Pinned Repositories
Conference-Slides
Create-Thread-Shellcode-Fetcher
This POC gives you the possibility to compile a .exe to completely avoid statically detection by AV/EPP/EDR of your C2-shellcode and download and execute your C2-shellcode which is hosted on your (C2)-webserver.
Create_Thread_Inline_Assembly_x86
This POC provides the possibilty to execute x86 shellcode in form of a .bin file based on x86 inline assembly
DEFCON-31-Syscalls-Workshop
Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".
Direct-Syscalls-A-journey-from-high-to-low
Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).
Direct-Syscalls-vs-Indirect-Syscalls
The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls
DSC_SVC_REMOTE
This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.
Payload-Download-Cradles
This are different types of download cradles which should be an inspiration to play and create new download cradles to bypass AV/EPP/EDR in context of download cradle detections.
Shell-we-Assembly
Shellcode execution via x86 inline assembly based on MSVC syntax
Taskschedule-Persistence-Download-Cradles
Depending on the AV/EPP/EDR creating a Taskschedule Job with a default cradle is often flagged
VirtualAlllocEx's Repositories
VirtualAlllocEx/DEFCON-31-Syscalls-Workshop
Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".
VirtualAlllocEx/Payload-Download-Cradles
This are different types of download cradles which should be an inspiration to play and create new download cradles to bypass AV/EPP/EDR in context of download cradle detections.
VirtualAlllocEx/Create-Thread-Shellcode-Fetcher
This POC gives you the possibility to compile a .exe to completely avoid statically detection by AV/EPP/EDR of your C2-shellcode and download and execute your C2-shellcode which is hosted on your (C2)-webserver.
VirtualAlllocEx/Direct-Syscalls-vs-Indirect-Syscalls
The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls
VirtualAlllocEx/Direct-Syscalls-A-journey-from-high-to-low
Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).
VirtualAlllocEx/Taskschedule-Persistence-Download-Cradles
Depending on the AV/EPP/EDR creating a Taskschedule Job with a default cradle is often flagged
VirtualAlllocEx/DSC_SVC_REMOTE
This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.
VirtualAlllocEx/Create_Thread_Inline_Assembly_x86
This POC provides the possibilty to execute x86 shellcode in form of a .bin file based on x86 inline assembly
VirtualAlllocEx/Shell-we-Assembly
Shellcode execution via x86 inline assembly based on MSVC syntax
VirtualAlllocEx/Conference-Slides
VirtualAlllocEx/Create_Thread-Inline_Assembly_x86_Fibers
This POC provides the ability to execute x86 shellcode in the form of a .bin file based on x86 inline assembly and execution over fibers
VirtualAlllocEx/UnlinkDLL
DLL Unlinking from InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList, and LdrpHashTable
VirtualAlllocEx/CallstackSpoofingPOC
C++ self-Injecting dropper based on various EDR evasion techniques.
VirtualAlllocEx/OSCP-Tricks-2023
OSCP 2023 Preparation Guide | Courses, Tricks, Tutorials, Exercises, Machines
VirtualAlllocEx/WinMalDev
Various methods of executing shellcode
VirtualAlllocEx/EDR-Preloader
An EDR bypass that prevents EDRs from hooking or loading DLLs into our process by hijacking the AppVerifier layer
VirtualAlllocEx/NtRemoteLoad
Remote Shellcode Injector
VirtualAlllocEx/Blindside
Utilizing hardware breakpoints to evade monitoring by Endpoint Detection and Response platforms
VirtualAlllocEx/Conferences_OtterHacker
VirtualAlllocEx/NovaLdr
Threadless Module Stomping In Rust with some features (In memory of those murdered in the Nova party massacre)
VirtualAlllocEx/SysWhispers3
SysWhispers on Steroids - AV/EDR evasion via direct system calls.
VirtualAlllocEx/HWSyscalls
HWSyscalls is a new method to execute indirect syscalls using HWBP, HalosGate and a synthetic trampoline on kernel32 with HWBP.
VirtualAlllocEx/learning-malware-analysis
This repository contains sample programs that mimick behavior found in real-world malware. The goal is to provide source code that can be compiled and used for learning purposes, without having to worry about handling live malware.
VirtualAlllocEx/learning-reverse-engineering
This repository contains sample programs written primarily in C and C++ for learning native code reverse engineering.
VirtualAlllocEx/Messagebox-Test
VirtualAlllocEx/Tartarus-TpAllocInject
VirtualAlllocEx/Windows-Local-Privilege-Escalation-Cookbook
Windows Local Privilege Escalation Cookbook
VirtualAlllocEx/HadesLdr
Shellcode Loader Implementing Indirect Dynamic Syscall , API Hashing, Fileless Shellcode retrieving using Winsock2
VirtualAlllocEx/Jomungand
Shellcode Loader with memory evasion
VirtualAlllocEx/Voidgate
A technique that can be used to bypass AV/EDR memory scanners. This can be used to hide well-known and detected shellcodes (such as msfvenom) by performing on-the-fly decryption of individual encrypted assembly instructions, thus rendering memory scanners useless for that specific memory page.