laZzzy: shellcode loader
laZzzy
laZzzy is a shellcode loader that demonstrates different execution techniques commonly employed by malware. laZzzy was developed using different open-source header-only libraries.
Features
- Direct syscalls and native (Nt*) functions (not all functions but most)
- Import Address Table (IAT) evasion
- Encrypted payload (XOR and AES)
- Randomly generated key
- Automatic padding (if necessary) of payload with NOPS (\x90)
- Byte-by-byte in-memory decryption of the payload
- XOR-encrypted strings
- PPID spoofing
- Blocking of non-Microsoft-signed DLLs
- (Optional) Cloning of PE icon and attributes
- (Optional) Code signing with spoofed cert
Libraries Used
- kokke/tiny-AES-c
- skadro-official/skCrypter
- JustasMasiulis/lazy_importer
- JustasMasiulis/inline_syscall
Shellcode Execution Techniques
- Early-bird APC Queue (requires sacrificial process)
- Thread Hijacking (requires sacrificial process)
- KernelCallbackTable (requires sacrificial process that has a GUI)
- Section View Mapping
- Thread Suspension
- LineDDA Callback
- EnumSystemGeoID Callback
- Fiber Local Storage (FLS) Callback
- SetTimer
- Clipboard
Notes:
- Only works on Windows x64
- Debugging only works on Release mode
- Sometimes, KernelCallbackTable doesn’t work on the first run but will eventually work afterward
Install & Use
Copyright (c) 2022 Capt. Meelo
