A Highly capable Pe Packer

Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".

Use hardware breakpoints to spoof the call stack for both syscalls and API calls

The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls

Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).

silence file system monitoring components by hooking their minifilters

This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.

Hidedump:a lsassdump tools that may bypass EDR

PoC arbitrary WPM without a process handle

NTAPI hook bypass with (semi) legit stack trace

Indirect Syscall invocation via thread hijacking

Custom binary file packer/encoder with integrated decoder stub. A pentest-tool for modern EDR evasion.

EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.