NovaLdr: Threadless Module Stomping In Rust

NovaLdr

NovaLdr is a threadless module stomping loader written in Rust, designed as a learning project while exploring the world of malware development. It uses techniques such as indirect syscalls and string encryption to achieve its functionality. This project is not intended to be a complete or polished product but rather a journey into the technical aspects of malware, showcasing various techniques and features.

Features Overview

  • Indirect syscalls
  • String encryption
  • Shellcode encryption: simple XOR, followed by converting the shellcode bytes into MAC address format
  • Threadless execution
    • Threadless inject: writes a trampoline into a specified function within a given DLL and redirects it to load another DLL.
    • JMPThreadHijack: hijacks a thread without calling SetThreadContext. Still needs improvement because I’m lazy and haven’t implemented the whole thing well enough to maintain the original functionality of the thread. Just a quick and dirty PoC (beware of payload execution control: browsers tend to execute the payload multiple times).
  • Module unlink
    • Overwrites the DOS header magic bytes.
    • Clears the DLL base addresses from the target process.
    • Eliminates DLL name strings from the target process.
    • Unlinks the module from the module list.
  • Process spawning: spawns a suspended process with NtCreateUserProcess, spoofs the PPID and sets the process to block DLLs
  • Ntdll unhooking: remote and local ntdll unhooking using the Perun’s Fart technique
  • No GetModuleHandleA or GetProcAddress: custom replacement functions built on NT functions
  • Sleep encrypt: a custom sleep function that encrypts the stack for the duration of the sleep using a separate thread.

Download

git clone https://github.com/BlackSnufkin/NovaLdr.git

Use

  • Generate the shellcode file: msfvenom -p windows/x64/messagebox TITLE=NovaLdr TEXT='In memory of all those murdered in the Nova party massacre 7.10.2023' ICON=WARNING EXITFUNC=thread -b '\xff\x00\x0b' -f raw -e none -o Nova_MSG.bin
  • Encrypt the shellcode file and convert it to MAC address format: python bin2mac.py Nova_MSG.bin > nova_msg.txt
  • Copy the content of the output file and paste it into main.rs
  • Compile the program by running compile.bat
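The MAC address encoding produced by bin2mac.py is also what an analyst would look for when triaging a suspected NovaLdr build. The following is an added defender-side example, not part of NovaLdr: it finds runs of MAC-formatted strings in a source file or strings dump, flags a run long enough to be a packed byte blob rather than a few genuine addresses, and decodes it given the XOR key. The '-' and ':' separators, the repeating-key XOR and the sample input are assumptions, since the page does not show bin2mac.py's exact output.

```python
import re
from typing import Dict, List, Optional

# One MAC-style token: six hex octets separated by '-' or ':' (the separator is an
# assumption; the exact output format of bin2mac.py is not shown on the page).
MAC_TOKEN = re.compile(r"\b(?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2}\b")

# Constructed sample resembling a Rust source fragment. The three array entries encode
# the ASCII marker b"NOT-REAL-SHELLCODE" XORed with 0x5a, not any real payload.
SAMPLE_SOURCE = '''
let eth0 = "00-1a-2b-3c-4d-5e";   // a genuine, isolated MAC address in config
let data: [&str; 3] = [
    "14-15-0e-77-08-1f",
    "1b-16-77-09-12-1f",
    "16-16-19-15-1e-1f",
];
'''

def mac_runs(text: str, max_gap: int = 16) -> List[List[str]]:
    """Group tokens into runs separated only by quotes, commas, brackets or whitespace
    (an array literal). A genuine address in unrelated text forms a run of one."""
    runs: List[List[str]] = []
    last_end = 0
    for m in MAC_TOKEN.finditer(text):
        gap = text[last_end:m.start()]
        if runs and len(gap) <= max_gap and re.fullmatch(r'[\s",\[\]]*', gap):
            runs[-1].append(m.group())
        else:
            runs.append([m.group()])
        last_end = m.end()
    return runs

def tokens_to_bytes(tokens: List[str]) -> bytes:
    return bytes(int(octet, 16) for tok in tokens for octet in re.split(r"[-:]", tok))

def xor_decode(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def triage(text: str, min_run: int = 8, xor_key: Optional[bytes] = None) -> Dict[str, object]:
    """Report the longest run of MAC tokens and flag it when it is long enough to be a
    packed byte blob. Real payloads span hundreds of tokens, so keep min_run high; the
    toy sample above needs a lower value to trip the flag."""
    runs = mac_runs(text)
    longest = max(runs, key=len, default=[])
    blob = tokens_to_bytes(longest)
    if xor_key:
        blob = xor_decode(blob, xor_key)
    return {"total_tokens": sum(len(r) for r in runs), "longest_run": len(longest),
            "suspicious": len(longest) >= min_run, "blob": blob}

if __name__ == "__main__":
    print(triage(SAMPLE_SOURCE, min_run=3, xor_key=b"\x5a"))
```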

Copyright (C) 2023 BlackSnufkin 

Source: https://github.com/BlackSnufkin/