TerraLdr: Payload Loader Designed With Advanced Evasion Features

Advanced Evasion Payload

TerraLdr: A Payload Loader Designed With Advanced Evasion Features

  • no crt functions imported
  • syscall unhooking using KnownDllUnhook
  • api hashing using Rotr32 hashing algo
  • payload encryption using rc4 – payload is saved in .rsrc
  • process injection – targetting ‘SettingSyncHost.exe’
  • ppid spoofing & blockdlls policy using NtCreateUserProcess
  • stealthy remote process injection – chunking
  • using debugging & NtQueueApcThread for payload execution

Notes:

  • “SettingSyncHost.exe” isn’t found on windows 11 machine, while i didn’t tested with w11, its a must to change the process name to something else before testing
  • it is possibly better to compile with “ISO C++20 Standard (/std:c++20)”

Use

Demo

Download

Copyright (C) 2022 ORCx41