
Robot Sees Light with No CPU

19 January 2026 at 19:00

If you ever built a line following robot, you’ll be nostalgic about [Jeremy’s] light-seeking robot. It is a very simple build since there is no CPU and, therefore, also no software.

The trick, of course, is a pair of photo-sensitive resistors. A pair of motors turns the robot until one of the sensors detects light, then moves it forward.

This is a classic beginner project made even easier with a 3D printer and PCB to hold the components. You might consider using an adjustable resistor to let you tune the sensitivity more easily. In addition, we’ve found that black tubes around the light sensors in this sort of application give you a better directional reading, which can help.

The robot only has two wheels, but a third skid holds the thing up. A freely-rotating wheel might work better, but for a simple demonstration like this, the skid plate is perfectly fine.

This is a good reminder that not every project has to be fantastically complex or require an RTOS and high-speed multi-core CPUs. You can do a lot with just a handful of simple components.

If you want to follow a line, the basic idea is usually the same, with perhaps some different sensors. Usually, but not always.

TerraLdr - A Payload Loader Designed With Advanced Evasion Features

By: Unknown
10 January 2023 at 06:30


TerraLdr: A Payload Loader Designed With Advanced Evasion Features

Details:

  • no crt functions imported
  • syscall unhooking using KnownDllUnhook
  • API hashing using the Rotr32 hashing algo
  • payload encryption using RC4 - payload is saved in .rsrc
  • process injection - targeting 'SettingSyncHost.exe'
  • ppid spoofing & blockdlls policy using NtCreateUserProcess
  • stealthy remote process injection - chunking
  • using debugging & NtQueueApcThread for payload execution

Usage:

Thanks For:

Notes:

  • "SettingSyncHost.exe" isn't found on Windows 11 machines; while I haven't tested with W11, it's a must to change the process name to something else before testing
  • it is possibly better to compile with "ISO C++20 Standard (/std:c++20)"

Profit:

Demo (by @ColeVanlanding1) :


Tested with Cobalt Strike && Havoc on Windows 10



AceLdr - Cobalt Strike UDRL For Memory Scanner Evasion

By: Unknown
8 January 2023 at 06:30


A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect.


Features

Easy to Use

Import a single CNA script before generating shellcode.

Dynamic Memory Encryption

Creates a new heap for any allocations from Beacon and encrypts entries before sleep.

Code Obfuscation and Encryption

Changes the memory containing CS executable code to non-executable and encrypts it (FOLIAGE).

Return Address Spoofing at Execution

Certain WinAPI calls are executed with a spoofed return address (InternetConnectA, NtWaitForSingleObject, RtlAllocateHeap).

Sleep Without Sleep

Delayed execution using WaitForSingleObjectEx.

RC4 Encryption

All encryption performed with SystemFunction032.

Known Issues

  • Not compatible with loaders that rely on the shellcode thread staying alive.

References

This project would not have been possible without the following:

Other features and inspiration were taken from the following:



TerraLdr - A Payload Loader Designed With Advanced Evasion Features

By: Zion3R
10 January 2023 at 06:30

