Cloakware

Process injection and memory cloaking research library for Windows.

Cloakware catalogs and implements known process injection techniques and memory hiding methods, and provides analysis tools for studying how security products detect these operations. Built for security researchers, red teamers, and detection engineers.

Features

Injection Techniques

  • Classic Remote Thread - VirtualAllocEx + WriteProcessMemory + CreateRemoteThread
  • APC Injection - QueueUserAPC / NtQueueApcThread / Early Bird variants
  • Thread Hijacking - SuspendThread + SetThreadContext + ResumeThread
  • Section Injection - NtCreateSection + NtMapViewOfSection shared mapping
  • Process Hollowing - Create suspended, unmap, remap with TLS support

Memory Cloaking

  • VEH Guard Pages - PAGE_GUARD + Vectored Exception Handler for on-demand reveal
  • Timer-Based Cycling - Periodic PAGE_NOACCESS / PAGE_EXECUTE_READ permission flipping
  • Module Stomping - Overwrite legitimate DLL .text sections (.NET assembly support)
  • PE Header Wiping - Erase MZ/PE/Rich signatures from memory

Analysis Tools

  • Memory Scanner - Detect unbacked executable regions, RWX memory, wiped headers, injected threads
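Added example, not Cloakware's own code: a portable C++ sketch of the two sides of the PE Header Wiping item and the Memory Scanner heuristics above. It builds a constructed PE header, wipes the MZ, Rich and PE signatures in place, and then runs scanner checks over a constructed region snapshot (standing in for VirtualQueryEx plus ReadProcessMemory output) that flags RWX memory, executable regions not backed by an image, and image regions whose MZ header is missing. The constants are copied from winnt.h so the file builds without windows.h; every function name, the header layout and the addresses in the snapshot are assumptions for illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Windows memory constants (values as in winnt.h), kept as plain integers.
constexpr uint32_t MEM_IMAGE   = 0x1000000;
constexpr uint32_t MEM_PRIVATE = 0x0020000;
constexpr uint32_t PAGE_READONLY          = 0x02;
constexpr uint32_t PAGE_EXECUTE           = 0x10;
constexpr uint32_t PAGE_EXECUTE_READ      = 0x20;
constexpr uint32_t PAGE_EXECUTE_READWRITE = 0x40;
constexpr uint32_t PAGE_EXECUTE_WRITECOPY = 0x80;

// One committed region as a scanner sees it after VirtualQueryEx plus a
// ReadProcessMemory of its first bytes (constructed here, not read live).
struct Region {
    uint64_t base;
    uint64_t allocationBase;   // MEMORY_BASIC_INFORMATION.AllocationBase
    uint32_t type;             // MEM_IMAGE / MEM_PRIVATE
    uint32_t protect;          // PAGE_* value
    std::vector<uint8_t> head; // first bytes of the region
};

struct Finding { uint64_t base; std::string reason; };

// Minimal in-memory PE header (constructed): "MZ", e_lfanew at 0x3C, a Rich
// block ("DanS" ... "Rich" + XOR key) and the "PE\0\0" signature.
std::vector<uint8_t> makePeHeader() {
    std::vector<uint8_t> h(0x200, 0);
    const uint32_t e_lfanew = 0x100;
    h[0] = 'M'; h[1] = 'Z';
    std::memcpy(&h[0x3C], &e_lfanew, 4);
    std::memcpy(&h[0x80], "DanS", 4);
    std::memcpy(&h[0xC0], "Rich", 4);
    std::memcpy(&h[0xC4], "\x11\x22\x33\x44", 4); // XOR key after "Rich"
    std::memcpy(&h[e_lfanew], "PE\0\0", 4);
    return h;
}

// Header wiping: zero the MZ magic, the whole Rich block and the PE
// signature in place. Returns the number of bytes zeroed.
size_t wipeHeaders(std::vector<uint8_t>& h) {
    if (h.size() < 0x40) return 0;
    size_t n = 2;
    h[0] = h[1] = 0;
    uint32_t e_lfanew = 0;
    std::memcpy(&e_lfanew, &h[0x3C], 4);
    size_t dans = 0, rich = 0;
    for (size_t i = 0x40; i + 4 <= e_lfanew && i + 4 <= h.size(); ++i) {
        if (dans == 0 && std::memcmp(&h[i], "DanS", 4) == 0) dans = i;
        if (std::memcmp(&h[i], "Rich", 4) == 0) rich = i;
    }
    if (dans && rich > dans) {
        size_t end = std::min(rich + 8, h.size()); // "Rich" + 4-byte key
        std::fill(h.begin() + dans, h.begin() + end, 0);
        n += end - dans;
    }
    if (e_lfanew + 4 <= h.size()) {
        std::fill(h.begin() + e_lfanew, h.begin() + e_lfanew + 4, 0);
        n += 4;
    }
    return n;
}

static bool isExecutable(uint32_t p) {
    return (p & (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                 PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
}

// Scanner heuristics per region; one region can yield several findings.
std::vector<Finding> scanRegions(const std::vector<Region>& regions) {
    std::vector<Finding> out;
    for (const Region& r : regions) {
        if (r.protect == PAGE_EXECUTE_READWRITE)
            out.push_back({r.base, "RWX memory"});
        if (isExecutable(r.protect) && r.type != MEM_IMAGE)
            out.push_back({r.base, "unbacked executable region"});
        // Only the first region of an image carries the DOS header.
        if (r.type == MEM_IMAGE && r.base == r.allocationBase) {
            bool mz = r.head.size() >= 2 && r.head[0] == 'M' && r.head[1] == 'Z';
            if (!mz) out.push_back({r.base, "image region without MZ header"});
        }
    }
    return out;
}

// Constructed snapshot: a clean DLL (headers + .text), a classic RWX
// injection, an unbacked RX region, and an image whose headers were wiped.
std::vector<Region> demoSnapshot() {
    auto clean = makePeHeader();
    auto wiped = makePeHeader();
    wipeHeaders(wiped);
    std::vector<uint8_t> code(16, 0x90); // nop sled as shellcode stand-in
    return {
        {0x7ff800000000, 0x7ff800000000, MEM_IMAGE,   PAGE_READONLY,          clean},
        {0x7ff800001000, 0x7ff800000000, MEM_IMAGE,   PAGE_EXECUTE_READ,      code},
        {0x1a0000,       0x1a0000,       MEM_PRIVATE, PAGE_EXECUTE_READWRITE, code},
        {0x2b0000,       0x2b0000,       MEM_PRIVATE, PAGE_EXECUTE_READ,      code},
        {0x7ff900000000, 0x7ff900000000, MEM_IMAGE,   PAGE_READONLY,          wiped},
    };
}

int main() {
    for (const Finding& f : scanRegions(demoSnapshot()))
        std::printf("%012llx  %s\n", (unsigned long long)f.base, f.reason.c_str());
    return 0;
}
```

The RWX region produces two findings (RWX and unbacked), so the snapshot yields four in total; the clean DLL's .text is executable but image-backed and is not reported, which is the distinction a scanner needs to avoid flagging every loaded module.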

Infrastructure

  • Direct Syscalls - Bypass ntdll hooks via runtime SSN resolution
  • Indirect Syscalls - Jump to ntdll syscall gadgets for clean call stacks
  • Process Utilities - Privilege adjustment, process/thread enumeration

Building

mkdir build && cd build
cmake .. -G "Visual Studio 17 2022" -A x64
cmake --build . --config Release

Or with CMake presets:

cmake --preset default
cmake --build --preset release

Usage

# List all available techniques
cloakware list

# Inject shellcode via classic remote thread
cloakware inject classic <pid> <shellcode.bin>

# Inject via APC (early bird variant)
cloakware inject earlybird <pid> <shellcode.bin> <target_exe>

# Scan a process for injected code
cloakware scan <pid>
cloakware scan <pid> --verbose

# Cloak a memory region
cloakware cloak guard <hex_address> <size>
cloakware cloak timer <hex_address> <size>

Library API

#include "inject/classic_inject.h"
#include "cloak/memory_cloak.h"
#include "analysis/memory_scanner.h"

// Inject shellcode
cloakware::inject::InjectOptions opts;
opts.bypassCFG = true;
opts.useSyscall = true;
auto result = cloakware::inject::ClassicInject(pid, shellcode, size, opts);

// Cloak memory
auto& cloak = cloakware::cloak::MemoryCloak::Instance();
cloak.Initialize();
cloak.CloakRegion(address, size, CloakMethod::GuardPage);

// Scan for injections
cloakware::analysis::MemoryScanner scanner;
auto findings = scanner.ScanProcess(pid);

Documentation

Project Structure

src/
  inject/          Injection technique implementations
  cloak/           Memory cloaking and hiding techniques
  analysis/        Detection and scanning tools
  utils/           Process utilities and syscall stubs
tests/             Unit tests
docs/              Technical documentation

Requirements

  • Windows 10/11 (x64)
  • Visual Studio 2019+ or MinGW-w64
  • CMake 3.15+

Disclaimer

This software is provided for authorized security research and educational purposes only. Use of these techniques against systems without explicit authorization is illegal. The authors are not responsible for misuse.

Contact

Support

Help keep BypassCore open-source and independent.

Network Address
Polygon 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a
Ethereum 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a
BSC 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a
Arbitrum 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a
Optimism 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a
Avalanche 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a

USDT / USDC / ETH / BNB accepted on all networks.

License

MIT License - Copyright (c) 2018-2026 BypassCore Labs