Little user-mode AV/EDR evasion lab for training & learning purposes

PoC Implementation of a fully dynamic call stack spoofer

Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".

.NET/PowerShell/VBA Offensive Security Obfuscator

Go shellcode loader that combines multiple evasion techniques

C++ self-Injecting dropper based on various EDR evasion techniques.

Threadless Process Injection through entry point hijacking

indirect syscalls for AV/EDR evasion in Go assembly

Call stack spoofing for Rust

pure-python implementation of MemoryModule technique to load dll and unmanaged exe entirely from memory

Apply a divide and conquer approach to bypass EDRs

This are different types of download cradles which should be an inspiration to play and create new download cradles to bypass AV/EPP/EDR in context of download cradle detections.

Generic PE loader for fast prototyping evasion techniques

The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls

Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).

Your syscall factory

Embedder is a collection of sources in different languages to embed Python interpreter with minimal dependencies

Implementation of Indirect Syscall technique to pop a calc.exe

Depending on the AV/EPP/EDR creating a Taskschedule Job with a default cradle is often flagged

This comprehensive and central repository is designed for cybersecurity enthusiasts, researchers, and professionals seeking to stay ahead in the field. It provides a valuable resource for those dedicated to improving their skills in malware development, malware research, offensive security, security defenses and measures.