Little user-mode AV/EDR evasion lab for training & learning purposes
-
Updated
May 2, 2024 - C++
Little user-mode AV/EDR evasion lab for training & learning purposes
PoC Implementation of a fully dynamic call stack spoofer
Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".
.NET/PowerShell/VBA Offensive Security Obfuscator
Go shellcode loader that combines multiple evasion techniques
Threadless Process Injection through entry point hijacking
C++ self-Injecting dropper based on various EDR evasion techniques.
indirect syscalls for AV/EDR evasion in Go assembly
pure-python implementation of MemoryModule technique to load dll and unmanaged exe entirely from memory
Apply a divide and conquer approach to bypass EDRs
This are different types of download cradles which should be an inspiration to play and create new download cradles to bypass AV/EPP/EDR in context of download cradle detections.
The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls
Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).
Your syscall factory
Embedder is a collection of sources in different languages to embed Python interpreter with minimal dependencies
Depending on the AV/EPP/EDR creating a Taskschedule Job with a default cradle is often flagged
Implementation of Indirect Syscall technique to pop a calc.exe
BadExclusionsNWBO is an evolution from BadExclusions to identify folder custom or undocumented exclusions on AV/EDR
This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.
Add a description, image, and links to the edr-evasion topic page so that developers can more easily learn about it.
To associate your repository with the edr-evasion topic, visit your repo's landing page and select "manage topics."