AceLdr: Cobalt Strike UDRL for memory scanner evasion
AceLdr – Avoid Memory Scanners
A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect.
Features
Easy to Use
Import a single CNA script before generating shellcode.
Dynamic Memory Encryption
Creates a new heap for any allocations from Beacon and encrypts entries before sleep.
Code Obfuscation and Encryption
Changes the memory containing Cobalt Strike executable code to non-executable and encrypts it (FOLIAGE).
Return Address Spoofing at Execution
Certain WinAPI calls are executed with a spoofed return address (InternetConnectA, NtWaitForSingleObject, RtlAllocateHeap).
Sleep Without Sleep
Delayed execution using WaitForSingleObjectEx.
RC4 Encryption
All encryption is performed with SystemFunction032.
Known Issues
- Not compatible with loaders that rely on the shellcode thread staying alive.
Copyright (c) 2022 Kyle Avery