reveng007 / AMSI-patches-learned-till-now
I have documented all of the AMSI patches that I learned till now
☆75 · Nov 4, 2025 · Updated 3 months ago
Alternatives and similar repositories for AMSI-patches-learned-till-now
Users that are interested in AMSI-patches-learned-till-now are comparing it to the libraries listed below
- A C# tool to output crackable DPAPI hashes from user MasterKeys ☆140 · Sep 14, 2024 · Updated last year
- A collection of various and sundry code snippets that leverage .NET dynamic tradecraft ☆145 · May 18, 2024 · Updated last year
- Simple BOF to read the protection level of a process ☆118 · May 10, 2023 · Updated 2 years ago
- This novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by passing a random pop r32; ret … ☆260 · Apr 29, 2023 · Updated 2 years ago
- (no description) ☆160 · Mar 27, 2023 · Updated 2 years ago
- Patching AmsiOpenSession by forcing an error branching ☆154 · Aug 2, 2023 · Updated 2 years ago
- A proof of concept demonstrating the DLL-load proxying using undocumented Syscalls. ☆408 · Jan 11, 2026 · Updated last month
- BOF and C++ implementation of the Windows Defender sandboxing technique described by Elastic Security Labs/Gabriel Landau. ☆24 · Jul 5, 2023 · Updated 2 years ago
- A Dropper POC with a focus on aiding in EDR evasion, NTDLL Unhooking followed by loading ntdll in-memory, which is present as shellcode (… ☆180 · Feb 10, 2023 · Updated 3 years ago
- powershell script i wrote that can suspend an arbitrary process (with limits) ☆22 · Mar 26, 2023 · Updated 2 years ago
- A C# port from Invoke-GhostTask ☆119 · Jan 5, 2024 · Updated 2 years ago
- Abuse leaked token handles. ☆136 · Dec 14, 2023 · Updated 2 years ago
- BOF with Synthetic Stackframe ☆220 · Oct 30, 2025 · Updated 3 months ago
- Dropping a powershell script at %HOMEPATH%\Documents\WindowsPowershell\, that contains the implant's path, and whenever powershell pro… ☆85 · Aug 2, 2023 · Updated 2 years ago
- Abuse Impersonate Privilege from Service to SYSTEM like other potatoes do ☆400 · Feb 6, 2023 · Updated 3 years ago
- (no description) ☆225 · Oct 22, 2023 · Updated 2 years ago
- freeBokuLoader fork which targets and frees Metsrv's initial reflective DLL package ☆35 · Mar 28, 2023 · Updated 2 years ago
- The BackupOperatorToolkit contains different techniques allowing you to escalate from Backup Operator to Domain Admin ☆178 · Feb 14, 2023 · Updated 3 years ago
- This lightweight C# demo application showcases interactive remote shell access via named pipes and the SMB protocol. ☆122 · Feb 21, 2025 · Updated 11 months ago
- (no description) ☆83 · Nov 1, 2023 · Updated 2 years ago
- The code is a pingback to the Dark Vortex blog: ☆186 · Jan 26, 2023 · Updated 3 years ago
- A BOF that runs unmanaged PEs inline ☆678 · Oct 23, 2024 · Updated last year
- Basic implementation of Cobalt Strikes - User Defined Reflective Loader feature ☆101 · Feb 28, 2023 · Updated 2 years ago
- Your syscall factory ☆126 · Jan 13, 2026 · Updated last month
- Collection of Beacon Object Files (BOF) for Cobalt Strike ☆670 · Aug 15, 2025 · Updated 6 months ago
- A CobaltStrike toolkit to write files produced by Beacon to memory instead of disk ☆473 · Jul 6, 2024 · Updated last year
- Lifetime AMSI bypass ☆670 · Sep 26, 2023 · Updated 2 years ago
- Threadless Process Injection using remote function hooking. ☆809 · Sep 4, 2024 · Updated last year
- laZzzy is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques. ☆501 · Jan 10, 2023 · Updated 3 years ago
- Golang search engine scraper intended for identification of published ClickOnce deployments ☆93 · Nov 19, 2024 · Updated last year
- Execute a payload at each right click on a file/folder in the explorer menu for persistence ☆175 · Mar 15, 2023 · Updated 2 years ago
- Dynamically invoke arbitrary unmanaged code from managed code without P/Invoke. ☆168 · Jan 25, 2024 · Updated 2 years ago
- (no description) ☆301 · Oct 29, 2024 · Updated last year
- Utilizing TLS callbacks to execute a payload without spawning any threads in a remote process ☆286 · Jan 21, 2024 · Updated 2 years ago
- Porting of BOF InlineExecute-Assembly to load .NET assembly in process but with patchless AMSI and ETW bypass using hardware breakpoint. ☆273 · Apr 17, 2023 · Updated 2 years ago
- (no description) ☆47 · Feb 11, 2023 · Updated 3 years ago
- Bypass Userland EDR hooks by Loading Reflective Ntdll in memory from a remote server based on Windows ReleaseID to avoid opening a handle… ☆305 · Aug 2, 2023 · Updated 2 years ago
- Tool for playing with Windows Access Token manipulation. ☆83 · Nov 28, 2022 · Updated 3 years ago
- C# version of NTLMRawUnHide ☆72 · Oct 8, 2022 · Updated 3 years ago