// offensive security training dashboard
Building position-independent loaders
Deep dive into reflective DLL loading, return address spoofing, IAT hooking, and the FOLIAGE sleep mask. Master Windows memory internals from PE parsing to full evasion chains.
Build position-independent C++20 shellcode from scratch. No PE headers, no DLL, no loader stub — pure PIC implant code with compile-time hashing, PEB walking, and module stomping.
Position-independent reflective DLL loading built with Crystal Palace: spec-driven PIC linker, LibTCG PE loading, LibGate indirect syscalls, DFR, Beacon User Data, and extending loaders beyond PoC.
Convert any EXE, DLL, VBScript, JScript, or .NET assembly into position-independent shellcode. In-memory PE loading, CLR hosting, Chaskey encryption, and AMSI/ETW/WLDP bypass stubs.
Load and execute Beacon Object Files outside Cobalt Strike. COFF parsing, section loading, symbol resolution, relocation processing, and implementing the Beacon API compatibility layer.
Stealthy OS interaction
Resolve System Service Numbers at runtime from ntdll stubs, execute direct syscalls from user-mode, and bypass EDR hooks entirely. Covers Halo's Gate and TartarusGate extensions.
Generate legitimate call stack frames with indirect syscalls by abusing Vectored Exception Handling. Hardware breakpoints, CPU trap flags, and context manipulation to bypass user-land EDR hooks.
Generate shellcode loaders with comprehensive evasion. Injection techniques, syscall gates, NTDLL unhooking, AMSI/ETW patching, sandbox detection — all from a Go library and CLI generator.
Getting code into remote processes
Abuse Windows thread pool internals for stealthy process injection. Eight variants targeting TP_WORK, TP_TIMER, TP_WAIT, TP_IO, ALPC, and TP_DIRECT — bypassing all major EDRs.
Inject into remote processes without creating threads. Hook a target function in the remote process so existing threads trigger your shellcode — zero CreateRemoteThread, zero ETW thread creation events.
Create processes from delete-pending files that AV/EDR cannot scan. Write a payload to a temp file, mark it delete-pending, create a section, spawn the process, then close the handle — the file vanishes.
Execute shellcode one instruction at a time using INT3 breakpoints and VEH handlers. Only one byte is ever decrypted in memory — the ultimate minimal decryption surface for memory scanner evasion.
Hiding in memory at rest
Timer-based sleep obfuscation using ROP chains, RC4 encryption, and NtContinue context manipulation. Encrypt implant memory during sleep to evade idle-time memory scanners.
Toggle shellcode memory between encrypted RW and executable RX on every sleep cycle. Hook Sleep to XOR-encrypt shellcode during idle, defeating Moneta, pe-sieve, and BeaconEye scanners.
Compiler-level per-function self-masking via LLVM backend modifications. XOR encryption keeps ~98% of code masked even at sleep 0, defeating memory scanners while maintaining CET compatibility.
Spoofing execution traces
Dynamically spoof call stacks to defeat EDR stack walking. Stack desynchronization, synthetic RUNTIME_FUNCTION entries, ROP-driven frame fabrication, and full syscall dispatch with clean stacks.
Construct synthetic call stacks that fool EDR stack walkers. Beacon Object Files, x64 unwind metadata parsing, JMP RBX gadgets, and indirect syscalls — making shellcode look like normal thread initialization.
Polymorphism, encoding, and ring 0
Generate polymorphic shellcode with unique decoder stubs on every run. RC4 + random block cipher encryption, asmjit-powered runtime assembly, junk code insertion, and anti-analysis tricks.
Ring 0 offensive techniques: DKOM process hiding, ETW provider disabling, kernel callback removal, registry/file protection, and memory scanner evasion — all through a kernel driver framework.