{"id":25726900,"url":"https://github.com/neyrian/dll-injector","last_synced_at":"2026-04-30T02:37:22.597Z","repository":{"id":278045954,"uuid":"932701717","full_name":"Neyrian/DLL-Injector","owner":"Neyrian","description":"A stealthy DLL injector for Windows 10/11, capable of injecting a specified DLL into a suspended process and evade detection","archived":false,"fork":false,"pushed_at":"2025-04-17T07:09:45.000Z","size":71,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-13T16:06:44.742Z","etag":null,"topics":["c","defense-evasion","dll-injection","dll-injector","edr-evasion","evasion","suspend-process","windows10","windows11"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Neyrian.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-02-14T11:08:23.000Z","updated_at":"2025-05-15T07:05:20.000Z","dependencies_parsed_at":"2025-02-17T18:31:39.693Z","dependency_job_id":"eb3cb77b-3437-4211-8e05-c7391864534c","html_url":"https://github.com/Neyrian/DLL-Injector","commit_stats":null,"previous_names":["neyrian/dll-injector"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Neyrian/DLL-Injector","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Neyrian%2FDLL-Injector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Neyrian%2FDLL-Injector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Neyrian%2FDLL-Injector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Neyrian%2FDLL-Injector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Neyrian","download_url":"https://codeload.github.com/Neyrian/DLL-Injector/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Neyrian%2FDLL-Injector/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32452741,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-29T22:27:22.272Z","status":"online","status_checked_at":"2026-04-30T02:00:05.929Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","defense-evasion","dll-injection","dll-injector","edr-evasion","evasion","suspend-process","windows10","windows11"],"created_at":"2025-02-25T23:27:46.208Z","updated_at":"2026-04-30T02:37:22.580Z","avatar_url":"https://github.com/Neyrian.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🚀 Advanced DLL Injector with EDR/AV/Sandbox Evasion\n\n## 🔥 Overview\nThis project implements a **stealthy DLL injector** for **Windows 10 and 11** with advanced evasion techniques. It includes mechanisms to **bypass EDR, AV, and sandbox detections** while using direct syscalls and obfuscation to reduce detection rates. The injector creates a suspended process, injects a DLL, and executes its entry point in a stealthy manner.\n\n---\n\n## 📌 **Features**\n\n✅ **Stealthy Injection:** Creates a suspended process and injects a DLL without using common Windows API calls.\n\n✅ **EDR/AV/Sandbox Evasion:** Implements multiple checks to detect sandbox environments, VM detection, and EDR hooks.\n\n✅ **Direct Syscalls:** Uses Hell's Gate \u0026 SysWhispers to bypass API hooks in `ntdll.dll`.\n\n✅ **Avoid calling GetModuleHandle:** Uses `PEB walk` to retrieve functions in modules.\n\n✅ **Obfuscation:** Base64 encoding and decoding of DLL names, function names, and suspicious artifacts.\n\n✅ **Cryptography:** Implements its own cryptography functions, avoiding the usage of wincrypt\n\n✅ **Decoy Execution:** The injector executes a decoy function to mimic legitimate software behavior.\n\n---\n\n## 🚀 **Usage**\n### **1️⃣ Compilation**\n```info\nRequirements:\n  - gcc-mingw-w64-x86-64-win32\n  - nasm\n  - make\n```\nUse **makefile** or manual compilation below\n\n```bash\nnasm -f win64 syscalls.asm -o syscalls.o\nx86_64-w64-mingw32-gcc -o injector.exe dllinjector.c detector.h detector.c evasion.c evasion.h syscalls.o -Wno-array-bounds -Wall -lshlwapi -Wl,--section-alignment,4096 -Wl,--gc-sections -Wl,--strip-debug -Wl,--image-base,0x140000000 -O2\nx86_64-w64-mingw32-objcopy --rename-section .CRT=.data injector.exe\nx86_64-w64-mingw32-strip --strip-debug --strip-unneeded injector.exe\nx86_64-w64-mingw32-gcc -shared -o malDLL.dll malDLL.c -Wl,--subsystem,windows -mwindows\n```\n\n### **2️⃣ Running the Injector**\n```powershell\ninjector.exe C:\\path\\to\\dll\n```\n\u003e **Note**: Replace `C:\\path\\to\\dll` with the actual path of your DLL (you can use the dll in this repo for testing)\n---\n\n## 🐍 **EDR, AV, and Sandbox Evasion**\n### ✅ **EDR Detection (`detector.c`)**\n- Scans `C:\\Windows\\System32\\drivers\\` for known **EDR \u0026 AV drivers** (Carbon Black, CrowdStrike, SentinelOne, etc.).