boku7 / BokuLoader

A proof-of-concept Cobalt Strike Reflective Loader which aims to recreate, integrate, and enhance Cobalt Strike's evasion features!
MIT License

Support indirect syscall #28

Closed ScriptIdiot closed 1 year ago

ScriptIdiot commented 1 year ago

Support indirect syscalls, since they are quite common nowadays. Sorry for any mistakes!

boku7 commented 1 year ago

Hey man, great work, sorry it took me so long to reply 😅 The only issue is that r15 is a nonvolatile register, and I don't see it being saved or restored either. This code would probably work in an exe or DLL loader, but it would likely cause a crash if injected into a running process because it would clobber r15. If you can fix it so that r15 doesn't get clobbered, I will accept the pull request, thank you!

ScriptIdiot commented 1 year ago

Thanks for pointing that out! Eliminated the usage of r15, and it should now be using volatile registers only. Tested by generating a .bin and injecting it, and they worked for me. Thanks again!