NUL0x4C / TerraLdr
Apache License 2.0
Topics: edrs, loader, payload
TerraLdr: A Payload Loader Designed With Advanced Evasion Features
Details:
No CRT functions imported
Syscall unhooking using KnownDllUnhook
API hashing using the Rotr32 hashing algorithm
Payload encryption using RC4; the payload is stored in the .rsrc section
Process injection, targeting 'SettingSyncHost.exe'
PPID spoofing and the BlockDLLs policy, set via NtCreateUserProcess
Stealthy remote process injection by writing the payload in chunks
Payload execution using debugging and NtQueueApcThread
Usage:
Use GenerateRsrc to update DataFile.terra; that file is the payload saved in the .rsrc section of the loader.
Thanks For:
https://offensivedefence.co.uk/posts/ntcreateuserprocess/
https://github.com/vxunderground/VX-API
Notes:
"SettingSyncHost.exe" is not present on Windows 11 machines. While I have not tested on Windows 11, the target process name must be changed to something else before testing there.
It is possibly better to compile with "ISO C++20 Standard (/std:c++20)".
Profit:
Demo (by @ColeVanlanding1):
Tested with Cobalt Strike and Havoc on Windows 10.