GitHub topics: edr-bypass
droberson/hammertime
PoC LKM to force run cleanup_module() on other LKMs
Language: C - Size: 43 KB - Last synced at: about 22 hours ago - Pushed at: 19 days ago - Stars: 2 - Forks: 0

tkmru/awesome-edr-bypass
Awesome EDR Bypass Resources For Ethical Hacking
Size: 79.1 KB - Last synced at: 2 days ago - Pushed at: 3 months ago - Stars: 1,158 - Forks: 119

thomasxm/BOAZ_beta
Multilayered AV/EDR Evasion Framework
Language: C++ - Size: 85.6 MB - Last synced at: 6 days ago - Pushed at: 6 days ago - Stars: 617 - Forks: 102

VirtualAlllocEx/Direct-Syscalls-vs-Indirect-Syscalls
The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls
Language: C - Size: 24.4 KB - Last synced at: 5 days ago - Pushed at: over 1 year ago - Stars: 185 - Forks: 24

VirtualAlllocEx/Direct-Syscalls-A-journey-from-high-to-low
Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).
Language: C - Size: 592 KB - Last synced at: 5 days ago - Pushed at: almost 2 years ago - Stars: 133 - Forks: 23

VirtualAlllocEx/DEFCON-31-Syscalls-Workshop
Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".
Language: C - Size: 16.3 MB - Last synced at: 5 days ago - Pushed at: over 1 year ago - Stars: 655 - Forks: 95

CroodSolutions/AutoPwnKey
AutoPwnKey is a red teaming framework and testing tool using AutoHotKey (AHK), which at the time of creation proves to be quite evasive. It is our hope that this tool will be useful to red teams over the short term, while over the long term help AV/EDR vendors improve how they handle AHK scripts.
Language: AutoHotkey - Size: 1.28 MB - Last synced at: 13 days ago - Pushed at: 13 days ago - Stars: 25 - Forks: 5

V-i-x-x/AMSI-BYPASS
"AMSI WRITE RAID" Vulnerability that leads to an effective AMSI BYPASS
Language: PowerShell - Size: 3.06 MB - Last synced at: 14 days ago - Pushed at: 15 days ago - Stars: 270 - Forks: 47

Chainski/PandaLoader
A WIP shellcode loader tool which bypasses AV/EDR, coded in C++, and equipped with a minimal console builder.
Language: C++ - Size: 205 KB - Last synced at: 15 days ago - Pushed at: 8 months ago - Stars: 42 - Forks: 6

WesleyWong420/RedTeamOps-Havoc-101
Materials for the workshop "Red Team Ops: Havoc 101"
Language: C# - Size: 22.9 MB - Last synced at: 13 days ago - Pushed at: 7 months ago - Stars: 371 - Forks: 50

klezVirus/inceptor
Template-Driven AV/EDR Evasion Framework
Language: Assembly - Size: 19.9 MB - Last synced at: 17 days ago - Pushed at: over 1 year ago - Stars: 1,658 - Forks: 271

voidvxvt/HellBunny
Malleable shellcode loader written in C and Assembly utilizing direct or indirect syscalls for evading EDR hooks
Language: C - Size: 617 KB - Last synced at: 18 days ago - Pushed at: 4 months ago - Stars: 101 - Forks: 19

oldkingcone/BYOSI
Evade EDRs the simple way, by not touching any of the APIs they hook.
Language: PHP - Size: 35.2 KB - Last synced at: 18 days ago - Pushed at: 3 months ago - Stars: 94 - Forks: 13

0xflux/Rust-Hells-Gate
Rust malware EDR evasion via direct syscalls, fully implemented as an example in Rust
Language: Rust - Size: 70.3 KB - Last synced at: 20 days ago - Pushed at: 11 months ago - Stars: 40 - Forks: 4

0xflux/ETW-Bypass-Rust
Event Tracing for Windows EDR bypass in Rust (usermode)
Language: Rust - Size: 15.6 KB - Last synced at: 11 days ago - Pushed at: 11 months ago - Stars: 19 - Forks: 2

georgesotiriadis/Chimera
Automated DLL Sideloading Tool With EDR Evasion Capabilities
Language: Python - Size: 1.26 MB - Last synced at: 13 days ago - Pushed at: over 1 year ago - Stars: 470 - Forks: 56

dobin/antnium
A C2 framework for initial access in Go
Language: Go - Size: 2.61 MB - Last synced at: 17 days ago - Pushed at: almost 3 years ago - Stars: 179 - Forks: 38

f1zm0/acheron
indirect syscalls for AV/EDR evasion in Go assembly
Language: Assembly - Size: 332 KB - Last synced at: 19 days ago - Pushed at: almost 2 years ago - Stars: 325 - Forks: 38

