NovaLdr: Threadless Module Stomping In Rust

NovaLdr

NovaLdr is a Threadless Module Stomping written in Rust, designed as a learning project while exploring the world of malware development. It uses advanced techniques like indirect syscalls and string encryption to achieve its functionalities. This project is not intended to be a complete or polished product but rather a journey into the technical aspects of malware, showcasing various techniques and features.

Features Overview

• Idirect Sycalls
• String encryption
• Shellcode encryption: simple XOR and converting the Shellcode bytes into MAC address
• Threadless Execution
  • Threadless inject: Writes a trampoline into a specified function within a given DLL and redirects it to load another DLL.
  • JMPThreadHijack: Hijack a thread without calling SetThreadContext. Still needs improvement because I’m lazy and haven’t implemented the whole thing well enough to maintain the original functionality of the thread. Just a quick and dirty PoC (Beware of payload execution control. Browsers tend to execute the payload multiple times)
• Module Unlink
  • Overwrites the DOS header magic bytes.
  • Clears the DLL base addresses from the target process.
  • Eliminates DLL name strings from the target process.
  • Unlinks a module from the module list
• Spawning Process: spawning suspended process with NtCreateUserProcess and Spoofing the PPID and Setting the process to Block DLL
• Ntdll Unhooking: Remote and local Ntdll Unhooking using Parun’s Fart technique
• No GetModuleHandleA & GetProcAddress: Custome Function that using NT functions
• Sleep Encrypt: custom sleep function that encrypts the stack during its sleep duration using a separate thread.

Download

git clone https://github.com/BlackSnufkin/NovaLdr.git

Use

• Generate Shellcode file: msfvenom -p windows/x64/messagebox TITLE=NovaLdr TEXT=’In memory of all those murdered in the Nova party massacre 7.10.2023′ ICON=WARNING EXITFUNC=thread -b ‘\xff\x00\x0b’ -f raw -e none -o Nova_MSG.bin
• Encrypt the shellcode file and convert it to MAC address format python bin2mac.py Nova_MSG.bin > nova_msg.txt
• Copy the content of the output file and paste it to the main.rs file
• Compile the program just run the file compile.bat

Copyright (C) 2023 BlackSnufkin 

Source: https://github.com/BlackSnufkin/