Stars
Simple ETW unhook PoC. Overwrites the opcode of NtTraceEvent to disable ETW at the Nt-function level.
Implementation of the Indirect Syscall technique, popping calc.exe as the payload.
Combines three techniques (Threadless Injection + DLL Stomping + Caro-Kann) to evade MDE.
A proof of concept for abusing exception handlers to hook and bypass user-mode EDR hooks.
This repository implements Threadless Injection in C.
A Beacon Object File (BOF) implementation of the PoolParty process injection technique.
C++ self-injecting dropper based on various EDR evasion techniques.
A PoC for the new injection technique that abuses the Windows fork API to evade EDRs. https://www.blackhat.com/eu-22/briefings/schedule/index.html#dirty-vanity-a-new-approach-to-code-injection--edr-bypass…
Single-stub direct and indirect syscalling with runtime SSN resolution for Windows.
Grabs Firefox POST requests by hooking the PR_Write function in the nss3.dll module with a trampoline hook, to capture users' passwords and emails.
🗜️ A packer for Windows x86 executable files written in C and Intel x86 assembly. The packed file hinders reverse engineering.
Copies a file from an NTFS-formatted volume by reading the raw volume and parsing the NTFS on-disk structures.
Patches AMSI and ETW in a remote process via direct syscalls.
Source code for the "exploiting Windows API for red teaming" series.
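The raw-volume NTFS approach listed above (reading the volume device and parsing the on-disk structures instead of going through the file system API) as an added Python example that is not the listed repository's code: it parses an NTFS boot sector to derive the cluster size and the byte offset of $MFT, then validates and undoes the update-sequence fixups on an MFT FILE record, the step a raw reader must get right before trusting any attribute data. The boot sector and the FILE record are constructed here with illustrative values; nothing is read from a real disk.

```python
import struct

NTFS_OEM_ID = b"NTFS    "


def build_sample_boot_sector() -> bytes:
    """Constructed 512-byte NTFS boot sector (VBR); values are illustrative, not from a real disk."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                       # x86 jump over the BPB
    bs[3:11] = NTFS_OEM_ID
    struct.pack_into("<H", bs, 11, 512)             # bytes per sector
    bs[13] = 8                                      # sectors per cluster -> 4 KiB clusters
    bs[21] = 0xF8                                   # media descriptor: fixed disk
    struct.pack_into("<Q", bs, 40, 2_097_151)       # total sectors (~1 GiB volume)
    struct.pack_into("<Q", bs, 48, 786_432)         # $MFT start cluster (LCN)
    struct.pack_into("<Q", bs, 56, 2)               # $MFTMirr start cluster
    bs[64] = 0xF6                                   # clusters per MFT record: -10 -> 2**10 = 1024 bytes
    bs[68] = 0x01                                   # clusters per index buffer: 1 cluster
    struct.pack_into("<Q", bs, 72, 0x1234567890ABCDEF)  # volume serial number
    bs[510:512] = b"\x55\xAA"                       # boot signature
    return bytes(bs)


def _size_from_signed_field(value: int, cluster_size: int) -> int:
    # NTFS stores record/index sizes as a signed byte: a positive value counts
    # clusters, a negative value means 2**(-value) bytes (record smaller than a cluster).
    return (1 << -value) if value < 0 else value * cluster_size


def parse_boot_sector(data: bytes) -> dict:
    """Parse the NTFS VBR and derive the byte offsets a raw-volume reader needs."""
    if len(data) < 512 or data[3:11] != NTFS_OEM_ID or data[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", data, 11)[0]
    spc = struct.unpack_from("<b", data, 13)[0]
    # Volumes with clusters larger than 64 KiB encode this field as a negative exponent.
    sectors_per_cluster = (1 << -spc) if spc < 0 else spc
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", data, 40)
    cluster_size = bytes_per_sector * sectors_per_cluster
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "mft_offset": mft_lcn * cluster_size,          # byte offset of $MFT on the raw volume
        "mftmirr_offset": mftmirr_lcn * cluster_size,
        "file_record_size": _size_from_signed_field(struct.unpack_from("<b", data, 64)[0], cluster_size),
        "index_record_size": _size_from_signed_field(struct.unpack_from("<b", data, 68)[0], cluster_size),
        "volume_serial": struct.unpack_from("<Q", data, 72)[0],
    }


def build_sample_file_record(record_size: int = 1024, sector_size: int = 512) -> bytes:
    """Constructed MFT FILE record with an update sequence array, as a raw reader sees it on disk."""
    rec = bytearray(record_size)
    rec[0:4] = b"FILE"
    usa_offset, usa_count = 48, 1 + record_size // sector_size   # USN + one entry per sector
    struct.pack_into("<HH", rec, 4, usa_offset, usa_count)
    struct.pack_into("<H", rec, 16, 3)                 # sequence number
    struct.pack_into("<H", rec, 18, 1)                 # hard link count
    struct.pack_into("<H", rec, 20, 56)                # offset of first attribute
    struct.pack_into("<H", rec, 22, 0x0001)            # flags: record in use (0x0002 = directory)
    struct.pack_into("<II", rec, 24, 424, record_size) # used / allocated size
    usn, originals = 0x4242, [0x1111, 0x2222]          # constructed USN and real sector-end words
    struct.pack_into("<H", rec, usa_offset, usn)
    for i, orig in enumerate(originals):
        struct.pack_into("<H", rec, usa_offset + 2 + 2 * i, orig)    # saved last word of sector i
        struct.pack_into("<H", rec, (i + 1) * sector_size - 2, usn)  # on disk it is replaced by the USN
    return bytes(rec)


def apply_fixups(record: bytes, sector_size: int = 512) -> bytes:
    """Verify the update sequence number in every sector and restore the original words."""
    if record[0:4] != b"FILE":
        raise ValueError("bad FILE record signature (BAAD or unused slot?)")
    usa_offset, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_offset:usa_offset + 2]
    rec = bytearray(record)
    for i in range(1, usa_count):
        end = i * sector_size
        if rec[end - 2:end] != usn:                    # mismatch means a torn (incomplete) write
            raise ValueError(f"torn write: sector {i - 1} USN mismatch")
        rec[end - 2:end] = record[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return bytes(rec)


def parse_file_record(record: bytes) -> dict:
    """Undo fixups and decode the FILE record header fields a file copier needs."""
    rec = apply_fixups(record)
    seq, links, first_attr, flags, used, alloc = struct.unpack_from("<HHHHII", rec, 16)
    return {"sequence": seq, "hard_links": links, "first_attr_offset": first_attr,
            "in_use": bool(flags & 1), "is_directory": bool(flags & 2),
            "used_size": used, "allocated_size": alloc, "fixed": rec}


if __name__ == "__main__":
    vbr = parse_boot_sector(build_sample_boot_sector())
    print(f"cluster size {vbr['cluster_size']}, $MFT at byte offset {vbr['mft_offset']:#x}")
    print(parse_file_record(build_sample_file_record())["in_use"])
```

On a live Windows system the same functions would be fed bytes read from the raw volume device (for example `\\.\C:` opened for reading, which requires administrator rights); the byte offsets are reads at `mft_offset + record_number * file_record_size` into that handle. Skipping `apply_fixups` is the classic mistake in home-grown readers: the last two bytes of every sector of a record are the USN on disk, so attribute parsing on the raw bytes silently corrupts any attribute that straddles a sector boundary.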