\n- If found, decoy is executed instead of the injection.\n\n### ✅ **Anti-Sandbox Techniques**\n- **Detects Virtual Machine Artifacts**:\n  - Checks for **VMware**, **VirtualBox**, and **Hyper-V files**.\n- **Detects Sleep Patching**:\n  - Measures the **execution time** of `Sleep(10000)`.\n  - If altered, execution is stopped.\n- **Detects Filename Hash Matching**:\n  - Checks if the **binary filename matches its MD5 hash** (common in packed malware).\n- **Detects Sandbox DLLs**:\n  - Checks for the presence of sandbox's DLLs.\n### ✅ **Anti-Debugger Techniques**\n- **Detect if NtGlobalFlag is present in PEB.**\n- **Detect debugger flags in HEAP**\n\n---\n\n## 📝 **Project Structure**\n```\n📂 Project Folder\n│── detector.c       # EDR/AV/Sandbox detection\n│── detector.h       # Header file for detection functions\n│── dllinjector.c    # Main DLL injector\n│── evasion.c        # Evasion functions (syscalls, b64decode...) and decoy\n│── evasion.h        # Header file for evasion functions and decoy\n|── makefile         # easy to compile\n|── malDLL.c         # Source DLL that can be used for testing\n│── README.md        # This documentation\n│── syscalls.asm     # Direct Syscalls Functions\n```\n---\n## Modules Breakdown\n### **1️⃣ dllinjector.c - Main DLL Injector**\n- Creates a **suspended** process (`SearchProtocolHost.exe` or `explorer.exe`).\n- Uses **direct syscalls** to allocate memory and write the DLL path.\n- Executes the entry point of the injected DLL stealthily.\n\n### **2️⃣ detector.c \u0026 detector.h - EDR/AV/Sandbox Detection**\n- Detects **common AV/EDR drivers** in `C:\\Windows\\System32\\drivers`.\n- Checks for **sandbox-specific DLLs** like `cuckoomon.dll`, `VBox*.dll`, etc.\n- Uses `NtQuerySystemInformation` to determine if the environment is a VM.\n- Implements **cursor movement \u0026 sleep patching** to evade automated sandboxes.\n\n### **3️⃣ evasion.c \u0026 evasion.h - Evasion Functions \u0026 Decoy Execution**\n- Implements **Base64 encoding \u0026 decoding** to hide DLL and function names.\n- **Legitimate Decoy Execution**: The injector executes a CPU-intensive function to simulate legitimate software behavior.\n- Use PEB walk to retrieve function in modules without API.\n\n### **4️⃣ syscalls.asm - Direct Syscalls for Hell’s Gate \u0026 SysWhispers**\n- Implements **NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory** using direct syscalls.\n- Dynamically resolves syscall numbers at runtime to avoid static detection.\n\n---\n\n## **Test**\n\n- [x] Windows 10 (22H2)\n- [x] Windows 11 (11 24H2)\n\n---\n\n## ⚠️ **Legal Disclaimer**\n\u003e **This tool is for educational and research purposes only.**  \n\u003e Do not use it for malicious activities. The author is not responsible for any misuse.\n\n---\n\n## 📬 **Contributing**\nFeel free to **submit issues or pull requests** to improve the project.  \n\n---\n\n## 📜 **References**\n- 🔗 **MITRE ATT\u0026CK Framework**: [T1202 - Indirect Command Execution](https://attack.mitre.org/techniques/T1202/)  \n- 🔗 **AV \u0026 EDR Detection**: [Exe_Who GitHub](https://github.com/Nariod/exe_who)\n- 🔗 **Pikabot Campaign TM**: [Trend Micro: Pikabot Spam Wave](https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html)\n- 🔗 **Pikabot Campaign Mitre**: [MITRE ATT\u0026CK: Pikabot Campaign (C0037)](https://attack.mitre.org/campaigns/C0037/)\n\n---\n\n🚀 **Happy Coding!**\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneyrian%2Fdll-injector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fneyrian%2Fdll-injector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneyrian%2Fdll-injector/lists"}