An evasive shellcode loader with indirect syscalls, thread name-calling allocation, and PoolParty injection.
- AV/EDR Evasion: Uses shellcode encoding and indirect syscalls through the Hell's Gate technique.
- Remote Process Injection: Injects shellcode into remote processes via the Thread name-calling method.
- Shellcode Execution: Executes shellcode via the PoolParty technique (Direct I/O).
Clone the repository:

```sh
git clone https://github.com/aniko33/AlcatrazLdr.git --recurse-submodules
cd AlcatrazLdr
```
Run the AlcatrazLdr builder (ensure Python 3 is installed):

```sh
python alcatrazLdr.py --help
```

```
usage: AlcatrazLdr [-h] [--target-process TARGET_PROCESS] [--quiet] [--debug]
                   [--docker]
                   file

Evasive shellcode loader with indirect syscalls, Thread name-calling
allocation, PoolParty injection

positional arguments:
  file                  File to embed into the loader

options:
  -h, --help            show this help message and exit
  --target-process, -tp TARGET_PROCESS
                        Target process name to inject
  --quiet, -q           No banner
  --debug, -d           Debug flag
  --docker, -dk         Docker flag
```
To create a new executable:

```sh
python alcatrazLdr.py <path_to_shellcode.bin>
```

To create a new executable with a custom target process (default: notepad.exe):

```sh
python alcatrazLdr.py <path_to_shellcode.bin> --target-process <target.exe>
```

To create a new executable with Docker support:

```sh
python alcatrazLdr.py <path_to_shellcode.bin> --docker
```

To create a new executable with the debug flag enabled:

```sh
python alcatrazLdr.py <path_to_shellcode.bin> --debug
```

To suppress the banner output:

```sh
python alcatrazLdr.py <path_to_shellcode.bin> --quiet
```
- The shellcode size is limited to 65532 bytes due to the RtlInitUnicodeStringEx function.