OdinLdr: Cobaltstrike UDRL with memory evasion

Features:

  • Redirect all WININET calls through call-stack crafting
  • Encrypt the beacon during sleep
  • Encrypt the beacon heap during sleep
  • Self-deletion of the loader

EXECUTION OF LOADER

1 – Create a heap for beacon usage

2 – Allocate an RWX area of beacon size + UDRL size

3 – Copy the UDRL to the end of the beacon in the allocated area

| 0x00 | beacon | 0xBEACON_SIZE | UDRL | 0xEND_Alloc

4 – Copy the ODIN structure (heap handle, beacon address, allocation size) to the start of the allocated area (no PE header is present)

5 – Copy the beacon sections

6 – Resolve the beacon imports and patch the IAT (this is also where the hooks are set)

7 – Apply the relocation table

8 – Initialise the beacon

9 – Create a thread on TpReleaseCleanupGroupMembers+0x450 to spoof the thread start address, then run the beacon

10 – Self-delete the loader

BEACON RUN

  • All WININET functions are hooked and use call-stack crafting for every WININET call

  • Sleep is hooked:

    1 – XOR the heap (random key for each sleep)

    2 – Encrypt the beacon + UDRL (remember the UDRL was copied to the end of the beacon) with KrakenMask (ROP chain, RWX->RW, encrypt, sleep, RW->RWX)

    3 – XOR the heap

  • ExitThread is hooked:

    1 – Destroy the beacon heap

    2 – Free the memory region containing the beacon

    3 – Exit the thread
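From the defender's side, the layout and thread trick described above leave two observable artifacts: a private RWX region whose first bytes are a loader structure rather than a PE header, and a thread whose start address sits at an offset inside an ntdll function. The sleep-time encryption only hides the first one (the region becomes RW and its contents are encrypted while the beacon sleeps), so a scan should check the thread property as well. The following heuristic checks are an added example, not part of OdinLdr; the region and thread records, their field names and the sample values are constructed to resemble what memory-scanner or EDR telemetry would provide.

```python
from dataclasses import dataclass


@dataclass
class Region:
    base: int
    size: int
    protect: str   # "RWX", "RW", "RX", "R" (assumed simplified protection labels)
    private: bool  # private committed memory, not backed by an image file
    head: bytes    # first bytes at `base`


@dataclass
class Thread:
    tid: int
    start_module: str  # module containing the thread start address
    start_symbol: str  # nearest symbol before the start address
    start_offset: int  # distance from that symbol, 0 means a real function entry


def region_findings(regions):
    """Private RWX memory that does not begin with a PE header ('MZ').
    While the beacon sleeps the region is RW and encrypted, so this rule only
    fires while the beacon is running."""
    out = []
    for r in regions:
        if r.private and r.protect == "RWX" and not r.head.startswith(b"MZ"):
            out.append(("rwx_private_no_pe_header", hex(r.base)))
    return out


def thread_findings(threads):
    """Threads whose start address lies inside an ntdll function instead of at
    its entry. The start address belongs to the thread, not to the memory it
    executes, so it is unaffected by sleep-time encryption."""
    out = []
    for t in threads:
        if t.start_module.lower() == "ntdll.dll" and t.start_offset != 0:
            out.append(("start_inside_ntdll_function",
                        f"{t.tid}:{t.start_symbol}+{t.start_offset:#x}"))
    return out


def scan(regions, threads):
    return region_findings(regions) + thread_findings(threads)


# Constructed sample telemetry: one image-backed region, one running beacon
# allocation (loader structure at base, no MZ), one sleeping beacon (RW, encrypted).
SAMPLE_REGIONS = [
    Region(0x7FF600000000, 0x20000, "RX", False, b"MZ\x90\x00"),
    Region(0x1A0000, 0x50000, "RWX", True, b"\x00\x10\x00\x00"),
    Region(0x2B0000, 0x50000, "RW", True, b"\x9a\x33\xf1\x7c"),
]
SAMPLE_THREADS = [
    Thread(1234, "ntdll.dll", "TppWorkerThread", 0),                    # ordinary pool thread
    Thread(5678, "ntdll.dll", "TpReleaseCleanupGroupMembers", 0x450),   # offset from the page
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_REGIONS, SAMPLE_THREADS):
        print(rule, detail)
```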

Download & Use