= Alaris Shellcode Loader Joshua Faust Joshua.Faust@sevrosecurity.com :toc:

== Alaris

+++

Build

+++

Alaris is a new and sneaky shellcode loader capable of bypassing most EDR systems as of today (02/28/2021). It uses several known TTP's that help protect the malware and it's execution flow. Some of these features are:

Shellcode Encryption (AES-CBC 256)
Direct x86 Syscalls via https://twitter.com/Jackson_T[@Jackson T's] new https://github.com/jthuraisamy/SysWhispers2[SyWhispers2]
Prevents 3rd party (non-Microsoft Signed) DLL's from hooking or injecting both the parent and child processes.
Parent Process ID spoofing
Overwrites it's own shellcode after execution.

To get a full understanding on how Alaris works, https://sevrosecurity.com/2020/10/14/alaris-a-protective-loader/[see my post here].

=== Updates

As on February 28th, 2021, several changes have been made:

. You can now easily build Alaris with the Python3 builder.py tool. . Moved from https://github.com/jthuraisamy/SysWhispers[SysWhispers] to https://github.com/jthuraisamy/SysWhispers2[SysWhispers2] . Key and IV are now dynamic for each build via PBKDF2

== Building Alaris

The easiest method to build Alaris is with builder.py. I assume the following when you're building a new Alaris loader:

. You are compiling on a Windows host. Preferably, Windows 10. . You have Visual Studio 2019+ [Community, Professional] installed with C++ (https://github.com/cribdragg3r/Alaris/issues/2#issuecomment-749069975[See example here]) . You have Python3 installed and have pip install -r requirements.txt

[source, python]

usage: builder.py [-h] -s -p [-o]

optional arguments: -h, --help show this help message and exit -s, --shellcode Path to RAW shellcode file -p, --password Encryption Passphrase -o, --out Output Path for compiled binary

.Example Syntax [source, python]

Output Compiled Binary to CWD

python3 builder.py -s C:\Users\admin\payload.bin -p example_password

Output Compiled Binary to a path of your choosing.

python3 builder.py -s C:\Users\admin\payload.bin -p example_password -o C:\Users\admin\Desktop\my_alaris

=== Cobalt Strike Example

Generate x64 Shellcode for you Cobalt Strike Listener +++

Build

+++

Use the builder.py to build the loader +++

Build

+++

Executing the loader +++

Build

+++

joshfaust / Alaris

readme

[source, python]

optional arguments: -h, --help show this help message and exit -s, --shellcode Path to RAW shellcode file -p, --password Encryption Passphrase -o, --out Output Path for compiled binary

.Example Syntax [source, python]

Output Compiled Binary to CWD

Output Compiled Binary to a path of your choosing.

python3 builder.py -s C:\Users\admin\payload.bin -p example_password -o C:\Users\admin\Desktop\my_alaris