JenarGithub76/payload-obfuscator
A Python-based tool for studying and practicing Windows PE binary obfuscation techniques.
Size: 1000 Bytes - Last synced at: 29 days ago - Pushed at: 29 days ago - Stars: 3 - Forks: 0

FantaTastic-jpg/kernel-callback-removal
kernel callback removal (Bypassing EDR Detections)
Language: C++ - Size: 4.9 MB - Last synced at: about 1 month ago - Pushed at: about 1 month ago - Stars: 0 - Forks: 0

V-i-x-x/kernel-callback-removal
kernel callback removal (Bypassing EDR Detections)
Language: C++ - Size: 1.47 MB - Last synced at: about 1 month ago - Pushed at: about 1 month ago - Stars: 6 - Forks: 1

EvilBytecode/Powershell-Persistance
Whenever PowerShell is launched, Notepad will also open. You can customize the script for educational purposes, but I emphasize that I do not take any responsibility for its use or any actions taken.
Language: Go - Size: 6.84 KB - Last synced at: 5 days ago - Pushed at: 10 months ago - Stars: 9 - Forks: 1

melotic/nanostorm
An (WIP) EDR Evasion tool for x64 Windows & Linux binaries that utilizes Nanomites, written in Rust.
Language: Rust - Size: 140 KB - Last synced at: 24 days ago - Pushed at: 4 months ago - Stars: 18 - Forks: 1

fortra/hw-call-stack
Use hardware breakpoints to spoof the call stack for both syscalls and API calls
Language: C - Size: 277 KB - Last synced at: 25 days ago - Pushed at: 11 months ago - Stars: 190 - Forks: 29

0xflux/Rust-APC-Queue-Injection
APC Queue Injection EDR Evasion in Rust
Language: Rust - Size: 5.86 KB - Last synced at: 20 days ago - Pushed at: 10 months ago - Stars: 4 - Forks: 1

mrexodia/lolbin-poc
Small PoC of using a Microsoft signed executable as a lolbin.
Language: C++ - Size: 5.86 KB - Last synced at: 23 days ago - Pushed at: about 2 years ago - Stars: 136 - Forks: 16

noderaven/payload-obfuscator
A Python-based tool for studying and practicing Windows PE binary obfuscation techniques.
Language: Python - Size: 132 KB - Last synced at: 23 days ago - Pushed at: 2 months ago - Stars: 1 - Forks: 0

Abhinandan-Khurana/exploit-payload-generator-ai-agent
A powerful local AI-agentic tool that generates and validates advanced exploit payloads using CrewAI framework.
Language: Python - Size: 168 KB - Last synced at: 2 months ago - Pushed at: 2 months ago - Stars: 0 - Forks: 0

VirtualAlllocEx/Create-Thread-Shellcode-Fetcher
This POC gives you the possibility to compile a .exe that completely avoids static detection by AV/EPP/EDR of your C2 shellcode, and downloads and executes your C2 shellcode, which is hosted on your (C2) webserver.
Language: C++ - Size: 2.71 MB - Last synced at: 5 days ago - Pushed at: almost 2 years ago - Stars: 246 - Forks: 51

oldkingcone/Tucker
Like the chimera of Nina Tucker, PHP based local enumeration of windows systems.
Language: PHP - Size: 21.5 KB - Last synced at: 2 months ago - Pushed at: 2 months ago - Stars: 0 - Forks: 0

xiosec/Evil-MSCLR
Evil-MSCLR is a tool to load ShellCode and execute commands via the CLR feature in MSSQL.
Language: Go - Size: 3.97 MB - Last synced at: about 1 month ago - Pushed at: 3 months ago - Stars: 1 - Forks: 0

k3lpi3b4nsh33/BlindEdr
A Blind EDR Project for Educational Purposes
Language: C - Size: 508 KB - Last synced at: 3 months ago - Pushed at: 3 months ago - Stars: 2 - Forks: 4

Adkali/PowerJoker
PowerJoker is a Python program which generates a dynamic PowerShell reverse-shell generator; unique payloads with different results on each execution.
Language: Python - Size: 95.7 KB - Last synced at: 4 months ago - Pushed at: 4 months ago - Stars: 37 - Forks: 8

