{"id":27646286,"url":"https://github.com/dutchpsycho/activebreach-engine","last_synced_at":"2025-04-24T01:18:00.045Z","repository":{"id":273212396,"uuid":"918641276","full_name":"dutchpsycho/ActiveBreach-Engine","owner":"dutchpsycho","description":"Dynamic Syscall Dispatch \u0026 Execution Framework, Bypassing Usermode hooks \u0026 Kernel protections (Win10/11x64)","archived":false,"fork":false,"pushed_at":"2025-04-18T01:32:06.000Z","size":219,"stargazers_count":12,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-24T01:17:55.790Z","etag":null,"topics":["anti-debug","anticheat","detours","dispatcher","edr-evasion","hook-bypass","hooking-framework","lotl","malware-research","minhook","ntdll","offensive-security","red-team","syscall","syscall-proxy","windows-internals","winternals"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dutchpsycho.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-01-18T13:28:37.000Z","updated_at":"2025-04-18T14:50:15.000Z","dependencies_parsed_at":"2025-02-15T11:27:08.665Z","dependency_job_id":"a1779332-59d3-42f5-9b17-6563df313916","html_url":"https://github.com/dutchpsycho/ActiveBreach-Engine","commit_stats":null,"previous_names":["dutchpsycho/activebreach-um-hookbypass","dutchpsycho/syscall-proxy","titan-softwork-solutions/syscall-proxy","dutchpsycho/activebreach-engine"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dutchpsycho%2FActiveBreach-Engine","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dutchpsycho%2FActiveBreach-Engine/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dutchpsycho%2FActiveBreach-Engine/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dutchpsycho%2FActiveBreach-Engine/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dutchpsycho","download_url":"https://codeload.github.com/dutchpsycho/ActiveBreach-Engine/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250540887,"owners_count":21447428,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anti-debug","anticheat","detours","dispatcher","edr-evasion","hook-bypass","hooking-framework","lotl","malware-research","minhook","ntdll","offensive-security","red-team","syscall","syscall-proxy","windows-internals","winternals"],"created_at":"2025-04-24T01:17:59.479Z","updated_at":"2025-04-24T01:18:00.014Z","avatar_url":"https://github.com/dutchpsycho.png","language":"C++","readme":"![TITAN](https://avatars.githubusercontent.com/u/199383721?s=200\u0026v=4)\n\n## Project Overview  \n\n**ActiveBreach Engine** is an open-source offensive security research initiative by **TITAN Softwork Solutions**, designed for invisible driverless syscall execution under EDR/AntiCheat protected environments.  \n\nOriginally inspired by foundational work from [MDSEC](https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/), **SysWhispers**, and **Hell’s Gate**, this framework pushes beyond basic syscall generation by implementing a fully dynamic, runtime-generated dispatcher — purpose-built for evading usermode API hooks and sidestepping kernel-level security.\n\nThis is not a wrapper. This is not a loader. This is a syscall engine tied directly into memory, resolving, constructing, and dispatching calls with no static linkage or conventional API usage.\n\n---\n\n### Why?\n\nMost public syscall tooling falls into one of two buckets:\n\n1. **Global Unhooking:**  \n   Nuking all usermode protections via page remapping or ntdll restoration. Effective short-term — but loud, risky, and easily behaviorally profiled by modern EDRs/AC's.\n\n2. **Static Stub Patching:**  \n   Embedding syscall stubs inline. Fast, but fragile. Prone to detection through memory scanning or signature-based heuristics.\n\n---\n\n**ActiveBreach Engine** was built on a third principle:\n\n\u003e *“If usermode is compromised, don't fix it — route around it.”*\n\nRather than restoring overwritten memory, touching hooks or accessing the kernel, ActiveBreach extracts SSN's from a clean memory copy of `ntdll.dll`, builds ephemeral execution stubs in dynamically allocated memory, and proxies all execution through an isolated, internal unlinked dispatcher thread. All syscall interactions are memory-local, thread-isolated, and AV-opaque.\n\nOh yeah, this also doesn't expose any Nt* or ntdll.dll strings, we use hashes.\n\n---\n\n## Bypasses\n\n#### 🚫 User-Mode (Driverless EDR/AV)\n\n| **Bypass Target**              | **How It's Avoided**                                                                 |\n|--------------------------------|----------------------------------------------------------------------------------------|\n| `ntdll.dll` inline hooks       | Loads raw `ntdll.dll` from disk manually, bypassing loader and avoiding all inline patches |\n| API call heuristics            | No `Nt*`, `Zw*`, or Win32 APIs used — all syscalls are dispatched via hashed stub indirection |\n| Import resolver traps          | Nothing is dynamically resolved via `GetProcAddress` or `LoadLibrary`; all stubs are mapped from a clean image |\n| `GetProcAddress` tracing       | Never used — stub lookup and mapping is performed via internal hashed syscall table |\n| User-mode hook detection       | No Win32-layer APIs are touched; all calls avoid user-mode trampolines and inline detours |\n| `CreateRemoteThread` heuristics| Thread creation is done via `NtCreateThreadEx` syscall stubs, avoiding