API Security Blog

TerraLdr – A Payload Loader Designed With Advanced Evasion Features


### Details:

* No CRT functions imported
* Syscall unhooking using KnownDllUnhook
* API hashing using the Rotr32 hashing algorithm
* Payload encryption using RC4; the payload is stored in the .rsrc section
* Process injection, targeting `SettingSyncHost.exe`
* PPID spoofing and the BlockDLLs policy using NtCreateUserProcess
* Stealthy remote process injection (written in chunks)
* Payload execution using debugging and NtQueueApcThread

### Usage:

* Use GenerateRsrc to update `DataFile.terra`, which becomes the payload stored in the loader's .rsrc section


### Notes:

* `SettingSyncHost.exe` is not present on Windows 11 machines. I have not tested on Windows 11, so changing the target process name to something else is a _must_ before testing there.
* It is probably better to compile with "ISO C++20 Standard (/std:c++20)".


### Demo (by @ColeVanlanding1):


#### Tested with Cobalt Strike and Havoc on Windows 10

**Download TerraLdr**
