- Joined
- Jan 8, 2019
- Messages
- 56,623
- Solutions
- 2
- Reputation
- 32
- Reaction score
- 100,455
- Points
- 2,313
- Credits
- 32,750
6 Years of Service
76%
A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect.
Features
Easy to Use
Import a single CNA script before generating shellcode.
Dynamic Memory Encryption
Creates a new heap for any allocations from Beacon and encrypts entries before sleep.
Code Obfuscation and Encryption
Changes the memory containing CS executable code to non-executable and encrypts it (FOLIAGE).
Return Address Spoofing at Execution
Certain WinAPI calls are executed with a spoofed return address (InternetConnectA, NtWaitForSingleObject, RtlAllocateHeap).
Sleep Without Sleep
Delayed execution using WaitForSingleObjectEx.
RC4 Encryption
All encryption is performed with SystemFunction032.
Known Issues
Not compatible with loaders that rely on the shellcode thread staying alive.