heuristic detection |\n| `NtSetInformationThread` usage| Direct syscall stub used to hide threads from debuggers; no API-layer visibility |\n| ETW-based telemetry            | No interaction with ETW-traced APIs (e.g. `OpenProcess`, `WriteProcessMemory`, `VirtualAllocEx`, etc.) |\n| AMSI (Windows Defender)        | No use of scripting or interpreter APIs; avoids all paths that would invoke `AmsiScanBuffer` |\n| Import Address Table (IAT) hooks | Does not use any imported syscall-related functions — import table stays clean/normal |\n| SEH/Vectored Exception tracing | No calls to `AddVectoredExceptionHandler` or related routines — avoids exception chaining traps |\n| Heap/stack signature detection | Syscall stubs and argument passing occur on a dedicated, obfuscated thread with custom memory layout |\n| `VirtualProtect` / `VPEx` guards | RWX stub memory is committed as RW, written, then changed to RX — minimal exposure to memory scanners |\n\n---\n\n#### ⛔ Kernel-Mode (Driver-Based)\n\n| **Detection Vector**           | **Mitigation / Sidestep**                                                           |\n|-------------------------------|--------------------------------------------------------------------------------------|\n| `PsSetLoadImageNotifyRoutine` | Avoided by manually reading `ntdll.dll` from disk — no image load events fired |\n| `MmLoadSystemImage` traps     | No system image mapping or section object creation is involved |\n| Kernel stack traceback on caller TID         | Syscalls are dispatched from a dedicated thread — origin call stack is never modified |\n| SMEP/SMAP/KVA traps            | No kernel-mode shellcode, no ring-0 transitions attempted |\n| APC injection / thread hooks on caller TID  | Dispatcher thread is unlinked, obfuscated, and not enumerated via common thread inspection routines |\n| File system filter drivers    | Uses direct NT file access to read `ntdll.dll`; avoids FS minifilter interception |\n| Kernel ETW provider traps     | Never touches `EtwWrite` or other kernel tracing entrypoints — all telemetry is sidestepped |\n| Hypervisor-based monitors     | Does not engage syscall shims or VM exit triggers — low-level behavior mimics activity |\n| Process creation callbacks     | No new process is created — all execution stays in the current address space |\n| PatchGuard integrity checks   | No kernel objects or memory regions are modified — avoids all PG violations |\n| DSE/CI callback hooks         | No driver loading or signature verification involved — operates entirely in user-mode |\n| CFG/XFG trapping              | No indirect control flow into unknown or untrusted pages; dispatcher thread controls all execution |\n| Syscall return/ret checks     | Syscall stubs preserve expected CPU state and return cleanly; no ROP-style anomalies |\n\n---\n\n### 🧬 Detection Surface\n\n| **Surface**              | **State**                        |\n|--------------------------|----------------------------------|\n| Hooked Kernel Functions  | **Not Bypassed** — kernel-mode EDR hooks (e.g. SSDT, inline traps) will still trigger |\n| PE Imports               | **Clean** — no syscall-related functions resolved or used via IAT |\n| Static Strings           | **Hashed/Encrypted** — no plaintext syscall names or known IOC markers |\n| API Usage                | **None (Direct Syscall Stubs)** — completely bypasses Win32 and ntdll API layers |\n| Memory Artefacts         | **Ephemeral / Zeroed** — stub memory is wiped after use, and mapping is transient |\n| Disk Presence            | **None** — no dropped files, modules, or persistent presence on disk |\n| Thread Context           | **Isolated** — dispatcher runs in its own stealth thread, separate from caller context |\n\n---\n\n### Example: Hooked API Flow vs ActiveBreach\n\n```\nUser Process\n    │\n    ├──▶ CreateFile (Wrapper, kernel32.dll)\n    │         │\n    │         ▼\n    │    NtCreateFile (ntdll.dll)   \u003c─── [Hooked by AntiVirus/AntiCheat]\n    │         │ \n    │         ▼\n    │   [Hook Handler]  \u003c─── (Monitoring, logging, blocking, etc...)\n    │         │\n    │         ▼\n    │  Kernel (Syscall)  \u003c─── (Actual system call after handling)\n    │ \n    ▼ \n  Return \n```\n\n---\n\n### **ActiveBreach API call**\n```\nUser Process\n    │\n    ├──▶ ab_call(\"NtCreateFile\")  \u003c─── (Not using \"CreateFile\" as ActiveBreach only supports Nt functions)\n    │         │\n    │         │\n    │         │\n    │         │\n    │         │\n    │         ▼\n    │  Kernel (Syscall)  \u003c─── (Direct system call without passing through `ntdll.dll`)\n    │ \n    ▼ \n  Return\n```\n\n---\n\n## Usage\nSee [USAGE.md](USAGE.md) for full setup \u0026 examples in **C, C++ \u0026 Rust**.\n\n---\n\n## License\n\n**Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)**  \n\n[Full License](https://creativecommons.org/licenses/by-nc/4.0/)\n\n---\n\n## Disclaimer\nThis tool is for educational and research use only. Use at your own risk. You are solely responsible for how you use this code.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdutchpsycho%2Factivebreach-engine","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdutchpsycho%2Factivebreach-engine","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdutchpsycho%2Factivebreach-engine/lists"}