Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
Updated Feb 1, 2026 - C++
Template-Driven AV/EDR Evasion Framework
Loader and dropper generator with multiple features for bypassing client-side and network-side countermeasures.
Multilayered AV/EDR Evasion Framework
Resources About Anti-Virus and Anti-Anti-Virus, including 200+ tools and 1300+ posts
An online AV evasion platform written in Spring Boot (Golang, Nim, C) that supports embedded, local and remote loading of shellcode.
AV-evading cross-platform backdoor and crypter framework with an integrated lightweight web UI.
AV bypass while you sip your Chai!
Two code samples that illustrate the difference between direct syscalls and indirect syscalls.
PoC exploit for the vulnerable WatchDog Anti-Malware driver (amsdk.sys) – weaponized to kill protected EDR/AV processes via BYOVD.
Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).
Artificially inflate a given binary to exceed common EDR file size limits. Can be used to bypass common EDR.
A simple and stealthy reverse shell written in Nim that bypasses Windows Defender detection. This tool allows you to establish a reverse shell connection with a target system. Use responsibly for educational purposes only.
ApexLdr is a DLL Payload Loader written in C
AutoPwnKey is a red teaming framework and testing tool using AutoHotKey (AHK), which at the time of creation proved to be quite evasive. It is our hope that this tool will be useful to red teams over the short term, while over the long term helping AV/EDR vendors improve how they handle AHK scripts.
Cobalt Strike BOF to freeze EDR/AV processes and dump LSASS using WerFaultSecure.exe PPL bypass
This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.
Proper ntdll .text section unhooking via the native API. Unlike other unhookers, this doesn't leave two copies of ntdll loaded. x86, x64 and WoW64 supported.
AV evasion by patching a benign ("white") file.
The provided Python program, Inject-EXE.py, allows you to combine a malicious executable with a legitimate executable, producing a single output executable. This output executable will contain both the malicious and legitimate executables.
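The two entries above about direct versus indirect syscalls (the "two code samples" repo and the Windows API, native API, direct syscall ladder) differ in one thing: where the `syscall` instruction executes. This added example, not code from any of the listed projects, shows that difference with a Linux x86-64/glibc analogue, because the Windows ntdll stubs cannot be built here. A direct stub embeds `syscall` in our own image, so no library code runs and a user-mode hook on the wrapper is never hit; the indirect variant loads the registers itself and then transfers control to the `0F 05` gadget inside glibc's `syscall()` wrapper, so the instruction executes from library text, the property a return-address or stack-walk check keys on. `direct_syscall3`, `indirect_syscall3`, `find_syscall_gadget` and `syscall_instruction_in_libc` are names chosen for this example; it assumes glibc (whose x86-64 wrapper ends in `syscall; cmp $-4095,%rax; jae error; ret`) and a compiler that accepts GNU inline assembly.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Direct syscall: the `syscall` instruction is in OUR image. Nothing in libc
 * (ntdll on Windows) executes, so a hook on the wrapper is never hit, but the
 * instruction, and therefore the return address the kernel sees, lies outside
 * the library that normally issues syscalls, which is the anomaly that
 * stack-walking EDR telemetry looks for. */
long direct_syscall3(long nr, long a1, long a2, long a3)
{
    long ret;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr), "D"(a1), "S"(a2), "d"(a3)
                      : "rcx", "r11", "memory");
    return ret;
}

/* Locate the `syscall` instruction (0F 05) inside glibc's syscall() wrapper.
 * Windows analogue: finding `syscall; ret` inside an ntdll stub. Assumption
 * (glibc): the wrapper is a short stub ending in
 * `syscall; cmp $-4095,%rax; jae error; ret`. */
const unsigned char *find_syscall_gadget(void)
{
    const unsigned char *p = dlsym(RTLD_DEFAULT, "syscall");
    if (!p)
        return NULL;
    for (size_t i = 0; i + 1 < 128; i++)
        if (p[i] == 0x0F && p[i + 1] == 0x05)
            return p + i;
    return NULL;
}

/* Indirect syscall: we load the registers ourselves (skipping whatever is
 * hooked at the wrapper's entry) but transfer control INTO libc so that the
 * `syscall` instruction executes from library text. On success the wrapper's
 * trailing `ret` brings us back; on error its errno path also ends in `ret`,
 * so the caller sees -1 with errno set, exactly like a normal libc call. */
long indirect_syscall3(long nr, long a1, long a2, long a3)
{
    const unsigned char *gadget = find_syscall_gadget();
    if (!gadget)
        return -1;
    long ret;
    /* Step over the 128-byte red zone before `call` pushes a return address. */
    __asm__ volatile ("subq $128, %%rsp\n\t"
                      "call *%[g]\n\t"
                      "addq $128, %%rsp"
                      : "=a"(ret)
                      : "a"(nr), "D"(a1), "S"(a2), "d"(a3), [g] "r"(gadget)
                      : "rcx", "r11", "memory");
    return ret;
}

/* Base address of the loaded object containing `addr` (NULL if unknown). */
static const void *module_base(const void *addr)
{
    Dl_info info;
    if (!dladdr(addr, &info))
        return NULL;
    return info.dli_fbase;
}

/* 1 if the `syscall` instruction that mode executes lives in libc, else 0.
 * Direct mode uses our own stub; indirect mode uses the gadget inside libc. */
int syscall_instruction_in_libc(int indirect)
{
    const void *libc = module_base(dlsym(RTLD_DEFAULT, "syscall"));
    const void *addr = indirect ? (const void *)find_syscall_gadget()
                                : (const void *)&direct_syscall3;
    return libc != NULL && addr != NULL && module_base(addr) == libc;
}

int main(void)
{
    long pid = (long)getpid();
    printf("libc getpid=%ld direct=%ld indirect=%ld\n", pid,
           direct_syscall3(SYS_getpid, 0, 0, 0),
           indirect_syscall3(SYS_getpid, 0, 0, 0));
    /* kill(self, 0) exercises argument passing; both return 0 on success. */
    printf("kill(self,0) direct=%ld indirect=%ld\n",
           direct_syscall3(SYS_kill, pid, 0, 0),
           indirect_syscall3(SYS_kill, pid, 0, 0));
    printf("syscall instruction in libc: direct=%d indirect=%d\n",
           syscall_instruction_in_libc(0), syscall_instruction_in_libc(1));
    return 0;
}
```

Build with `gcc -O2 syscalls.c -o syscalls` (add `-ldl` on glibc older than 2.34; the file name is this example's own). Both variants return the same values; the only observable difference is the module the `syscall` instruction executes from, which is what a return-address check or stack walk in an EDR keys on. The trade-off carries over to Windows unchanged: a direct stub avoids ntdll hooks but is itself the anomaly, while an indirect stub avoids the hooked prologue yet still issues the syscall from ntdll.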