NT Evasion

Windows syscall evasion framework. Does stack spoofing, module stomping, and anti-debug stuff without touching CRT.

What This Does

Gives you direct NT syscall access while evading detection. Syscalls get routed through randomized ROP gadgets instead of going straight to ntdll, so your calls look legitimate on the stack. Pairs with module stomping so your code lives in what looks like kernelbase.dll instead of a suspicious allocated region.

Also has hardware breakpoint hooks for ETW and AMSI if you need them (BROKEN: the patchless method needs fixing).

Basic Usage

#define NT_TRAMP_IMPL
#define EVASION_ENABLE_HWBP // hardware-breakpoint hooks; currently broken for AMSI/ETW (see TODO)
#include "lib.h"

// The snippet assumes the caller supplies the bytes to run and their length.
extern const unsigned char payload[];
extern size_t size;

int main() {
    nt_init();            // resolve ntdll once, parse exports, cache gadgets
    evasion_init_all();   // stomping, PEB hardening, breakpoint handler

    // spoofed wrapper: the call is routed through the gadget chain, not a direct syscall
    void* buf = virtual_alloc(nullptr, 0x1000, MEM_COMMIT, PAGE_READWRITE);
    if (buf) {
        memcpy(buf, payload, size);
        ((void(*)())buf)();
    }

    return 0;
}

Build it:

clang++ -c main.cpp -O2 -DNT_TRAMP_IMPL -DEVASION_ENABLE_HWBP -march=native

How It Works

Spoofing - Syscalls go through gadget chains in ntdll instead of direct syscall instructions. The gadgets are randomized on each call, so there's no predictable pattern. Return addresses get swapped around so the stack looks normal.

Stomping - Code gets copied into a real DLL like kernelbase. Then the original module gets unlinked from the PEB so it doesn't show up in module enumeration. Debuggers and monitoring tools see legitimate system code instead.
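The standard way a scanner catches stomped modules is the one the paragraph above implicitly describes from the other side: the code section of a mapped DLL should match the file on disk, and a long run of foreign bytes where the payload was copied does not. Unlinking the module from the PEB does not help against this, because the check walks mapped memory regions rather than the loader's module list. The following is an added example written for this page (it is not part of the NT Evasion project): it diffs two equal-length section views, merges nearby runs, and keeps only runs long enough to be more than relocation noise. The section bytes are constructed inline.

```python
"""Compare the code section of a module as loaded in memory with the same
section read from the file on disk and report the byte ranges that differ.
Added detection example; not part of the NT Evasion project."""
from typing import List, Optional, Tuple

Run = Tuple[int, int]  # (offset, length)


def diff_ranges(disk: bytes, memory: bytes, merge_gap: int = 16) -> List[Run]:
    """Return runs where memory differs from disk, merging runs that are
    separated by at most merge_gap unchanged bytes."""
    if len(disk) != len(memory):
        raise ValueError("section sizes differ; compare equal-length views")
    runs: List[Run] = []
    start: Optional[int] = None
    for i, (a, b) in enumerate(zip(disk, memory)):
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(disk) - start))

    merged: List[Run] = []
    for off, ln in runs:
        if merged:
            prev_off, prev_len = merged[-1]
            if off - (prev_off + prev_len) <= merge_gap:
                merged[-1] = (prev_off, off + ln - prev_off)
                continue
        merged.append((off, ln))
    return merged


def suspicious_runs(runs: List[Run], min_len: int = 32) -> List[Run]:
    """Keep only long runs. A few scattered bytes are what relocations and
    legitimate hot-patching leave behind; a long contiguous foreign region is
    what copying a payload over a mapped DLL leaves behind."""
    return [r for r in runs if r[1] >= min_len]


# Constructed sample: a fake 2 KiB code section, then a copy with an 8-byte
# relocation-like change at offset 0 and a 200-byte overwrite at offset 0x400.
DISK_TEXT = bytes(range(256)) * 8
_mem = bytearray(DISK_TEXT)
_mem[0:8] = b"\xff" * 8
_mem[0x400:0x400 + 200] = b"\xcc" * 200
MEMORY_TEXT = bytes(_mem)


def scan_sample_section() -> List[Run]:
    """Run the comparison over the constructed sample."""
    return suspicious_runs(diff_ranges(DISK_TEXT, MEMORY_TEXT))


if __name__ == "__main__":
    for off, ln in scan_sample_section():
        print(f"section bytes {off:#x}-{off + ln:#x} differ from disk ({ln} bytes)")
```

On a real system the disk view has to be mapped with the same section alignment the loader used, and relocations applied, before the two views are comparable; the length threshold in `suspicious_runs` is what absorbs the differences that remain after that.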

Breakpoints - ETW and AMSI functions get hooked via hardware breakpoints (DR0-DR3). When they execute, a VEH handler catches the debug exception and returns whatever value you want. No code patches, no hooking DLLs, just register manipulation.
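Because this technique touches no code bytes, integrity checks like the one above miss it; what it does leave behind is state in the thread's debug registers. A defender who snapshots each thread's context can decode DR7 to see which of DR0-DR3 are armed and as what kind of breakpoint, then check whether an execution breakpoint sits inside a function nobody should be hooking. The following is an added example written for this page, not code from the NT Evasion project; it decodes all four slots and all access types, not only the execute case the paragraph describes. The monitored address ranges and the register snapshot are constructed values, not real addresses.

```python
"""Decode the x64 debug registers from a thread context snapshot and flag
hardware execution breakpoints that land inside monitored functions.
Added detection example; not part of the NT Evasion project."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# DR7 R/W field encodings (Intel SDM vol. 3, debug registers)
RW_KINDS = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# DR7 LEN field encodings; 0b10 means 8 bytes in 64-bit mode
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


@dataclass(frozen=True)
class HwBreakpoint:
    slot: int        # 0..3, i.e. which of DR0-DR3 holds the address
    address: int
    kind: str        # "execute", "write", "read/write" or "io"
    length: int      # bytes covered (always 1 for execute breakpoints)
    scope: str       # "local", "global" or "local+global"


def decode_debug_registers(dr0_3: List[int], dr7: int) -> List[HwBreakpoint]:
    """Return the enabled breakpoints described by DR0-DR3 and DR7."""
    if len(dr0_3) != 4:
        raise ValueError("expected exactly four address registers DR0-DR3")
    found: List[HwBreakpoint] = []
    for slot in range(4):
        local = (dr7 >> (slot * 2)) & 1         # Lx enable bit
        glob = (dr7 >> (slot * 2 + 1)) & 1      # Gx enable bit
        if not (local or glob):
            continue                            # slot not armed
        rw = (dr7 >> (16 + slot * 4)) & 0b11    # R/Wx field
        ln = (dr7 >> (18 + slot * 4)) & 0b11    # LENx field
        scope = {(1, 0): "local", (0, 1): "global", (1, 1): "local+global"}[(local, glob)]
        found.append(HwBreakpoint(slot, dr0_3[slot], RW_KINDS[rw], LEN_BYTES[ln], scope))
    return found


def find_hooked_functions(bps: List[HwBreakpoint],
                          function_ranges: Dict[str, Tuple[int, int]]) -> Dict[str, HwBreakpoint]:
    """Map monitored function names to the execute breakpoint that covers them."""
    hits: Dict[str, HwBreakpoint] = {}
    for bp in bps:
        if bp.kind != "execute":
            continue
        for name, (start, end) in function_ranges.items():
            if start <= bp.address < end:
                hits[name] = bp
    return hits


# Constructed sample data (not real addresses): ranges a scanner would derive
# from the export tables of the loaded modules, plus one thread's DR snapshot.
MONITORED = {
    "amsi!AmsiScanBuffer": (0x7FF8_0001_1000, 0x7FF8_0001_1200),
    "ntdll!EtwEventWrite": (0x7FF8_0002_3000, 0x7FF8_0002_3080),
}
SAMPLE_DR = [0x7FF8_0001_1000, 0x0000_0200_0010, 0, 0]
# slot 0: local, execute, 1 byte; slot 1: global, write, 4 bytes; slots 2 and 3 off
SAMPLE_DR7 = 0b1 | 0b1000 | (0b01 << 20) | (0b11 << 22)


def scan_sample_context() -> Dict[str, HwBreakpoint]:
    """Decode the constructed snapshot and report hooked monitored functions."""
    return find_hooked_functions(decode_debug_registers(SAMPLE_DR, SAMPLE_DR7), MONITORED)


if __name__ == "__main__":
    for name, bp in scan_sample_context().items():
        print(f"{name}: execute breakpoint in DR{bp.slot} at {bp.address:#x} ({bp.scope})")
```

In practice the snapshot comes from reading each thread's context with the debug-register flag set; the decoder above does not depend on how it was obtained, so the same logic works on a live process, a minidump, or a kernel-side callback that sees context changes.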

Hardening - Clears the BeingDebugged flag, hides your thread from debuggers, removes DLL notification callbacks, patches process exit with NOPs.

Key Functions

Setup

  • evasion_init_all() - init everything

Memory

  • virtual_alloc() / virtual_free() / virtual_protect() - all spoofed

Injection

  • module_stomp() - inject into DLL
  • register_fake_unwind() - add fake stack frames
  • peb_unlink() - hide from enumeration

Anti-debug

  • harden_peb_anti_debug() - clear flags
  • hide_thread_from_debugger() - hide thread

Hooks

  • install_evasion_veh() - enable breakpoint handler

Performance

Actually pretty fast because everything gets cached. Export tables parsed once, ntdll base looked up once, gadgets cached. Payload copying uses SSE2 so it's way faster than a byte-by-byte loop.

No CRT

Doesn't link anything from the C runtime. Memory operations use intrinsics:

  • memcpy_sse2() for fast copies
  • memcpy_fast() for qword operations
  • memset_qword() / memset_byte() for zeroing

Just Windows.h and intrin.h.

Requirements

  • x64
  • Visual Studio, Clang, or GCC
  • No external dependencies

TODO

  • Use better custom hashing to avoid YARA signatures
  • Compile-time string encryption
  • Working patchless AMSI/ETW bypass
  • More call wrappers
  • OPSEC (function names in the symbol table need to be mapped to legitimate Windows APIs)

About

A bad library that imports indirect syscalls with Call stack spoofing and many more.
