TerraLdr: A Payload Loader Designed With Advanced Evasion Features

Details:

• no crt functions imported
• syscall unhooking using KnownDllUnhook
• api hashing using Rotr32 hashing algo
• payload encryption using rc4 - payload is saved in .rsrc
• process injection - targetting 'SettingSyncHost.exe'
• ppid spoofing & blockdlls policy using NtCreateUserProcess
• stealthy remote process injection - chunking
• using debugging & NtQueueApcThread for payload execution

Usage:

• use GenerateRsrc to update DataFile.terra that'll be the payload saved in the .rsrc section of the loader

Thanks For:

• https://offensivedefence.co.uk/posts/ntcreateuserprocess/
• https://github.com/vxunderground/VX-API

Notes:

• "SettingSyncHost.exe" isnt found on windows 11 machine, while i didnt tested with w11, its a must to change the process name to something else before testing
• it is possibly better to compile with "ISO C++20 Standard (/std:c++20)"

Profit:

Demo (by @ColeVanlanding1) :

Tested with cobalt strike && Havoc on windows 10