• Stars
    star
    883
  • Rank 51,702 (Top 2 %)
  • Language
    C
  • License
    Apache License 2.0
  • Created almost 5 years ago
  • Updated 8 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A protective and Low Level Shellcode Loader that defeats modern EDR systems.

Alaris Shellcode Loader

Alaris

Build

Alaris is a new and sneaky shellcode loader capable of bypassing most EDR systems as of today (02/28/2021). It uses several known TTP’s that help protect the malware and it’s execution flow. Some of these features are:

  • Shellcode Encryption (AES-CBC 256)

  • Direct x86 Syscalls via @Jackson T’s new SyWhispers2

  • Prevents 3rd party (non-Microsoft Signed) DLL’s from hooking or injecting both the parent and child processes.

  • Parent Process ID spoofing

  • Overwrites it’s own shellcode after execution.

To get a full understanding on how Alaris works, see my post here.

Updates

As on February 28th, 2021, several changes have been made:

  1. You can now easily build Alaris with the Python3 builder.py tool.

  2. Moved from SysWhispers to SysWhispers2

  3. Key and IV are now dynamic for each build via PBKDF2

Building Alaris

The easiest method to build Alaris is with builder.py. I assume the following when you’re building a new Alaris loader:

  1. You are compiling on a Windows host. Preferably, Windows 10.

  2. You have Visual Studio 2019+ [Community, Professional] installed with C++ (See example here)

  3. You have Python3 installed and have pip install -r requirements.txt

usage: builder.py [-h] -s  -p  [-o]

optional arguments:
  -h, --help        show this help message and exit
  -s, --shellcode   Path to RAW shellcode file
  -p, --password    Encryption Passphrase
  -o, --out         Output Path for compiled binary
Example Syntax
# Output Compiled Binary to CWD
python3 builder.py -s C:\Users\admin\payload.bin -p example_password

# Output Compiled Binary to a path of your choosing.
python3 builder.py -s C:\Users\admin\payload.bin -p example_password -o C:\Users\admin\Desktop\my_alaris

Cobalt Strike Example

Generate x64 Shellcode for you Cobalt Strike Listener

Build


Use the builder.py to build the loader

Build


Executing the loader

Build