VirtualAlllocEx/Create_Thread-Inline_Assembly_x86_Fibers
This POC provides the ability to execute x86 shellcode in the form of a .bin file based on x86 inline assembly and execution over fibers
Language: C++ - Size: 466 KB - Last synced at: 5 days ago - Pushed at: about 2 years ago - Stars: 7 - Forks: 4

VirtualAlllocEx/Create_Thread_Inline_Assembly_x86
This POC provides the possibility to execute x86 shellcode in the form of a .bin file based on x86 inline assembly
Language: C++ - Size: 563 KB - Last synced at: 5 days ago - Pushed at: about 2 years ago - Stars: 18 - Forks: 9

VirtualAlllocEx/Shell-we-Assembly
Shellcode execution via x86 inline assembly based on MSVC syntax
Language: C++ - Size: 26.4 KB - Last synced at: 1 day ago - Pushed at: almost 2 years ago - Stars: 13 - Forks: 5

VirtualAlllocEx/DSC_SVC_REMOTE
This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.
Language: C - Size: 21.5 KB - Last synced at: 5 days ago - Pushed at: almost 2 years ago - Stars: 51 - Forks: 11

Cyb3rV1c/ThreadVeil
Tool That Injects Shell via Remote Thread Hijacking
Language: C++ - Size: 31.3 KB - Last synced at: 29 days ago - Pushed at: 5 months ago - Stars: 1 - Forks: 0

x0reaxeax/SysCook64
Indirect Syscall invocation via thread hijacking
Language: C - Size: 12.7 KB - Last synced at: 1 day ago - Pushed at: almost 2 years ago - Stars: 14 - Forks: 3

x0reaxeax/SyscallHookBypass
NTAPI hook bypass with (semi) legit stack trace
Language: C - Size: 8.79 KB - Last synced at: 1 day ago - Pushed at: almost 2 years ago - Stars: 14 - Forks: 2

x0reaxeax/SilentWrite
PoC arbitrary WPM without a process handle
Language: C - Size: 9.77 KB - Last synced at: 1 day ago - Pushed at: almost 2 years ago - Stars: 18 - Forks: 3

hackforyourentertainment/Misery
Misery Loader to bypass modern EDR solutions
Language: C++ - Size: 43.9 KB - Last synced at: 4 months ago - Pushed at: 4 months ago - Stars: 0 - Forks: 1

tholian-network/warps
:telescope: Warping your own Internet everywhere you go :satellite:
Language: Go - Size: 181 KB - Last synced at: 9 days ago - Pushed at: 6 months ago - Stars: 6 - Forks: 1

Cyb3rV1c/LowkeyRusty
Rust based process injection tool
Language: Rust - Size: 20.5 KB - Last synced at: 24 days ago - Pushed at: 5 months ago - Stars: 1 - Forks: 1

PapkuWorld/Rat-Botnet
Powerful RAT/Botnet written in C/C++ and Rust; works on Windows, Linux and Mac OS, Android and IoT devices; central / P2P architecture. (Project under development)
Language: C++ - Size: 52.7 KB - Last synced at: 2 days ago - Pushed at: 9 months ago - Stars: 10 - Forks: 3

Offensive-Panda/WPM-MAJIC-ENTRY-POINT-INJECTION
This exploit utilises the AddressOfEntryPoint of a process, which is RX, and uses WriteProcessMemory internal magic to change the permission and write the shellcode.
Language: C++ - Size: 41.9 MB - Last synced at: 6 months ago - Pushed at: 6 months ago - Stars: 12 - Forks: 1

WafflesExploits/CobaltStrike-YARA-Bypass-f0b627fc
Repository of scripts from my blog post on bypassing the YARA rule Windows_Trojan_CobaltStrike_f0b627fc by generating alternative shellcode sequences.
Language: Python - Size: 12.7 KB - Last synced at: 6 months ago - Pushed at: 6 months ago - Stars: 3 - Forks: 0

WafflesExploits/Dynamic-HTTP-Payload-Stager
A dynamic HTTP/s Payload Stager that automates updating decryption variables, saving time and effort in managing shellcode loaders.
Language: C++ - Size: 30.3 KB - Last synced at: 7 months ago - Pushed at: 7 months ago - Stars: 4 - Forks: 1

ricardojoserf/goNtdllOverwrite
Overwrite ntdll.dll's ".text" section to bypass API hooking. Getting the clean dll from disk, Knowndlls folder or a debugged process
Language: Go - Size: 12.7 KB - Last synced at: 7 months ago - Pushed at: 10 months ago - Stars: 3 - Forks: 2

itaymigdal/PichichiH0ll0wer
Nim process hollowing loader
Language: Nim - Size: 2.56 MB - Last synced at: 9 months ago - Pushed at: 9 months ago - Stars: 46 - Forks: 11

