A multi-layered evasion framework combining Hellβs Hall indirect syscalls, PEB-based API hashing, IAT camouflage, custom CRT removal, ntdll unhooking via KnownDlls, sandbox detection, self-deletion, and Fiber-based shellcode execution β built to understand and demonstrate how modern offensive tooling evades EDR/AV at every layer.
A shellcode injector that bypasses userland hooks by resolving and calling NT syscalls directly β no Win32 API strings, no GetProcAddress, no GetModuleHandle. Custom PEB walk, export table parsing, and compile-time Djb2 hashing.
Combining PPID Spoofing, Module Stomping, RC4 encryption, and native NT API enumeration into a single injection framework β built from scratch to understand how modern evasion techniques work under the hood.
Six chambers, six encryption/obfuscation methods. A CTF-style tool for practicing Ghidra analysis and decryption routine writing β from XOR to AES-256 CBC to UUID obfuscation.
Manual PE backdooring from scratch: code cave injection, new section addition, XOR evasion, and Adaptix C2 beacon delivery inside a legitimate PuTTY binary.
Deep dive into the Windows PE file format and runtime process inspection via PEB walking β parsing headers, import/export tables, and the loader module list.