Modern security products (CrowdStrike, Bitdefender, SentinelOne, etc.) hook the nLoadImage function inside clr.dll to intercept and scan in-memory .NET assembly loads. This tool unhooks that function.
☆206 Dec 8, 2025 Updated 2 months ago
Alternatives and similar repositories for CLR-Unhook
Users that are interested in CLR-Unhook are comparing it to the libraries listed below
- a demo module for the kaine agent to execute and inject assembly modules ☆41 Aug 28, 2024 Updated last year
- Lateral Movement via Bitlocker DCOM interfaces & COM Hijacking ☆438 Jun 27, 2025 Updated 8 months ago
- Some stuff for PHD2021 ☆14 May 21, 2025 Updated 9 months ago
- Bypass user-land hooks by syscall tampering via the Trap Flag ☆138 Aug 25, 2025 Updated 6 months ago
- Locate dlls and function addresses without PEB Walk and EAT parsing ☆105 Nov 7, 2025 Updated 3 months ago
- SharpExShell automates the DCOM lateral movement technique which abuses ActivateMicrosoftApp method of Excel application. ☆75 May 1, 2024 Updated last year
- Usermode NT Explorer - Query kernel addresses, translate virtual to physical addresses, inspect the PFN database, and more. ☆72 Jan 27, 2026 Updated last month
- Using Chromium-based browsers as a proxy for C2 traffic. ☆146 Dec 6, 2025 Updated 3 months ago
- A Patchless AMSI Bypass Technique using VEH² ☆30 Jun 22, 2025 Updated 8 months ago
- BOF that finds all the Nt* system call stubs within NTDLL and overwrites with clean syscall stubs (user land hook evasion) ☆195 Feb 6, 2025 Updated last year
- Prevent in-process process termination by patching exit APIs ☆63 Nov 9, 2025 Updated 3 months ago
- Curated list of public Beacon Object Files (BOFs) built in as submodules for easy cloning ☆137 Dec 7, 2025 Updated 3 months ago
- Another version of .NET loader provides capabilities of bypassing ETW and AMSI, utilizing VEH for syscalls and loading .NET assemblies ☆50 Jul 6, 2025 Updated 8 months ago
- COM-based DLL Surrogate Injection ☆142 Dec 9, 2025 Updated 2 months ago
- A runtime for developing large-scale and complex shellcode. ☆22 Updated this week
- AppLocker-Based EDR Neutralization ☆323 Dec 19, 2025 Updated 2 months ago
- Indirect Syscall implementation to bypass userland NTAPIs hooking. ☆85 Aug 13, 2024 Updated last year
- Find jmp gadgets for call stack spoofing. ☆75 Oct 1, 2025 Updated 5 months ago
- Sleep obfuscation ☆268 Dec 13, 2024 Updated last year
- Two tools written in C that block network traffic for blacklisted EDR processes, using either Windows Defender Firewall (WDF) or Windows … ☆264 Sep 23, 2025 Updated 5 months ago
- A hacky way of getting cross-arch/platform support in Cobalt Strike ☆37 Aug 31, 2025 Updated 6 months ago
- Lateral Movement Bof with MSI ODBC Driver Install ☆145 Sep 30, 2025 Updated 5 months ago
- EDR-Freeze is a tool that puts a process of EDR, AntiMalware into a coma state. ☆807 Nov 1, 2025 Updated 4 months ago
- Evasive shellcode loader ☆401 Oct 17, 2024 Updated last year
- Boilerplate to develop raw and truly Position Independent Code (PIC). ☆117 Jan 20, 2025 Updated last year
- Bypasses AMSI protection through remote memory patching and parsing technique. ☆54 May 12, 2025 Updated 9 months ago
- A proof of concept AMSI & ETW bypass using trampolines for hooking and modifying execution flow ☆18 Jun 26, 2025 Updated 8 months ago
- "Service-less" driver loading ☆184 Nov 28, 2024 Updated last year
- Lateral Movement via the .NET Profiler ☆100 Nov 21, 2024 Updated last year
- The ADSyncDump BOF is a port of Dirk-Jan Mollema's adconnectdump.py / ADSyncDecrypt into a Beacon Object File (BOF) with zero dependencie… ☆171 Sep 3, 2025 Updated 6 months ago
- A basic C2 framework written in C ☆59 Jul 7, 2024 Updated last year
- A unique introduction to native runtime obfuscation. ☆75 Mar 2, 2025 Updated last year
- Open Source Implementation of Cobalt Strike's Malleable C2 ☆94 Jan 27, 2026 Updated last month
- Yet another shellcode loader - but a sneaky one ☆25 Apr 16, 2025 Updated 10 months ago
- Cobaltstrike Reflective Loader with Synthetic Stackframe ☆186 Jan 17, 2026 Updated last month
- Gain insights into MS-RPC implementations that may be vulnerable using an automated approach and make it easy to visualize the data. By f… ☆326 Oct 20, 2025 Updated 4 months ago
- MIPS VM to execute payloads without allocating executable memory. Based on a PlayStation 1 (PSX) Emulator. ☆125 Dec 6, 2024 Updated last year
- Stack Spoofing with Synthetic frames based on the work of namazso, SilentMoonWalk, and VulcanRaven ☆263 Oct 16, 2024 Updated last year
- A BOF that's a BOF Loader and more ☆199 Jan 17, 2026 Updated last month