TerraLdr - A Payload Loader Designed With Advanced Evasion Features

TerraLdr – A Payload Loader Designed With Advanced Evasion Features

TerraLdr: A Payload Loader Designed With Advanced Evasion Features

Details:

  • no crt functions imported
  • syscall unhooking using KnownDllUnhook
  • api hashing using Rotr32 hashing algo
  • payload encryption using rc4 – payload is saved in .rsrc
  • process injection – targetting ‘SettingSyncHost.exe’
  • ppid spoofing & blockdlls policy using NtCreateUserProcess
  • stealthy remote process injection – chunking
  • using debugging & NtQueueApcThread for payload execution

Usage:

Thanks For:

Notes:

  • “SettingSyncHost.exe” isnt found on windows 11 machine, while i didnt tested with w11, its a must to change the process name to something else before testing
  • it is possibly better to compile with “ISO C++20 Standard (/std:c++20)”

Profit:

Demo (by @ColeVanlanding1) :

Tested with cobalt strike && Havoc on windows 10

Leave a Reply

Your email address will not be published. Required fields are marked *

Special Offer for Hackers!Sign up to get your $5 Coupon code, weekly deals and latest hacking tools straight to your inbox!
X