PaulzePirate/IORI_Loader

UUID shellcode Loader with dynamic indirect syscall implementation, syscall number/instruction get resolved dynamicaly at runtime, and the syscall number/instruction get unhooked using Halosgate technique. Function address get resolved from the PEB by offsets and comparaison by hashes

IORI_Loader - Bypass EDRs

Description

FUD advanced Loader implementing dynamic indirect syscall with syscall number and syscall instruction Unhooking with Halosgate technic. Shellcode in UUIDs format to avoid static analysis, syscall instructions and syscall number don't exist in the binary opcode which makes it avoid static analysis and they get resolved at run time. also it gets the API addresses from the PEB by offsets and the comparison is done by hashing.

Credits / References

@smelly__vx & @am0nsec ( Creators/Publishers of the Hells Gate technique )

• https://github.com/am0nsec/HellsGate
• The Original Paper

Reenz0h from @SEKTOR7net (Creator of the HalosGate technique )

• https://blog.sektor7.net/#!res/2021/halosgate.md
• https://institute.sektor7.net/rto-win-evasion