{"id":13840467,"url":"https://github.com/joshfaust/Alaris","last_synced_at":"2025-07-11T07:34:02.903Z","repository":{"id":37729442,"uuid":"242366703","full_name":"joshfaust/Alaris","owner":"joshfaust","description":"A protective and Low Level Shellcode Loader that defeats modern EDR systems.","archived":false,"fork":false,"pushed_at":"2024-03-20T15:50:57.000Z","size":1285,"stargazers_count":882,"open_issues_count":7,"forks_count":141,"subscribers_count":23,"default_branch":"master","last_synced_at":"2024-08-25T12:01:09.267Z","etag":null,"topics":["bypass-antivirus","shellcode-loader","syscalls"],"latest_commit_sha":null,"homepage":"https://sevrosecurity.com/2020/10/14/alaris-a-protective-loader/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/joshfaust.png","metadata":{"files":{"readme":"README.adoc","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-02-22T15:42:37.000Z","updated_at":"2024-08-12T19:58:00.000Z","dependencies_parsed_at":"2024-05-01T03:42:54.599Z","dependency_job_id":"8d28d87c-5d6c-40fa-985a-6e273f972d11","html_url":"https://github.com/joshfaust/Alaris","commit_stats":null,"previous_names":["joshfaust/alaris","cribdragg3r/alaris"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joshfaust%2FAlaris","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joshfaust%2FAlaris/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joshfaust%2FAlaris/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHu
b/repositories/joshfaust%2FAlaris/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/joshfaust","download_url":"https://codeload.github.com/joshfaust/Alaris/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225705468,"owners_count":17511306,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass-antivirus","shellcode-loader","syscalls"],"created_at":"2024-08-04T17:00:48.999Z","updated_at":"2024-11-21T09:31:36.996Z","avatar_url":"https://github.com/joshfaust.png","language":"C","readme":"= Alaris Shellcode Loader\nJoshua Faust \u003cJoshua.Faust@sevrosecurity.com\u003e\n:toc:\n\n== Alaris\n\n+++\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"docs/vt_scan.png\" alt=\"Build\" width=\"175%\" height=\"75%\"/\u003e\n\u003c/p\u003e\n+++\n\nAlaris is a new and sneaky shellcode loader capable of bypassing most EDR systems as of today (02/28/2021). It uses several known TTPs that help protect the malware and its execution flow. Some of these features are:\n\n* Shellcode Encryption (AES-CBC 256)\n* Direct x86 Syscalls via https://twitter.com/Jackson_T[@Jackson T's] new https://github.com/jthuraisamy/SysWhispers2[SysWhispers2]\n* Prevents 3rd party (non-Microsoft Signed) DLLs from hooking or injecting both the parent and child processes.\n* Parent Process ID spoofing\n* Overwrites its own shellcode after execution.
\n\nTo get a full understanding of how Alaris works, https://sevrosecurity.com/2020/10/14/alaris-a-protective-loader/[see my post here].\n\n=== Updates\n\nAs of February 28th, 2021, several changes have been made:\n\n. You can now easily build Alaris with the Python3 `builder.py` tool.\n. Moved from https://github.com/jthuraisamy/SysWhispers[SysWhispers] to https://github.com/jthuraisamy/SysWhispers2[SysWhispers2]\n. Key and IV are now dynamic for each build via PBKDF2\n\n== Building Alaris\n\nThe easiest method to build Alaris is with `builder.py`. I assume the following when you're building a new Alaris loader:\n\n. You are compiling on a Windows host. Preferably, Windows 10.\n. You have Visual Studio 2019+ [Community, Professional] installed with C++ (https://github.com/cribdragg3r/Alaris/issues/2#issuecomment-749069975[See example here])\n. You have Python3 installed and have run `pip install -r requirements.txt`\n\n\n[source, text]\n----\nusage: builder.py [-h] -s  -p  [-o]\n\noptional arguments:\n  -h, --help        show this help message and exit\n  -s, --shellcode   Path to RAW shellcode file\n  -p, --password    Encryption Passphrase\n  -o, --out         Output Path for compiled binary\n----\n\n.Example Syntax\n[source, shell]\n----\n# Output Compiled Binary to CWD\npython3 builder.py -s C:\\Users\\admin\\payload.bin -p example_password\n\n# Output Compiled Binary to a path of your choosing.\npython3 builder.py -s C:\\Users\\admin\\payload.bin -p example_password -o C:\\Users\\admin\\Desktop\\my_alaris\n----\n\n\n=== Cobalt Strike Example\n\n*Generate x64 Shellcode for your Cobalt Strike Listener*\n+++\n\u003cbr\u003e\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"docs/cobalt_example1.gif\" alt=\"Build\" width=\"100%\" height=\"100%\"/\u003e\n\u003c/p\u003e\n\u003cbr\u003e\n+++\n\n*Use `builder.py` to build the loader*\n+++\n\u003cbr\u003e\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"docs/build_example1.gif\" alt=\"Build\" width=\"100%\" 
height=\"100%\"/\u003e\n\u003c/p\u003e\n\u003cbr\u003e\n+++\n\n*Executing the loader*\n+++\n\u003cbr\u003e\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"docs/cobalt_example2.gif\" alt=\"Build\" width=\"100%\" height=\"100%\"/\u003e\n\u003c/p\u003e\n\u003cbr\u003e\n+++\n\n","funding_links":[],"categories":["C"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoshfaust%2FAlaris","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjoshfaust%2FAlaris","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoshfaust%2FAlaris/lists"}