{"id":13577568,"url":"https://github.com/icyguider/LightsOut","last_synced_at":"2025-04-05T12:30:41.868Z","repository":{"id":171768542,"uuid":"648259342","full_name":"icyguider/LightsOut","owner":"icyguider","description":"Generate an obfuscated DLL that will disable AMSI \u0026 ETW","archived":false,"fork":false,"pushed_at":"2024-07-15T21:29:16.000Z","size":33,"stargazers_count":319,"open_issues_count":0,"forks_count":44,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-03-30T09:06:36.470Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/icyguider.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-01T14:57:44.000Z","updated_at":"2025-03-21T09:07:17.000Z","dependencies_parsed_at":"2024-01-16T20:28:27.802Z","dependency_job_id":"413511de-572d-4e42-a93d-89504dcb138e","html_url":"https://github.com/icyguider/LightsOut","commit_stats":null,"previous_names":["icyguider/lightsout"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/icyguider%2FLightsOut","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/icyguider%2FLightsOut/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/icyguider%2FLightsOut/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/icyguider%2FLightsOut/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/icyguider","download_url":"https://codeload.github.com/icyguider/LightsOut/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247338518,"owners_count":20922985,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T15:01:22.554Z","updated_at":"2025-04-05T12:30:36.861Z","avatar_url":"https://github.com/icyguider.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# LightsOut\nLightsOut will generate an obfuscated DLL that will disable AMSI \u0026amp; ETW while trying to evade AV. This is done by randomizing all WinAPI functions used, xor encoding strings, and utilizing basic sandbox checks. Mingw-w64 is used to compile the obfuscated C code into a DLL that can be loaded into any process where AMSI or ETW are present (i.e. PowerShell).\n\nLightsOut is designed to work on Linux systems with `python3` and `mingw-w64` installed. No other dependencies are required.\n\nFeatures currently include:\n* XOR encoding for strings\n* WinAPI function name randomization\n* Multiple sandbox check options\n* Hardware breakpoint bypass option\n\n```\n _______________________\n|                       |\n|   AMSI + ETW          |\n|                       |\n|        LIGHTS OUT     |\n|        _______        |\n|       ||     ||       |\n|       ||_____||       |\n|       |/    /||       |\n|       /    / ||       |\n|      /____/ /-'       |\n|      |____|/          |\n|                       |\n|          @icyguider   |\n|                       |\n|                     RG|\n`-----------------------'\nusage: lightsout.py [-h] [-m \u003cmethod\u003e] [-s \u003coption\u003e] [-sa \u003cvalue\u003e] [-k \u003ckey\u003e] [-o \u003coutfile\u003e] [-p \u003cpid\u003e]\n\nGenerate an obfuscated DLL that will disable AMSI \u0026 ETW\n\noptions:\n  -h, --help            show this help message and exit\n  -m \u003cmethod\u003e, --method \u003cmethod\u003e\n                        Bypass technique (Options: patch, hwbp, remote_patch) (Default: patch)\n  -s \u003coption\u003e, --sandbox \u003coption\u003e\n                        Sandbox evasion technique (Options: mathsleep, username, hostname, domain) (Default: mathsleep)\n  -sa \u003cvalue\u003e, --sandbox-arg \u003cvalue\u003e\n                        Argument for sandbox evasion technique (Ex: WIN10CO-DESKTOP, testlab.local)\n  -k \u003ckey\u003e, --key \u003ckey\u003e\n                        Key to encode strings with (randomly generated by default)\n  -o \u003coutfile\u003e, --outfile \u003coutfile\u003e\n                        File to save DLL to\n\nRemote options:\n  -p \u003cpid\u003e, --pid \u003cpid\u003e\n                        PID of remote process to patch\n```\n\n**Intended Use/Opsec Considerations**\n\nThis tool was designed to be used on pentests, primarily to execute malicious powershell scripts without getting *blocked* by AV/EDR. Because of this, the tool is very barebones and a lot can be added to improve opsec. Do not expect this tool to completely evade detection by EDR.\n\n**Usage Examples**\n\nYou can transfer the output DLL to your target system and load it into powershell various ways. For example, it can be done via P/Invoke with LoadLibrary:\n\n![image](https://github.com/icyguider/LightsOut/assets/79864975/75358813-e1bf-4a2b-8059-d539ac97c510)\n\nOr even easier, copy powershell to an arbitrary location and side load the DLL!\n\n![image](https://github.com/icyguider/LightsOut/assets/79864975/e79c8cca-5e4e-4fb8-a4b5-4b888006b4cf)\n\n**Greetz/Credit/Further Reference:**\n* [@RastaMouse](https://twitter.com/_RastaMouse) for their blog post on patching AMSI: https://rastamouse.me/memory-patching-amsi-bypass/\n* [@CCob/EthicalChaos](https://twitter.com/_EthicalChaos_) for their blog post on patchless AMSI bypasses via hardware breakpoints: https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/\n* [@rad9800](https://twitter.com/rad9800) for their code which this tool uses to bypass AMSI and ETW with hardware breakpoints: https://github.com/rad9800/misc/tree/main/hooks\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ficyguider%2FLightsOut","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ficyguider%2FLightsOut","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ficyguider%2FLightsOut/lists"}