TerraLdr – A Payload Loader Designed With Advanced Evasion Features
TerraLdr: A Payload Loader Designed With Advanced Evasion Features
Details:
- no crt functions imported
- syscall unhooking using KnownDllUnhook
- api hashing using Rotr32 hashing algo
- payload encryption using rc4 – payload is saved in .rsrc
- process injection – targetting ‘SettingSyncHost.exe’
- ppid spoofing & blockdlls policy using NtCreateUserProcess
- stealthy remote process injection – chunking
- using debugging & NtQueueApcThread for payload execution
Usage:
- use GenerateRsrc to update DataFile.terra that’ll be the payload saved in the .rsrc section of the loader
Thanks For:
Notes:
- “SettingSyncHost.exe” isnt found on windows 11 machine, while i didnt tested with w11, its a must to change the process name to something else before testing
- it is possibly better to compile with “ISO C++20 Standard (/std:c++20)”
Profit:
Demo (by @ColeVanlanding1) :
Tested with cobalt strike && Havoc on windows 10
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on Patreon using the button below
To keep up to date follow us on the below channels.
