Project Ares is a Proof of Concept (PoC) loader written in C/C++ based on the Transacted Hollowing technique

Overview

Project Ares

Project Ares Injector

Project Ares Injector is a Proof of Concept (PoC) loader written in C/C++ based on the Transacted Hollowing technique. The loader injects a PE into a remote process and features:

  • PPID spoofing
  • CIG (Code Integrity Guard) to block non-Microsoft-signed binaries
  • Dynamic function resolution without LoadLibrary() or GetProcAddress() APIs
  • API hashing
  • Unhooks NTDLL by refreshing the .text section with a clean version from disk
  • Minimized use of WIN32 APIs
  • Basic sandbox detection
  • AES256 CBC encrypted payload loaded from PE resources

The loader is currently only 64-bit and only supports 64-bit payloads.

Project Ares Cryptor

Cryptor is a basic console application meant to encrypt the payload before adding it as a PE resource to the Injector. It takes a single <filepath> argument to the payload on disk, which is then encrypted and written to disk as payload.bin.

Usage

  1. Change the encryption key in Injector/main.cpp at line 329 to a 16-byte value
  2. Change the encryption key in Cryptor/main.cpp at line 34 to match the encryption key in Injector

     Optionally, the initialization vectors can be modified; they should be 16 bytes as well:

     const uint8_t iv[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };

  3. Use Cryptor.exe to encrypt your x64 payload of choice
  4. Add payload.bin as a resource to Injector, making sure to name it payload_bin, or modify Injector/main.cpp line 324 to match the given name:

     HRSRC rc = FindResource(NULL, MAKEINTRESOURCE(IDR_PAYLOAD_BIN1), L"PAYLOAD_BIN");

  5. Profit

Note:

The default spawned process is svchost.exe. The default spoofed parent process is explorer.exe.
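As an added detection-side example that is not part of the Ares project: a Python check over constructed Sysmon-style process creation lines. PPID spoofing makes the logged parent the spoofed one, so the pair svchost.exe under explorer.exe is exactly what the telemetry shows, and it stands out because svchost.exe is normally started by services.exe. The log format and the expected-parent table are assumptions of this example.

```python
from typing import Dict, List, Optional

# Assumed expected-parent table for this example: which parent image
# legitimately starts a given child image (lower-cased file names).
EXPECTED_PARENTS: Dict[str, set] = {
    "svchost.exe": {"services.exe"},
}

# Constructed Sysmon-like process creation lines; not real telemetry.
SAMPLE_LOG = """\
EventID=1; Image=C:\\Windows\\System32\\services.exe; ParentImage=C:\\Windows\\System32\\wininit.exe
EventID=1; Image=C:\\Windows\\System32\\svchost.exe; ParentImage=C:\\Windows\\System32\\services.exe
EventID=1; Image=C:\\Windows\\System32\\svchost.exe; ParentImage=C:\\Windows\\explorer.exe
EventID=1; Image=C:\\Windows\\System32\\notepad.exe; ParentImage=C:\\Windows\\explorer.exe
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split a 'key=value; key=value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def base_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_parent(event: Dict[str, str]) -> Optional[str]:
    """Return a finding when the child/parent pair is anomalous, else None."""
    if event.get("EventID") != "1":
        return None
    child = base_name(event.get("Image", ""))
    parent = base_name(event.get("ParentImage", ""))
    allowed = EXPECTED_PARENTS.get(child)
    if allowed is None or parent in allowed:
        return None
    return f"{child} started by {parent}; expected one of {sorted(allowed)}"


def scan(log: str) -> List[str]:
    """Run the parent check over every line of the log and collect findings."""
    return [f for line in log.splitlines() if (f := check_parent(parse_line(line)))]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("ALERT:", finding)
```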

Comments
  • Weak encryption [ risk: medium ]

    Very cool project, I have one suggestion.

    CBC mode has a risk of collision, considered a weak security mode for AES context; my suggestion is to use mode GCM instead of CBC. https://github.com/Cerbersec/Ares/blob/main/Ares/Cryptor/aes.c#L501

    Reference: https://vulncat.fortify.com/en/detail?id=desc.semantic.cpp.weak_encryption_insecure_mode_of_operation

    wontfix 
    opened by CoolerVoid 1