Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".

𝐀 𝐕 𝐊 𝐈 𝐋 𝐋 𝐄 𝐗 𝐄 𝐂

Bypass Windows Defender with a persistent staged reverse shell using C code & metasploit framework

A library for cloning x64 Windows functions.

EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.

Simple but effective methods to avoid being detected by antivirus