TerraLdr : A Payload Loader Designed With Advanced Evasion Features

TerraLdr is a Payload Loader Designed With Advanced Evasion Features.

Details

• no crt functions imported
• syscall unhooking using KnownDllUnhook
• api hashing using Rotr32 hashing algo
• payload encryption using rc4 – payload is saved in .rsrc
• process injection – targetting ‘SettingSyncHost.exe’
• ppid spoofing & blockdlls policy using NtCreateUserProcess
• stealthy remote process injection – chunking
• using debugging & NtQueueApcThread for payload execution

Usage

• use GenerateRsrc to update DataFile.terra that’ll be the payload saved in the .rsrc section of the loader

Thanks For

• https://offensivedefence.co.uk/posts/ntcreateuserprocess/
• https://github.com/vxunderground/VX-API

Notes

• “SettingSyncHost.exe” isnt found on windows 11 machine, while i didnt tested with w11, its a must to change the process name to something else before testing
• it is possibly better to compile with “ISO C++20 Standard (/std:c++20)”

Profit

Demo (by @ColeVanlanding1) :

Tested with cobalt strike && Havoc on windows 10