danafaye / WindowsAPIAbuseAtlasLinks
A living guide to lesser-known and evasive Windows API abuses used in malware, with practical reverse engineering notes, YARA detections, and behavioral indicators.
☆92Updated 3 months ago
Alternatives and similar repositories for WindowsAPIAbuseAtlas
Users that are interested in WindowsAPIAbuseAtlas are comparing it to the libraries listed below
Sorting:
- Slides & Code snippets for a workshop held @ x33fcon 2024☆282Updated last year
- ☆274Updated 3 years ago
- kernel callback removal (Bypassing EDR Detections)☆211Updated 2 months ago
- A proof of concept demonstrating the DLL-load proxying using undocumented Syscalls.☆408Updated 3 weeks ago
- A PoC of the ContainYourself research presented in DEFCON 31, which abuses the Windows containers framework to bypass EDRs.☆319Updated 2 years ago
- Waiting Thread Hijacking - injection by overwriting the return address of a waiting thread☆262Updated 5 months ago
- Collect Windows telemetry for Maldev☆455Updated last week
- Exploitation of process killer drivers☆201Updated 2 years ago
- The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls☆225Updated 2 years ago
- Injecting DLL into LSASS at boot☆156Updated 9 months ago
- Windows rootkit designed to work with BYOVD exploits☆214Updated last year
- This is the loader that supports running a program with Protected Process Light (PPL) protection functionality.☆294Updated 3 months ago
- Tools for analyzing EDR agents☆277Updated last year
- Proof of Concept for manipulating the Kernel Callback Table in the Process Environment Block (PEB) to perform process injection and hijac…☆269Updated last year
- A new technique that can be used to bypass memory scanners. This can be useful in hiding problematic code (such as reflective loaders imp…☆339Updated last year
- Two new offensive techniques using Windows Fibers: PoisonFiber (The first remote enumeration & Fiber injection capability POC tool) Phan…☆280Updated last year
- early cascade injection PoC based on Outflanks blog post☆236Updated last year
- My projects to understand malware development and detection. Use responsibly. I'm not responsible if you cause unauthorised damage to any…☆111Updated 7 months ago
- ☆180Updated 9 months ago
- Admin to Kernel code execution using the KSecDD driver☆264Updated last year
- A small program written in C that is designed to load 32/64-bit shellcode and allow for execution or debugging. Can also output PE files …☆169Updated last year
- EDRSandblast-GodFault☆271Updated 2 years ago
- Code execution/injection technique using DLL PEB module structure manipulation☆220Updated 8 months ago
- BSides Prishtina 2024 Malware Development and Persistence workshop☆124Updated last month
- Unprotect is a collaborative platform dedicated to uncovering and documenting malware evasion techniques. We invite you to join us in thi…☆203Updated 4 months ago
- a modified CONTEXT based ropchain to circumvent CFG-FindHiddenShellcode and EtwTi-FluctuationMonitor☆107Updated last year
- A vulnerable driver exploited by me (BYOVD) that is capable of terminating several EDRs and antivirus software in the market, rendering t…☆103Updated last year
- Hells Hollow Windows 11 Rootkit technique to Hook the SSDT via Alt Syscalls☆213Updated 5 months ago
- AppLocker-Based EDR Neutralization☆289Updated last month
- Zero EAT touch way to retrieve function addresses (GetProcAddress on steroids)☆144Updated last year