
AceLdr

// Memory Evasion Masterclass

9
Modules
C
Language
ASM
Assembly
3
Difficulty Tiers

Deep dive into reflective DLL loading, return address spoofing, IAT hooking, and the FOLIAGE sleep mask. Master Windows memory internals from PE parsing to full evasion chains. By kyleavery — presented at DEF CON 30.

01 Beginner

Windows Memory 101

Virtual memory, page protections, memory APIs, the Windows heap, and why scanners care about RWX.

02 Beginner

The PE File Format

DOS headers, NT headers, sections, the IAT, and base relocations. Everything AceLdr manually parses.

03 Beginner

PEB Walking & API Hashing

Finding any Windows API at runtime without a single import. PEB traversal and DJB2 hashing.

04 Intermediate

Reflective DLL Loading

Loading a DLL without Windows knowing. Thread hijacking, section mapping, and Beacon initialization.

05 Intermediate

Position-Independent Code

GetIp trick, OFFSET macro, linker scripts, and the ACELDR end marker. Code that works at any address.

06 Intermediate

IAT Hooking & Heap Redirection

Intercepting 6 function calls by rewriting the IAT. Private heap isolation from scanners.

07 Advanced

Return Address Spoofing

JMP [RBX] gadgets, trampoline chains, and making API calls look legitimate on the stack.

08 Advanced

FOLIAGE Sleep Masking

The crown jewel: 10-step APC chain, RC4 encryption, thread context spoofing during sleep.

09 Advanced

Full Chain & CS Integration

Build pipeline, Aggressor scripts, malleable C2 profiles, and the complete lifecycle.

References & Resources