TerraLdr: A Payload Loader Designed With Advanced Evasion Features
Details:
- no crt functions imported
- syscall unhooking using KnownDllUnhook
- api hashing using Rotr32 hashing algo
- payload encryption using rc4 – payload is saved in .rsrc
- process injection – targetting ‘SettingSyncHost.exe’
- ppid spoofing & blockdlls policy using NtCreateUserProcess
- stealthy remote process injection – chunking
- using debugging & NtQueueApcThread for payload execution
Usage:
Thanks For:
Notes:
- “SettingSyncHost.exe” isnt found on windows 11 machine, while i didnt tested with w11, its a must to change the process name to something else before testing
- it is possibly better to compile with “ISO C++20 Standard (/std:c++20)”
Profit:
Demo (by @ColeVanlanding1) :
