Alternatives and similar repositories for FalconEye

Users that are interested in FalconEye are comparing it to the libraries listed below

• jthuraisamy / TelemetrySourcerer

  View on GitHub
  Enumerate and disable common sources of telemetry used by AV/EDR.
  ☆819Mar 11, 2021Updated 4 years ago
• DownWithUp / DynamicKernelShellcode

  View on GitHub
  An example of how x64 kernel shellcode can dynamically find and use APIs
  ☆104May 14, 2020Updated 5 years ago
• lawiet47 / STFUEDR

  View on GitHub
  Silence EDRs by removing kernel callbacks
  ☆239Dec 7, 2020Updated 5 years ago
• hugsy / CFB

  View on GitHub
  CFB is a ProcMon-style tool designed to assist capturing IRPs sent to Windows drivers.
  ☆333Mar 26, 2024Updated last year
• kkent030315 / PageTableInjection

  View on GitHub
  Code Injection, Inject malicious payload via pagetables pml4.
  ☆242Jul 7, 2021Updated 4 years ago
• aaaddress1 / wowGrail

  View on GitHub
  PoC: Rebuild A New Path Back to the Heaven's Gate (HITB 2021)
  ☆109May 27, 2021Updated 4 years ago
• SafeBreach-Labs / pinjectra

  View on GitHub
  Pinjectra is a C/C++ OOP-like library that implements Process Injection techniques (with focus on Windows 10 64-bit)
  ☆824Mar 10, 2022Updated 3 years ago
• jxy-s / herpaderping

  View on GitHub
  Process Herpaderping proof of concept, tool, and technical deep dive. Process Herpaderping bypasses security products by obscuring the in…
  ☆1,182Jul 5, 2023Updated 2 years ago
• aaaddress1 / wowInjector

  View on GitHub
  PoC: Exploit 32-bit Thread Snapshot of WOW64 to Take Over $RIP & Inject & Bypass Antivirus HIPS (HITB 2021)
  ☆167May 27, 2021Updated 4 years ago
• med0x2e / SigFlip

  View on GitHub
  SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys ..etc) without invalidating or breaking the existing signature…
  ☆1,253Aug 27, 2023Updated 2 years ago
• xuanxuan0 / TiEtwAgent

  View on GitHub
  PoC memory injection detection agent based on ETW, for offensive and defensive research purposes
  ☆298Apr 10, 2021Updated 4 years ago
• outflanknl / TamperETW

  View on GitHub
  PoC to demonstrate how CLR ETW events can be tampered.
  ☆192Mar 26, 2020Updated 5 years ago
• optiv / Dent

  View on GitHub
  A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors.
  ☆297Aug 18, 2023Updated 2 years ago
• 3lp4tr0n / BeaconHunter

  View on GitHub
  Detect and respond to Cobalt Strike beacons using ETW.
  ☆520Jul 15, 2022Updated 3 years ago
• mgeeky / UnhookMe

  View on GitHub
  UnhookMe is an universal Windows API resolver & unhooker addressing problem of invoking unmonitored system calls from within of your Red …
  ☆349Jul 3, 2022Updated 3 years ago
• redplait / pexphide

  View on GitHub
  PoC for hiding PE exports
  ☆67Dec 19, 2020Updated 5 years ago
• joe-desimone / patriot

  View on GitHub
  ☆153Jul 31, 2022Updated 3 years ago
• hasherezade / process_ghosting

  View on GitHub
  Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted fi…
  ☆682Mar 11, 2024Updated last year
• thefLink / DeepSleep

  View on GitHub
  A variant of Gargoyle for x64 to hide memory artifacts using ROP only and PIC
  ☆373May 24, 2022Updated 3 years ago
• Mr-Un1k0d3r / EDRs

  View on GitHub
  ☆2,169Feb 21, 2023Updated 2 years ago
• d35ha / CallObfuscator

  View on GitHub
  Obfuscate specific windows apis with different apis
  ☆1,021Feb 21, 2021Updated 4 years ago
• airbus-cert / etwbreaker

  View on GitHub
  An IDA plugin to deal with Event Tracing for Windows (ETW)
  ☆55Jul 8, 2022Updated 3 years ago
• Cr4sh / KernelForge

  View on GitHub
  A library to develop kernel level Windows payloads for post HVCI era
  ☆483May 18, 2021Updated 4 years ago
• jdu2600 / Windows10EtwEvents

  View on GitHub
  Events from all manifest-based and mof-based ETW providers across Windows 10 versions
  ☆329May 2, 2024Updated last year
• 0xpat / COFFInjector

  View on GitHub
  PoC MSVC COFF Object file loader/injector.
  ☆185Mar 19, 2021Updated 4 years ago
• nccgroup / DetectWindowsCopyOnWriteForAPI

  View on GitHub
  Enumerate various traits from Windows processes as an aid to threat hunting
  ☆202Jan 13, 2022Updated 4 years ago
• hasherezade / transacted_hollowing

  View on GitHub
  Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging
  ☆581Mar 8, 2024Updated last year
• jthuraisamy / SysWhispers2

  View on GitHub
  AV/EDR evasion via direct system calls.
  ☆1,789Sep 3, 2022Updated 3 years ago
• pathtofile / Sealighter

  View on GitHub
  Sysmon-Like research tool for ETW
  ☆384Nov 15, 2022Updated 3 years ago
• LloydLabs / delete-self-poc

  View on GitHub
  A way to delete a locked file, or current running executable, on disk.
  ☆616Nov 5, 2025Updated 3 months ago
• bats3c / DarkLoadLibrary

  View on GitHub
  LoadLibrary for offensive operations
  ☆1,174Oct 22, 2021Updated 4 years ago
• hlldz / RefleXXion

  View on GitHub
  RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks, …
  ☆502Jan 25, 2022Updated 4 years ago
• airbus-cert / Winshark

  View on GitHub
  A wireshark plugin to instrument ETW
  ☆579Jan 28, 2022Updated 4 years ago
• zeroperil / HookDump

  View on GitHub
  Security product hook detection
  ☆323Mar 30, 2021Updated 4 years ago
• OG-Sadpanda / SharpExcelibur

  View on GitHub
  Read Excel Spreadsheets (XLS/XLSX) using Cobalt Strike's Execute-Assembly
  ☆90Sep 30, 2024Updated last year
• repnz / apc-research

  View on GitHub
  APC Internals Research Code
  ☆167Jun 28, 2020Updated 5 years ago
• mandiant / speakeasy

  View on GitHub
  Windows kernel and user mode emulation.
  ☆1,841Feb 4, 2026Updated last week
• itm4n / PPLdump

  View on GitHub
  Dump the memory of a PPL with a userland exploit
  ☆891Jul 24, 2022Updated 3 years ago
• br-sn / CheekyBlinder

  View on GitHub
  Enumerating and removing kernel callbacks using signed vulnerable drivers
  ☆587Jan 24, 2023Updated 3 years ago