vvswift/Bypass-Protection0x00

GitHub: vvswift/Bypass-Protection0x00

一份面向研究与教学场景的 EDR/AV 绕过技术集合,提供覆盖加载、注入、隐藏与反取证的多层次绕过方案。

Stars: 77 | Forks: 23

EDR & AV Bypass Arsenal

**用于绕过现代 EDR、AV 及其他防御机制的工具、补丁和技术的综合集合。** 本仓库中的所有工具都是一个持续增长的集合的一部分,如果可能的话,作者的联系方式会附在每个工具的内部。 本项目面向安全研究人员和学生。 ## 🚫 免责声明

[Overview Specifics]

Red Team EDR Bypass Rootkits Direct Syscalls HVNC Spyware Rootkits Direct Syscalls HVNC Spyware Spyware Rootkits

## 仓库结构 1️⃣ **Auto-Color** ``` Polymorphic obfuscation toolkit that uses color based encoding to evade static detection. ``` 2️⃣ **BypassAV** ``` Automated framework for disabling or bypassing Windows antivirus engines via API hooking and patching. ``` 3️⃣ **CallstackSpoofingPOC** ``` Proof-of-concept demonstrating call-stack spoofing techniques to defeat Control-Flow Integrity CFI. ``` 4️⃣ **DSC** ``` Driver Signature Check bypass module enabling the loading of unsigned kernel drivers on Windows. ``` 5️⃣ **EfiGuard** ``` Exploit for bypassing UEFI firmware protections and executing unauthorized code during boot. ``` 6️⃣ **ElfDoor-gcc** ``` Linux kernel module loader that injects unsigned ELF objects into kernel space to bypass module signing. ``` 7️⃣ **Hanshell** ``` Shellcode packer/loader with dynamic encryption and anti analysis features. ``` 8️⃣ **PPL-0day** ``` Proof-of-concept exploit targeting Windows Protected Process Light PPL to bypass PPL enforcement. ``` 9️⃣ **Shellcode-Injector** ``` Generic shellcode injection framework supporting reflective injection and process hollowing. ``` 1️⃣0️⃣ **Landrun** ``` Payload loader that leverages custom containerization techniques for stealth execution. ``` 1️⃣1️⃣ **Power-killEDR_AV** ``` Utility to terminate EDR/AV processes by exploiting high privilege system calls. ``` 1️⃣2️⃣ **Zapper** ``` Cleanup tool for erasing logs, disabling tamper protections, and removing forensic traces. ``` 1️⃣3️⃣ **APC-Injection** ``` Leverages Windows Asynchronous Procedure Calls to queue and execute arbitrary code in remote processes for stealthy injection. ``` 1️⃣4️⃣ **Bypass-EDR** ``` Collection of techniques and scripts to disable or evade common Endpoint Detection & Response platforms at runtime. ``` 1️⃣5️⃣ **Bypass-Smartscreen** ``` Implements methods to circumvent Windows SmartScreen application reputation checks and unknown publisher warnings. ``` 1️⃣6️⃣ **Google Script Proxy** ``` Command-and-control proxy using Google Apps Script to relay C2 traffic over Google infrastructure. ``` 1️⃣7️⃣ **PE-infector** ``` Injects custom shellcode or payloads into Portable Executable files, modifying headers and sections for stealthy distribution. ``` 1️⃣8️⃣ **PandaLoader** ``` Payload loader that uses API hooking and reflective techniques to hide code in protected or monitored processes. ``` 1️⃣9️⃣ **Shellcode-Loader** ``` Simple framework for allocating memory, writing shellcode, and invoking it via various injection primitives. ``` 2️⃣0️⃣ **Shellcode-Mutator** ``` Applies polymorphic transformations to raw shellcode encryption, encoding, padding to evade signature-based detection. ``` 2️⃣1️⃣ **el84_injector** ``` ELF injector for Linux: attaches to a running process and maps arbitrary ELF segments into its memory space for execution. ``` 2️⃣2️⃣ **AV\_Clean** ``` Set of scripts and utilities for removing antivirus traces: stops services, deletes files and registry keys, and rolls back changes. ``` 2️⃣3️⃣ **Byte** ``` ZIP-bomb generator that creates ultra compressed archives which expand into huge file sets to exhaust disk space, memory, or CPU resources. ``` 2️⃣4️⃣ **Cryptolib** ``` Common library of cryptographic primitives: encryption, hashing, and obfuscation routines for use in other tools. ``` 2️⃣5️⃣ **Dump** ``` Utility for dumping process and kernel memory including LSASS with support for compression and encryption of the output files. ``` 2️⃣6️⃣ **DVUEFI** ``` Educational platform and PoC suite for analyzing UEFI firmware vulnerabilities, with Secure Boot bypass techniques and integrity-check evasion. ``` 2️⃣7️⃣ **GenEDRBypass** ``` EDR-bypass generator: dynamically produces shellcode via msfvenom, applies XOR obfuscation, and includes anti-debug and anti-sandbox features. ``` 2️⃣8️⃣ **Morpheus** ``` Stealthy in-memory LSASS dumper: compresses memory dumps and exfiltrates them over obfuscated