117 results for “topic:edr-evasion”
EDR Lab for Experimentation Purposes
PoC Implementation of a fully dynamic call stack spoofer
Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".
Python AV Evasion Tools
.NET/PowerShell/VBA Offensive Security Obfuscator
C++ self-Injecting dropper based on various EDR evasion techniques.
Go shellcode loader that combines multiple evasion techniques
indirect syscalls for AV/EDR evasion in Go assembly
Call stack spoofing for Rust
Threadless Process Injection through entry point hijacking
pure-python implementation of MemoryModule technique to load dll and unmanaged exe entirely from memory
AppLocker-Based EDR Neutralization
AV/EDR evasion via direct and indirect system calls Windows NT 3.1 through Windows 11 24H2 · x64 · x86 · WoW64 · ARM64
Apply a divide and conquer approach to bypass EDRs
RunPE implementation with multiple evasive techniques (2)
These are different types of download cradles which should serve as inspiration to play with and create new download cradles to bypass AV/EPP/EDR in the context of download cradle detections.
Generic PE loader for fast prototyping evasion techniques
The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls
kernel callback removal (Bypassing EDR Detections)
PoC exploit for the vulnerable WatchDog Anti-Malware driver (amsdk.sys) – weaponized to kill protected EDR/AV processes via BYOVD.
Evade EDRs the simple way, by not touching any of the APIs they hook.
Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).
Shellcode loader written in C and Assembly utilizing direct or indirect syscalls to evade UM EDR hooks
This comprehensive and central repository is designed for cybersecurity enthusiasts, researchers, and professionals seeking to stay ahead in the field. It provides a valuable resource for those dedicated to improving their skills in malware development, malware research, offensive security, security defenses and measures.
Embedder is a collection of sources in different languages to embed Python interpreter with minimal dependencies
Cobalt Strike BOF to freeze EDR/AV processes and dump LSASS using WerFaultSecure.exe PPL bypass
Implementation of Indirect Syscall technique to pop a calc.exe
AutoPwnKey is a red teaming framework and testing tool using AutoHotKey (AHK), which at the time of creation proves to be quite evasive. It is our hope that this tool will be useful to red teams over the short term, while over the long term help AV/EDR vendors improve how they handle AHK scripts.
A ring0 Loadable Kernel Module (Linux) for latest kernels 6.x
Tool for working with Indirect System Calls in Cobalt Strike's Beacon Object Files (BOF) using SysWhispers3 for EDR evasion