Skip to content

A Payload Loader Designed With Advanced Evasion Features

License

Notifications You must be signed in to change notification settings

NUL0x4C/TerraLdr

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

TerraLdr: A Payload Loader Designed With Advanced Evasion Features


Details:

  • no crt functions imported
  • syscall unhooking using KnownDllUnhook
  • api hashing using Rotr32 hashing algo
  • payload encryption using rc4 - payload is saved in .rsrc
  • process injection - targetting 'SettingSyncHost.exe'
  • ppid spoofing & blockdlls policy using NtCreateUserProcess
  • stealthy remote process injection - chunking
  • using debugging & NtQueueApcThread for payload execution

Usage:

Thanks For:

Notes:

  • "SettingSyncHost.exe" isnt found on windows 11 machine, while i didnt tested with w11, its a must to change the process name to something else before testing
  • it is possibly better to compile with "ISO C++20 Standard (/std:c++20)"

Profit:

ph2 havoc

Demo (by @ColeVanlanding1) :

EmpireC2 TerraLDR vs AntiVirus



Tested with cobalt strike && Havoc on windows 10

About

A Payload Loader Designed With Advanced Evasion Features

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages