- C# unhookers
- [SharpUnhooker](https://github.com/GetRektBoy724/SharpUnhooker)
- https://github.com/0xNinjaCyclone/IATUnhooker
- https://github.com/abdallah-elsharif/UnhookImportAddrTable
- https://github.com/mgeeky/UnhookMe/tree/master
- https://github.com/S3cur3Th1sSh1t/SharpUnhooker/tree/main/SharpUnhooker
- https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-1.html
- https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-2.html
- https://www.youtube.com/watch?v=4fcjd2-KUVM
- https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++
- https://www.ired.team/offensive-security/code-injection-process-injection/api-monitoring-and-hooking-for-offensive-tooling
- https://www.ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis
- https://github.com/mgeeky/ShellcodeFluctuation
- https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++
- https://github.com/CCob/MinHook.NET
- https://github.com/CCob/SharpBlock
- https://github.com/ars3n11/MineSweeper
- Links
- https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware
- https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection
- https://github.com/embee-research/APIHashReplace
- https://github.com/helpsystems/nanodump/blob/main/scripts/randomize_sw2_seed.py
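API hashing, the subject of the links above, resolves exports by comparing a hash of each export name against a constant embedded in the shellcode; that is why the Metasploit/Cobalt Strike ROR13 constants double as detection signatures, and why nanodump and similar tooling randomise a seed per build. The C program below is an added example, not code from any project linked here. It reproduces the block_api ROR13 scheme (upper-cased UTF-16LE module name including its two-byte terminator, plus the ASCII export name including its NUL, summed mod 2^32), confirms the published 0x0726774C value for kernel32.dll!LoadLibraryA, resolves a hash against a constructed export-name table standing in for the module's export directory, and shows how seeding changes every constant while leaving resolution intact. Seeding by initial hash value is one scheme chosen for the demo; it is an assumption, not necessarily what any linked tool does.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>

/* ROR13 string hash as used by the Metasploit block_api stub: for each byte,
 * rotate the running hash right by 13 and add the byte.  `seed` is the initial
 * hash value; 0 reproduces the classic published constants, anything else
 * yields a hash set that signature rules do not know (assumption: seeding by
 * initial value is just one of several randomisation schemes in use). */
static uint32_t ror13_hash(const uint8_t *data, size_t len, uint32_t seed)
{
    uint32_t h = seed;
    for (size_t i = 0; i < len; i++) {
        h = (h >> 13) | (h << 19);
        h += data[i];
    }
    return h;
}

/* block_api hash of one export: the module's BaseDllName is hashed as
 * upper-cased UTF-16LE including its terminator, the export name as ASCII
 * including its NUL, and the two hashes are summed mod 2^32. */
uint32_t block_api_hash(const char *module, const char *func, uint32_t seed)
{
    uint8_t wide[2 * 64];                   /* UTF-16LE module name + terminator */
    size_t n = 0;
    for (; module[n] && n < 63; n++) {
        wide[2 * n]     = (uint8_t)toupper((unsigned char)module[n]);
        wide[2 * n + 1] = 0;
    }
    wide[2 * n] = 0;
    wide[2 * n + 1] = 0;                    /* two-byte UNICODE_STRING terminator */
    uint32_t mod_hash  = ror13_hash(wide, 2 * (n + 1), seed);
    uint32_t func_hash = ror13_hash((const uint8_t *)func, strlen(func) + 1, seed);
    return mod_hash + func_hash;
}

/* Walk an export-name table for the entry whose hash equals `target`.  On
 * Windows this loop runs over AddressOfNames in the export directory; here
 * `names` is a constructed array standing in for it.  Returns the index or -1. */
int resolve_by_hash(const char *module, const char *const *names, size_t count,
                    uint32_t target, uint32_t seed)
{
    for (size_t i = 0; i < count; i++)
        if (block_api_hash(module, names[i], seed) == target)
            return (int)i;
    return -1;
}

/* Constructed sample "export table": a handful of kernel32 export names. */
static const char *const kernel32_exports[] = {
    "CloseHandle", "CreateFileA", "GetProcAddress", "LoadLibraryA",
    "VirtualAlloc", "VirtualProtect", "WriteProcessMemory",
};
#define KERNEL32_EXPORT_COUNT (sizeof kernel32_exports / sizeof kernel32_exports[0])

int main(void)
{
    /* Classic constant: matches the 0x0726774C in Metasploit's block_api shellcode. */
    uint32_t h = block_api_hash("kernel32.dll", "LoadLibraryA", 0);
    int idx = resolve_by_hash("kernel32.dll", kernel32_exports, KERNEL32_EXPORT_COUNT, h, 0);
    printf("kernel32.dll!LoadLibraryA ror13 = 0x%08X -> export #%d (%s)\n",
           (unsigned)h, idx, idx >= 0 ? kernel32_exports[idx] : "none");

    /* Seeded variant: resolution still works, but the constant a detection
     * rule would match on is gone.  The seed is arbitrary for the demo. */
    uint32_t seed = 0xDEADBEEFu;
    uint32_t hs = block_api_hash("kernel32.dll", "LoadLibraryA", seed);
    printf("seeded (0x%08X) hash = 0x%08X -> export #%d\n", (unsigned)seed, (unsigned)hs,
           resolve_by_hash("kernel32.dll", kernel32_exports, KERNEL32_EXPORT_COUNT, hs, seed));
    return 0;
}
```

Two details matter when reproducing this scheme: the module hash covers the UTF-16 terminator (the loader uses BaseDllName.MaximumLength as its byte count), and the module name is upper-cased before hashing, so `kernel32.dll` and `KERNEL32.DLL` yield the same constant while the export name is case-sensitive.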
- https://github.com/ComodoSecurity/openedr
- https://github.com/Mr-Un1k0d3r/EDRs
- https://github.com/0xflux/Sanctum
- https://github.com/FourCoreLabs/EDRHunt
- https://github.com/0xrawsec/whids
- https://github.com/Helixo32/SimpleEDR
- https://github.com/JRE-Robotics/VEXSim
- https://github.com/ScarredMonk/SysmonSimulator
- https://github.com/icyguider/Shhhloader
  - Shellcode => [execution, syscalls, process injection, PPID spoofing, unhooking, sandbox evasion, obfuscation, XOR encoding with dynamic key generation, API hashing, string encryption] => native EXE or DLL
- https://github.com/klezVirus/inceptor
  - Shellcode | EXE | DLL => [execution, process injection with syscalls, obfuscation (native, shellcode, .NET), code signing] => .NET, PowerShell or native output
- https://github.com/optiv/Freeze
- https://github.com/naksyn/Pyramid
- https://github.com/0xsp-SRD/mortar
- https://github.com/bats3c/darkarmour
- https://github.com/optiv/ScareCrow
- https://github.com/Yaxser/Backstab/
- https://github.com/tanc7/EXOCET-AV-Evasion
- https://github.com/helviojunior/hookchain
- https://github.com/0xsp-SRD/ZigStrike
- https://github.com/georgesotiriadis/Chimera
- https://github.com/Cracked5pider/Stardust
- https://github.com/Ch0pin/AVIator
- https://github.com/wavestone-cdt/EDRSandblast
- https://github.com/reveng007/DarkWidow
- https://github.com/YoelShoshan/hookit
- https://0xmaz.me/posts/HookChain-A-Deep-Dive-into-Advanced-EDR-Bypass-Techniques/
- https://github.com/DamonMohammadbagher/eBook-BypassingAVsByCSharp
- https://matro7sh.github.io/BypassAV/
- https://github.com/SaadAhla/UnhookingPatch
- https://github.com/sinfulz/JustEvadeBro
- https://github.com/senzee1984/EDRPrison
- https://github.com/amjcyber/EDRNoiseMaker
- https://github.com/Helixo32/NimBlackout
- https://github.com/netero1010/EDRSilencer
- https://github.com/zer0condition/mhydeath
- https://github.com/myzxcg/RealBlindingEDR
- https://offensivedefence.co.uk/
- https://cocomelonc.github.io/
- https://www.bordergate.co.uk/
- https://trickster0.github.io/
- https://alice.climent-pommeret.red/
- https://malwareandstuff.com/
- https://github.com/cr-0w/maldev?tab=readme-ov-file
- https://github.com/rootkit-io/awesome-malware-development
- https://github.com/chvancooten/maldev-for-dummies
- https://github.com/Blazz3/MalDev-AV-EDR-Evasion-for-Pentesters
- https://bytecode77.com/
- https://blackcloud.me/
- https://medium.com/@yua.mikanana19
- https://sysdig.com
- http://otterhacker.github.io/
- https://0xpat.github.io/
- https://www.scriptchildie.com/
- https://xacone.github.io/
- https://steve-s.gitbook.io/0xtriboulet
- https://labs.cognisys.group/
- https://crypt0ace.github.io
- https://gist.github.com/NaxAlpha/144d1dd96c7d0ad29fe149e4063a8f25
- https://medium.com/geekculture/basic-windows-api-hooking-acb8d275e9b8
- https://subscription.packtpub.com/book/security/9781789610789/6/ch06lvl1sec89/exploring-iat-hooking
- https://github.com/alphaSeclab/hooking/blob/master/Readme_en.md#1030267e24ee5e3747b0876023f4f925
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
- https://medium.com/@contionmig/hooking-detection-bypasses-63c7877ad217
- https://cocomelonc.github.io/tutorial/2021/11/30/basic-hooking-1.html
- https://github.com/christopher-pisz-fivestars/WinHooksDllInjection
- https://aleksazatezalo.medium.com/three-techniques-for-bypassing-edr-3b4101002951
- https://vanmieghem.io/process-injection-evading-edr-in-2023/
- https://www.deepinstinct.com/blog/dirty-vanity-a-new-approach-to-code-injection-edr-bypass
- https://www.linkedin.com/posts/viehgroupedr-internals-bypasses-activity-7123224244737429504-glx
- https://systemweakness.com/byovd-a-kernel-attack-stealthy-threat-to-endpoint-security-ec809272e505
- https://www.purpl3f0xsecur1ty.tech/2021/03/30/av_evasion.html
- https://kylemistele.medium.com/a-beginners-guide-to-edr-evasion-b98cc076eb9a
- https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
- https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa
- https://infosecwriteups.com/evade-avs-edr-with-shellcode-injection-159dde4dba1a
- https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver
- https://cymulate.com/blog/blindside-a-new-technique-for-edr-evasion-with-hardware-breakpoints
- https://www.safebreach.com/blog/dark-side-of-edr-offensive-tool/
- https://riccardoancarani.github.io/2023-08-03-attacking-an-edr-part-1/
- https://riccardoancarani.github.io/2023-09-14-attacking-an-edr-part-2/
- https://riccardoancarani.github.io/2023-11-07-attacking-an-edr-part-3/
- https://sysdig.com/blog/the-art-of-writing-ebpf-programs-a-primer/
- https://kpmg.com/nl/en/home/insights/2023/12/mortar-loader.html
- https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/
- https://jacobkalat.com/edr-evasion/2025/02/12/WFP-Wizardry-Abusing-WFP-for-EDR-Evasion.html
- https://www.naksyn.com/edr%20evasion/2022/09/01/operating-into-EDRs-blindspot.html
- https://github.com/matthieu-hackwitharts/Win32_Offensive_Cheatsheet
- https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
- https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html
- https://www.youtube.com/playlist?list=PLXooO-eTihBuvLEEP304PULUf4VIUsBy8
- https://www.youtube.com/playlist?list=PLftLWJ2JF7NgyjlvQPeQHDq-DQuaLudry
- https://www.youtube.com/watch?v=8YUA4lOBhpM&list=PLDyW0GpJbH0tlW5TIvB7Z1Vis6MJSmsj3&index=9&pp=iAQB
- https://www.youtube.com/watch?v=aNEqC-U5tHM&list=PL_z_ep2nxC57sHAlCcvvaYRrpdMIQXri1
- https://www.youtube.com/watch?v=dQ3dNJcPSAs&list=PLXooO-eTihBu-TssFE9w3MmhKUheHvhyy
- https://www.youtube.com/watch?v=L__arv8I2bk&list=PL-D1lWyrp4YOAwTjRsLR7OrTxGQmtuYEX
- Understand the user-mode and kernel-mode representation of a process.
- Understand the PE structure.
- Understand user-mode/kernel-mode separation and execution flow using IDA Pro and WinDbg.
- Reverse EDR internals using IDA Pro and WinDbg.
- Understand how EDR telemetry is collected.
- Use obfuscators and code virtualization to protect code against:
  - Static detection
  - Analysis
  - Reverse engineering
- Signed ClickOnce backdooring.
- Understand how a process communicates with a driver from userland.
- Write user-mode code that sends and receives data from a kernel driver.
- Reverse vulnerable drivers that expose kernel read/write primitives and exploit them to:
  - Load unsigned code into the kernel (analysed with IDA Pro).
- Learn methodologies to:
  - Hunt for leaked certificates.
  - Leverage outdated certificates to sign a rootkit.
- Learn methodologies to hunt for signed killer drivers.
- Reverse multiple killer drivers using IDA Pro.
- Learn how to exploit killer drivers to kill EDR processes.
- Write a custom killer rootkit.
- Understand and reverse kernel callbacks using WinDbg and IDA Pro.
- Understand:
  - What telemetry kernel callbacks collect.
  - The purpose of the collected telemetry.
- Write a user-mode and kernel-driver toolkit to:
  - Enumerate and remove kernel callbacks.
- Exploit vulnerable drivers with kernel read/write primitives to enumerate and remove kernel callbacks.
- Understand and reverse ETW internals.
- Disable ETW providers.
- Understand and reverse process protection levels using WinDbg.
- Exploit vulnerable drivers with kernel read/write primitives to manage a process's protection level.
- Write a user-mode and kernel-driver toolkit to:
  - Manage process protection levels.
  - Dump LSA-protected LSASS.
- Hide:
  - Processes and drivers from analysts and user-mode processes.
  - Kernel functions from the Import Address Table.
- Learn efficient dynamic kernel offset resolution.
- Write a data exfiltration tool that hides malicious traffic inside multiple trusted APIs, such as Slack.
- Discover and code multiple ways to prevent EDR processes from sending alerts to SOC management consoles.
- Reverse ASR rules and bypass them.
- Understand and reverse Sysmon.
- Discover and code multiple ways to blind Sysmon.
- Discover multiple ways to bypass Windows User Account Control.
- Discover and code multiple techniques for:
  - Anti-debugging
  - Anti-disassembly
  - Anti-virtualization
  - Anti-sandbox
  - Anti-code-injection