Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".
C++ self-injecting dropper based on various EDR evasion techniques.
AppLocker-Based EDR Neutralization
RunPE implementation with multiple evasive techniques (2)
Generic PE loader for fast prototyping evasion techniques
The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls
Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).
Shellcode loader written in C and Assembly utilizing direct or indirect syscalls for evading EDR hooks
Cobalt Strike BOF to freeze EDR/AV processes and dump LSASS using WerFaultSecure.exe PPL bypass
A ring0 Loadable Kernel Module (Linux) for latest kernels 6.x
Tool for working with Indirect System Calls in Cobalt Strike's Beacon Object Files (BOF) using SysWhispers3 for EDR evasion
A Blind EDR Project for Educational Purposes
EDR & AV Bypass Arsenal — a comprehensive collection of tools, patches, and techniques for evading modern EDR and antivirus defenses.
This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.
Cobalt Strike Aggressor Script for identifying security products on Windows hosts — six enumeration methods rated by noise level, from silent in-process BOF to full PowerShell/WMI.
Indirect Syscall invocation via thread hijacking
Advanced shellcode loader with AES-256, EDR/AMSI/ETW bypass, indirect syscalls.
BadExclusions is a tool to identify custom or undocumented folder exclusions on AV/EDR
PoC arbitrary WPM without a process handle
I/O Cache-As-Ram + AMD x86_64 cache line locking | Mirror of https://codeberg.org/3itch/icekit