Project Ares Injector is a Proof of Concept (PoC) loader written in C/C++ based on the Transacted Hollowing technique. The loader injects a PE into a remote process and features:
- PPID spoofing
- CIG to block non-Microsoft-signed binaries
- Dynamic function resolution without
LoadLibrary()orGetProcAddress()APIs - API hashing
- Unhooks NTDLL by refreshing the
.textsection with a clean version from disk - Minimized use of WIN32 APIs
- Basic sandbox detection
- AES256 CBC encrypted payload loaded from PE resources
The loader is currently only 64-bit and only supports 64-bit payloads.
Cryptor is a basic console application meant to encrypt the payload before adding it as a PE resource to the Injector.
It takes a single <filepath> argument to the payload on disk, which is then encrypted and written to disk as payload.bin.
- Change the encryption key in Injector/main.cpp at line 329 to a 16-byte value
- Change the encryption key in Cryptor/main.cpp at line 34 to match the encryption key in Injector
Optionally, the initialization vectors can be modified, they should be 16-bytes as well:
const uint8_t iv[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };- Use
Cryptor.exeto encrypt your x64 payload of choice - Add
payload.binas a resource to Injector, make sure to name itpayload_binor modify Injector/main.cpp line 324 to match the given name:
HRSRC rc = FindResource(NULL, MAKEINTRESOURCE(IDR_PAYLOAD_BIN1), L"PAYLOAD_BIN");- Profit
Note:
The default spawned process is
svchost.exeThe default spoofed parent process isexplorer.exe