Draugr: CobaltStrike BOF with Synthetic Stackframe
Draugr-Template
CobaltStrike BOF template that makes it easy to call Windows APIs from a BOF through a synthetic stack frame. The spoofer is based on LoudSunRun.
For each API call, a gadget is picked at random from KERNELBASE.DLL.
Nowadays, some EDRs inspect the call stack when a sensitive API is called (memory allocation or protection changes, for example). If the call originates from an executable region that is not backed by an image on disk, it matches the typical shellcode pattern and the EDR may flag it.
Spoofing the return address alone helps, but the stack can still look suspicious: after the gadget frame there is nothing left, whereas a legitimate thread's stack ends in the thread-start frames. With this implementation the return address is spoofed and, beneath the gadget, two frames are pushed to mimic a thread start.
The advantages of a synthetic stack frame over thread-pool techniques are execution speed and the ability to retrieve the return value of the API call; thread-pool techniques are slower and do not return the function's result to the caller.
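The check Draugr is built to pass, as an added example that is not part of Draugr or LoudSunRun: a portable C model of an EDR's stack walk, run over three constructed call stacks (a direct call from shellcode, a spoofed return address with nothing behind it, and a gadget followed by two thread-start frames). The image bases, the gadget offset and the BaseThreadInitThunk offset are invented for the example; RtlUserThreadStart+0x21 is the address this README uses for the spoofed thread start, and the chain kernel32!BaseThreadInitThunk below ntdll!RtlUserThreadStart is the normal x64 thread start, assumed here to be what the two pushed frames imitate.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model of the call-stack check an EDR applies when a sensitive
 * API is called, run over constructed call stacks. All bases and offsets are
 * made up for the example, except RtlUserThreadStart+0x21, which this README
 * uses as the spoofed thread start address.
 */

typedef struct {
    const char *name;
    uint64_t    base;
    uint64_t    size;
} image_t;

/* Constructed image map of the target process. Index 0 must stay ntdll. */
static const image_t images[] = {
    { "ntdll.dll",      0x7ffd10000000ULL, 0x1f0000 },
    { "kernel32.dll",   0x7ffd0f000000ULL, 0x0c0000 },
    { "kernelbase.dll", 0x7ffd0c000000ULL, 0x2e0000 },
};
#define NUM_IMAGES (sizeof images / sizeof images[0])

/* Hypothetical addresses inside those images and in private memory. */
#define NTDLL_RtlUserThreadStart  (images[0].base + 0x0a000)
#define K32_BaseThreadInitThunk   (images[1].base + 0x17000)
#define KB_GADGET                 (images[2].base + 0x3f1c2) /* e.g. a jmp [rbx] */
#define SHELLCODE_PRIVATE         0x0000021f4c3e0000ULL      /* RX, no backing image */

typedef enum {
    STACK_OK = 0,
    STACK_UNBACKED,   /* a return address lies outside every loaded image */
    STACK_TRUNCATED   /* the chain does not end in ntdll's thread-start code */
} verdict_t;

static const image_t *image_for(uint64_t addr) {
    for (size_t i = 0; i < NUM_IMAGES; i++)
        if (addr >= images[i].base && addr < images[i].base + images[i].size)
            return &images[i];
    return NULL;
}

/*
 * frames[0] is the return address seen by the called API (innermost frame),
 * frames[n-1] the outermost return address the unwinder reached.
 * Two heuristics: every return address must be image-backed, and the outermost
 * frame must be in ntdll, where RtlUserThreadStart lives for a normal thread.
 */
verdict_t inspect_stack(const uint64_t *frames, size_t n) {
    if (n == 0)
        return STACK_TRUNCATED;
    for (size_t i = 0; i < n; i++)
        if (image_for(frames[i]) == NULL)
            return STACK_UNBACKED;
    if (image_for(frames[n - 1]) != &images[0])
        return STACK_TRUNCATED;
    return STACK_OK;
}

/* Case 1: shellcode calls the API directly; its return address is unbacked. */
verdict_t case_direct_call(void) {
    const uint64_t frames[] = {
        SHELLCODE_PRIVATE + 0x40,
        K32_BaseThreadInitThunk + 0x14,
        NTDLL_RtlUserThreadStart + 0x21,
    };
    return inspect_stack(frames, 3);
}

/* Case 2: return address spoofed to a KERNELBASE gadget, nothing behind it. */
verdict_t case_spoof_only(void) {
    const uint64_t frames[] = { KB_GADGET };
    return inspect_stack(frames, 1);
}

/* Case 3: synthetic frame: gadget, then two frames that mimic a thread start. */
verdict_t case_synthetic_frame(void) {
    const uint64_t frames[] = {
        KB_GADGET,
        K32_BaseThreadInitThunk + 0x14,
        NTDLL_RtlUserThreadStart + 0x21,
    };
    return inspect_stack(frames, 3);
}

static const char *verdict_name(verdict_t v) {
    static const char *names[] = { "ok", "unbacked frame", "truncated chain" };
    return names[v];
}

int main(void) {
    printf("direct call     : %s\n", verdict_name(case_direct_call()));
    printf("spoof only      : %s\n", verdict_name(case_spoof_only()));
    printf("synthetic frame : %s\n", verdict_name(case_synthetic_frame()));
    return 0;
}
```

A real EDR walks the stack with the unwind data of each frame rather than an array of return addresses, and some also check that every return address sits right after a call instruction, which is why the gadget and the pushed frames must unwind cleanly. What the model captures is the reasoning above: an image-backed gadget alone still leaves an abnormally short chain, while the two extra frames make it end where a normal thread's does.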
Draugr-Strike
Example of how to use Draugr-Template in a BOF to perform remote process injection.
!! WARNING !!
Sometimes the injection fails. This code is only a PoC demonstrating how to use the template. Use it with caution!
This example uses kernel32 with a synthetic stack frame to execute shellcode in a remote process:
- Allocate memory with RW permissions.
- Write the shellcode into the remote process.
- Change the memory protection to RX.
- Threadspoof:
  - Create a suspended spoofed thread at RtlUserThreadStart+0x21.
  - Resume the thread.
- Earlybird:
  - Create a suspended spoofed thread.
  - Queue an APC on the created thread to execute the shellcode.
  - Resume the thread.
Compilation:
- build threadspoof
- build earlybird
Supports implicit and explicit injection.