Bypass userland EDR hooks by loading a reflective ntdll in memory from a remote server, selected by Windows ReleaseID, to avoid opening a handle to ntdll, and call the exported APIs from its export table
created at Feb. 3, 2023, 5:12 p.m.
Load a remote AES-encrypted PE in memory, decrypt it, and run it
created at Feb. 8, 2023, 4:59 p.m.
Bypass EDR hooks by patching the NT API stub, resolving SSNs and syscall instructions at runtime
created at Feb. 8, 2023, 4:21 p.m.
Create a new thread that suspends every other thread and encrypts its stack, then sleeps, then decrypts the stacks and resumes the threads
created at April 26, 2023, 3:24 a.m.