TLDR:

• reflective loader
• ret addr spoofs in its IAT hooks
  • foliage sleep obf
  • heap encryption
• copies beacon and its hooks into a separate memory.
  • the start of the separate memory contains a sort of config struct
  • separate memory block initially divided as a RX/RW chunk
    • Foliage turns this all into RWX in runtime

Sections

• A - Start asm function
• B - Reflective Loader functions
• C - Stub, a 3 QWORD struct
• D - FOLIAGE functions and spoof gate hooks
• E - UTIL functions
• RDATA - rata lol
• F - GetIp, get_ret_ptr, and Leave

Foliage

• main beacon thread calls ntwaitforsingleobject() and is context spoofed via apc to have rip=RUTS+0x21
• worker thread starts suspended, signaled via NtAlertResumeThread and runs the apc queued ntcontinue + contexts in the same thread
• worker thread is created with a comedically large stack so contexts can use 0x1000 rsp increments.
• workerthread rsp is set to nttestalert; to alert the apc once execution is finished

Reflective Loading Process

• Entrypoint is a call to Ace