This UDRL and Sleepmask Development course, created by Alex Reid and Zero-Point Security, teaches students how to apply low-level Windows knowledge and offensive tradecraft to the design and development of Cobalt Strike's User-Defined Reflective Loader (UDRL) and Sleepmask components.

Training Content 

1. Welcome

  • Introduction
  • Author's Note
  • Software Requirements

2. Introduction to UDRL and Sleepmask Development

  • Defining the Problem
  • Component Requirements
  • Project Setup
  • Build Automation
  • Testing Payloads

3. UDRL: Extending Stardust

  • Introduction to Stardust
  • API Resolution via Macros
  • Debug Output
  • Supporting Forwarded APIs
  • Pointer Arithmetic
  • Custom User Data
  • Global Variables Without NtProtectVirtualMemory
  • Removing Padding

4. UDRL: Basic Reflective Loading

  • Parsing PE Headers
  • Mapping Sections
  • Populating the Import Address Table
  • Processing Relocations
  • Transferring Execution

5. Sleepmask: Basic Ekko Implementation

  • Integrating Common Assets
  • Preparing sleep_mask
  • Masking Heap Memory
  • Understanding Ekko
  • Implementing Ekko

6. Sleepmask: Through the BeaconGate with Ekko

  • Understanding the Problem
  • Passing Stack Parameters
  • Storing Return Values
  • Integrating BeaconGate

7. Module Stomping

  • Introduction to Module Stomping
  • Identifying Sacrificial DLLs
  • Basic Implementation

8. UDRL: Advanced Module Stomping

  • Background Research
  • Manipulating Section Handles
  • Replacing LoadLibraryEx
  • Mapping Beacon's Unwind Info
  • Finding and Fixing Sleepmask and BOF Unwind Info

9. Common: Control Flow Guard

  • Understanding Control Flow Guard
  • Enumerating CFG and Modifying the Bitmap

10. Evasion: Call Stack Spoofing

  • Introduction to Hunt Sleeping Beacons and Call Stack Detection
  • Exposing Timer Functionality to the UDRL
  • Beacon Entry via NtContinue
  • Concealing the Main Thread's Call Stack During Timer Execution
  • Disguising Timer Stacks with ROP and JOP
  • Suspicious Timers and Where to Hide Them

11. Evasion: Cleaning the LitterBox

  • Introduction to LitterBox and Underlying Tools
  • Patriot: Hiding Suspicious CONTEXTs
  • Moneta: Freeing the Initial Allocation
  • YARA: Addressing Static Signatures
  • PE-sieve: Avoiding Entropy Checks

12. Evasion: Assorted Tradecraft and Code Cleanup

  • Extending BeaconGate for Unsupported APIs
  • Exception Handling via Wow64PrepareForException
  • Exiting Beacon Gracefully
  • Ekko via Threadpool Timers
  • Code Cleanup and Bug Fixes

13. Course Completion

  • Areas for Future Exploration
  • Closing
  • Course Evaluation
  • Certificate of Completion

PRODUCT SUMMARY

Key Features

  • Author: Alex Reid
  • Level: Certified
  • Study time: 9 hours