Skip to content

A protective and Low Level Shellcode Loader that defeats modern EDR systems.

License

Notifications You must be signed in to change notification settings

shellcode-club/Alaris

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Alaris Shellcode Loader

Alaris

Build

Alaris is a new and sneaky shellcode loader capable of bypassing most EDR systems as of today (02/28/2021). It uses several known TTP’s that help protect the malware and it’s execution flow. Some of these features are:

  • Shellcode Encryption (AES-CBC 256)

  • Direct x86 Syscalls via @Jackson T’s new SyWhispers2

  • Prevents 3rd party (non-Microsoft Signed) DLL’s from hooking or injecting both the parent and child processes.

  • Parent Process ID spoofing

  • Overwrites it’s own shellcode after execution.

To get a full understanding on how Alaris works, see my post here.

Updates

As on February 28th, 2021, several changes have been made:

  1. You can now easily build Alaris with the Python3 builder.py tool.

  2. Moved from SysWhispers to SysWhispers2

  3. Key and IV are now dynamic for each build via PBKDF2

Building Alaris

The easiest method to build Alaris is with builder.py. I assume the following when you’re building a new Alaris loader:

  1. You are compiling on a Windows host. Preferably, Windows 10.

  2. You have Visual Studio 2019+ [Community, Professional] installed with C++ (See example here)

  3. You have Python3 installed and have pip install -r requirements.txt

usage: builder.py [-h] -s  -p  [-o]

optional arguments:
  -h, --help        show this help message and exit
  -s, --shellcode   Path to RAW shellcode file
  -p, --password    Encryption Passphrase
  -o, --out         Output Path for compiled binary
Example Syntax
# Output Compiled Binary to CWD
python3 builder.py -s C:\Users\admin\payload.bin -p example_password

# Output Compiled Binary to a path of your choosing.
python3 builder.py -s C:\Users\admin\payload.bin -p example_password -o C:\Users\admin\Desktop\my_alaris

Cobalt Strike Example

Generate x64 Shellcode for you Cobalt Strike Listener

Build


Use the builder.py to build the loader

Build


Executing the loader

Build


About

A protective and Low Level Shellcode Loader that defeats modern EDR systems.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C 55.1%
  • Assembly 17.1%
  • C++ 14.8%
  • Python 12.3%
  • YARA 0.7%