# Archive

- [Notice](https://steve-s.gitbook.io/0xtriboulet/archive/notice.md)
- [ZeroTotal](https://steve-s.gitbook.io/0xtriboulet/archive/notice/zerototal.md): An ongoing series demonstrating various techniques for achieving zero hits on VirusTotal
- [ZeroTotal: Msfvenom Calc](https://steve-s.gitbook.io/0xtriboulet/archive/notice/zerototal/zerototal-msfvenom-calc.md): The quest for an undetectable calc payload on VirusTotal
- [ZeroTotal: Self-Injecting Calc](https://steve-s.gitbook.io/0xtriboulet/archive/notice/zerototal/zerototal-self-injecting-calc.md): The quest to achieve an undetected self-injecting calc implant
- [ZeroTotal: Rusty Calc](https://steve-s.gitbook.io/0xtriboulet/archive/notice/zerototal/zerototal-rusty-calc.md): The quest to achieve an undetectable self-injecting calc implant using Rust
- [Achieving Access](https://steve-s.gitbook.io/0xtriboulet/archive/notice/achieving-access.md): A series describing techniques to quickly achieve reverse shells on Windows 10 and Windows 11 targets with Windows Defender enabled
- [achieving access: implantv1](https://steve-s.gitbook.io/0xtriboulet/archive/notice/achieving-access/achieving-access-implantv1.md): Using classic methodology to develop a detectable payload on Windows 10 and Windows 11. We'll use this as a springboard to more successful implants in the following sections
- [achieving access: implantv2](https://steve-s.gitbook.io/0xtriboulet/archive/notice/achieving-access/achieving-access-implantv2.md): Using a development workflow that allows for customizable reverse shell payloads
- [achieving access: implantv3](https://steve-s.gitbook.io/0xtriboulet/archive/notice/achieving-access/achieving-access-implantv3.md): We reimplement the code we developed in implantv2 using the VX-API. This API is designed with malware development in mind and is a powerful addition to your development environments
- [Deceiving Defender](https://steve-s.gitbook.io/0xtriboulet/archive/notice/deceiving-defender.md): A series documenting some easy ways to bypass Windows Defender and leverage existing tooling on Windows 10 and Windows 11 machines.
- [Deceiving Defender: Making nc.exe viable again](https://steve-s.gitbook.io/0xtriboulet/archive/notice/deceiving-defender/deceiving-defender-making-nc.exe-viable-again.md): nc.exe is a powerful utility that allows for cross-platform connections. Many modern antivirus definitions detect nc.exe and prevent its use for Red Team operations
- [Deceiving Defender: Classic Bypass](https://steve-s.gitbook.io/0xtriboulet/archive/notice/deceiving-defender/deceiving-defender-classic-bypass.md): A practical workflow for bypassing Windows Defender disk detection using ThreatCheck, Ghidra, and Cpp
- [Deceiving Defender: Name Bypass](https://steve-s.gitbook.io/0xtriboulet/archive/notice/deceiving-defender/deceiving-defender-name-bypass.md): A simple name checking technique that bypasses Windows Defender protections on Windows 11 and Windows 10
- [Deceiving Defender: The Texas Two Step](https://steve-s.gitbook.io/0xtriboulet/archive/notice/deceiving-defender/deceiving-defender-the-texas-two-step.md): Utilizing a novel high-level methodology to bypass the increased protections of Windows Defender on Windows 11 systems in order to make mimikatz.exe viable again
- [Deceiving Defender: The Big Stack Bypass](https://steve-s.gitbook.io/0xtriboulet/archive/notice/deceiving-defender/deceiving-defender-the-big-stack-bypass.md): Defeating Windows Defender detection on Windows 10 by creating a large (>2MB) payload allocated on the stack
- [Making Meterpreter Viable Again](https://steve-s.gitbook.io/0xtriboulet/archive/notice/deceiving-defender/deceiving-defender-the-big-stack-bypass/making-meterpreter-viable-again.md): In this demonstration of the Big Stack Bypass, we take one of the most signatured payloads in offensive security and successfully bypass Windows Defender and other AV engines
- [Deceiving Defender: Meterpreter](https://steve-s.gitbook.io/0xtriboulet/archive/notice/deceiving-defender/deceiving-defender-meterpreter.md): Demonstrating manual manipulation of a meterpreter payload in order to bypass Windows Defender
- [Making Malware](https://steve-s.gitbook.io/0xtriboulet/archive/notice/making-malware.md): A series exploring the capabilities and utility of the VX-API for custom tooling
- [making malware #0](https://steve-s.gitbook.io/0xtriboulet/archive/notice/making-malware/making-malware-0.md): We analyze some of the capabilities of the default implant in the VX-API and discuss some of the capabilities that VX-API provides for development
- [making malware #1](https://steve-s.gitbook.io/0xtriboulet/archive/notice/making-malware/making-malware-1.md): Let's analyze some of the capabilities of the VX-API and demonstrate the practical utility of this API against a modern Windows 10 end-user target
- [making malware #2](https://steve-s.gitbook.io/0xtriboulet/archive/notice/making-malware/making-malware-2.md): In this writeup we extend the development of our previous implant to achieve reverse shell access on a modern Windows 10 machine!
