kapla0011/KaplaStrike
GitHub: kapla0011/KaplaStrike
# Crystal-Palace UDRL
A Cobalt Strike Reflective Loader built with [Crystal Palace](https://tradecraftgarden.org).
Some components are based on or taken from [Crystal-Kit](https://github.com/rasta-mouse/Crystal-Kit) by [@_RastaMouse](https://twitter.com/_RastaMouse).
Credit to him for the sleep masking implementation and significant portions of the loader architecture.
Go check out his work and his CRTL course.
For a full breakdown of every technique implemented here, read the accompanying blog post: [Bypassing EDR in a Crystal Clear Way](https://lorenzomeacci.com/bypassing-edr-in-a-crystal-clear-way)
## What this does
- Module overloading via `NtCreateSection` + `NtMapViewOfSection` (no `LoadLibrary`, no CFG)
- `.pdata` registration via `RtlAddFunctionTable` for clean beacon call stack frames
- `NtContinue` entry transfer with synthetic `BaseThreadInitThunk` / `RtlUserThreadStart` frames
- API call stack spoofing for loader setup via Draugr
- XOR-encrypted beacon DLL at build time
- Sleep masking via `addhook` IAT hooking and per-section XOR encryption
- Crystal Palace YARA signature removal via `ised`
## Setup
### 1. Malleable C2 profile
```
stage {
    set cleanup "true";
    set sleep_mask "false";
    set obfuscate "false";
}

post-ex {
    set cleanup "true";
}
```
Sleep masking is handled entirely by the loader. Do not enable it in the profile.
### 2. CNA script
```
# $1 = path to the Beacon DLL, $2 = architecture.
# Returning "0" keeps Cobalt Strike's default reserved loader size.
set BEACON_RDLL_SIZE {
    warn("Running 'BEACON_RDLL_SIZE' for DLL " . $1 . " with architecture " . $2);
    return "0";
}

# $1 = path to the Beacon DLL, $2 = DLL contents, $3 = architecture.
# The DLL is returned unmodified here; the loader is attached at link time (see Build).
set BEACON_RDLL_GENERATE {
    local('$arch $beacon');
    $beacon = $2;
    $arch = $3;
    return $beacon;
}
```
### 3. Build
```
make x64
./link spec/loader.spec cobalt_strike_raw.dll output.bin
```
`output.bin` is the final PIC blob. Execute it with any shellcode loader.
## Disclaimer
This tool is for authorised security testing and research purposes only.