Offensive-Panda/PEB_WALK_AND_API_OBFUSCATION_INJECTION
This exploit uses the PEB walk technique to resolve API calls dynamically and obfuscates all API calls to perform process injection.
Language: C++ - Size: 48.2 MB - Last synced at: 9 months ago - Pushed at: 9 months ago - Stars: 0 - Forks: 0

ricardojoserf/pyNtdllOverwrite
Overwrite ntdll.dll's ".text" section to bypass API hooking. Getting the clean dll from disk, Knowndlls folder or a debugged process
Language: Python - Size: 10.7 KB - Last synced at: 10 months ago - Pushed at: 10 months ago - Stars: 0 - Forks: 0

SnipSnapp/Random-Powershell
Mostly malicious or abusable PowerShell I've written
Language: PowerShell - Size: 49.8 KB - Last synced at: 10 months ago - Pushed at: 10 months ago - Stars: 1 - Forks: 1

EvilBytecode/GoPulzeTerminator
Reproducing the Spyboy technique to terminate all EDR/XDR/AV processes, coded in your beloved Golang!
Language: Go - Size: 118 KB - Last synced at: 11 months ago - Pushed at: 11 months ago - Stars: 1 - Forks: 0

k4itruns/crypter-kraken
Kraken Crypter v5 (Native/Turbo)
Size: 817 KB - Last synced at: 11 months ago - Pushed at: 11 months ago - Stars: 0 - Forks: 0

asciistring/Kraken-Crypter-v5-Native-Turbo-
Kraken Crypter v5 (Native/Turbo)
Size: 17.6 KB - Last synced at: about 1 year ago - Pushed at: about 1 year ago - Stars: 1 - Forks: 0

0mWindyBug/MinifilterHook
silence file system monitoring components by hooking their minifilters
Language: C - Size: 1.67 MB - Last synced at: about 1 year ago - Pushed at: about 1 year ago - Stars: 25 - Forks: 6

Bawless-Services/Bawless-Services-EDR-Crypter
Bawless Services strives to provide excellent service to our customers, though we recognize there is always room for improvement. We are committed to listening
Size: 25.4 KB - Last synced at: about 1 year ago - Pushed at: about 1 year ago - Stars: 1 - Forks: 0

roadwy/SideloadFinder
Frida-based script which automates the process of discovering and exploiting DLL hijacks in target binaries. The discovered binaries can later be weaponized during Red Team operations to evade AV/EDRs.
Language: Python - Size: 331 KB - Last synced at: about 1 year ago - Pushed at: about 2 years ago - Stars: 39 - Forks: 4

njcve/inflate.py
Artificially inflate a given binary to exceed common EDR file size limits. Can be used to bypass common EDR.
Language: Python - Size: 3.91 KB - Last synced at: about 1 year ago - Pushed at: about 3 years ago - Stars: 112 - Forks: 15

NUL0x4C/AtomPePacker
A highly capable PE packer
Language: C - Size: 119 KB - Last synced at: over 1 year ago - Pushed at: over 2 years ago - Stars: 638 - Forks: 112

DragonRaaS/Dragon-Ransomware
New Ransomware bypassing EDR, AVs, UAC, Sandboxes.
Language: C# - Size: 1.95 KB - Last synced at: over 1 year ago - Pushed at: over 1 year ago - Stars: 1 - Forks: 0

luciabglthecat/Luxury-Crypter-18
Luxury Shield 18
Size: 12.7 KB - Last synced at: over 1 year ago - Pushed at: over 1 year ago - Stars: 1 - Forks: 0

Hanbry/Custom-PE-Packer
Custom binary file packer/encoder with integrated decoder stub. A pentest-tool for modern EDR evasion.
Language: C - Size: 64.5 KB - Last synced at: over 1 year ago - Pushed at: over 1 year ago - Stars: 1 - Forks: 0

LuxuryrDs/Luxury-Crypter
Luxury Crypter - Free Version v1.0.0
Size: 0 Bytes - Last synced at: almost 2 years ago - Pushed at: almost 2 years ago - Stars: 1 - Forks: 0

CodeXTF2/evasion-adventures-files
Slides and POC demo for my talk at Divizion Zero on EDR evasion titled "Evasion Adventures"
Language: C++ - Size: 6.75 MB - Last synced at: about 2 years ago - Pushed at: over 2 years ago - Stars: 14 - Forks: 7
