TerraLdr is a Payload Loader Designed With Advanced Evasion Features.
Details
- no CRT functions imported
- syscall unhooking using KnownDllUnhook
- API hashing using the Rotr32 hashing algorithm
- payload encryption using RC4; the payload is stored in the .rsrc section
- process injection, targeting ‘SettingSyncHost.exe’
- PPID spoofing & BlockDLLs policy using NtCreateUserProcess
- stealthy remote process injection via chunking
- payload execution using debugging & NtQueueApcThread
Usage
- use GenerateRsrc to update DataFile.terra, which is the payload saved in the .rsrc section of the loader
Thanks For
Notes
- “SettingSyncHost.exe” isn't found on a Windows 11 machine; while I didn't test with W11, it's a must to change the process name to something else before testing
- it is possibly better to compile with “ISO C++20 Standard (/std:c++20)”
Profit
Demo (by @ColeVanlanding1) :