Signal-Labs / iat_unhook_sample
(First Public?) Sample of unhooking ntdll (All Exports & IAT imports) hooks in Rust using in-memory disassembly, avoiding direct syscalls and all hooked functions (incl. hooked NtProtectVirtualMemory)
☆128Updated last year
Related projects ⓘ
Alternatives and complementary repositories for iat_unhook_sample
- A newer iteration of TitanLdr with some newer hooks, and design. A generic user defined reflective DLL I built to prove a point to Mudge …☆159Updated last year
- Single stub direct and indirect syscalling with runtime SSN resolving for windows.☆127Updated 2 years ago
- ☆133Updated last year
- Interceptor is a kernel driver focused on tampering with EDR/AV solutions in kernel space☆120Updated last year
- A improved memory obfuscation primitive using a combination of special and 'normal' Asynchronous Procedural Calls☆102Updated last month
- ☆105Updated last year
- Rust port of LayeredSyscall, designed to perform indirect syscalls while generating legitimate API call stack frames by abusing Vectored …☆89Updated last week
- Malware?☆69Updated last month
- Files for http://blog.deniable.org/posts/windows-callbacks/☆67Updated 2 years ago
- Rusty Hell's Gate / Halo's Gate / Tartarus' Gate / FreshyCalls / Syswhispers2 Library☆24Updated 2 years ago
- I have documented all of the AMSI patches that I learned till now☆68Updated last year
- Bypass LSA protection using the BYODLL technique☆142Updated last month
- Use hardware breakpoints to spoof the call stack for both syscalls and API calls☆181Updated 5 months ago
- Early Bird APC Injection in Rust☆50Updated last month
- ☆95Updated last year
- Code used in this post https://captmeelo.com/redteam/maldev/2022/04/21/kernelcallbacktable-injection.html☆99Updated 2 years ago
- ☆160Updated 2 years ago
- Simple POC library to execute arbitrary calls proxying them via NdrServerCall2 or similar☆117Updated 2 months ago
- The code is a pingback to the Dark Vortex blog:☆163Updated last year
- Load a dynamic library from memory by modifying the native Windows loader☆202Updated last year
- ☆108Updated last year
- The code is a pingback to the Dark Vortex blog: https://0xdarkvortex.dev/hiding-memory-allocations-from-mdatp-etwti-stack-tracing/☆158Updated last year
- bring your own vulnerable driver☆82Updated last year
- A kernel vulnerability used to achieve arbitrary read-write on Windows prior to July 2022☆105Updated last year
- ☆128Updated 2 years ago
- 64-bit, position-independent reverse tcp shell, built in Rust for Windows.☆44Updated last month
- ☆116Updated 2 months ago