ChaiLdr – AV Evasive Payload Loader represents a cutting-edge approach in malware development, blending innovative evasion techniques to bypass modern antivirus solutions.
Crafted with advanced concepts learned in malware engineering, this tool introduces a new level of sophistication in delivering payloads undetected.
From indirect syscalls and API hammering to HTTP/S shellcode staging, ChaiLdr sets a new benchmark in the realm of cybersecurity threats.
A simple shellcode loader built with the malware development concepts I have learnt so far.
## Features
- Indirect syscalls with SysWhispers3 (jumper_randomized)
- QueueUserAPC Injection
- HTTP/S shellcode staging
- Execution delay using API Hammering
- IAT Camouflage
- API Hashing
## Testing With Havoc And The Latest Windows Defender
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikR3h3QnqOMkm70qpg-LOqshlOTN9NpwX23VCp6pm4gSK0NhVBFI424tmVjurn1-O_YCUsZgP0VfdIER0oHv74DZd29EBZ_WcY_UKIqGg3Enxp4zX-1Ky4ZOMWNu6-SiTqYir4EfYrZOMMoFWhY_8rk9Nd1nwZ7jGQX2DEmSrD1Mi2xJgT_qX_FCwN7TnH/s16000/win10.webp)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC3ccflX4SEt3hZ-f3Xwx_F_YQxbbq3_Y-kjzc6zXKppIrpRgpsO0OYxhuTZANutEoLvnrTA_pchNiogXwspWn6Q3U5nTa7KdxbiQAXURBOtGuMA1VnGA7jOG-qh60CZtRot3uQn6cNNspu9NeB60ilqRBUaQn0w_kRoxNphvQtEo7WLJEmqz4NsNZutY9/s16000/shell.webp)
## NOTE
**CRT Library Removal:** I tried hard to get the payload working with the CRT library removed and to make it independent with custom intrinsic functions for memcpy, memset, rand, srand, etc., but ended up with a lot of crashes, and after hours of debugging I couldn't get it working. I'll incorporate it into a dev branch soon enough.
I have used minicrt, MiniCRT, etc. for reference but still couldn't get it to work.
**Shellcode Encryption:** The shellcode is fetched from a remote server, with SSL support. I haven't incorporated any shellcode encryption; when used with Havoc, Havoc provides sleep encryption.
**Why not HellsGate?** HellsGate incorporates only direct syscalls; HellsHall uses indirect syscalls, but I'm still learning that and will build my own implementation of it in the future.
**EDR Evasion?** This is a simple shellcode payload loader; it can bypass a lot of antivirus software and some EDRs, but the techniques it incorporates aren't the best, so as I keep learning I'll make better loaders!