fix some malleable C2 incompatibilities

[S4ntiagoP]

So I have been reading the UDRL documentation (about time, right?) and noticed that there are some edge cases we are not supporting.

changes:

• If the Malleable C2 enables both sleep_mask and userwx, we now use RWX instead of RX (so that beacon doesn't crash)
• If both sleep_mask and obfuscate are set, we free the headers (yes, this would be the old NOHEADERCOPY feature we used to have)
• If stomppe is is set, we don't copy the headers (but we don't free them either)

Note that now all the behavior involving the headers is entirely defined in the Malleable C2, not by commenting or uncommenting a define in the code.
The syscalls and bypass options are still defined this way.

Also, we now compile all the possible combinations of flags and configs in the new dist folder and load the correct one by parsing the Malleable C2 config at runtime in the .cna file

Links:

• https://www.cobaltstrike.com/blog/user-defined-reflective-loader-udrl-update-in-cobalt-strike-4-5/
• https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_pe-memory-indicators.htm
• https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_user-defined-rdll.htm?cshid=1054

Thanks to @vestjoe for beacon_health_check where I found the trick to read the Malleable C2 profile programatically 😄

[boku7]

🔥🔥🔥

[vestjoe]

Very nice !!!! This is a really good idea.

[funnybananas]

"If the Malleable C2 enables both sleep_mask and userwx, we now use RWX instead of RX (so that beacon doesn't crash)"

This seems related to an issue I've been having with the latest version. Seems that now, when sleep_mask and userwx are set to true, the beacon crashes when it attempts to mask itself (so right after callback).

Looks like this line forces memory protection of the loaded .text to RX, which causes beacon to crash if userwx and sleepmask are set to true in the C2 profile. Manually changing this line to PAGE_EXECUTE_READWRITE fixes the beacon crashing.

https://github.com/boku7/BokuLoader/blob/c6d67d66697f18cc3c143323f9e011161f804c3d/src/BokuLoader.c#L93

[boku7]

I tested on CS 4.7.2 and with those options it works (at least in my test environment). Currently userwx is ignored by bokuloader. From my testing even though sleep mask is true, it is ignored by beacon. Previously we had different versions compiled which would be used for each case. I've moved it to one loader and have the aggressor script modifying the beacon. I will be releasing future versions which handle your specific configuration you mentioned. This will happen after the first blog post about UDRL I have scheduled for release. To avoid this issue with your setup, I recommend using the sleep mask kit with bokuloader. Specifically the src47 version with the Ekko implementation, as it can handle sleepmasking beacon when the .text section is RX.

[boku7]

What you did with the memory as RWX in the code is a good patch for getting it to work with that config you want for now, until I release the version that can properly handle the RWX option from the C2 profile