Closed ghost closed 3 years ago
Hi Fendi1989, I have not tried it at all. If you want to give it a go, that'd be awesome, and let me know the results! I'd recommend uncommenting that line `// "int3 \n"`. Then create the beacon. Then open your beacon on a Windows computer with the x96dbg debugger. Then nop out the int3 breakpoint and run. If it hits the breakpoint, then you know it's this reflective loader, and if it does/not work.
In theory this reflective loader should work fine with the artifact script. You can also have a bunch of scripts loaded into the script manager at the same time, as long as they don't overlap/step on each other functionality-wise.
OK, because until now there are no real examples in Cobalt Strike's blog to show how the artifact kit and User Defined Reflective Loader kit can be synchronized. I mean, if the rdll_loader could generate exes, why use the artifact kit then? I just know that the artifact kit is responsible for the threads. If we load both rdll_loader and the artifact kit, even if I have the output in the console saying that the loader has generated an exe, it doesn't mean that the artifact kit wouldn't add data or a wrapper to the exe. It becomes complex; I need to debug everything.
Let me know how it goes! Interested. Going to close this issue for now :)
Hello, I just wanted to know if I should load the artifact kit (artifact template) and rdll_loader.cna at the same time. Will Cobalt Strike use the template cna or rdll_loader to create the final exe?