T3nb3w / ComDotNetExploit
A C++ proof of concept demonstrating code injection into Windows Protected Process Light (PPL) processes by leveraging COM-to-.NET redirection and .NET reflection. Because the payload is loaded as a managed assembly through the .NET runtime rather than mapped as a signed PE image, the PoC sidesteps the code integrity checks PPL normally imposes on loaded modules, allowing attacker-controlled code to run inside highly protected processes such as LSASS. Based on James Forshaw's research on injecting code into protected processes via COM.
☆281, updated last month
Alternatives and similar repositories for ComDotNetExploit:
Users that are interested in ComDotNetExploit are comparing it to the libraries listed below
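Before testing a PoC like this one, a practitioner usually wants to confirm whether LSA protection is actually enforced on the target. The following is an added example written for this page, not code from the ComDotNetExploit project: it reads the RunAsPPL registry value that controls LSASS protection and looks for the Wininit event logged at boot when LSASS starts as a protected process. The RunAsPPL value name, the Wininit event ID 12, and the interpretation of values 1 and 2 are taken from Microsoft's documentation of LSA protection; the helper function name is an assumption for illustration.

```powershell
# Added example (not part of ComDotNetExploit): check whether LSA protection (RunAsPPL) is configured
# and whether the last boot actually started lsass.exe as a protected process.
function Get-LsaProtectionStatus {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # RunAsPPL: absent/0 = not protected, 1 = PPL, 2 = PPL with UEFI lock (newer builds).
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL

    # Wininit logs event ID 12 in the System log when LSASS is started as a protected process.
    $bootEvent = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        RunAsPPL          = if ($null -eq $runAsPpl) { 0 } else { $runAsPpl }
        ConfiguredAsPPL   = ($runAsPpl -in 1, 2)
        LastBootProtected = ($null -ne $bootEvent)
        LastBootMessage   = if ($bootEvent) { $bootEvent.Message } else { '(no Wininit event 12 found)' }
    }
}

$status = Get-LsaProtectionStatus
$status | Format-List

if ($status.ConfiguredAsPPL -and -not $status.LastBootProtected) {
    Write-Warning 'RunAsPPL is set but no protected-start event was found; a reboot may still be pending.'
}
```

Run it from an elevated PowerShell prompt; reading the Lsa key and the System log does not require tampering with anything. Note that a RunAsPPL value of 1 only takes effect after a reboot, so the registry value and the boot event should be read together rather than trusting either alone.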
- Exploitation of process killer drivers (☆199, updated last year)
- A set of programs for analyzing common vulnerabilities in COM (☆210, updated 7 months ago)
- Generating legitimate call stack frames along with indirect syscalls by abusing Vectored Exception Handling (VEH) to bypass user-land EDR … (☆250, updated 8 months ago)
- Waiting Thread Hijacking: injection by overwriting the return address of a waiting thread (☆184, updated this week)
- Bypass LSA protection using the BYODLL technique (☆157, updated 7 months ago)
- .NET assembly loader with patchless AMSI and ETW bypass (☆328, updated 2 years ago)
- Two new offensive techniques using Windows Fibers: PoisonFiber (the first remote enumeration and Fiber injection capability PoC tool), Phan… (☆259, updated 7 months ago)
- A PowerShell AMSI bypass technique via Vectored Exception Handler (VEH). This technique does not perform assembly instruction patching, f… (☆160, updated 10 months ago)
- Generic PE loader for fast prototyping of evasion techniques (☆230, updated 9 months ago)
- Sleep obfuscation (☆216, updated 4 months ago)
- A Beacon Object File (BOF) template for Visual Studio (☆188, updated last month)
- Slides and code snippets for a workshop held at x33fcon 2024 (☆257, updated 10 months ago)
- EDRSandblast-GodFault (☆260, updated last year)
- Stack spoofing with synthetic frames, based on the work of namazso, SilentMoonWalk, and VulcanRaven (☆215, updated 6 months ago)
- Kernel callback removal (bypassing EDR detections) (☆160, updated last month)
- Hijacking valid driver services to load arbitrary (signed) drivers by abusing native symbolic links and NT paths (☆328, updated 8 months ago)
- Port of the BOF InlineExecute-Assembly to load a .NET assembly in-process, with patchless AMSI and ETW bypass using hardware breakpoints (☆224, updated 2 years ago)
- Dump the memory of any PPL with a userland exploit chain (☆333, updated 2 years ago)
- A proof of concept demonstrating DLL-load proxying using undocumented syscalls (☆335, updated 2 months ago)
- Patch AMSI and ETW (☆236, updated 11 months ago)
- For when DllMain is the only way (☆375, updated 5 months ago)
- Early cascade injection PoC based on Outflank's blog post (☆214, updated 5 months ago)
- An example reference design for a proposed BOF PE (☆159, updated this week)
- An AppDomainManager injection DLL PoC on steroids (☆169, updated last year)
- Bypass Credential Guard by patching WDigest.dll using only NTAPI functions (☆236, updated 2 weeks ago)
- Two code samples that can be used to understand the difference between direct syscalls and indirect syscalls (☆185, updated last year)
- Collect Windows telemetry for maldev (☆340, updated 2 months ago)
- A proof of concept for abusing exception handlers to hook and bypass user-mode EDR hooks (☆185, updated last year)
- A PowerShell console in C/C++ with all the security features disabled (☆227, updated last month)