Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/joshfaust/Alaris
A protective and Low Level Shellcode Loader that defeats modern EDR systems.
https://github.com/joshfaust/Alaris
bypass-antivirus shellcode-loader syscalls
Last synced: about 1 month ago
JSON representation
A protective and Low Level Shellcode Loader that defeats modern EDR systems.
- Host: GitHub
- URL: https://github.com/joshfaust/Alaris
- Owner: joshfaust
- License: apache-2.0
- Created: 2020-02-22T15:42:37.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2024-03-20T15:50:57.000Z (6 months ago)
- Last Synced: 2024-05-02T05:17:20.140Z (5 months ago)
- Topics: bypass-antivirus, shellcode-loader, syscalls
- Language: C
- Homepage: https://sevrosecurity.com/2020/10/14/alaris-a-protective-loader/
- Size: 1.23 MB
- Stars: 870
- Watchers: 23
- Forks: 139
- Open Issues: 7
-
Metadata Files:
- Readme: README.adoc
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - joshfaust/Alaris - A protective and Low Level Shellcode Loader that defeats modern EDR systems. (C)
README
= Alaris Shellcode Loader
Joshua Faust
:toc:
== Alaris
+++
+++
Alaris is a new and sneaky shellcode loader capable of bypassing most EDR systems as of today (02/28/2021). It uses several known TTP's that help protect the malware and it's execution flow. Some of these features are:
* Shellcode Encryption (AES-CBC 256)
* Direct x86 Syscalls via https://twitter.com/Jackson_T[@Jackson T's] new https://github.com/jthuraisamy/SysWhispers2[SyWhispers2]
* Prevents 3rd party (non-Microsoft Signed) DLL's from hooking or injecting both the parent and child processes.
* Parent Process ID spoofing
* Overwrites it's own shellcode after execution.
To get a full understanding on how Alaris works, https://sevrosecurity.com/2020/10/14/alaris-a-protective-loader/[see my post here].
=== Updates
As on February 28th, 2021, several changes have been made:
. You can now easily build Alaris with the Python3 `builder.py` tool.
. Moved from https://github.com/jthuraisamy/SysWhispers[SysWhispers] to https://github.com/jthuraisamy/SysWhispers2[SysWhispers2]
. Key and IV are now dynamic for each build via PBKDF2
== Building Alaris
The easiest method to build Alaris is with `builder.py`. I assume the following when you're building a new Alaris loader:
. You are compiling on a Windows host. Preferably, Windows 10.
. You have Visual Studio 2019+ [Community, Professional] installed with C++ (https://github.com/cribdragg3r/Alaris/issues/2#issuecomment-749069975[See example here])
. You have Python3 installed and have `pip install -r requirements.txt`
[source, python]
----
usage: builder.py [-h] -s -p [-o]
optional arguments:
-h, --help show this help message and exit
-s, --shellcode Path to RAW shellcode file
-p, --password Encryption Passphrase
-o, --out Output Path for compiled binary
----
.Example Syntax
[source, python]
----
# Output Compiled Binary to CWD
python3 builder.py -s C:\Users\admin\payload.bin -p example_password
# Output Compiled Binary to a path of your choosing.
python3 builder.py -s C:\Users\admin\payload.bin -p example_password -o C:\Users\admin\Desktop\my_alaris
----
=== Cobalt Strike Example
*Generate x64 Shellcode for you Cobalt Strike Listener*
+++
+++
*Use the `builder.py` to build the loader*
+++
+++
*Executing the loader*
+++
+++