- [Just Malicious](https://steve-s.gitbook.io/0xtriboulet/archive/notice/just-malicious.md): A miscellaneous repository of interesting topics that don't fit anywhere else on my blog
- [Advanced String Obfuscation](https://steve-s.gitbook.io/0xtriboulet/archive/notice/just-malicious/advanced-string-obfuscation.md): Sunday, December 3, 2023
- [From C, with inline assembly, to shellcode](https://steve-s.gitbook.io/0xtriboulet/archive/notice/just-malicious/from-c-with-inline-assembly-to-shellcode.md): Friday, August 11, 2023
- [Thnks4RWX](https://steve-s.gitbook.io/0xtriboulet/archive/notice/just-malicious/thnks4rwx.md): Compile an implant with RWX sections of memory to simulate a dropper with dynamic functionality in its own .text section
- [Unholy Unhooking](https://steve-s.gitbook.io/0xtriboulet/archive/notice/unholy-unhooking.md): A series that discusses using modern tools to re-apply classic methodologies and overcome Windows AV mitigations
- [Unholy Unhooking: byoDLL](https://steve-s.gitbook.io/0xtriboulet/archive/notice/unholy-unhooking/unholy-unhooking-byodll.md): Using our own copy of ntdll.dll, our implant will clear AV hooks and execute a malicious payload.
- [Unholy Unhooking: FrByoDLL](https://steve-s.gitbook.io/0xtriboulet/archive/notice/unholy-unhooking/unholy-unhooking-frbyodll.md): Using pe2shc, we'll load a clean copy of ntdll.dll in memory, unhook our program, and execute our malicious payload.
- [Unholy Unhooking: Rusty Fart](https://steve-s.gitbook.io/0xtriboulet/archive/notice/unholy-unhooking/unholy-unhooking-rusty-fart.md): An overview of Perun's Fart implemented in Rust
- [TTPs](https://steve-s.gitbook.io/0xtriboulet/archive/notice/ttps.md): A series focused on the review, analysis, proposal, and improvement of Tactics, Techniques, and Procedures used by open source security researchers.
- [TTPs: Embedding Payloads with MSFVenom (x86)](https://steve-s.gitbook.io/0xtriboulet/archive/notice/ttps/ttps-embedding-payloads-with-msfvenom-x86.md): An in-depth analysis of the mechanics behind embedded payloads using MSFVenom
- [TTPs: Embedding Payloads with MSFVenom (x64)](https://steve-s.gitbook.io/0xtriboulet/archive/notice/ttps/ttps-embedding-payloads-with-msfvenom-x64.md): Demonstrating a workflow to achieve embedded payloads on x64 executables using MSFVenom, BinaryNinja, and x64Dbg
- [TTPs: Rust vs C++](https://steve-s.gitbook.io/0xtriboulet/archive/notice/ttps/ttps-rust-vs-c++.md): A comparative analysis of C++ and Rust implant binaries
- [TTPs: JmpNoCall](https://steve-s.gitbook.io/0xtriboulet/archive/notice/ttps/ttps-jmpnocall.md): A proof of concept demonstration of custom payload and implant implementations that results in clean call stack execution of malicious code
- [TTPs: BadAsm](https://steve-s.gitbook.io/0xtriboulet/archive/notice/ttps/ttps-badasm.md): In this writeup we use the capabilities of inline assembly to overwrite part of our program's .text section and achieve non-standard payload self-injection and execution
- [TTPs: BadStrings](https://steve-s.gitbook.io/0xtriboulet/archive/notice/ttps/ttps-badstrings.md): In this writeup we discuss a multi-step methodology for beating string detection by Mandiant's FLOSS string deobfuscator
- [Weird Windows](https://steve-s.gitbook.io/0xtriboulet/archive/notice/weird-windows.md): A series discussing weird features of Windows
- [Command Hijacking with .COM](https://steve-s.gitbook.io/0xtriboulet/archive/notice/weird-windows/command-hijacking-with-.com.md): In this writeup we demonstrate a technique that allows for command interception from a target user's command prompt or PowerShell on modern Windows systems
- [Non-Existent File Paths](https://steve-s.gitbook.io/0xtriboulet/archive/notice/weird-windows/non-existent-file-paths.md): This writeup will discuss the use of non-existent file paths and present a use case
