Stars
Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".
Quickly debug shellcode extracted during malware analysis
A tool that uses direct registry manipulation to create scheduled tasks without triggering the usual event logs.
The Grimoire Hypervisor solution for x86 processors with experimental nested virtualization support. A rewrite in Rust is in progress.
C++ self-injecting dropper based on various EDR evasion techniques.
Abuse the impersonate privilege (SeImpersonatePrivilege) to escalate from a service account to SYSTEM, like the other Potato tools do.
Encrypted shellcode injection to evade kernel-triggered memory scans.
A variant of Gargoyle for x64 that hides memory artifacts using only ROP and position-independent code (PIC).
A proof of concept demonstrating DLL-load proxying using undocumented syscalls.
Emulate drivers in ring 3 using self context mapping or Unicorn.
OffensivePH - use an old Process Hacker driver to bypass several user-mode access controls.
A novel way of using NtQueueApcThreadEx for stealthy code injection: abuse the ApcRoutine and SystemArgument[0-3] parameters by passing a random pop r32; ret gadget as the APC routine.
Execute shellcode from a remotely hosted .bin file using WinHTTP.
PoC tool to convert Cobalt Strike BOF files to raw shellcode.
Proof-of-concept code for Bring Your Own Vulnerable Driver (BYOVD) techniques.
Hide processes, ports, and the module itself under Linux using LD_PRELOAD.
A Beacon Object File (BOF) for Havoc/Cobalt Strike to bypass PPL and dump LSASS.
WPTaskScheduler RPC persistence & CVE-2024-49039 via Task Scheduler.