{"id":13574161,"url":"https://github.com/deepinstinct/ContainYourself","last_synced_at":"2025-04-04T14:31:53.550Z","repository":{"id":187750233,"uuid":"665594486","full_name":"deepinstinct/ContainYourself","owner":"deepinstinct","description":"A PoC of the ContainYourself research presented in DEFCON 31, which abuses the Windows containers framework to bypass EDRs.","archived":false,"fork":false,"pushed_at":"2023-08-31T07:26:22.000Z","size":1186,"stargazers_count":300,"open_issues_count":1,"forks_count":35,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-11-05T09:43:56.526Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/deepinstinct.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-07-12T14:47:24.000Z","updated_at":"2024-10-21T10:38:55.000Z","dependencies_parsed_at":"2023-08-12T02:43:35.904Z","dependency_job_id":"27650054-5884-465f-832b-a5009e6b6a6a","html_url":"https://github.com/deepinstinct/ContainYourself","commit_stats":null,"previous_names":["deepinstinct/containyourself"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deepinstinct%2FContainYourself","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deepinstinct%2FContainYourself/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deepinstinct%2FContainYourself/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deepinstinct%2FContainYourself/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/deepinstinct","download_url":"https://codeload.github.com/deepinstinct/ContainYourself/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247194167,"owners_count":20899439,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T15:00:47.379Z","updated_at":"2025-04-04T14:31:51.635Z","avatar_url":"https://github.com/deepinstinct.png","language":"C++","funding_links":[],"categories":["C++"],"sub_categories":[],"readme":"\n# ContainYourself\nA PoC of the ContainYourself research, presented on [DEFCON 31](https://forum.defcon.org/node/245719).\nThis tool abuses the Windows containers framework to bypass EDR file-system-based malware protection, file write restrictions, and ETW-based correlations.\n\nThis repo contains a static library that implements the research findings, a PoC tool that utilizes the library, and a wiper \u0026 ransomware projects.\n\nhttps://www.deepinstinct.com/blog/contain-yourself-staying-undetected-using-the-windows-container-isolation-framework\n\n## Installation\nMake sure to clone the repository and its submodules:\n\n    git clone --recursive git@github.com:deepinstinct/ContainYourself.git\n\n## Usage\n\n    Usage: ContainYourselfPoc.exe [--command]\n    \n    Valid commands:\n            --set-reparse [override|link] - Set wcifs reparse tag\n            --remove-reparse [override|link] - Remove wcifs reparse tag\n            --override-file - override a file using wcifs\n            --copy-file - Copy a file using wcifs\n            --delete-file - Delete a file using wcifs\n            --create-process - Create process from an image file path using NtCreateUserProcess\n    Commands arguments:\n            --source-file  - operation full source file (relative to volume only when using with [--copy-file])\n            --target-file  - operation target file (relative to volume)\n            --source-volume  - operation source volume, without a trailing backslash (default is C:)\n            --target-volume  - operation target volume, without a trailing backslash (default is C:)\n    \n    Examples:\n            ContainYourselfPoc.exe --set-reparse override --source-file C:\\temp\\calc.exe --target-file \\temp\\malware.exe\n            ContainYourselfPoc.exe --remove-reparse --source-file C:\\temp\\calc.exe\n            ContainYourselfPoc.exe --override-file --source-file C:\\temp\\calc.exe\n            ContainYourselfPoc.exe --copy-file --source-file temp\\document.docx --target-file Documents\\document.docx --target-volume E:\n            ContainYourselfPoc.exe --delete-file --source-file C:\\temp\\document.docx\n\n## Disclaimer\n\nEvery security product has the capability to incorporate its unique algorithm designed to counter ransomware and wiper threats. It cannot be guaranteed that this proof-of-concept will successfully circumvent every existing protection solution available.\n\n## Credits\n\n* [Daniel Avinoam](https://twitter.com/daniel_avinoam)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeepinstinct%2FContainYourself","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdeepinstinct%2FContainYourself","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeepinstinct%2FContainYourself/lists"}