Soumyani1's Projects
.NET config loader
I have documented all of the AMSI patches that I have learned so far.
My musings in C and offensive tooling
Blocks any process from opening a handle to your process; only SYSTEM is allowed to open a handle to it. With that you can avoid remote memory scanners that do not run as SYSTEM (a scanner running as SYSTEM or from the kernel is unaffected).
All the topics and concepts of C programming that I have learned so far. The things covered in this repo are all beginner-friendly.
C2 server to connect to a victim machine via reverse shell
PoC for a new sleep obfuscation technique leveraging waitable timers to evade memory scanners.
Improved version of Ekko by @5pider that encrypts only the image sections
Stealthy loader-cum-dropper/stage-1/stager targeting Windows 10
Indirect dynamic syscalls, with SSN and syscall-address resolution via address sorting (a modified TartarusGate approach); remote process injection via Early Bird APC; spawns a sacrificial process as the target and applies the ACG + BlockDLL mitigation policy to it; PPID spoofing; API resolution from the TIB; API hashing
A variant of Gargoyle for x64 that hides memory artifacts using only ROP and position-independent code (PIC)
All credit goes to @mgeeky
Detects Module Stomping as implemented by Cobalt Strike
DPAPI looting remotely in Python
ETW patches from user mode learned so far
Database of custom-made as well as publicly available stage-2 payloads (beacons or stageless payloads), used by loaders/stage-1/stagers, or for further use by a C2
Encrypting the heap while sleeping by hooking Sleep and replacing it with our own sleep routine that encrypts the heap
Shellcode Loader with memory evasion
Code used in this post https://captmeelo.com/redteam/maldev/2022/04/21/kernelcallbacktable-injection.html
Sleep obfuscation
I will be uploading all of the code which I created with the help of either open-source projects or blogs. This is a step-by-step EDR learning path for me.
A .NET OLE/COM viewer and inspector that merges the functionality of OleView and Test Container
Random code snippets, useful for getting started
A dropper PoC focused on aiding EDR evasion: NTDLL unhooking followed by loading an in-memory copy of ntdll that is embedded as shellcode (converted with pe2shc by @hasherezade). Payload encryption via the undocumented SystemFunction033 API, and no new thread is created because execution is handed over via a fiber.
A small Python script that prints the unsigned char representation of hooked underlying NT APIs (which are false positives), for use in C/C++