TerraLdr: A Payload Loader Designed With Advanced Evasion Features
### Details:
* no CRT functions imported
* syscall unhooking using KnownDllUnhook
* API hashing using a Rotr32 hashing algorithm
* payload encryption using RC4; the encrypted payload is stored in the loader's .rsrc section
* process injection, targeting `SettingSyncHost.exe`
* PPID spoofing and the BlockDLLs policy via NtCreateUserProcess
* stealthy remote process injection: the payload is written to the target in chunks
* using debugging & NtQueueApcThread for payload execution
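The API-hashing and RC4 items above, as an added example that is not TerraLdr's own code: a portable C program with a Rotr32-style name hash, a lookup of an export by hash against a constructed name table (standing in for walking ntdll's export directory in memory), and RC4 applied in place to a constructed byte buffer standing in for the payload blob in .rsrc. The rotate amount, hash seed, RC4 key and export list are assumptions; TerraLdr's real values are not given on the page. Nothing here calls a Windows API, so it builds and runs anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed constants: TerraLdr's actual rotate amount and seed are not
   stated on the page; these are illustrative values only. */
#define ROTR_BITS 13u
#define HASH_SEED 0x811C9DC5u

static uint32_t rotr32(uint32_t v, unsigned r) {
    r &= 31u;
    return (v >> r) | (v << ((32u - r) & 31u));
}

/* Rotr32-style name hash: rotate the running value right, add the next byte.
   A loader carries only the 32-bit hash of each API it needs, so no plaintext
   import names appear in the binary or in its import table. */
uint32_t hash_name(const char *s) {
    uint32_t h = HASH_SEED;
    for (; *s != '\0'; s++)
        h = rotr32(h, ROTR_BITS) + (uint8_t)*s;
    return h;
}

/* Constructed stand-in for a module's export name table (a real loader walks
   the PE export directory of the mapped ntdll.dll instead). */
static const char *const kExports[] = {
    "NtAllocateVirtualMemory",
    "NtWriteVirtualMemory",
    "NtQueueApcThread",
    "NtCreateUserProcess",
};
#define N_EXPORTS (sizeof kExports / sizeof kExports[0])

/* Resolve an export by hashing every name in the table and comparing against
   the precomputed hash. Returns the table index, or -1 when nothing matches. */
int find_export_by_hash(const char *const *names, size_t n, uint32_t want) {
    for (size_t i = 0; i < n; i++)
        if (hash_name(names[i]) == want)
            return (int)i;
    return -1;
}

/* RC4 (KSA then PRGA), applied in place. Encryption and decryption are the
   same operation, so one routine serves both the generator side (encrypting
   the payload before it goes into .rsrc) and the loader side (decrypting it). */
void rc4_crypt(const uint8_t *key, size_t klen, uint8_t *buf, size_t len) {
    uint8_t S[256];
    for (unsigned i = 0; i < 256; i++)
        S[i] = (uint8_t)i;
    for (unsigned i = 0, j = 0; i < 256; i++) {
        j = (j + S[i] + key[i % klen]) & 0xFFu;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
    unsigned i = 0, j = 0;
    for (size_t k = 0; k < len; k++) {
        i = (i + 1) & 0xFFu;
        j = (j + S[i]) & 0xFFu;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
        buf[k] ^= S[(S[i] + S[j]) & 0xFFu];
    }
}

/* Check the implementation against the published RC4 test vector:
   key "Key", plaintext "Plaintext" -> BB F3 16 E8 D9 40 AF 0A D3. */
int rc4_known_vector_ok(void) {
    static const uint8_t expect[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    uint8_t buf[9];
    memcpy(buf, "Plaintext", 9);
    rc4_crypt((const uint8_t *)"Key", 3, buf, 9);
    return memcmp(buf, expect, 9) == 0;
}

/* Round-trip a constructed "payload" (a placeholder string, not shellcode)
   through encrypt -> decrypt; confirm the ciphertext differed from the
   plaintext and that the plaintext came back intact. Returns 1 on success. */
int rc4_roundtrip_ok(void) {
    static const uint8_t key[] = "assumed-rc4-key";          /* constructed */
    uint8_t payload[] = "CONSTRUCTED PAYLOAD BYTES 0123456789"; /* constructed */
    uint8_t orig[sizeof payload];
    memcpy(orig, payload, sizeof payload);
    rc4_crypt(key, sizeof key - 1, payload, sizeof payload);
    int changed = memcmp(orig, payload, sizeof payload) != 0;
    rc4_crypt(key, sizeof key - 1, payload, sizeof payload);
    return changed && memcmp(orig, payload, sizeof payload) == 0;
}

int main(void) {
    uint32_t want = hash_name("NtQueueApcThread");
    printf("hash(NtQueueApcThread) = 0x%08X -> export index %d\n",
           want, find_export_by_hash(kExports, N_EXPORTS, want));
    printf("rc4 test vector: %s\n", rc4_known_vector_ok() ? "ok" : "FAIL");
    printf("rc4 round trip:  %s\n", rc4_roundtrip_ok() ? "ok" : "FAIL");
    return 0;
}
```

The two halves fail in different ways if the constants drift: a generator and a loader that disagree on the RC4 key produce garbage that the loader will happily try to execute, and a hash routine whose rotate amount or seed differs from the one used to precompute the hashes returns -1 for every export. Keeping both sides' constants in one shared header, and checking a known vector as above, catches both before a test run on a target.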
### Usage:
* use GenerateRsrc to update DataFile.terra, which is the payload that gets stored in the loader's .rsrc section
### Notes:
* `SettingSyncHost.exe` is not present on Windows 11 machines. The loader has not been tested on Windows 11, so it is a _must_ to change the target process name to something else before testing there.
* it is probably better to compile with the ISO C++20 standard (`/std:c++20`)
### Demo (by @ColeVanlanding1):
#### Tested with Cobalt Strike and Havoc on Windows 10
**Download TerraLdr**