A stealthy and modular Windows loader developed by xec412.
This project is for educational and research purposes only.
Unauthorized use against systems you do not own is illegal.
XeraLdr is a custom loader designed to execute payloads with high stealth against modern EDR solutions.
Tested Against: Microsoft Defender for Endpoint (MDE)
Result: No alerts appeared after several hours of activity.
Video Demonstration: Bypassing MDE - XeraLdr Showcase
Payload Used: Custom written reverse TCP shellcode
- Why? Most memory scanners focus on newly allocated private memory regions. By stomping a legitimate system DLL, we operate inside an image-backed trusted memory space.
- Strength: Very strong against memory scanners and heuristic detection.
- Why? Many EDRs monitor suspicious Import Address Tables and API resolutions.
- Strength: Provides excellent protection against static and behavioral analysis.
- Why? Direct API calls are heavily monitored. Using proxy functions helps evade behavioral detection.
- Strength: Reduces suspicious API call patterns.
- Why? Prevents execution in virtual machines, debuggers, and sandboxes.
- Strength: Protects the loader during initial execution phase.
- Reference: Sandbox-Detection-Techniques
- Why? Strong encryption makes static signature detection significantly harder.
- Strength: Payload remains encrypted until runtime.
- Reference: LibTomCrypt
- Why? Removes dependency on the Visual C++ Runtime, resulting in a smaller binary with a minimal Import Address Table (IAT). This reduces static signatures commonly flagged by EDRs and AVs.
- Why? Classic
Sleep()is easily detected. UsingSystemFunction040/041(RtlEncryptMemory / RtlDecryptMemory) for heap encryption + stack duplication makes sleep periods much stealthier. - ** - Warning: If you are using a transient payload like
calc.exe, the process will execute the payload and immediately invokeExitThread. As a result, the sleep obfuscation mechanism will not trigger. For this technique to work as intended, ensure you are using a persistent payload (e.g., a reverse shell) that keeps the thread execution flow alive. - Reference: C5pider's Tweet
-
Clone the repository:
git clone https://github.com/xec412/XeraLdr.git
-
Open the solution file
XeraLdr.slnxwith Visual Studio. -
Select Release | x64 configuration.
-
Go to Build -> Rebuild Solution.
All necessary build settings are already configured in the project. No additional changes are required.
If you find the engineering choices or the implementation useful, dropping a star on the repository would be highly appreciated! ⭐
This project is licensed under the GPL-3.0 License.
See the LICENSE file for details.



