
Title: Replace the loader in Cobalt Strike to evade antivirus

Evading antivirus by replacing the loader bundled with Cobalt Strike

Motivation

For the artifacts Cobalt Strike generates, the usual approach is to generate shellcode and then write your own loader to load it. When I read the Cobalt Strike code that generates an artifact, I thought the method was very interesting. The author first wrote a loader, then produced the artifact by patching the generated shellcode into that loader.

For antivirus software to detect this artifact statically, it first has to find signature bytes in the shellcode and in the artifact template. So if we write our own loader to replace the one bundled with Cobalt Strike, we can evade detection.

The focus of this article is not to fully bypass antivirus software; it is only a proof of concept. The technique is to implement the loader yourself and then simply XOR the shellcode so that signature-based detection of the shellcode no longer matches.
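The evasion step described above is a single-byte XOR of the shellcode inside the loader. Here is the detection-side counterpart, as an added example that is not part of the original post and not Cobalt Strike's own code: a single-byte XOR has only 256 possible keys, so a scanner can try every key and look for plaintext the payload must contain, which is what YARA's `xor` string modifier does. The script assumes the hidden payload carries a PE image (so the DOS stub text serves as the marker); the sample buffer is constructed inline and is not a real payload.

```python
# Added example, not code from the original post or from Cobalt Strike.
# Defender-side counterpart to the "just XOR the shellcode" trick: a
# single-byte XOR hides byte patterns from a naive signature scan, but there
# are only 256 keys, so a scanner can try every key and look for plaintext a
# payload must contain. YARA's `xor` string modifier does the same thing in
# production; this is that logic spelled out.

from typing import List, Tuple

# Plaintext that every PE image contains: the DOS stub message. It is long
# enough that a match under some XOR key is very unlikely to be a coincidence.
PE_DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (0..255)."""
    if not 0 <= key <= 255:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def find_xor_marker(blob: bytes, marker: bytes = PE_DOS_STUB) -> List[Tuple[int, int]]:
    """Return every (key, offset) at which `marker` appears in `blob` under a
    single-byte XOR. key == 0 means the marker is present in the clear."""
    hits: List[Tuple[int, int]] = []
    for key in range(256):
        needle = xor_bytes(marker, key)
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            hits.append((key, idx))
            start = idx + 1
    return hits


def classify(blob: bytes) -> str:
    """Summarise a scan as 'clear', 'xor-obfuscated' or 'no-marker'."""
    hits = find_xor_marker(blob)
    if not hits:
        return "no-marker"
    if any(key == 0 for key, _ in hits):
        return "clear"
    return "xor-obfuscated"


# Constructed sample input (not a real payload): 16 bytes of padding, then a
# fake PE header fragment containing the DOS stub, XOR'd with key 0x5A, in the
# way a loader of the kind the post describes would store its payload.
_FAKE_PE_FRAGMENT = b"MZ\x90\x00" + b"\x00" * 60 + PE_DOS_STUB + b".\r\r\n$"
CONSTRUCTED_SAMPLE = b"\x90" * 16 + xor_bytes(_FAKE_PE_FRAGMENT, 0x5A) + b"\xC3"


if __name__ == "__main__":
    for key, offset in find_xor_marker(CONSTRUCTED_SAMPLE):
        print(f"marker found: key=0x{key:02X} offset={offset}")
    print(classify(CONSTRUCTED_SAMPLE))
```

The brute force is cheap (256 searches per marker) and recovers the key as well as the offset, so the same routine can feed a decoder that hands the recovered payload to a normal signature scan. Multi-byte keys defeat this particular loop, which is why production rules combine it with other indicators rather than relying on it alone.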

Tool introduction

Web dogs are always curious about binaries. I learned how the artifact is built while reading Cobalt Strike. This software is just a proof of concept. I copied a lot of the source code of CS, mainly because I thought the patching approach was very interesting. The source code will be uploaded to GitHub together with the second article. The jar package can be decompiled by yourself; it has no obfuscation. I will try it myself first, refer to the source code and write the loader myself, and replace resource/artifact.exe so that the artifact.exe generated by Cobalt Strike is undetected by default.

[screenshot: 20200402102043.png]

Select script console

Then enter:

x transform(shellcode('your Listener name','x86',false),'array')

[screenshot: 20200402102100.png]

Open the obfuscation tool:

[screenshot: 20200402102111.png]

Copy the output into the text box and click generate:

Select a folder to save to.

Click to go online:

[screenshot: 20200402102124.png]

[screenshot: 20200402102138.png]
