# Payload Generation Analysis: Follow-up Notes

From CS 4.1 onward the way Beacon is patched has changed somewhat; this page supplements the earlier analysis with those changes.

Take any Beacon.dll from version 4.1 or later (it must be decrypted first; the decryption script is in this article's git repository) and inspect the exported reflective function ReflectiveLoader. Compared with earlier versions, the body of ReflectiveLoader has changed: it now consists entirely of nop or int3 instructions.

![](/files/-MeOF5fOYCKuPQ71hTmN)

This is because, from 4.1 onward, CS automatically selects a suitable reflective loader according to the allocator option in the C2 profile and then patches it into the DLL.

Depending on the allocation function called, there are three variants: HeapAlloc, MapViewOfFile and VirtualAlloc.

Previously CS decided at run time, based on a flag, which function to use; now CS instead ships three BOFs (OBJ files), one compiled for each of the three functions.

![](/files/-MeOJ6KP30_bDW-_cs98)

The matching reflective loader is chosen according to the C2 profile; the default is BeaconLoader.VA.

![](/files/-MeOcivcwdOqjof00NiL)

Note: because the reflective function is itself shellcode, there is no import table to fix when patching the OBJ (it has none); only the relocations need fixing. That part is covered in [Beacon Object File (how BOFs work)](/cobalt-strike/cobalt-strike-yuan-li-jie-shao/untitled-3.md) and is not repeated here.

Finally, BeaconLoader.VA and BeaconLoader differ very little; .VA just carries a small in-memory decryption step and uses NumberOfSymbols to decide whether decryption is needed.

![](/files/-MeOcKuemqP3k-XxSXkJ)

A convenient side effect of this design is that you can write your own OBJ file and patch it in as the loader function.
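An added triage check (my own example code, not Cobalt Strike's): it parses the export table of a decrypted Beacon DLL image, finds the ReflectiveLoader export and reports whether its body is still the nop/int3 placeholder described above (a stock, unpatched image) or whether a loader has already been patched in. `build_sample_dll` is a constructed, non-loadable PE32+ stand-in for a real Beacon.dll; the export and section layout in it are my assumptions for the demo only.

```python
import struct

# Added example: locate the ReflectiveLoader export and classify its body as nop/int3 placeholder or patched code.
def _rva_to_off(sections, rva):
    for va, raw, size in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError("RVA %#x is not backed by any section" % rva)

def export_body(pe, name_part, length=64):
    """Return (export name, first `length` bytes of its code), or (None, b'') if no export matches."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                      # e_lfanew
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    magic = struct.unpack_from("<H", pe, nt + 24)[0]                # 0x20B = PE32+, 0x10B = PE32
    exp_rva = struct.unpack_from("<I", pe, nt + 24 + (0x70 if magic == 0x20B else 0x60))[0]
    sections = []
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", pe, nt + 24 + opt_size + 40 * i + 8)
        sections.append((va, raw, max(vsize, rsize)))
    exp = _rva_to_off(sections, exp_rva)
    nnames, funcs, names, ords = struct.unpack_from("<IIII", pe, exp + 24)
    for i in range(nnames):
        off = _rva_to_off(sections, struct.unpack_from("<I", pe, _rva_to_off(sections, names) + 4 * i)[0])
        sym = pe[off:pe.index(b"\0", off)].decode()
        if name_part in sym:                       # matches both ReflectiveLoader and _ReflectiveLoader@4
            ordinal = struct.unpack_from("<H", pe, _rva_to_off(sections, ords) + 2 * i)[0]
            start = _rva_to_off(sections, struct.unpack_from("<I", pe, _rva_to_off(sections, funcs) + 4 * ordinal)[0])
            return sym, pe[start:start + length]
    return None, b""

def is_placeholder(body):
    """True when the export body is nothing but nop (0x90) / int3 (0xCC) filler."""
    return bool(body) and all(b in (0x90, 0xCC) for b in body)

def build_sample_dll(code):
    """Constructed minimal PE32+ stand-in (not loadable) with one section that exports ReflectiveLoader."""
    sec_va, sec_raw = 0x1000, 0x200
    # section layout: export dir @0, AddressOfFunctions @40, AddressOfNames @44, ordinals @48, name @50, code @0x80
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_va + 50, 1, 1, 1, sec_va + 40, sec_va + 44, sec_va + 48)
    body += struct.pack("<IIH", sec_va + 0x80, sec_va + 50, 0) + b"ReflectiveLoader\0"
    body = body.ljust(0x80, b"\0") + code
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 0x70, sec_va, 40)                      # export DataDirectory entry
    sec = struct.pack("<8sIIII", b".text", len(body), sec_va, len(body), sec_raw) + b"\0" * 16
    return (dos + nt + bytes(opt) + sec).ljust(sec_raw, b"\0") + body
```

Run `export_body(open("Beacon.dll", "rb").read(), "ReflectiveLoader")` on a decrypted image and pass the body to `is_placeholder`; a placeholder result means the image has not yet had a BeaconLoader BOF patched in.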
