danafaye / WindowsAPIAbuseAtlasLinks
A living guide to lesser-known and evasive Windows API abuses used in malware, with practical reverse engineering notes, YARA detections, and behavioral indicators.
☆92Updated 3 months ago
Alternatives and similar repositories for WindowsAPIAbuseAtlas
Users that are interested in WindowsAPIAbuseAtlas are comparing it to the libraries listed below
Sorting:
- kernel callback removal (Bypassing EDR Detections)☆210Updated 2 months ago
- Slides & Code snippets for a workshop held @ x33fcon 2024☆282Updated last year
- ☆273Updated 3 years ago
- Collect Windows telemetry for Maldev☆454Updated 2 months ago
- The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls☆222Updated 2 years ago
- Injecting DLL into LSASS at boot☆156Updated 9 months ago
- My projects to understand malware development and detection. Use responsibly. I'm not responsible if you cause unauthorised damage to any…☆109Updated 7 months ago
- Windows rootkit designed to work with BYOVD exploits☆213Updated last year
- This is the loader that supports running a program with Protected Process Light (PPL) protection functionality.☆291Updated 3 months ago
- Unprotect is a collaborative platform dedicated to uncovering and documenting malware evasion techniques. We invite you to join us in thi…☆203Updated 4 months ago
- A proof of concept demonstrating the DLL-load proxying using undocumented Syscalls.☆407Updated 3 weeks ago
- Admin to Kernel code execution using the KSecDD driver☆263Updated last year
- A PoC of the ContainYourself research presented in DEFCON 31, which abuses the Windows containers framework to bypass EDRs.☆319Updated 2 years ago
- Two new offensive techniques using Windows Fibers: PoisonFiber (The first remote enumeration & Fiber injection capability POC tool) Phan…☆280Updated last year
- Exploitation of process killer drivers☆201Updated 2 years ago
- IoctlHunter is a command-line tool designed to simplify the analysis of IOCTL calls made by userland software targeting Windows drivers.☆105Updated 2 years ago
- A small program written in C that is designed to load 32/64-bit shellcode and allow for execution or debugging. Can also output PE files …☆167Updated last year
- Tools for analyzing EDR agents☆276Updated last year
- Waiting Thread Hijacking - injection by overwriting the return address of a waiting thread☆260Updated 5 months ago
- EDRSandblast-GodFault☆270Updated 2 years ago
- AppLocker-Based EDR Neutralization☆281Updated last month
- Code execution/injection technique using DLL PEB module structure manipulation☆220Updated 7 months ago
- Hijacking valid driver services to load arbitrary (signed) drivers abusing native symbolic links and NT paths☆358Updated last year
- Proof of Concept for manipulating the Kernel Callback Table in the Process Environment Block (PEB) to perform process injection and hijac…☆268Updated last year
- ☆163Updated 7 months ago
- early cascade injection PoC based on Outflanks blog post☆236Updated last year
- Hells Hollow Windows 11 Rootkit technique to Hook the SSDT via Alt Syscalls☆209Updated 5 months ago
- a modified CONTEXT based ropchain to circumvent CFG-FindHiddenShellcode and EtwTi-FluctuationMonitor☆107Updated last year
- This comprehensive and central repository is designed for cybersecurity enthusiasts, researchers, and professionals seeking to stay ahead…☆138Updated 8 months ago
- Activation Context Hijack☆169Updated 5 months ago