Hacking Tools

BokuLoader : Cobalt Strike Reflective Loader

BokuLoader is a User-Defined Reflective Loader (UDRL) designed to enhance the evasion capabilities of Cobalt Strike, a popular penetration testing and red-teaming tool.

Created as a proof-of-concept, BokuLoader aims to recreate and improve upon the evasion features of Cobalt Strike’s built-in reflective loader while supporting red teams in developing their own custom UDRLs. Below is an overview of its functions and features.

Key Functions Of BokuLoader

  1. Reflective Call Stack Spoofing
    BokuLoader employs synthetic frames to spoof call stacks, enhancing its ability to evade detection during reflective DLL injection.
  2. Indirect System Calls
    Using techniques like HellsGate and HalosGate, BokuLoader performs indirect NT system calls, bypassing userland hooks in ntdll.dll. This is particularly useful for memory protection changes (e.g., NtProtectVirtualMemory).
  3. Custom Reflective Loader Code
    The loader includes custom assembly and C code for reflective loading, ensuring better control over the process and improved evasion.
  4. Obfuscation Techniques
    • String Obfuscation: Uses Caesar Cipher for obfuscating strings.
    • DLL Loading: Resolves DLL base addresses and symbols without relying on traditional Windows API functions like Kernel32.LoadLibraryA or Kernel32.GetProcAddress.
  5. Memory Management Enhancements
    BokuLoader supports various memory allocation methods (HeapAlloc, VirtualAlloc, etc.) and implements header-less beacon DLLs by nullifying the first 0x1000 bytes of the virtual beacon DLL.
  6. Integration with Cobalt Strike Features
    While some Malleable PE evasion features are fully supported (e.g., allocator options, sleep masks), others may require additional configuration or are unsupported.

To use BokuLoader effectively:

  • Compile the object file and integrate it with Cobalt Strike via its Aggressor script.
  • Test the loader thoroughly across different operating systems, compilers, and configurations to ensure compatibility.
  • Note that it does not support x86 binaries and requires adjustments when using certain Artifact Kit configurations.

BokuLoader incorporates several advanced techniques to evade detection:

  • Hardcoded string changes to avoid signature-based detection.
  • Indirect system calls that bypass userland hooks.
  • Obfuscation of import names and entry points.

However, detection methods like scanning process memory or monitoring system calls may still identify its activities. BokuLoader is a sophisticated tool for enhancing Cobalt Strike’s evasion capabilities.

While it provides powerful features for red teams, it requires careful implementation and testing to ensure effectiveness in real-world scenarios.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Best OSINT Tools for Journalists 2026: Verify Sources, Images and Claims

Journalists use OSINT to verify public information before publishing. In 2026, misinformation, AI-generated images, fake…

8 hours ago

Install Docker on Ubuntu 20.04: Complete Step-by-Step Guide

Docker is an open-source platform that lets you package and run applications inside containers. Each container…

19 hours ago

Install PostgreSQL on Ubuntu: Database Setup and Admin Guide

PostgreSQL (often called Postgres) is an open-source relational database system. It supports advanced features like JSON…

20 hours ago

Install Xrdp Remote Desktop on Ubuntu: Setup and Connect

Xrdp is an open-source server that lets you connect to your Ubuntu machine from another computer…

20 hours ago

Tomcat 9 on Ubuntu 20.04: Install, Configure, and Start

Apache Tomcat is an open-source web server and Java servlet container. It is one of the…

20 hours ago

Automatic Updates on Ubuntu: Set Up unattended-upgrades

Keeping your Ubuntu system updated is one of the best ways to protect it. Security…

21 hours ago