Article Excerpt
It's an AV/EDR evasion tool created to bypass security tools for learning; as of now the tool is FUD.
| property | value |
| --- | --- |
| tags | bloodhound,cyber-deception,pkm-pocket-pipeline,summarize-article,threat-hunting |
| url | |
| original_word_count | 490 |
Long Summary
Killer Tool (EDR Evasion) is a tool created to bypass security tools for learning. It is currently FUD (Fully UnDetectable) and has several features that contribute to this: module stomping for memory-scanning evasion; DLL unhooking by loading a fresh copy of ntdll; IAT hiding and obfuscation together with API unhooking; ETW patching to bypass some security controls; sandbox evasion techniques and basic anti-debugging; fully obfuscated functions, keys and shellcode (XOR-encoded); shellcode that is reversed and encrypted; moving the payload into hollowed memory without calling the usual APIs; its own GetProcAddress and GetModuleHandle implementations; and execution without creating a new thread, with support for both x64 and x86 architectures.
To use the tool, one must generate their shellcode with the msfvenom tool and copy the output into the encryptor's XOR function. This is not easy for script kiddies. The tool was developed with the help of Abdallah Mohammed, who can be found on Facebook and GitHub. It is important to note that the tool is for educational purposes only and should be compiled with the Visual Studio compiler.
A proof-of-concept (PoC) is available to demonstrate the tool's effectiveness; it shows the tool successfully bypassing security controls. Killer Tool (EDR Evasion) is a powerful tool for learning about and bypassing security controls, intended for educational purposes only and to be used responsibly.
Short Summary
0xHossam/Killer
- It's an AV/EDR evasion tool created to bypass security tools for learning; as of now the tool is FUD.
- Killer Tool (EDR Evasion) bypasses security tools for learning.
- It is currently FUD and has several features to aid in evasion.
- Module stomping for memory-scanning evasion.
- DLL unhooking by loading a fresh copy of ntdll.
- IAT hiding and obfuscation, plus API unhooking.
- ETW patching for bypassing some security controls.
- Sandbox evasion techniques and basic anti-debugging.
- Fully obfuscated functions, keys, and shellcode by XOR-ing.
- Runs without creating a new thread and supports x64 and x86 architectures.
- The tool is for educational purposes only and should be compiled with the Visual Studio compiler.
source link: https://github.com/0xHossam/Killer
summarized content: https://hut.threathunterz.com/battlefield-intel/tradecraft-tools/0xhossamkiller
#KillerTool #EDREvasion #SecurityBypass #FUD #EducationalPurposesOnly