EDR Lab for Experimentation Purposes
Updated Nov 9, 2025 - C++
An Active Defense and EDR software to empower Blue Teams
Evasive shellcode loader for bypassing event-based injection detection (PoC)
Enumerate and disable common sources of telemetry used by AV/EDR.
iMonitor (Ice Mirror - Endpoint Behavior Analysis System)
The world's most powerful System Activity Monitor Engine · A powerful endpoint behavior collection and defense development kit, designed to help endpoint security software such as EDR, zero trust, data security and audit control products implement their features quickly without having to handle the development, maintenance and compatibility of the underlying driver, so that they can focus on their own business logic.
Hades HIDS/HIPS for Windows
kernel callback removal (Bypassing EDR Detections)
PoC exploit for the vulnerable WatchDog Anti-Malware driver (amsdk.sys) – weaponized to kill protected EDR/AV processes via BYOVD.
This script is used to bypass DLL hooking using a freshly mapped copy of the ntdll file, patch ETW, and trigger shellcode with process hollowing
A generic detection engine (.lib) for Windows which uses downloadable custom rulesets to detect & block processes. Can be used in anti-virus, anti-cheat, anti-crypto mining, etc.
Misery Loader to bypass modern EDR solutions
Repository to publish your evasion techniques and contribute to the project
Greathelm is a modular Windows security service focused on process inspection, PowerShell telemetry, and automated response enforcement. It's built entirely in C++ and designed for minimal dependencies and direct API usage.
iMonitor (Ice Mirror Endpoint Behavior Analysis System), the world's most powerful System Activity Monitor Engine
🚀 Suspend EDR and antivirus processes easily with EDR-Freeze, a user-mode tool that bypasses complex driver vulnerabilities on Windows.