Founding: The Next-Gen Loader Generator for Advanced Evasion

by ddos · December 23, 2025

Founding is a tool that processes shellcode in .bin, .exe, or .dll formats, applying advanced obfuscation or encryption techniques to generate stealthy binaries with sophisticated execution methods.

Features

Core Features (Applied in Every Compilation)

Dynamic API Hashing
Generates unique hash values for API functions at runtime to evade detection.
IAT Camouflage
Invokes select Windows API functions to enhance binary legitimacy.
Minimal CRT
Removes the CRT Library for precise control over the Import Address Table.
Watermark
Embeds custom watermarks in DOS Stub, Checksum, PE Section, or file overlay.
Resource File
Embeds file properties resembling cleanmgr.exe for authenticity.
Preamble 0xFC 0x48
Prepends xFCx48 to shellcode to bypass static analysis.

Encryption and Obfuscation

Supports IPv4/IPv6/MAC/UUID obfuscation.
Offers XOR, RC4, and AES encryption.
Includes payload padding for extra obfuscation.
Generates random encryption keys per run.

Generators Types

Raw
Directly processes .bin payloads.
Donut
Uses Donut to create .bin without AMSI bypass.
Clematis
Employs Clematis for .bin with garble obfuscation and compression.
Powershell-donut
Converts .exe to .bin using PS2EXE and Donut.

Execution types

APC
Executes via Asynchronous Procedure Calls.
Early-Bird-Debug
Uses APC with a remote debug or suspended process.
EnumThreadWindows
Leverages the EnumThreadWindows callback function.
Local-Mapping-Inject
Performs local mapping with a suspended thread.
Early-Cascade
Hooks ntdll!SE_DllLoaded for payload execution.
Fibers
Switches execution contexts without new threads.
Process-Hypnosis
Runs payload in a debugged child process, then detaches.
Tp-Alloc
Queues shellcode using Thread Pool API (TpAllocWait/TpSetWait).
Local-Hollowing
Duplicates and runs PE in a suspended main thread.

Optional features

Indirect Syscalls

Hells-Hall
Change all implementation to Indirect Syscalls (HellsHall) including optional flags.
Syswhispers3
Change all implementation to Indirect Syscalls (SysWhispers3) including optional flags.

Compiler

Clang-LLVM
Use Clang-LLVM obfuscation to evade static analysis.

AMSI Bypasses

Amsi-Opensession
Patch AmsiOpenSession to return invalid argument.
Amsi-Scanbuffer
Patch AmsiScanBuffer to return invalid argument.
Amsi-Signature
Patch AmsiSignature to return invalid string corrupting the signature value.
Amsi-Codetrust
Patch WldpQueryDynamicCodeTrust to return invalid argument.

Unhooking

Unhooking-Createfile
Unhook all functions from ntdll.dll mapped with CreateFileMappingA.
Unhooking-Knowndlls
Unhook all functions from ntdll.dll from KnownDlls directory.
Unhooking-Debug
Unhook all functions from ntdll.dll copying the new NTDLL from a new debug process.
Hookchain
Modifies the IAT to reroute function calls, allowing it to intercept and handle them.

ETW Bypasses

Etw-Eventwrite
Patch EtwEventWriteFull, EtwEventWrite, and EtwEventWriteEx to blind EDR telemetry.
Etw-Trace-Event
Patch NtTraceEvent to blind EDR telemetry.
Etw-pEventWriteFull
Patch private function EtwpEventWriteFull to return invalid parameters to blind EDR telemetry.

Sandbox Bypasses

Api-Hammering
Creates a random file, reads/writes random data, delaying execution for 10 sec.
Delay-Mwfmoex
Use MsgWaitForMultipleObjectsEx delaying execution for 10 sec.
Fibonacci
Calculate Fibonacci delaying execution for 10 sec.
Mouse-Clicks
Logs clicks for 20 seconds; if fewer than 1 click, assumes sandboxed environment.
Resolution
Checks resolution for sandbox environments.
Processes
Checks if the system is running less than 50 processes; assumes sandboxed environment.
Hardware
Checks if the system has less than 2 processors, 2 GB RAM, and 2 USBs mounted; assumes sandboxed environment.

Payload Control

Check-Running
Check if the executable is already running; if so, prevent duplicate execution.
Self-Delete
Ensure the payload deletes itself during execution; if deletion fails, deletes file content reducing its size to zero bytes.

Miscellaneous

Dll
Create a DLL with optional export function name (default: runme), runs rundll32 in background.
Dll-Stealthy
Create a stealthier DLL with optional export function name (default: runme).
Service
Create an executable to be run as a service.
Inflate
Inflate the executable with random Portuguese words to increase its size.
Sign
Sign the final executable with a certificate.
No-Window
Run without opening a terminal window.
No-Print
Run without printing any output, remove all printfs from implementation.
Decoy
Embed a decoy file (e.g., PDF) to be executed alongside the payload.

Download & Use

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal