{"id":30219107,"url":"https://github.com/0xccf4/expkit","last_synced_at":"2025-08-14T07:47:33.670Z","repository":{"id":184412453,"uuid":"538060063","full_name":"0xCCF4/ExpKit","owner":"0xCCF4","description":"A framework and build automation tool to process exploits/payloads to evade antivirus and endpoint detection response products using reusable building-blocks like encryption or obfuscation. Mirrors: https://gitlab.com/0xCCF4/expkit . Create issues and merge request on gitlab.","archived":false,"fork":false,"pushed_at":"2024-01-16T10:45:03.000Z","size":245,"stargazers_count":9,"open_issues_count":0,"forks_count":4,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-01-16T17:06:57.391Z","etag":null,"topics":["antivirus-evasion","building-automation","cross-platform","cybersecurity","endpoint-detection-response","evasion","exploits","framework","multiplatform","payloads","platform-independent","python"],"latest_commit_sha":null,"homepage":"https://0xccf4.gitlab.io/expkit/","language":"Python","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xCCF4.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2022-09-18T09:30:37.000Z","updated_at":"2023-12-25T22:00:20.000Z","dependencies_parsed_at":null,"dependency_job_id":"a72f75ec-4cdd-4f79-a24c-bf7c03d0f1e3","html_url":"https://github.com/0xCCF4/ExpKit","commit_stats":null,"previous_names":["0xccf4/expkit"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/0xCCF4/ExpKit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xCCF4%2FExpKit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposi
tories/0xCCF4%2FExpKit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xCCF4%2FExpKit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xCCF4%2FExpKit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xCCF4","download_url":"https://codeload.github.com/0xCCF4/ExpKit/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xCCF4%2FExpKit/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270385319,"owners_count":24574544,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-14T02:00:10.309Z","response_time":75,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antivirus-evasion","building-automation","cross-platform","cybersecurity","endpoint-detection-response","evasion","exploits","framework","multiplatform","payloads","platform-independent","python"],"created_at":"2025-08-14T07:47:29.698Z","updated_at":"2025-08-14T07:47:33.654Z","avatar_url":"https://github.com/0xCCF4.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ExploitKit (ExpKit) - AD/EDR evasion framework\n\nExploitKit ([ExpKit](https://gitlab.com/0xCCF4/expkit))\nis a framework and build automation tool\nto process exploits/payloads to evade antivirus and\nendpoint detection response products using reusable\nbuilding 
blocks like encryption or obfuscation stages.\n\nExpKit automates the process of modifying exploits/payloads\nto evade antivirus and endpoint detection response products by\nproviding a development/build framework to compile/process\nexploit/payload code. Write your evasion processing\nstages once and reuse them on your exploits/payloads.\nSee the [documentation](https://0xccf4.gitlab.io/expkit/api/groups/)\nfor a list of already included\nstages. These reusable blocks expose parameters\nthat the user can configure, allowing further\ncustomization to prevent detection. Multi-platform (OS and architecture)\nsupport allows processing exploits/payloads for different\noperating systems and architectures.\n\nFor the full documentation visit the [docs](https://0xccf4.gitlab.io/expkit/).\n\nProject status: __In development - pre-alpha__\n\n## Features\n\n* Modular design\n* Build automation\n* Reusable building blocks\n* Easy to extend with custom processing stages\n* Multi-platform (OS and architecture) support\n* On-the-fly compilation on web request\n* Randomized build output on every build (e.g. random encryption keys)\n* Common evasion techniques already (parameterized) implemented (__WIP__)\n\n## Installation\n\nExpKit can be installed locally using `pip` and `python3.10`,\nideally by using a virtual environment:\n\n```\npip install -e .\n```\n\nor by using PyPI:\n\n```\npip install expkit-framework\n```\n\nThis will install ExpKit and all its runtime dependencies.\n\n## Projects\n\nProjects are configured by a `config.json` file that\nincludes the definition of the stages to execute and\nartifacts (exploits/payloads) to build. 
The following\ncode block contains an example configuration for a C#\nproject: a C# project is loaded from the folder `payload_code`,\nobfuscated, compiled and exported as `build.exe`.\n\n```json\n{\n  \"config\": {\n    \"BUILD_TYPE\": \"Release\"\n  },\n  \n  \"artifacts\": {\n    \"base\": {\n      \"stages\": [\n        \n        {\n          \"name\": \"LOAD_FOLDER\",\n          \"config\": {\n            \"LOAD_FOLDER_PATH\": \"./payload_code\",\n            \"LOAD_TARGET_FORMAT\": \"CSHARP_PROJECT\"\n          }\n        },\n        \n        { \"name\": \"OBFUSCATE_CSHARP\" },\n        \n        { \"name\": \"COMPILE_CSHARP\" },\n        \n        {\n          \"name\": \"EXPORT\",\n          \"config\": {\n            \"EXPORT_NAME\": \"build.exe\"\n          }\n        }\n        \n      ]\n    }\n  }\n}\n```\n\nThe syntax of the configuration file is described within the\n[API Reference](https://0xccf4.gitlab.io/expkit/api/configuration/) section.\n\n## Building a project\n\nTo build the project, run the following command:\n\n```bash\nexpkit build WINDOWS AMD64\n```\n\nThis will build the project and create an executable file,\naccording to the configuration, within the current working directory,\nnamed `build.exe`.\nBuilding the project from a different operating system/architecture\nrequires the setup of a [build worker](../user-guide/build-worker) environment.\n\n## Serving and building the project on the fly\n\nTo serve the project and build a payload on the fly whenever a\nweb request is received, run the following command:\n\n```bash\nexpkit server 80 0.0.0.0 secret-token\n```\n\nThis will start a web server on port 80 and listen on all interfaces.\nThe server will build a payload for the operating system and architecture\nspecified in the web request. The web request must contain the\n`secret-token` as a query parameter. 
The following example shows\na web request to build a payload for Windows 64-bit:\n\n```bash\ncurl 'http://localhost:80/build?token=secret-token\u0026os=WINDOWS\u0026arch=AMD64\u0026target=base'\n```\n\nThe `target` parameter specifies the target artifact to build.\nWhen requiring an HTTPS connection, it is advised to run an nginx\nproxy in front of the ExpKit server.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xccf4%2Fexpkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xccf4%2Fexpkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xccf4%2Fexpkit/lists"}