OdinLdr
Features:
• Redirect all WININET calls through callstack crafting
• Encrypt beacon during sleep
• Encrypt beacon heap during sleep
• Self-delete the loader
Execution of loader:
1 - Create a heap for beacon usage
2 - Allocate an RWX area of beacon size + UDRL size
3 - Copy the UDRL to the end of the beacon in the allocated area
| 0x00 | beacon | 0xBEACON_SIZE | UDRL | 0xEND_Alloc
4 - Copy the ODIN structure (heap handle, beacon address, allocation size) to the start of the allocated area (no PE header is present)
5 - Copy the beacon sections
6 - Resolve beacon imports and patch the IAT (also set hooks)
7 - Patch the relocation table
8 - Initialize the beacon
9 - Create a thread at TpReleaseCleanupGroupMembers+0x450 to spoof the thread start address and run the beacon
10 - Self-delete the loader
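The execution steps above leave three observable traces: a thread whose start address is inside an exported ntdll function but not at its entry (step 9), a private RWX region that does not begin with a PE header (steps 2-4), and a loader image deleted from disk while its process is still running (step 10). The following detection heuristics are an added example, not part of OdinLdr; the export table addresses and the newline-delimited JSON events are constructed for this example and are not any real sensor's schema.

```python
import json

# Constructed ntdll export table for this example: name -> (start address, size in bytes).
NTDLL_EXPORTS = {
    "TpReleaseCleanupGroupMembers": (0x7FF800001000, 0x800),
    "RtlUserThreadStart": (0x7FF800002000, 0x80),
}

# Constructed sample telemetry, one JSON object per line (not a real sensor's schema).
SAMPLE_EVENTS = """\
{"kind": "thread_create", "pid": 4242, "start_addr": "0x7ff800001450"}
{"kind": "thread_create", "pid": 4243, "start_addr": "0x7ff800002000"}
{"kind": "memory_region", "pid": 4242, "type": "private", "protect": "RWX", "head": "0000000000000000"}
{"kind": "memory_region", "pid": 4243, "type": "image", "protect": "RX", "head": "4d5a900003000000"}
{"kind": "image_deleted", "pid": 4242, "process_alive": true}
{"kind": "image_deleted", "pid": 4243, "process_alive": false}
"""

def thread_start_is_spoofed(start_addr):
    """Return (export, offset) when the start address lies strictly inside an exported
    function rather than at its entry, e.g. TpReleaseCleanupGroupMembers+0x450."""
    for name, (base, size) in NTDLL_EXPORTS.items():
        if base < start_addr < base + size:
            return name, start_addr - base
    return None

def rwx_region_without_pe_header(region):
    """Private RWX memory whose first bytes are not an MZ header: the beacon is copied
    without its PE header and the ODIN structure occupies the start of the region."""
    return (region["type"] == "private" and region["protect"] == "RWX"
            and not region["head"].lower().startswith("4d5a"))

def analyze(events_text):
    """Run the three heuristics over newline-delimited JSON events; return (pid, rule) findings."""
    findings = []
    for line in events_text.splitlines():
        e = json.loads(line)
        if e["kind"] == "thread_create":
            if thread_start_is_spoofed(int(e["start_addr"], 16)):
                findings.append((e["pid"], "spoofed_thread_start"))
        elif e["kind"] == "memory_region" and rwx_region_without_pe_header(e):
            findings.append((e["pid"], "rwx_private_no_pe_header"))
        elif e["kind"] == "image_deleted" and e["process_alive"]:
            findings.append((e["pid"], "image_deleted_while_running"))
    return findings

if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Each heuristic alone has benign matches (JIT engines allocate private RWX memory, updaters replace running binaries), so treat a process that triggers all three as the high-confidence signal rather than any single rule.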