Malware

ChaiLdr – AV Evasive Payload Loader : Unveiling Next-Gen Evasion Capabilities

ChaiLdr – AV Evasive Payload Loader represents a cutting-edge approach in malware development, blending innovative evasion techniques to bypass modern antivirus solutions.

Crafted with advanced concepts learned in malware engineering, this tool introduces a new level of sophistication in delivering payloads undetected.

From indirect syscalls and API hammering to HTTP/S shellcode staging, ChaiLdr sets a new benchmark in the realm of cybersecurity threats.

A simple shellcode loader built with the concepts of Malware development I have learnt till now.

Features

  • Indirect syscalls with SysWhispers3 – jumper_randomized
  • QueueUserAPC Injection
  • HTTP/S shellcode staging
  • Execution delay using API Hammering
  • IAT Camouflage
  • API Hashing

Testing With Havoc And The Latest Windows Defender

NOTE

CRT Library Removal : I tried a lot to get the payload working with CRT Library removed and make it independent with custom intrinsic functions for – memcpy, memset, rand, stand, etc, but ended up with a lot of crashes and after hours of debugging couldn’t get it working, I’ll incorporate it into a dev branch soon enough.

I have used minicrt, MiniCRT, etc for references but still couldn’t get it to work.

Shellcode Encryption : The shellcode is fetched from a remote server, providing SSL support. I haven’t incorporated any shellcode encryption, when used with Havoc, Havoc provides Sleep encryption.

Why not HellsGate? : HellGate incorporated only direct syscalls, HellsHall uses indirect syscalls, but I’m still learning that and will build my custom implementation of it in the future

EDR Evasion? : This is a simple shellcode payload loader, it can bypass a lot of antivirus software and some EDRs but the techniques it incorporates aren’t the best, so as I keep learning I’ll make better loaders!

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Bash For Loop Examples Explained Simply for Beginners

If you are new to Bash scripting or Linux shell scripting, one of the most…

3 hours ago

How Does a Firewall Work Step by Step

How Does a Firewall Work Step by Step? What Is a Firewall and How Does…

2 days ago

ROADTools: The Modern Azure AD Exploration Framework

ROADTools is a powerful framework designed for exploring and interacting with Microsoft Azure Active Directory…

5 days ago

How to Enumerate Microsoft 365 Groups Using PowerShell and Python

Microsoft 365 Groups (also known as M365 Groups or Unified Groups) are at the heart…

5 days ago

SeamlessPass: Using Kerberos Tickets to Access Microsoft 365

SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain…

6 days ago

PPLBlade: Advanced Memory Dumping and Obfuscation Tool

PPLBlade is a powerful Protected Process Dumper designed to capture memory from target processes, hide…

6 days ago