy the beacon heap
2 - Free the memory region with the beacon
3 - Exit thread# HOW TO USE
Compile the loader and load the cna script (odin.cna)
About the cna, you need to edit path of variable $loader_path at line 11 & 38# COBALTSTRIKE PROFILE NEEDED
```
http-beacon {
set library "wininet";
}stage {
set smartinject "false";
set sleep_mask "false";
}
```# WARNING
It's a POC, be careful when using this UDRL
If you happen to have a crash, you can dm on twitter or open github issues, please send:
- Cobaltstrike profil
- Debugger screen with callstack
You need to have python on your windows machine, you have post-ex build to run python script.
Python script uses two libraries: sys and pefile
# MEMORY SCANNER
Moneta:
![alt text](https://raw.githubusercontent.com/RtlDallas/OdinLdr/main/img/moneta.PNG)
Pe-Sieve:
![alt text](https://raw.githubusercontent.com/RtlDallas/OdinLdr/main/img/pe-sieve.PNG)
HuntSleepingBeacons:
![alt text](https://raw.githubusercontent.com/RtlDallas/OdinLdr/main/img/HuntSleepingBeacons.PNG)
# CREDIT
For code:
- Callstack craffting : https://github.com/susMdT/LoudSunRun
- Some parts of code : https://www.cobaltstrike.com/product/features/user-defined-reflective-loaderFor idea:
- AceLdr : https://github.com/kyleavery/AceLdr
- BokuLdr : https://github.com/boku7/BokuLoader
- KaynStrike : https://github.com/Cracked5pider/KaynStrikeThanks to:
- chatGPT, Bakki, Caracal & CobaltAD : For debug and somes help