https://github.com/Krypteria/AtlasLdr

Reflective x64 PE/DLL Loader implemented using Dynamic Indirect Syscalls

Atlas is a reflective x64 loader that has the following features:

Features

• Retrieve of DLL and PE from a remote server
• Manual Mapping on a remote process
• Position independent code
• Use of indirect Syscalls
  • ZwAllocateVirtualMemory
  • ZwProtectVirtualMemory
  • ZwQuerySystemInformation
  • ZwFreeVirtualMemory
  • ZwCreateThreadEx
• Single stub for all Syscalls
  • Dynamic SSN retrieve
  • Dynamic Syscall address resolution
• Atlas also uses
  • LdrLoadDll
  • NtWriteVirtualMemory
• Custom implementations of
  • GetProcAddress
  • GetModuleHandle
• API hashing
• Cleanup on error
• Variable EntryPoint

Usage

Compilation

Atlas needs to be compiled using x86_64-w64-mingw32-g++, once you have it on your system, just execute make (or mingw32-make.exe) on the project folder

Future work

• Improve the way the syscalls are made
• x86 support
• Give more flexibility to the HTTP client
• Implement some form of encryption on the remote connection

Disclaimer

There are improvements that could be made such as modifying the way syscalls are executed with a consistent and error-proof assembly code. In the future this could be implemented.