S — Layered Evasion Framework

A multi-layered evasion framework combining Hell's Hall indirect syscalls, PEB-based API hashing, IAT camouflage, custom CRT removal, ntdll unhooking via KnownDlls, sandbox detection, self-deletion, and Fiber-based shellcode execution — built to understand and demonstrate how modern offensive tooling evades EDR/AV at every layer.

May 13, 2026 · 18 min · MrAzoth

Direct Syscall Injection with Custom API Resolution

A shellcode injector that bypasses userland hooks by resolving and calling NT syscalls directly — no Win32 API strings, no GetProcAddress, no GetModuleHandle. Custom PEB walk, export table parsing, and compile-time Djb2 hashing.

April 19, 2026 · 10 min · MrAzoth

PPID Spoofing and Stomping — Process Injection Framework

Combining PPID Spoofing, Module Stomping, RC4 encryption, and native NT API enumeration into a single injection framework — built from scratch to understand how modern evasion techniques work under the hood.

March 28, 2026 · 10 min · MrAzoth

GHOUL C2

Overview: GHOUL is an educational Command & Control (C2) framework built on top of the Discord REST API. The project covers the full stack: a Windows agent written in C, and an operator bot written in Python using discord.py. The goal was to build something that goes beyond a toy example — implementing real techniques used by modern implants, with every design decision documented and explained. The result is a working C2 with encrypted beaconing, multiple AV/EDR evasion layers, and a per-agent interactive shell system, all over a transport that blends into normal network traffic. ...

February 25, 2026 · 13 min · MrAzoth