Update README.md

README.md

@@ -1,2 +1,66 @@
+[![Twitter](https://img.shields.io/twitter/follow/naksyn?label=naksyn&style=social)](https://twitter.com/intent/follow?screen_name=naksyn)
+
 # DojoLoader
+
 Generic PE loader for fast prototyping evasion techniques
+
+![immagine](https://github.com/naksyn/DojoLoader/assets/59816245/af9abb9e-f731-4cf9-a11f-03e99d5f3262)
+
+# What is it
+
+DojoLoader is a generic PE loader initially created to prototype sleep obfuscation techniques with Cobalt Strike UDRL-less raw Beacon payload, in an attempt to reduce debugging time with UDRLs.
+
+[You can read this blog post for more insight on the journey](https://www.naksyn.com/cobalt%20strike/2024/04/15/raising-beacons-without-UDRLs-teaching-how-to-sleep.html).
+
+DojoLoader borrows MemoryModule implementation of the [DynamicDllLoader](https://gitlab.com/ORCA000/dynamicdllloader) project by ORCA000 and expands on that adding modularity and the following features:
+ 1. download and execution of (xored) shellcode from HTTP of from file
+ 2. dynamic IAT hooking for Sleep function
+ 3. Three different Sleep obfuscation techinques implemented in the hook library
+ * RW->RX
+ * MemoryBouncing
+ * MemoryHopping 
+
+**Rw->RX** sleep obfuscation is a classic RW -> encrypt -> Sleep -> decrypt -> RX -> RW -> encrypt scheme.
+
+**MemoryBouncing** is a diferent (from publicly available techniques) sleep obfuscation that aims to evade public RX->RW detections and involves the following steps:
+
+1. Copy mapped PE to a buffer and encrypt it
+2. Free mapped PE address
+3. do sleep time (e.g. SleepEx)
+4. Allocate RWX address on the same address were PE was mapped
+5. deecrypt the buffer and copy it over the RWX memory
+
+RX->RW detection is evaded by avoiding VirtualProtect and hiding the payload during sleep by freeing the payload memory area.
+
+https://github.com/naksyn/DojoLoader/assets/59816245/30c092ac-dc2f-4842-980e-8d38f54d5027
+
+
+**MemoryHopping** is another different (from publicly available techniques) sleep obfuscation that aims to evade public RX->RW detections and involves the following steps:
+
+ 1. save the return address
+ 2. copy the mapped PE bytes to a buffer and optionally encrypt it
+ 3. Free the memory of the mapped payload
+ 4. allocate RWX memory on a different address
+ 5. calculate delta and adjust the return address accordingly
+ 6. copy bytes from the buffer to the newly created memory region
+ 7. perform relocations on the copied bytes
+ 8. resume execution form the adjusted return address
+
+https://github.com/naksyn/DojoLoader/assets/59816245/2111a6b4-0f7c-46b6-8f69-54ba79a96c04
+
+# Usage
+To use the loader with Cobalt Strike Beacon, generate first a UDRL-less payload using the cna in the Utils folder and -beacon flag with the loader.
+
+```
+Usage: -d <url> | -f <file> [-k <key>] [-s <function>] [-beacon]
+Options:
+ -d -download <url> Load PE from the specified URL
+ -f -file <file> Load PE from the specified file
+ -k -key <key> XOR the payload with the specified key
+ -s -sleep <1 (membounce),2 (memhop),3 (RWRX)> Sleep Obfuscation techniques:
+ 1 or membounce for MemoryBouncing
+ 2 or memhop for Memory Hopping (choose a compatible payload)
+ 3 or RWRX for classic RW->RX
+ -beacon use Cobalt Strike UDRL-les Beacon payload execution method
+ -h print this help
+```