Description
When deploying beacon agents in mature environments with EDR/AV solutions, the default reflective loader often becomes a detection point. The security community has developed various advanced loaders with different evasion techniques to address this challenge.
Cobalt Strike introduced the User-Defined Reflective Loader (UDRL) feature, which allows operators to replace the default loader with custom implementations. This has enabled projects like:
- BokuLoader - Features indirect syscalls (HellsGate), IAT hooking, call stack spoofing, and multiple memory allocation methods
- AceLdr - Cobalt Strike UDRL with advanced evasion
- TitanLdr - Another popular alternative loader
The key aspects of CS's UDRL implementation:
- The loader is a position-independent shellcode blob that receives the beacon DLL appended to it
- Configuration options (allocator type, memory protection, etc.) are passed via unused fields in the beacon DLL's DOS/PE header
- Operators can select and configure loaders through the UI
Reference: Cobalt Strike UDRL Documentation
It would be valuable if AdaptixC2 could support custom reflective loaders in some capacity. This would allow operators to:
- Adapt to different target environments
- Leverage community-developed loaders
- Customize their OPSEC posture
I understand this may require significant architectural consideration. I'm simply raising this as a feature that would greatly benefit the project's flexibility and evasion capabilities.
Thank you for your excellent work on AdaptixC2!