• Stars
    star
    865
  • Rank 52,730 (Top 2 %)
  • Language
    C
  • License
    MIT License
  • Created over 2 years ago
  • Updated 6 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Cobalt Strike UDRL for memory scanner evasion.

AceLdr - Avoid Memory Scanners

A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect. AceLdr Demo

Features

Easy to Use

Import a single CNA script before generating shellcode.

Dynamic Memory Encryption

Creates a new heap for any allocations from Beacon and encrypts entries before sleep.

Code Obfuscation and Encryption

Changes the memory containing CS executable code to non-executable and encrypts it (FOLIAGE).

Return Address Spoofing at Execution

Certain WinAPI calls are executed with a spoofed return address (InternetConnectA, NtWaitForSingleObject, RtlAllocateHeap).

Sleep Without Sleep

Delayed execution using WaitForSingleObjectEx.

RC4 Encryption

All encryption performed with SystemFunction032.

Known Issues

  • Not compatible with loaders that rely on the shellcode thread staying alive.

References

This project would not have been possible without the following:

Other features and inspiration were taken from the following: