TerraLdr: Payload Loader Designed With Advanced Evasion Features

TerraLdr: A Payload Loader Designed With Advanced Evasion Features

• no crt functions imported
• syscall unhooking using KnownDllUnhook
• api hashing using Rotr32 hashing algo
• payload encryption using rc4 – payload is saved in .rsrc
• process injection – targetting ‘SettingSyncHost.exe’
• ppid spoofing & blockdlls policy using NtCreateUserProcess
• stealthy remote process injection – chunking
• using debugging & NtQueueApcThread for payload execution

Notes:

• “SettingSyncHost.exe” isn’t found on windows 11 machine, while i didn’t tested with w11, its a must to change the process name to something else before testing
• it is possibly better to compile with “ISO C++20 Standard (/std:c++20)”

Use

• use GenerateRsrc to update DataFile.terra that’ll be the payload saved in the .rsrc section of the loader

Demo

Download

Copyright (C) 2022 ORCx41