DojoLoader: Generic PE loader for fast prototyping evasion techniques
DojoLoader
DojoLoader is a generic PE loader initially created to prototype sleep obfuscation techniques with a Cobalt Strike UDRL-less raw Beacon payload, in an attempt to reduce the debugging time that comes with UDRLs.
DojoLoader borrows the MemoryModule implementation of the DynamicDllLoader project by ORCA000 and expands on it, adding modularity and the following features:
- download and execution of (XORed) shellcode over HTTP or from a file
- dynamic IAT hooking of the Sleep function
- three different Sleep obfuscation techniques, implemented in the Hook library:
  - RW->RX
  - MemoryBouncing
  - MemoryHopping
RW->RX sleep obfuscation is the classic RW -> encrypt -> Sleep -> decrypt -> RX -> RW -> encrypt scheme: the payload pages are switched to RW and encrypted for the duration of the sleep, then decrypted and switched back to RX before execution resumes.
MemoryBouncing is a sleep obfuscation technique that differs from the publicly available ones and aims to evade public RX->RW detections. It involves the following steps:
- copy the mapped PE to a buffer and encrypt it
- free the memory region where the PE was mapped
- sleep for the required time (e.g. SleepEx)
- allocate RWX memory at the same address where the PE was mapped
- decrypt the buffer and copy it over the RWX memory
RX->RW detection is evaded by never calling VirtualProtect, and the payload is hidden during the sleep because its memory region no longer exists while it is freed.
MemoryHopping is another sleep obfuscation technique that differs from the publicly available ones and aims to evade public RX->RW detections. It involves the following steps:
- save the return address
- copy the mapped PE bytes to a buffer and optionally encrypt it
- free the memory of the mapped payload
- allocate RWX memory at a different address
- calculate the delta between the old and new base and adjust the return address accordingly
- copy the bytes from the buffer to the newly created memory region
- perform relocations on the copied bytes
- resume execution from the adjusted return address
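Each of the three techniques leaves a different trace in a process's memory map, which is what a detection engineer cares about: RW->RX produces an executable region that flips to RW on the same base, MemoryBouncing produces a private executable region that vanishes and is re-committed RWX at the same base, and MemoryHopping produces a same-size RWX region appearing at a new base while the old one disappears. The following added example (written for this page, not part of DojoLoader or the projects it builds on) runs those heuristics over a constructed sequence of memory-map sweeps in the shape a VirtualQueryEx walk would yield; the `Region` fields, the tags and the sample addresses are assumptions, while the protection and type constants are the winnt.h values.

```python
"""Memory-map heuristics for the RW->RX, MemoryBouncing and MemoryHopping
patterns. Defensive example added for this page; the snapshot data below is
constructed, not a real capture."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Protection and region-type constants as defined in winnt.h.
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ,
              PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass(frozen=True)
class Region:
    """One committed region as a VirtualQueryEx sweep would report it (assumed field set)."""
    base: int
    size: int
    protect: int
    mem_type: int


Snapshot = List[Region]
Finding = Tuple[int, str, int]  # (snapshot index, heuristic tag, region base)


def _by_base(snapshot: Snapshot) -> Dict[int, Region]:
    return {r.base: r for r in snapshot}


def _private_exec(snapshot: Snapshot) -> List[Region]:
    """Executable memory that is not backed by an image section on disk."""
    return [r for r in snapshot if r.mem_type == MEM_PRIVATE and r.protect in EXECUTABLE]


def analyze(snapshots: List[Snapshot]) -> List[Finding]:
    """Compare consecutive sweeps and tag the transitions each technique produces."""
    findings: List[Finding] = []
    seen_exec_bases: Set[int] = set()  # bases that held private executable code in an earlier sweep
    for i, snap in enumerate(snapshots):
        cur = _by_base(snap)
        prev = _by_base(snapshots[i - 1]) if i > 0 else {}
        prev_exec = _private_exec(snapshots[i - 1]) if i > 0 else []
        # 1. Private RWX memory: what MemoryBouncing and MemoryHopping allocate.
        for r in snap:
            if r.mem_type == MEM_PRIVATE and r.protect == PAGE_EXECUTE_READWRITE:
                findings.append((i, "rwx_private", r.base))
        for r in _private_exec(snap):
            if r.base in prev:
                continue  # region existed in the previous sweep: not a fresh allocation
            # 2. Executable code re-committed at a base that held code before and was
            #    absent in the previous sweep: free + re-allocate at the same address.
            if r.base in seen_exec_bases:
                findings.append((i, "bounce_same_base", r.base))
            # 3. Fresh executable region of the same size as a private executable region
            #    that just vanished at another base: free + re-allocate elsewhere.
            for old in prev_exec:
                if old.base not in cur and old.size == r.size and old.base != r.base:
                    findings.append((i, "hop_new_base", r.base))
                    break
        # 4. Same region flipped from executable to RW: the classic RW->RX scheme.
        for base, r in cur.items():
            p = prev.get(base)
            if p is not None and p.protect in EXECUTABLE and r.protect == PAGE_READWRITE:
                findings.append((i, "rx_to_rw", base))
        seen_exec_bases.update(r.base for r in _private_exec(snap))
    return findings


def sample_timeline() -> List[Snapshot]:
    """Constructed sweep sequence walking through all three techniques."""
    image = Region(0x7FF600001000, 0x2000, PAGE_EXECUTE_READ, MEM_IMAGE)  # a normal module
    payload = 0x1A0000
    return [
        [image, Region(payload, 0x5000, PAGE_EXECUTE_READ, MEM_PRIVATE)],       # payload running
        [image, Region(payload, 0x5000, PAGE_READWRITE, MEM_PRIVATE)],          # RW->RX: RW while asleep
        [image, Region(payload, 0x5000, PAGE_EXECUTE_READ, MEM_PRIVATE)],       # back to RX
        [image],                                                                # MemoryBouncing: freed
        [image, Region(payload, 0x5000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE)],  # RWX at the same base
        [image, Region(0x2B0000, 0x5000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE)], # MemoryHopping: new base
    ]


if __name__ == "__main__":
    for idx, tag, base in analyze(sample_timeline()):
        print(f"sweep {idx}: {tag} at {base:#x}")
```

Two caveats apply when running this against live sweeps. The sweeps are point-in-time, so a free-and-reallocate that completes between two walks is only caught through the "seen earlier" bookkeeping, which means the walk interval has to be shorter than the sleep window. And private RWX memory is also allocated legitimately by JIT runtimes, so the `rwx_private` tag on its own is a triage signal, while the `bounce_same_base`, `hop_new_base` and `rx_to_rw` transitions are the stronger indicators.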