{"id":24917006,"url":"https://github.com/dutchpsycho/ActiveBreach-Engine","last_synced_at":"2025-10-17T03:31:08.493Z","repository":{"id":273212396,"uuid":"918641276","full_name":"dutchpsycho/ACTIVEBREACH-UM-HookBypass","owner":"dutchpsycho","description":"EDR/AC/AV evasion implementation of a Stub-Based syscall invoking system. Bypasses all Usermode Hooks","archived":false,"fork":false,"pushed_at":"2025-01-27T05:48:47.000Z","size":30,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-27T06:29:07.592Z","etag":null,"topics":["antivirus-evasion","edr-evasion","offsec","red-team-tools","red-teaming","windefender"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dutchpsycho.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-01-18T13:28:37.000Z","updated_at":"2025-01-27T05:51:40.000Z","dependencies_parsed_at":"2025-01-19T14:50:05.423Z","dependency_job_id":null,"html_url":"https://github.com/dutchpsycho/ACTIVEBREACH-UM-HookBypass","commit_stats":null,"previous_names":["dutchpsycho/activebreach-um-hookbypass"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dutchpsycho%2FACTIVEBREACH-UM-HookBypass","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dutchpsycho%2FACTIVEBREACH-UM-HookBypass/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dutchpsycho%2FACTIVEBREACH-UM-HookByp
ass/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dutchpsycho%2FACTIVEBREACH-UM-HookBypass/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dutchpsycho","download_url":"https://codeload.github.com/dutchpsycho/ACTIVEBREACH-UM-HookBypass/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":236768136,"owners_count":19201650,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},
"keywords":["antivirus-evasion","edr-evasion","offsec","red-team-tools","red-teaming","windefender"],"created_at":"2025-02-02T08:20:08.438Z","updated_at":"2025-10-17T03:31:08.487Z","avatar_url":"https://github.com/dutchpsycho.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],
"readme":"![TITAN](https://avatars.githubusercontent.com/u/199383721?s=200\u0026v=4)\n\n## ActiveBreach Engine\n\nABE aspires to be the successor to SysWhispers \u0026 Hell’s Gate. It takes the concepts they use and turns them into a fully functional framework.\n\nOriginally inspired by a blog post by [MDSEC](https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/).\n\n---\n\n### What does ActiveBreach do differently?\n\nCommon syscall frameworks like **SysWhispers** and **Hell's Gate** provide static wrappers or inject precompiled stubs to provide direct system call execution. While effective, these approaches leave much room for improvement and do not address critical security vulnerabilities or the detection mechanisms that can be used to detect such methods.\n\nSeveral limitations are common across these tools:\n\n* Binaries containing ``syscall`` instructions or ABIs are a very clear heuristic detection\n* Processes running with RWX/WCX/WX/X regions containing ``syscall`` ABI are obvious to common AV/EDR YARA scans (C/C++ ABE does not fix this, Rust does)\n* Syscalls executed from non-system threads raise suspicion\n* Syscalls executed from non-image-backed RWX/WCX/WX/X regions raise suspicion\n* ``ntdll.dll`` or ``Nt*Api`` strings present in a binary raise heuristics\n* Recursive GetProcAddr raises heuristics\n* Mapping in-memory ``ntdll.dll`` indirectly calls AV/EDR hooks and triggers heuristics\n* LoadLibrary *(Especially ``ntdll.dll``)* raises heuristics\n\n---\n\n### How ActiveBreach Works\n\nABE works around *most* of these constraints, with the Rust version offering the most advanced implementation.\n\nFrom stringless ``ntdll.dll`` loading, in-memory execution and page protection flipping \u0026 encryption, ABE makes use of more thought-out and revamped concepts.\n\nI'm not going to go through all the workarounds ABE uses as there are so many of them; I encourage you to look at the code to see for yourself.\n\nABE also introduces these helpers (on the C++ version):\n\n* **Anti-Tamper instrumentation**, which validates thread state, PEB/TEB integrity, and call origins\n* **Debugging \u0026 symbolic tracing**, optionally enabled via `AB_DEBUG`, allowing runtime inspection of syscall arguments, return values, and violation counters\n\n---\n\n### Versions\n\nThere are 3 versions of ABE; select based on what you're looking for.\n\n* C - Minimal basic implementation, small footprint\n* C++ - Larger footprint, uses C++ 17/20, includes Anti-Tamper \u0026 Debugging\n* Rust - Largest, most advanced, includes JIT-memory-encryption \u0026 is truly stringless\n\n### Test Coverage\n\nFor C \u0026 C++, the tests can be found in the solution *(.sln)*.\n\nFor Rust, they can be found in ``/tests/``\n\n---\n\n### Example: Hooked API Flow vs ActiveBreach\n\n```\n┌───────────────┐\n│ User process  │\n└──────┬────────┘\n       │\n       ▼\n┌──────────────────────────┐\n│ CreateFileW (kernel32)   │\n└──────┬───────────────────┘\n       │ calls\n       ▼\n┌──────────────────────────┐\n│ NtCreateFile (ntdll)     │ ◀─ hooked by AV/AC\n└──────┬───────────────────┘\n       │ jmp to hook\n       ▼\n┌──────────────────────────┐\n│ Hook handler             │\n│  logging / policy / block│\n└──────┬───────────────────┘\n       │ maybe calls original stub\n       ▼\n┌──────────────────────────┐\n│ sysenter/syscall         │\n│ kernel transition        │\n└────────┬─────────────────┘\n         ▼\n       Return\n```\n\n---\n\n### **ActiveBreach API call**\n\n```\n┌───────────────┐\n│ User process  │\n└──────┬────────┘\n       │\n       ▼\n┌──────────────────────────┐\n│ ab_call(\"NtCreateFile\")  │  (uses Nt-only API)\n└──────┬───────────────────┘\n       │\n       ▼\n┌──────────────────────────┐\n│ ab_resolve               │  (get SSN from clean\n│  from clean-mapped ntdll │   ntdll copy, no imports)\n└──────┬───────────────────┘\n       │\n       ▼\n┌──────────────────────────┐\n│ ab_syscall               │  (set regs, emit syscall)\n└──────┬───────────────────┘\n       │\n       ▼\n┌──────────────────────────┐\n│ syscall                  │\n│ kernel transition        │\n└────────┬─────────────────┘\n         ▼\n       Return\n```\n\n---\n\n## Usage\nSee [USAGE.md](USAGE.md) for full setup \u0026 examples in **C, C++ \u0026 Rust**.\n\n---\n\n## License\n\n**Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)**  \n\n[Full License](https://creativecommons.org/licenses/by-nc/4.0/)\n\n---\n\n## Disclaimer\nThis tool is for educational and research use only. Use at your own risk. You are solely responsible for how you use this code.\n",
"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdutchpsycho%2FActiveBreach-Engine","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdutchpsycho%2FActiveBreach-Engine","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdutchpsycho%2FActiveBreach-Engine/lists"}