This is your work, valued

VirtualAllocEx

Elite
@VirtualAlllocEx

Founder RedOps | Red Team

DEFCON-31-Syscalls-Workshop. Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".

765

Payload-Download-Cradles. This are different types of download cradles which should be an inspiration to play and create new download cradles to bypass AV/EPP/EDR in context of download cradle detections.

258

Create-Thread-Shellcode-Fetcher. This POC gives you the possibility to compile a .exe to completely avoid statically detection by AV/EPP/EDR of your C2-shellcode and download and execute your C2-shellcode which is hosted on your (C2)-webserver.

257

Direct-Syscalls-vs-Indirect-Syscalls. The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls

242

Direct-Syscalls-A-journey-from-high-to-low. Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).

147

HWBP-DEP-Bypass. Educational proof-of-concept demonstrating DEP/NX bypass using hardware breakpoints, vectored exception handling, and instruction emulation on Windows x64. For security research and learning purposes only.

100

CS-EDR-Enumeration. Cobalt Strike Aggressor Script for identifying security products on Windows hosts — six enumeration methods rated by noise level, from silent in-process BOF to full PowerShell/WMI.

90

Taskschedule-Persistence-Download-Cradles. Depending on the AV/EPP/EDR creating a Taskschedule Job with a default cradle is often flagged

89

DSC_SVC_REMOTE. This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.

55

Create_Thread_Inline_Assembly_x86. This POC provides the possibilty to execute x86 shellcode in form of a .bin file based on x86 inline assembly

20

Shell-we-Assembly. Shellcode execution via x86 inline assembly based on MSVC syntax

17

Create_Thread-Inline_Assembly_x86_Fibers. This POC provides the ability to execute x86 shellcode in the form of a .bin file based on x86 inline assembly and execution over fibers

8

WinMalDev. Various methods of executing shellcode

8

Ghost. Evasive shellcode loader

8

Windows-Local-Privilege-Escalation-Cookbook. Windows Local Privilege Escalation Cookbook

7

Conference-Slides.

7

UnlinkDLL. DLL Unlinking from InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList, and LdrpHashTable

6

NtRemoteLoad. Remote Shellcode Injector

5

CallstackSpoofingPOC. C++ self-Injecting dropper based on various EDR evasion techniques.

5

EDR-Preloader. An EDR bypass that prevents EDRs from hooking or loading DLLs into our process by hijacking the AppVerifier layer

5

Advanced-Process-Injection-Workshop. C++

5

esi-certificate-verify. Keep track of participants from the workshop "Endpoint Security Insights: Shellcode Loaders & Evasion"

3

learning-malware-analysis. This repository contains sample programs that mimick behavior found in real-world malware. The goal is to provide source code that can be compiled and used for learning purposes, without having to worry about handling live malware.

3

OSCP-Tricks-2023. OSCP 2023 Preparation Guide | Courses, Tricks, Tutorials, Exercises, Machines

3

HookDump. Security product hook detection

3

Tartarus-TpAllocInject. C++

3

Conferences_OtterHacker. C

3

NovaLdr. Threadless Module Stomping In Rust with some features (In memory of those murdered in the Nova party massacre)

3

learning-reverse-engineering. This repository contains sample programs written primarily in C and C++ for learning native code reverse engineering.

2

SysWhispers3. SysWhispers on Steroids - AV/EDR evasion via direct system calls.

2

Blindside. Utilizing hardware breakpoints to evade monitoring by Endpoint Detection and Response platforms

2

Voidgate. A technique that can be used to bypass AV/EDR memory scanners. This can be used to hide well-known and detected shellcodes (such as msfvenom) by performing on-the-fly decryption of individual encrypted assembly instructions, thus rendering memory scanners useless for that specific memory page.

2

Jomungand. Shellcode Loader with memory evasion

1

Messagebox-Test. PowerShell

1

HadesLdr. Shellcode Loader Implementing Indirect Dynamic Syscall , API Hashing, Fileless Shellcode retrieving using Winsock2

1

HWSyscalls. HWSyscalls is a new method to execute indirect syscalls using HWBP, HalosGate and a synthetic trampoline on kernel32 with HWBP.

1

TartarusGate. TartarusGate, Bypassing EDRs

1