danafaye / WindowsAPIAbuseAtlas
A living guide to lesser-known and evasive Windows API abuses used in malware, with practical reverse engineering notes, YARA detections, and behavioral indicators.
☆87 · Updated last month
Alternatives and similar repositories for WindowsAPIAbuseAtlas
Users who are interested in WindowsAPIAbuseAtlas are comparing it to the repositories listed below.
- Kernel callback removal (bypassing EDR detections) ☆206 · Updated last month
- Slides & code snippets for a workshop held @ x33fcon 2024 ☆275 · Updated last year
- ☆268 · Updated 2 years ago
- A PoC of the ContainYourself research presented at DEF CON 31, which abuses the Windows containers framework to bypass EDRs. ☆318 · Updated 2 years ago
- Injecting a DLL into LSASS at boot ☆155 · Updated 7 months ago
- ☆159 · Updated last year
- Windows rootkit designed to work with BYOVD exploits ☆211 · Updated 11 months ago
- ☆180 · Updated 7 months ago
- Two new offensive techniques using Windows Fibers: PoisonFiber (the first remote enumeration & Fiber injection capability POC tool) Phan… ☆277 · Updated last year
- A proof of concept demonstrating DLL-load proxying using undocumented syscalls. ☆362 · Updated 10 months ago
- Code execution/injection technique using DLL PEB module structure manipulation ☆217 · Updated 6 months ago
- EDRSandblast-GodFault ☆269 · Updated 2 years ago
- "Service-less" driver loading ☆166 · Updated last year
- IoctlHunter is a command-line tool designed to simplify the analysis of IOCTL calls made by userland software targeting Windows drivers. ☆105 · Updated last year
- Tools for analyzing EDR agents ☆272 · Updated last year
- Waiting Thread Hijacking: injection by overwriting the return address of a waiting thread ☆257 · Updated 3 months ago
- A new technique that can be used to bypass memory scanners. This can be useful in hiding problematic code (such as reflective loaders imp… ☆334 · Updated last year
- Collect Windows telemetry for maldev ☆445 · Updated last month
- MIPS VM to execute payloads without allocating executable memory. Based on a PlayStation 1 (PSX) emulator. ☆121 · Updated last year
- Hells Hollow: Windows 11 rootkit technique to hook the SSDT via Alt Syscalls ☆206 · Updated 3 months ago
- Exploitation of process killer drivers ☆201 · Updated 2 years ago
- Simple POC library to execute arbitrary calls by proxying them via NdrServerCall2 or similar ☆135 · Updated last year
- Early cascade injection PoC based on Outflank's blog post ☆234 · Updated last year
- The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls ☆219 · Updated last year
- Proof of concept code for Bring Your Own Vulnerable Driver techniques ☆198 · Updated 3 months ago
- Admin-to-kernel code execution using the KSecDD driver ☆260 · Updated last year
- A loader that supports running a program with Protected Process Light (PPL) protection. ☆285 · Updated last month
- Proof of concept for manipulating the Kernel Callback Table in the Process Environment Block (PEB) to perform process injection and hijac… ☆264 · Updated last year
- A modified CONTEXT-based ROP chain to circumvent CFG-FindHiddenShellcode and EtwTi-FluctuationMonitor ☆106 · Updated last year
- Activation Context Hijack ☆169 · Updated 4 months ago