1. Independent CRT library;
2. The final DLL file can run the Payload by loading the DLL (executing its entry point) or by executing the exported 'Atom' function via the command line;
3. The DLL unhooks from the \KnwonDlls directory and does not have an RWX field;
4. The encrypted Payload is stored in the resource field and can be retrieved through custom code;
5. The Payload is encrypted using AES256-CBC;
6. AES key and IV encryption;
7. Indirect system calls are used with ROP gadgetsHellHall;
8. Payload injection is implemented using APC call;
9. Payload execution is implemented using APC;
10. Two different CRC32 string hash algorithms are used to implement API hash;
11. The entire tool code mentions very little;
Working mechanism
Tool download
Researchers can use the following command to clone the source code of this project locally:
git clone https://github.com/NUL0x4C/AtomLdr.git
Tool usage
1.PayloadBuilderIt needs to compile and execute with the specified Payload, which will output a PayloadConfig.pc file containing the encrypted Payload and its encryption key and IV;
2. The generated PayloadConfig.pc file needs to replace the【PayloadConfig.pc】;
3. Compile the AtomLdr project into an x64 version;
4. To enable debug mode, please select【Here】Uncomment here;
Tool usage examples
Example 1
Execute AtomLdr.dll, run rundll32.exe, runHavocPayload, the tool interface is shown as follows:
Import address table of AtomLdr.dll:
Example 2 - Debug Mode
Run PayloadBuilder.exe, encrypt demon[111].bin (a Havoc Payload file):
Run AtomLdr.dll using rundll32.exe:
After Payload execution, Havoc captures the screen shot:
license agreement
The development and release of this project followApache-2.0Open source license agreement.
Project address
AtomLdr:【GitHub Gateway】
Reference materials
https://github.com/NUL0x4C/AtomLdr/blob/main/maldevacademy.com
https://github.com/bitcoin-core/ctaes
https://github.com/Maldev-Academy/HellHall
https://www.x86matthew.com/view_post?id=writeprocessmemory_apc
评论已关闭