Search the Community

Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities. Based on Stephen Fewer’s incredible Reflective Loader project Created while working through Renz0h’s Reflective DLL videos from the Sektor7 Malware Developer Intermediate (MDI) Course Initial Project Goals Learn how Reflective Loader works. Write a Reflective Loader in Assembly. Compatible with Cobalt Strike. Cross compile from macOS/Linux. Implement Inline-Assembly into a C project. Future Project Goals Use the initial project as a template for more advanced evasion techniques leveraging the flexibility of Assembly. Implement Cobalt Strike options such as no RWX, stompPE, module stomping, changing the MZ header, etc. Write a decent Aggressor script. Support x86. Have different versions of the reflective loader to choose from. Implement HellsGate/HalosGate for the initial calls that reflective loader uses (pNtFlushInstructionCache, VirtualAlloc, GetProcAddress, LoadLibraryA, etc). Optimize the assembly code. Hash/obfuscate strings. Some kind of template language overlay that can modify/randomize the registers/methods. [hide][Hidden Content]]

Cobalt Strike User-Defined Reflective Loader Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities. Based on Stephen Fewer’s incredible Reflective Loader project Created while working through Renz0h’s Reflective DLL videos from the Sektor7 Malware Developer Intermediate (MDI) Course Initial Project Goals Learn how Reflective Loader works. Write a Reflective Loader in Assembly. Compatible with Cobalt Strike. Cross compile from macOS/Linux. Implement Inline-Assembly into a C project. Future Project Goals Use the initial project as a template for more advanced evasion techniques leveraging the flexibility of Assembly. Implement Cobalt Strike options such as no RWX, stompPE, module stomping, changing the MZ header, etc. Write a decent Aggressor script. Support x86. Have different versions of the reflective loader to choose from. Implement HellsGate/HalosGate for the initial calls that reflective loader uses (pNtFlushInstructionCache, VirtualAlloc, GetProcAddress, LoadLibraryA, etc). Optimize the assembly code. Hash/obfuscate strings. Some kind of template language overlay that can modify/randomize the registers/methods. [hide][Hidden Content]]

Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities. Initial Project Goals Learn how Reflective Loader works. Write a Reflective Loader in Assembly. Compatible with Cobalt Strike. Cross compile from macOS/Linux. Implement Inline-Assembly into a C project. Future Project Goals Use the initial project as a template for more advanced evasion techniques leveraging the flexibility of Assembly. Implement Cobalt Strike options such as no RWX, stompPE, module stomping, changing the MZ header, etc. Write a decent Aggressor script. Support x86. Have different versions of reflective loader to choose from. Implement HellsGate/HalosGate for the initial calls that reflective loader uses (pNtFlushInstructionCache, VirtualAlloc, GetProcAddress, LoadLibraryA, etc). Optimize the assembly code. Hash/obfuscate strings. Some kind of template language overlay that can modify/randomize the registers/methods. [hide][Hidden Content]]

amber is a reflective PE packer for bypassing security products and mitigations. It can pack regularly compiled PE files into reflective payloads that can load and execute itself like a shellcode. It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products and application white-listing mitigations. If you want to learn more about the packing methodology used inside amber check out below. New Features x64 support added ! Support for MacOS and Windows (Currently supporting all major platforms) Assembly stubs rewritten External dependencies reduced to two C++ stubs converted to go All project converted into a go package [HIDE][Hidden Content]]

VFront version 0.99.5 suffers from multiple reflective cross site scripting vulnerabilities. View the full article