BlackHat-Ashura / Process_Ghosting
Process Ghosting is a technique in which a process is created from a delete pending file. This means the created process is not backed by a file. This is an evasion technique.
☆14Updated 11 months ago
Alternatives and similar repositories for Process_Ghosting:
Users that are interested in Process_Ghosting are comparing it to the libraries listed below
- Small tool to play with IOCs caused by Imageload events☆42Updated last year
- A pure C version of SymProcAddress☆27Updated last year
- a simple poc showcasing the ability of an admin to suspend EDR's protected processes , making it useless☆38Updated 9 months ago
- miscellaneous codes☆35Updated last year
- ☆26Updated 2 months ago
- ☆48Updated last year
- in-process powershell runner for BRC4☆45Updated last year
- Your NTDLL vaccine from modern direct syscall methods.☆35Updated 3 years ago
- An Aggressor Script that utilizes NtCreateUserProcess to run binaries☆26Updated 2 months ago
- Files for http://blog.deniable.org/posts/windows-callbacks/☆12Updated 2 years ago
- BOF for C2 framework☆41Updated 5 months ago
- API Hammering with C++20☆46Updated 2 years ago
- This POC provides the possibilty to execute x86 shellcode in form of a .bin file based on x86 inline assembly☆18Updated 2 years ago
- An example of COM hijacking using a proxy DLL.☆28Updated 3 years ago
- yet another sleep encryption thing. also used the default github repo name for this one.☆69Updated last year
- ☆27Updated 3 months ago
- ☆59Updated last year
- This is the combination of multiple evasion techniques to evade defenses. (Dirty Vanity)☆48Updated 11 months ago
- Combining 3 techniques (Threadless Injection + DLL Stomping + Caro-Kann) together to evade MDE.☆61Updated last year
- A C++ PoC implementation for enumerating Windows Fibers directly from memory☆18Updated 11 months ago
- A method to execute shellcode using RegisterWaitForInputIdle API.☆52Updated 2 years ago
- EvtPsst☆53Updated last year
- ☆21Updated 11 months ago
- Experimental PoC for unhooking API functions using in-memory patching, without VirtualProtect, for one specific EDR.☆39Updated last year
- Section-based payload obfuscation technique for x64☆59Updated 8 months ago
- A simple rpc2socks alternative in pure Go.☆28Updated 9 months ago
- ☆28Updated 10 months ago
- FrostLock Injection is a freeze/thaw-based code injection technique that uses Windows Job Objects to temporarily freeze (suspend) a targe…☆24Updated 2 weeks ago
- Self Delete DLL☆23Updated last year
- Example of using Sleep to create better named pipes.☆41Updated last year