Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
-
Updated
Oct 6, 2024 - C++
Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
Template-Driven AV/EDR Evasion Framework
Loader, dropper generator with multiple features for bypassing client-side and network-side countermeasures.
Resources About Anti-Virus and Anti-Anti-Virus, including 200+ tools and 1300+ posts
An online AV evasion platform written in Springboot (Golang, Nim, C) supports embedded, local and remote loading of Shellocde methods.
Multilayered AV/EDR Evasion Framework
AV evading OSX Backdoor and Crypter Framework
AV bypass while you sip your Chai!
The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls
Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).
Artificially inflate a given binary to exceed common EDR file size limits. Can be used to bypass common EDR.
ApexLdr is a DLL Payload Loader written in C
A simple and stealthy reverse shell written in Nim that bypasses Windows Defender detection. This tool allows you to establish a reverse shell connection with a target system. Use responsibly for educational purposes only.
This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.
A CUSTOM CODED FUD DLL, CODED IN C , WHEN LOADED , VIA A DECOY WEB-DELIVERY MODULE( FIRING A DECOY PROGRAM), WILL GIVE A REVERSE SHELL (POWERSHELL) FROM THE VICTIM MACHINE TO THE ATTACKER CONSOLE , OVER LAN AND WAN.
A PERSISTENT FUD Backdoor ReverseShell coded in C for any Windows distro, that will make itself persistent on every BOOT and fire a decoy app in the foreground while connecting back to the attacker machine as a silent background process , spawning a POWERSHELL on the attacker machine.
The provided Python program, Inject-EXE.py, allows you to combine a malicious executable with a legitimate executable, producing a single output executable. This output executable will contain both the malicious and legitimate executables.
This POC provides the possibilty to execute x86 shellcode in form of a .bin file based on x86 inline assembly
Old 32 bit PE executable protector / crypter
Add a description, image, and links to the av-bypass topic page so that developers can more easily learn about it.
To associate your repository with the av-bypass topic, visit your repo's landing page and select "manage topics."