I have documented all of the AMSI patches that I learned till now
☆73Nov 4, 2025Updated 4 months ago
Alternatives and similar repositories for AMSI-patches-learned-till-now
Users that are interested in AMSI-patches-learned-till-now are comparing it to the libraries listed below
Sorting:
- BOF and C++ implementation of the Windows Defender sandboxing technique described by Elastic Security Labs/Gabriel Landau.☆24Jul 5, 2023Updated 2 years ago
- A C# tool to output crackable DPAPI hashes from user MasterKeys☆140Sep 14, 2024Updated last year
- This novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by passing a random pop r32; ret …☆263Apr 29, 2023Updated 2 years ago
- Patching AmsiOpenSession by forcing an error branching☆154Aug 2, 2023Updated 2 years ago
- A Dropper POC with a focus on aiding in EDR evasion, NTDLL Unhooking followed by loading ntdll in-memory, which is present as shellcode (…☆180Feb 10, 2023Updated 3 years ago
- ☆176Mar 27, 2023Updated 2 years ago
- Simple BOF to read the protection level of a process☆119May 10, 2023Updated 2 years ago
- A proof of concept demonstrating the DLL-load proxying using undocumented Syscalls.☆412Jan 11, 2026Updated 2 months ago
- A collection of various and sundry code snippets that leverage .NET dynamic tradecraft☆145May 18, 2024Updated last year
- freeBokuLoader fork which targets and frees Metsrv's initial reflective DLL package☆35Mar 28, 2023Updated 2 years ago
- Lifetime AMSI bypass☆671Sep 26, 2023Updated 2 years ago
- Self delete DLL (2)☆14Feb 15, 2024Updated 2 years ago
- Abuse Impersonate Privilege from Service to SYSTEM like other potatoes do☆402Feb 6, 2023Updated 3 years ago
- powershell script i wrote that can suspend an arbitrary process (with limits)☆22Mar 26, 2023Updated 2 years ago
- Abuse leaked token handles.☆136Dec 14, 2023Updated 2 years ago
- Dropping a powershell script at %HOMEPATH%\Documents\WindowsPowershell\ , that contains the implant's path , and whenever powershell pro…☆85Aug 2, 2023Updated 2 years ago
- A C# port from Invoke-GhostTask☆120Jan 5, 2024Updated 2 years ago
- BOF implementation of @_EthicalChaos_'s ThreadlessInject project. A novel process injection technique with no thread creation, released a…☆395Jan 9, 2024Updated 2 years ago
- Collection of Beacon Object Files (BOF) for Cobalt Strike☆680Aug 15, 2025Updated 7 months ago
- HWSyscalls is a new method to execute indirect syscalls using HWBP, HalosGate and a synthetic trampoline on kernel32 with HWBP.☆719Jul 19, 2023Updated 2 years ago
- Utilizng an MCP Server to communicate with your C2☆86May 15, 2025Updated 10 months ago
- BOF with Synthetic Stackframe☆233Oct 30, 2025Updated 4 months ago
- This lightweight C# demo application showcases interactive remote shell access via named pipes and the SMB protocol.☆122Feb 21, 2025Updated last year
- ☆83Nov 1, 2023Updated 2 years ago
- Alternative Shellcode Execution Via Callbacks in C# with P/Invoke☆85Feb 26, 2023Updated 3 years ago
- The code is a pingback to the Dark Vortex blog:☆186Jan 26, 2023Updated 3 years ago
- A CobaltStrike toolkit to write files produced by Beacon to memory instead of disk☆473Jul 6, 2024Updated last year
- Execute a payload at each right click on a file/folder in the explorer menu for persistence☆175Mar 15, 2023Updated 3 years ago
- A BOF that runs unmanaged PEs inline☆683Oct 23, 2024Updated last year
- laZzzy is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques.☆501Jan 10, 2023Updated 3 years ago
- The BackupOperatorToolkit contains different techniques allowing you to escalate from Backup Operator to Domain Admin☆180Feb 14, 2023Updated 3 years ago
- ☆48Feb 11, 2023Updated 3 years ago
- Basic implementation of Cobalt Strikes - User Defined Reflective Loader feature☆101Feb 28, 2023Updated 3 years ago
- Implementation of Advanced Module Stomping and Heap/Stack Encryption☆225Jul 25, 2023Updated 2 years ago
- ☆224Oct 22, 2023Updated 2 years ago
- ☆128Jun 28, 2023Updated 2 years ago
- Threadless Process Injection using remote function hooking.☆810Sep 4, 2024Updated last year
- different ntdll unhooking techniques : unhooking ntdll from disk, from KnownDlls, from suspended process, from remote server (fileless)☆203Aug 2, 2023Updated 2 years ago
- ETW based POC to identify direct and indirect syscalls☆189Apr 19, 2023Updated 2 years ago