danafaye / WindowsAPIAbuseAtlas
A living guide to lesser-known and evasive Windows API abuses used in malware, with practical reverse engineering notes, YARA detections, and behavioral indicators.
☆24 · Updated this week
Alternatives and similar repositories for WindowsAPIAbuseAtlas
Users interested in WindowsAPIAbuseAtlas are comparing it to the repositories listed below (star count and last update shown for each).
- A small program written in C that is designed to load 32/64-bit shellcode and allow for execution or debugging. Can also output PE files … ☆159 · Updated last year
- Slides & code snippets for a workshop held @ x33fcon 2024 ☆265 · Updated last year
- IoctlHunter is a command-line tool designed to simplify the analysis of IOCTL calls made by userland software targeting Windows drivers. ☆105 · Updated last year
- Kernel callback removal (bypassing EDR detections) ☆187 · Updated 5 months ago
- MIPS VM to execute payloads without allocating executable memory. Based on a PlayStation 1 (PSX) emulator. ☆119 · Updated 8 months ago
- A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes. ☆205 · Updated 3 weeks ago
- Bypass user-land hooks by syscall tampering via the Trap Flag ☆98 · Updated last week
- Evade EDRs the simple way, by not touching any of the APIs they hook. ☆153 · Updated 7 months ago
- Unprotect is a collaborative platform dedicated to uncovering and documenting malware evasion techniques. We invite you to join us in thi… ☆172 · Updated 4 months ago
- This comprehensive and central repository is designed for cybersecurity enthusiasts, researchers, and professionals seeking to stay ahead… ☆130 · Updated 3 months ago
- Two new offensive techniques using Windows Fibers: PoisonFiber (the first remote enumeration & Fiber injection capability PoC tool) Phan… ☆270 · Updated 11 months ago
- Injecting a DLL into LSASS at boot ☆137 · Updated 4 months ago
- A PoC of the ContainYourself research presented at DEF CON 31, which abuses the Windows containers framework to bypass EDRs. ☆316 · Updated 2 years ago
- Python tool to check for rootkits in the Windows kernel ☆199 · Updated last week
- A CIA tradecraft technique to asynchronously detect when a process is created using WMI. ☆134 · Updated last year
- Combining Sealighter with unpatched exploits to run the Threat-Intelligence ETW provider ☆185 · Updated 2 years ago
- A Mythic agent written in PIC C. ☆199 · Updated 6 months ago
- AI-based Ludus range configuration builder ☆24 · Updated 3 months ago
- lib-nosa is a minimalist C library designed to facilitate socket connections through AFD driver IOCTL operations on Windows. ☆114 · Updated 11 months ago
- BSides Prishtina 2024 Malware Development and Persistence workshop ☆94 · Updated 3 months ago