{"id":19144508,"url":"https://github.com/damonmohammadbagher/nativepayload_pe1","last_synced_at":"2025-05-07T01:11:51.181Z","repository":{"id":65379894,"uuid":"591225746","full_name":"DamonMohammadbagher/NativePayload_PE1","owner":"DamonMohammadbagher","description":"NativePayload_PE1/PE2 , Injecting Meterpreter Payload bytes into local Process via Delegation Technique + in-memory with delay Changing RWX to X or RX or (both) [Bypassing AVs]","archived":false,"fork":false,"pushed_at":"2023-06-06T11:08:54.000Z","size":2821,"stargazers_count":58,"open_issues_count":0,"forks_count":15,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-19T17:16:42.442Z","etag":null,"topics":["antivirus","assembly","blueteaming","bypass","bypass-antivirus","bypassing","injecting","injecting-meterpreter-payload","inmemory","pentest","pentesting","redteam","redteaming"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DamonMohammadbagher.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-01-20T08:21:17.000Z","updated_at":"2025-02-07T22:53:41.000Z","dependencies_parsed_at":"2024-11-09T07:36:51.592Z","dependency_job_id":"42d67b9d-6c8b-4075-a0fa-c21dd116edd9","html_url":"https://github.com/DamonMohammadbagher/NativePayload_PE1","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DamonMohammadbagher%2FNativePayload_PE1","tags_url":"https://repos.ecosyste.m
s/api/v1/hosts/GitHub/repositories/DamonMohammadbagher%2FNativePayload_PE1/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DamonMohammadbagher%2FNativePayload_PE1/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DamonMohammadbagher%2FNativePayload_PE1/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DamonMohammadbagher","download_url":"https://codeload.github.com/DamonMohammadbagher/NativePayload_PE1/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252793653,"owners_count":21805058,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antivirus","assembly","blueteaming","bypass","bypass-antivirus","bypassing","injecting","injecting-meterpreter-payload","inmemory","pentest","pentesting","redteam","redteaming"],"created_at":"2024-11-09T07:35:12.529Z","updated_at":"2025-05-07T01:11:51.155Z","avatar_url":"https://github.com/DamonMohammadbagher.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# NativePayload_PE1/PE2\n### NativePayload_PE1 , Injecting Meterpreter Payload bytes into local Process via Delegation Technique + in-memory with delay Changing RWX to X or RX or (both), simple Technique to bypass some Anti-viruses.\n\nNote: tested on WIN11 + WinDefender [update 2023/1/25] (bypassed)\n\nNote: tested on WIN10 + WinDefender [update 2023/1/10] (bypassed)\n\nNote: tested on WIN10 + Kaspersky cloud security v21.3 [update 2023/1/22] (bypassed)\n\n### Some Real Sources: some engineers in 
anti-virus companies say \"COME-ON\", like Kaspersky ;)\n\n#### Note: \"As a security researcher this was not my first time bypassing all anti-viruses (or almost all of them ;D), but this one really was more fun than the other methods I have done in the past.\"\n\nA simple technique to load an assembly/bytes into the local process (in-memory) via C# delegation + native APIs, bypassing anti-viruses ;). Some parts of the code were changed via the [D]elegate technique, which I called [Technique ;D], to change some behavior of the code (and the source code itself) and ...\n\nNote: as a pentester you sometimes need to change your own code very fast; these codes were changed and worked very well again, and as a security researcher it is always fun to find new methods/code to bypass AVs ;D\n\nThe method is not really new, but the C# code is a little bit ;D [I have used this since 2022]: changing RWX to X and, after 2 min, to RX ;D\n\n#### Note: so in my opinion, playing with RWX to X, or sometimes to RX, or (both) will help you avoid getting red-flagged by AVs; changing the defaults + adding delays will sometimes help you confuse AVs.\n\n### NativePayload_PE2 , Injecting Meterpreter Payload bytes into local Process via Delegation Technique + in-memory with delay Changing RWX to X only, simple Technique to bypass some Anti-viruses.\n\nNote: tested with .NET 4.0 or 4.5\n\nArticle: https://www.linkedin.com/pulse/2-simple-c-techniques-bypassing-anti-virus-damon-mohammadbagher/\n\nArticle: https://damonmohammadbagher.github.io/Posts/22Jan2023x.html\n\nVideo1 [NativePayload_PE2.cs and NativePaylod_AsynASM.cs] =\u003e https://www.youtube.com/watch?v=T57pWzS59Y8\n\nVideo2 [NativePayload_PE3.cs] =\u003e https://www.youtube.com/watch?v=sqyKqiU1lsE\n\nVideo3 [New] [NativePaylod_AsynASM.cs] =\u003e https://www.linkedin.com/posts/damonmohammadbagher_bypassing-redteaming-pentesting-activity-7031685536918458369-U9XY\n\n\nUsage:\n\n     NativePayload_PE1.exe \"meterpreter/cobaltstrike payload\"\n     example: 
NativePayload_PE1.exe \"fc,48,e8,00,.....\"\n\nUsage:\n\n     NativePayload_PE2.exe \"meterpreter/cobaltstrike payload\"\n     example: NativePayload_PE2.exe \"fc,48,e8,00,.....\"\n\n\n### NativePayload_PE1 steps [Win11]\n   ![](https://github.com/DamonMohammadbagher/NativePayload_PE1/blob/main/pic/W11_1.png)\n\n### NativePayload_PE2 steps [Win11]\n   ![](https://github.com/DamonMohammadbagher/NativePayload_PE1/blob/main/pic/W11_2.png)\n\n---------------------------\n### NativePayload_PE1 steps [Win10]\n   ![](https://github.com/DamonMohammadbagher/NativePayload_PE1/blob/main/pic/_x1.png)\n\n### NativePayload_PE1 steps [Win10]\n   ![](https://github.com/DamonMohammadbagher/NativePayload_PE1/blob/main/pic/_x2.png)\n\n### NativePayload_PE1 steps [Win10]\n   ![](https://github.com/DamonMohammadbagher/NativePayload_PE1/blob/main/pic/_x3.png)\n\n-------------------------\n\n### NativePayload_PE2 steps [Win10]\n   ![](https://github.com/DamonMohammadbagher/NativePayload_PE1/blob/main/pic/pe2.png)\n\n### NativePayload_PE2 vs ETW tools\n   ![](https://github.com/DamonMohammadbagher/NativePayload_PE1/blob/main/pic/pe2_blueteaming_tool.png)\n\n--------------------------\n\n### NativePayload_PE1 vs Kaspersky v21.3 (bypassed)\n   ![](https://github.com/DamonMohammadbagher/NativePayload_PE1/blob/main/pic/kasperskyPE1-1.png)\n\n### NativePayload_PE1 vs Kaspersky v21.3 (bypassed)\n   ![](https://github.com/DamonMohammadbagher/NativePayload_PE1/blob/main/pic/kasperskyPE1-2.png)\n\n### NativePayload_PE2 vs Kaspersky v21.3 (bypassed)\n   ![](https://github.com/DamonMohammadbagher/NativePayload_PE1/blob/main/pic/kasperskyPE2.png)\n
","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdamonmohammadbagher%2Fnativepayload_pe1","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdamonmohammadbagher%2Fnativepayload_pe1","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdamonmohammadbagher%2Fnativepayload_pe1/lists"}