djayaGit/OdinLdr (forked from emdnaia/OdinLdr)

Cobaltstrike UDRL with memory evasion

OdinLdr

Cobaltstrike UDRL

Features:

  • Redirect all WININET calls through callstack crafting (spoofed call stacks)
  • Encrypt the beacon during sleep
  • Encrypt the beacon heap during sleep
  • Self-deletion of the loader

Callstack examples:

CreateThread: (screenshot of the spoofed call stack in a debugger)

InternetOpenA: (screenshot of the spoofed call stack in a debugger)

WaitForSingleObject: (screenshot of the spoofed call stack in a debugger)

EXECUTION OF LOADER

1 - Create a heap for beacon usage

2 - Allocate an RWX area of beacon size + UDRL size

3 - Copy the UDRL to the end of the beacon in the allocated area:

| 0x00 | beacon | 0xBEACON_SIZE | UDRL | 0xEND_Alloc

4 - Copy the ODIN structure (heap handle, beacon address, allocation size) to the start of the allocated area (no PE header is present there)

5 - Copy the beacon sections

6 - Resolve the beacon imports and patch the IAT (the hooks are set at this point too)

7 - Patch the relocation table

8 - Init the beacon

9 - Create a thread on TpReleaseCleanupGroupMembers+0x450 to spoof the thread start address, and run the beacon

10 - Self-delete the loader
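Step 7 is the one place where a loader that copies the beacon into an arbitrary RWX region has to do real arithmetic: every absolute address the linker emitted for the original ImageBase must be shifted by the delta to the new base. The following is an added example written for this page, not OdinLdr's own code, and it runs without windows.h by re-declaring the relocation block layout. It constructs a toy image (no real Beacon) with one relocation block and applies it; the bounds checks are the ones a loader wants, because the destination region carries no PE header, so the .reloc RVA and size must come from the original beacon's headers and a bad value must not write outside the region.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Re-declaration of IMAGE_BASE_RELOCATION so this compiles without windows.h. */
typedef struct {
    uint32_t VirtualAddress;  /* RVA of the 4 KiB page the block covers */
    uint32_t SizeOfBlock;     /* 8-byte header + 2 bytes per entry */
} BaseRelocation;

#define REL_ABSOLUTE 0   /* padding entry, skipped */
#define REL_HIGHLOW  3   /* 32-bit fixup (x86) */
#define REL_DIR64   10   /* 64-bit fixup (x64) */

/* Apply the .reloc directory to an image linked for `linked_base` but copied
 * to `new_base`. `image` is the destination buffer (headers not present), so
 * the directory RVA/size are passed in from the original headers. Returns the
 * number of fixups applied, or -1 if any block or target leaves the image. */
int apply_relocations(uint8_t *image, size_t image_size,
                      uint64_t linked_base, uint64_t new_base,
                      uint32_t reloc_rva, uint32_t reloc_size)
{
    uint64_t delta = new_base - linked_base;   /* modular, so moving down works */
    if (delta == 0) return 0;
    if ((uint64_t)reloc_rva + reloc_size > image_size) return -1;

    int patched = 0;
    uint32_t off = 0;
    while (off + sizeof(BaseRelocation) <= reloc_size) {
        BaseRelocation blk;
        memcpy(&blk, image + reloc_rva + off, sizeof blk);
        if (blk.SizeOfBlock < sizeof(BaseRelocation) ||
            (uint64_t)off + blk.SizeOfBlock > reloc_size)
            return -1;
        uint32_t nentries = (blk.SizeOfBlock - sizeof(BaseRelocation)) / 2;
        const uint8_t *entries = image + reloc_rva + off + sizeof(BaseRelocation);
        for (uint32_t i = 0; i < nentries; i++) {
            uint16_t e;
            memcpy(&e, entries + 2 * i, 2);
            uint16_t type = e >> 12;
            uint64_t target = (uint64_t)blk.VirtualAddress + (e & 0xFFF);
            if (type == REL_ABSOLUTE) continue;
            if (type == REL_DIR64) {
                uint64_t v;
                if (target + 8 > image_size) return -1;
                memcpy(&v, image + target, 8);
                v += delta;
                memcpy(image + target, &v, 8);
            } else if (type == REL_HIGHLOW) {
                uint32_t v;
                if (target + 4 > image_size) return -1;
                memcpy(&v, image + target, 4);
                v += (uint32_t)delta;
                memcpy(image + target, &v, 4);
            } else {
                return -1;   /* fixup type a beacon image should not contain */
            }
            patched++;
        }
        off += blk.SizeOfBlock;
    }
    return patched;
}

/* --- constructed demo image (not a real Beacon): 0x3000 bytes, one block --- */
#define DEMO_SIZE        0x3000
#define DEMO_RELOC_RVA   0x2000
#define DEMO_RELOC_SIZE  16
#define DEMO_LINKED_BASE 0x180000000ULL

static void build_demo_image(uint8_t *image)
{
    memset(image, 0, DEMO_SIZE);
    BaseRelocation blk = { 0x1000, DEMO_RELOC_SIZE };
    uint16_t entries[4] = {
        (REL_DIR64 << 12) | 0x010,     /* pointer slot at RVA 0x1010 */
        (REL_DIR64 << 12) | 0x020,     /* pointer slot at RVA 0x1020 */
        (REL_DIR64 << 12) | 0x030,     /* pointer slot at RVA 0x1030 */
        (REL_ABSOLUTE << 12) | 0x000,  /* padding keeps the block 4-byte aligned */
    };
    memcpy(image + DEMO_RELOC_RVA, &blk, sizeof blk);
    memcpy(image + DEMO_RELOC_RVA + sizeof blk, entries, sizeof entries);
    for (int i = 0; i < 3; i++) {      /* each slot: an absolute address as linked */
        uint64_t p = DEMO_LINKED_BASE + 0x1100 + 0x100 * (uint64_t)i;
        memcpy(image + 0x1010 + 0x10 * i, &p, 8);
    }
}

/* Build, relocate to `new_base`, return the three slots and the fixup count. */
static int demo_run(uint64_t new_base, uint64_t slots[3])
{
    uint8_t *image = malloc(DEMO_SIZE);
    build_demo_image(image);
    int n = apply_relocations(image, DEMO_SIZE, DEMO_LINKED_BASE, new_base,
                              DEMO_RELOC_RVA, DEMO_RELOC_SIZE);
    for (int i = 0; i < 3; i++) memcpy(&slots[i], image + 0x1010 + 0x10 * i, 8);
    free(image);
    return n;
}

uint64_t demo_relocated_pointer(uint64_t new_base, int slot)
{
    uint64_t s[3];
    demo_run(new_base, s);
    return s[slot];
}

int demo_fixup_count(uint64_t new_base)
{
    uint64_t s[3];
    return demo_run(new_base, s);
}

int main(void)
{
    uint64_t base = 0x7FF612340000ULL;
    printf("%d fixups; slot 0 now 0x%llx\n", demo_fixup_count(base),
           (unsigned long long)demo_relocated_pointer(base, 0));
    return 0;
}
```

Slot 0 holds the linked address 0x180001100 and ends up at new_base + 0x1100, the same image-relative offset at the new base; the padding entry is skipped and not counted, and a block whose SizeOfBlock overruns the directory, or an entry whose target overruns the region, aborts with -1 instead of writing past the allocation.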

BEACON RUN

  • All WININET functions are hooked; every WININET call goes through callstack crafting

  • Sleep is hooked:

    1 - XOR the heap (random key for each sleep)

    2 - Encrypt the beacon + UDRL (remember the UDRL was copied at the end of the beacon) with KrakenMask (ROP chain: RWX->RW, encrypt, sleep, decrypt, RW->RWX)

    3 - XOR the heap again with the same key, restoring it

  • ExitThread is hooked:

    1 - Destroy the beacon heap

    2 - Free the memory region holding the beacon

    3 - Exit the thread
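The sleep hook above is a mask/sleep/unmask cycle with a key that never survives the sleep. The following added example, written for this page and not taken from OdinLdr or KrakenMask, models that cycle on constructed data: a fake 64-byte "beacon" carrying a marker string and two heap blocks are XOR-masked with a fresh key, a callback stands in for the sleep and runs a byte-string search the way a memory scanner would, and the cycle is repeated to show that the masked bytes differ between two sleeps. Two simplifications are labelled in the code: the beacon image is XORed here, whereas the page says the loader encrypts it through the KrakenMask ROP chain, and the RWX->RW->RWX protection flip is not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEY_LEN 16

typedef struct { uint8_t *ptr; size_t len; } MemBlock;

/* Stand-in for a random source (xorshift64) so the demo is deterministic.
 * A real loader must draw each per-sleep key from a CSPRNG. */
static uint64_t demo_rng = 0x9E3779B97F4A7C15ULL;
void demo_new_key(uint8_t key[KEY_LEN])
{
    for (int i = 0; i < KEY_LEN; i++) {
        demo_rng ^= demo_rng << 13;
        demo_rng ^= demo_rng >> 7;
        demo_rng ^= demo_rng << 17;
        key[i] = (uint8_t)demo_rng;
    }
}

/* XOR is an involution: applying it twice with the same key restores the data. */
void xor_block(uint8_t *p, size_t n, const uint8_t key[KEY_LEN])
{
    for (size_t i = 0; i < n; i++) p[i] ^= key[i % KEY_LEN];
}

/* Mask every tracked heap block and the beacon region with one key.
 * (The page's loader XORs the heap and hands the beacon to KrakenMask; both
 * are plain XOR here.) */
void mask_all(MemBlock beacon, const MemBlock *heap, size_t nheap,
              const uint8_t key[KEY_LEN])
{
    for (size_t i = 0; i < nheap; i++) xor_block(heap[i].ptr, heap[i].len, key);
    xor_block(beacon.ptr, beacon.len, key);
}

/* Byte-string search over one block: stands in for a scanner's signature check. */
int contains(MemBlock b, const uint8_t *needle, size_t nlen)
{
    if (nlen == 0 || nlen > b.len) return 0;
    for (size_t i = 0; i + nlen <= b.len; i++)
        if (memcmp(b.ptr + i, needle, nlen) == 0) return 1;
    return 0;
}

/* One sleep cycle in the order the README describes: fresh key, mask heap and
 * beacon, sleep, unmask. `while_masked` runs in place of the real sleep so the
 * caller can inspect memory in the masked state. The RWX->RW->RWX flip done by
 * the ROP chain is not modelled. */
void sleep_cycle(MemBlock beacon, MemBlock *heap, size_t nheap,
                 void (*while_masked)(void *), void *ctx)
{
    uint8_t key[KEY_LEN];
    demo_new_key(key);
    mask_all(beacon, heap, nheap, key);
    if (while_masked) while_masked(ctx);
    mask_all(beacon, heap, nheap, key);
    memset(key, 0, KEY_LEN);           /* the key must not outlive the sleep */
}

/* --- constructed demo data: a fake 64-byte "beacon" and two heap blocks --- */
typedef struct {
    MemBlock beacon; const uint8_t *sig; size_t siglen;
    uint8_t snap[64]; int sig_visible;
} Snapshot;

static void take_snapshot(void *v)
{
    Snapshot *s = v;
    memcpy(s->snap, s->beacon.ptr, sizeof s->snap);
    s->sig_visible = contains(s->beacon, s->sig, s->siglen);
}

/* Bitmask: 1 = marker visible before sleep, 2 = hidden during sleep,
 * 4 = beacon and heap restored after sleep, 8 = masked bytes differ between
 * two sleeps (fresh key each time). All checks passing gives 15. */
int demo_sleep_roundtrip(void)
{
    static const uint8_t sig[] = "ODIN-DEMO-MARKER";  /* constructed marker, not a real signature */
    const size_t siglen = sizeof sig - 1;
    uint8_t image[64], h1[32] = "heap block one", h2[48] = "heap block two";
    memset(image, 0x90, sizeof image);
    memcpy(image + 20, sig, siglen);
    MemBlock beacon = { image, sizeof image };
    MemBlock heap[2] = { { h1, sizeof h1 }, { h2, sizeof h2 } };
    Snapshot s1 = { beacon, sig, siglen, {0}, 0 }, s2 = s1;
    int r = 0;

    if (contains(beacon, sig, siglen)) r |= 1;
    sleep_cycle(beacon, heap, 2, take_snapshot, &s1);
    if (!s1.sig_visible) r |= 2;
    if (contains(beacon, sig, siglen) && memcmp(h1, "heap block one", 15) == 0
        && memcmp(h2, "heap block two", 15) == 0) r |= 4;
    sleep_cycle(beacon, heap, 2, take_snapshot, &s2);
    if (memcmp(s1.snap, s2.snap, sizeof s1.snap) != 0) r |= 8;
    return r;
}

int main(void)
{
    printf("sleep-mask checks: 0x%x (expect 0xf)\n", demo_sleep_roundtrip());
    return 0;
}
```

The per-sleep key is what makes the "masked bytes differ" check pass: a fixed key would leave a stable ciphertext that a scanner could fingerprint across sleeps. Note that the heap tracking is explicit here (an array of blocks); the loader has to know every live allocation it masks, which is why it owns a dedicated heap for the beacon.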

HOW TO USE

Compile the loader and load the cna script (odin.cna)

In the cna, you need to edit the path in the variable $loader_path at lines 11 & 38

COBALTSTRIKE PROFILE NEEDED

http-beacon {
    set library "wininet";
}

stage {
    set smartinject "false";
    set sleep_mask "false";
}

The beacon must use the WININET library because only the WININET functions are hooked, and Cobalt Strike's own sleep mask must be off because the loader's Sleep hook does the masking itself.

WARNING

It's a POC, be careful when using this UDRL.

If you run into a crash, you can DM on Twitter or open a GitHub issue; please send:

- the Cobaltstrike profile

- a debugger screenshot with the callstack

You need Python on your Windows machine: the build includes a step that runs a Python script.

The Python script uses two libraries: sys and pefile

MEMORY SCANNER

Moneta: (screenshot of the scan result)

Pe-Sieve: (screenshot of the scan result)

HuntSleepingBeacons: (screenshot of the scan result)

CREDIT

For code:

For idea:

Thanks to:

  • chatGPT, Bakki, Caracal & CobaltAD: for debugging and some help
