OdinLdr: Cobaltstrike UDRL with memory evasion
Features:
- Redirect all WININET calls through callstack crafting
- Encrypt the beacon during sleep
- Encrypt the beacon heap during sleep
- Self-delete the loader
EXECUTION OF LOADER
1 – Create a heap for beacon usage
2 – Allocate an RWX area of beacon size + UDRL size
3 – Copy the UDRL to the end of the beacon inside the allocated area
| 0x00 | beacon | 0xBEACON_SIZE | UDRL | 0xEND_Alloc
4 – Copy the ODIN structure (heap handle, beacon address, allocation size) to the start of the allocated area (no PE header is present)
5 – Copy the beacon sections
6 – Resolve the beacon imports and patch the IAT (the hooks are set here too)
7 – Apply the relocation table
8 – Initialize the beacon
9 – Create a thread starting at TpReleaseCleanupGroupMembers+0x450 to spoof the thread start address, then run the beacon
10 – Self-delete the loader
BEACON RUN
- All WININET functions are hooked, and every WININET call goes through callstack crafting
- Sleep is hooked:
1 – XOR the heap (random key for each sleep)
2 – Encrypt the beacon + UDRL (remember the UDRL was copied to the end of the beacon) with KrakenMask (ROP chain: RWX->RW, encrypt, sleep, RW->RWX)
3 – XOR the heap again
- ExitThread is hooked:
1 – Destroy the beacon heap
2 – Free the memory region holding the beacon
3 – Exit the thread
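As an added defender-side example (not code from the OdinLdr project), the Python below runs a heuristic over a constructed process snapshot and flags the two artefacts that the loader steps and the Sleep hook above leave behind: a private RWX region that carries no PE header, and a thread whose start address sits at a non-zero offset from an ntdll export (TpReleaseCleanupGroupMembers+0x450). The Region and Thread structures, the snapshot values and the helper names are assumptions for illustration.

```python
from dataclasses import dataclass
# Windows memory constants (real values from the Win32 API).
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000    # heap/VirtualAlloc memory, not backed by a file
MEM_IMAGE = 0x1000000    # mapped PE image

@dataclass
class Region:            # assumed shape of one memory region in a snapshot
    base: int
    size: int
    protect: int
    mem_type: int
    head: bytes          # first bytes of the region

@dataclass
class Thread:            # assumed shape of one thread in a snapshot
    tid: int
    start: int
    module: str          # module containing the start address
    nearest_export: str  # closest exported symbol at or below start
    export_offset: int   # start minus that export's address

def suspicious_regions(regions):
    """Private RWX regions with no PE header: the loader's beacon+UDRL area."""
    return [r for r in regions
            if r.protect == PAGE_EXECUTE_READWRITE
            and r.mem_type == MEM_PRIVATE
            and not r.head.startswith(b"MZ")]

def suspicious_threads(threads):
    """Threads started mid-function inside ntdll, as the loader's step 9 does."""
    return [t for t in threads
            if t.module.lower() == "ntdll.dll" and t.export_offset != 0]

# Constructed snapshot: a normal image region, a loader-like region, an ordinary thread, a spoofed one.
SAMPLE_REGIONS = [
    Region(0x7FF600001000, 0x1000, PAGE_EXECUTE_READ, MEM_IMAGE, b"MZ\x90\x00"),
    Region(0x1A2B3C0000, 0x60000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, b"\x00" * 4),
]
SAMPLE_THREADS = [
    Thread(1001, 0x7FF900001000, "kernel32.dll", "BaseThreadInitThunk", 0),
    Thread(1002, 0x7FF900234450, "ntdll.dll", "TpReleaseCleanupGroupMembers", 0x450),
]
if __name__ == "__main__":
    for r in suspicious_regions(SAMPLE_REGIONS):
        print(f"private RWX region without MZ header at {r.base:#x}, {r.size:#x} bytes")
    for t in suspicious_threads(SAMPLE_THREADS):
        print(f"thread {t.tid} starts at {t.nearest_export}+{t.export_offset:#x} in ntdll")
```

Because the Sleep hook flips the region to RW and encrypts it while the beacon sleeps, a single region scan taken at the wrong moment misses it; the thread-start check does not depend on timing, so run both and repeat the region scan.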