NTP style UDP packets secured with RC4 and error correction. ``` 2️⃣9️⃣ **SecureUxTheme** ``` Patch and loader for disabling signature checks in UxTheme.dll, allowing the installation of unsigned Windows themes. ``` 3️⃣0️⃣ **TripleCross** ``` Code injection framework leveraging COM objects to execute payloads in protected processes without direct API calls. ``` 3️⃣1️⃣ **UEFISecureBoot** ``` Scripts and PoCs for bypassing or disabling UEFI Secure Boot by chain-loading unsigned bootloaders and modifying firmware variables. ``` 3️⃣2️⃣ **Vulnerable** ``` Collection of intentionally vulnerable applications, drivers, and firmware images for practicing and demonstrating bypass techniques. ``` 3️⃣3️⃣ **elf-infector** ``` Linux ELF binary infector that injects custom shellcode into existing executables by modifying headers and segments for stealthy execution. ``` 3️⃣4️⃣ **gnu-efi** ``` Build scripts and headers for creating UEFI applications using GNU EFI, simplifying Secure Boot testing. ``` 3️⃣5️⃣ **injectAmsiBypass** ``` Beacon Object File and standalone module that dynamically patches AMSI in memory to bypass script-scanning defenses. ``` 3️⃣6️⃣ **kernel-callback** ``` Kernel mode injection primitive using Routine Callback, executing payloads in kernel context while bypassing user mode hooks. ``` 3️⃣7️⃣ **kernel-hardening-checker** ``` Windows PatchGuard auditor that inspects driver-signature settings and reports potential bypass attack vectors. ``` 3️⃣8️⃣ **lib** ``` Shared libraries and utilities for process management, injection primitives, and obfuscation methods used across multiple tools. ``` 3️⃣9️⃣ **mcuboot** ``` Reference bootloader for microcontrollers with firmware-signature verification and chain of trust support for embedded systems. ``` 4️⃣0️⃣ **phnt** ``` Header only collection of Windows NT API definitions and internal structures for low level system programming. ``` 4️⃣1️⃣ **redlotus** ``` Advanced in-memory loader with reflective loading and encrypted payload delivery to evade analysis. ``` 4️⃣2️⃣ **rootkit** ``` Kernel mode rootkit framework for hiding processes, inline hooking, and bypassing Event Tracing for Windows ETW on modern systems. ``` 4️⃣3️⃣ **scripts** ``` Helper scripts for building, deploying, and automating tools: compilation helpers and test C2 harnesses. ``` 4️⃣4️⃣ **shim** ``` Custom shim-DLL and loader mechanism to intercept application launches, patch imports, and bypass AppLocker/SmartScreen. ``` 4️⃣5️⃣ **Nimbus** ``` Contains a C# reflective-loader for .NET assemblies EXE/DLL that loads and immediately executes .NET applications in memory without creating temporary files on disk. ``` 4️⃣6️⃣ **Shellcode-Hide** ``` Set of tools for preparing and covertly executing shellcode on Windows, including loaders, encoders and encryptors ``` 4️⃣7️⃣ **Safari 1day RCE Exploit** ``` Exploit RCE vulnerability in WebKit/Safari running on certain versions of iOS and macOS. ``` 4️⃣8️⃣ **ReverseSocks5** ``` Tool for organizing a reverse SOCKS5 proxy. ``` 4️⃣9️⃣ **tsh-master** ``` Backdoor for Unix-like systems. ``` 5️⃣0️⃣ **Hunt-Sleeping-Beacons** ``` Callstack scanner which tries to identify IOCs indicating an unpacked or injected C2 agent. ``` 5️⃣1️⃣ **BitlockMove** ``` Lateral Movement via Bitlocker DCOM & COM Hijacking, PoC for Lateral Movement abuses the fact, that some COM Classes configured as INTERACTIVE USER will spawn a process in the context of the currently logged on users session. ``` 5️⃣2️⃣ **WatchDogKiller** ``` PoC accompanying technical write-up on the WatchDog Anti-Malware amsdk.sys BYOVD vulnerability. ``` 5️⃣3️⃣ **ZipKiller** ``` Tool written in Python 3 that uses the built-in zipfile module to perform dictionary and brute-force attacks on .zip archives. It is designed to be fast, efficient, and beginner-friendly for learning purposes. The tool supports saving and loading password lists from a configuration file, allowing users to manage their wordlists and reuse them easily during password cracking. ``` 5️⃣4️⃣ **Invisi-ShellHide** ``` Invisi-Shell bypasses all of Powershell security features (ScriptBlock logging, Module logging, Transcription, AMSI) by hooking .Net assemblies. The hook is performed via CLR Profiler API. ```
标签:DNS 反向解析, EDR绕过, 云资产清单, 免杀技术, 安全研究, 客户端加密, 暴力破解检测, 渗透测试, 红队工具, 逆向工程, 高交互蜜罐