itsMe Posted June 9, 2023

Features:

- CRT library independent.
- The final DLL file can run the payload by loading the DLL (executing its entry point), or by executing the exported "Atom" function via the command line.
- DLL unhooking from the \KnownDlls\ directory, with no RWX sections.
- The encrypted payload is saved in the resource section and retrieved via custom code.
- AES256-CBC payload encryption with no table lookups or data-dependent branches, using ctaes; this is one of the best custom AES implementations I've encountered.
- AES key & IV encryption.
- Indirect syscalls, utilizing HellHall with ROP gadgets (for the unhooking part).
- Payload injection using APC calls (alertable thread).
- Payload execution using APC (alertable thread).
- API hashing using two different implementations of the CRC32 string hashing algorithm.
- The total size is 17 KB + payload size (multiple of 16).