This tool demonstrates red team tradecraft for stealthy AMSI bypass and fileless PowerShell execution. Designed for penetration testers and security researchers, it leverages modern evasion techniques to bypass endpoint protections and execute encrypted payloads directly in memory.
- Dynamic AMSI Bypass: patches both `AmsiScanBuffer` and `AmsiInitialize` dynamically at runtime.
- Indirect Syscall Execution: implements syscall stomping via a custom trampoline for `NtProtectVirtualMemory`.
- Encrypted Payload Execution: decrypts and executes PowerShell commands directly in memory for fileless operation.
- Polymorphic Obfuscation: protects hardcoded strings and API names to evade static analysis.
- Sandbox Detection: avoids execution in virtualized or monitored environments.
- Runtime API Resolution: no reliance on hardcoded module names or function addresses.
- Supported OS: Windows 10/11 or later.
- Tools: Visual Studio (or equivalent C/C++ compiler), admin privileges for execution.
- Dependencies: `mscoree.lib` for CLR integration; Windows SDK for syscall functionality.
```sh
git clone https://github.com/xorganic/Cloakk.git
cd stealth-amsi-bypass
```
- Open the project in Visual Studio and build in Release mode.
- Using GCC from MinGW-w64, run the following command to compile the code into a Windows executable:

```sh
x86_64-w64-mingw32-gcc -o Cloakk.exe Cloakk.c -lmscoree -lkernel32 -luser32 -ladvapi32
```

Run the resulting executable:

```sh
Cloakk.exe
```
Replace `encryptedCommand` with your XOR-encrypted PowerShell script:

```c
const char* encryptedCommand = "\x15\x13\x12..."; // Encrypted payload
executeEncryptedPowerShell(encryptedCommand, 42); // Key for decryption
```
This tool is intended for educational purposes only. Use it solely in authorized penetration testing environments with explicit consent from stakeholders. Misuse of this tool can lead to severe legal consequences.
- AMSI Patch: dynamically resolves AMSI-related APIs, uses indirect syscalls to modify memory protections, and applies polymorphic patches (`xor eax, eax; ret`) to disable AMSI scanning.
- Encrypted PowerShell Execution: the payload is XOR-encrypted for stealth, decrypted at runtime, and executed in a .NET CLR runspace.
- Sandbox Avoidance: detects common artifacts such as `VBoxGuest.dll` or `SbieDll.dll` and exits gracefully when a virtualized or debugged environment is detected.
- Red Team Operations: execute payloads while bypassing modern EDR/AV solutions.
- Security Research: understand advanced techniques for AMSI evasion and PowerShell obfuscation.
- Blue Team Training: develop detection rules and improve endpoint monitoring strategies.
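A defender-side check for the AMSI patch described above, added here as an example and not part of the Cloakk project: it compares the entry bytes of `AmsiScanBuffer` and `AmsiInitialize` as seen in process memory with the same functions in the on-disk `amsi.dll` image and flags the `xor eax, eax; ret` stub. The two byte views are constructed inline; collecting them from a live process or memory image is assumed to be done by separate tooling.

```python
"""Detect inline patching of AMSI exports by diffing the function entry
bytes seen in process memory against the on-disk amsi.dll image.
Added example; the byte views below are constructed, not real amsi.dll."""

# Short-circuit stubs a blue team would look for at a function entry.
# xor eax,eax; ret is the stub named in the README; 33 C0 is the same
# instruction with the alternate opcode encoding.
KNOWN_STUBS = {
    b"\x31\xc0\xc3": "xor eax, eax; ret",
    b"\x33\xc0\xc3": "xor eax, eax; ret",
    b"\xc3": "ret",
}

def classify_entry(disk: bytes, memory: bytes, window: int = 16) -> dict:
    """Compare the first `window` bytes of both views and report whether
    they differ, where they first differ, and whether memory now begins
    with a known short-circuit stub."""
    d, m = disk[:window], memory[:window]
    stub = next((name for pat, name in KNOWN_STUBS.items()
                 if m.startswith(pat)), None)
    first_diff = next((i for i, (a, b) in enumerate(zip(d, m)) if a != b), None)
    return {"patched": d != m, "stub": stub, "first_diff": first_diff}

def scan_amsi(disk_exports: dict, memory_exports: dict) -> list:
    """Return (export, description, offset) for each monitored export
    whose in-memory entry no longer matches the on-disk image."""
    findings = []
    for name in ("AmsiScanBuffer", "AmsiInitialize"):
        r = classify_entry(disk_exports[name], memory_exports[name])
        if r["patched"]:
            findings.append((name, r["stub"] or "unknown modification",
                             r["first_diff"]))
    return findings

# Constructed sample data: a valid x64 prologue (mov r11,rsp; spills; pushes)
# stands in for the clean disk view; the memory view has the README's
# xor eax,eax; ret written over the AmsiScanBuffer entry.
PROLOGUE = bytes.fromhex("4c8bdc49895b0849896b1056574154415541564157")
DISK = {"AmsiScanBuffer": PROLOGUE, "AmsiInitialize": PROLOGUE}
MEMORY = {"AmsiScanBuffer": b"\x31\xc0\xc3" + PROLOGUE[3:],
          "AmsiInitialize": PROLOGUE}

if __name__ == "__main__":
    for export, what, off in scan_amsi(DISK, MEMORY):
        print(f"{export}: entry modified at +{off} ({what})")
```

The same diff-against-disk approach also catches patches that do not use a known stub, since any mismatch in the entry window is reported as an unknown modification.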
This tool highlights the importance of staying ahead in cybersecurity. As defenders strengthen their systems, offensive techniques evolve. Sharing knowledge fosters growth and prepares both red and blue teams.
Found an issue? Have suggestions? Feel free to open a pull request or contact me!