AtomLdr – A DLL Loader With Advanced Evasive Features

ce3346afb53d3c0fbfb3ef8ce28e942637e6d7fead0187ac976ebd71cf01d5e1


A DLL Loader With Advanced Evasive Features

Features:

  • CRT library independent.
  • The final DLL file, can run the payload by loading the DLL (executing its entry point), or by executing the exported "Atom" function via the command line.
  • DLL unhooking from \KnwonDlls\ directory, with no RWX sections.
  • The encrypted payload is saved in the resource section and retrieved via custom code.
  • AES256-CBC Payload encryption using custom no table/data-dependent branches using ctaes; this is one of the best custom AES implementations I’ve encountered.
  • Aes Key & Iv Encryption.
  • Indirect syscalls, utilizing HellHall with ROP gadgets (for the unhooking part).
  • Payload injection using APC calls – alertable thread.
  • Payload execution using APC – alertable thread.
  • Api hashing using two different implementations of the CRC32 string hashing algorithm.
  • The total Size is 17kb + payload size (multiple of 16).

How Does The Unhooking Part Work

AtomLdr’s unhooking method looks like the following

e3920b28da106d53405eda9ff2b490175b68bbdf07aa318df41fecc09acc16a7

the program Unhooking from the \KnwonDlls\ directory is not a new method to bypass user-land hooks. However, this loader tries to avoid allocating RWX memory when doing so. This was obligatory to do in KnownDllUnhook for example, where RWX permissions were needed to replace the text section of the hooked modules, and at the same time allow execution of functions within these text sections.

This was changed in this loader, where it suspends the running threads, in an attempt to block any function from being called from within the targetted text sections, thus eliminating the need of having them marked as RWX sections before unhooking, making RW permissions a possible choice.

This approach, however, created another problem; when unhooking, NtProtectVirtualMemory syscall and others were using the syscall instruction inside of ntdll.dll module, as an indirect-syscall approach. Still, as mentioned above, the unhooked modules will be marked as RW sections, making it impossible to perform indirect syscalls, because the syscall instruction that we were jumping to, can’t be executed now, so we had to jump to another executable place, this is where win32u.dll was used.

win32u.dll contains some syscalls that are GUI-related functions, making it suitable to jump to instead of ntdll.dll. win32u.dll is loaded (statically), but not included in the unhooking routine, which is done to insure that win32u.dll can still execute the syscall instruction we are jumping to.

The suspended threads after that are resumed.

It is worth mentioning that this approach may not be that efficient, and can be unstable, that is due to the thread suspension trick used. However, it has been tested with multiple processes with positive results, in the meantime, if you encountered any problems, feel free to open an issue.


Usage

  • PayloadBuilder is compiled and executed with the specified payload, it will output a PayloadConfig.pc file, that contains the encrypted payload, and its encrypted key and iv.
  • The generated PayloadConfig.pc file will then replace this in the AtomLdr project.
  • Compile the AtomLdr project as x64 Release.
  • To enable debug mode, uncomment this here.

Demo (1)

  • Executing AtomLdr.dll using rundll32.exe, running Havoc payload, and capturing a screenshot

b3ff2990cc5c81eb317cbdbf60d8b4d7d87b4befdea3b018fb713b8bfdc5c54e

  • AtomLdr.dll‘s Import Address Table

39e13e7d7837674bd20fbf9a2cc054515c6e6695b29018712cd4362cbbfc9172


Demo – Debug Mode(2)

  • Running PayloadBuilder.exe, to encrypt demon[111].bin – a Havoc payload file

e0816aebd6411e6defc2d05a2b851ea1c1a68629a9a7c553ffb28a0bb96b0f49


  • Running AtomLdr.dll using rundll32.exe

8ae9efedfc8831873a2c4ba57cb82e8abe3bf25226c0ee687dd45a6b69fe326b

34407421fe31fe343e7096d241da939bd491d910166df70dddb758b15858452b


  • Havoc capturing a screenshot, after payload execution

9b02bb435a85dcf19b815ad224b50f6621326de0c84c97d48cd185c3d3d7d446


Based on




Original Source


 


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn