- Much more of a library; use Rasta’s fork for a more minimal implementation (adding the NuGet package to a project is an easy way to get flagged)
- Comes with four main features:
- Dynamic API calling ⇒ instead of explicitly importing a DLL's exported functions as with P/Invoke, the function's address is resolved in our own process's memory at runtime and invoked from there.
- Module Mapping ⇒ read a DLL from disk and manually map it into memory. Because the copy comes from disk rather than through the normal loader, the EDR's user-mode hooks are not present in its functions. The exported functions of that mapped DLL can then be called dynamically.
- Direct Syscalls ⇒ read ntdll.dll from disk to find the syscall stub of the Nt* function we want, map it into memory, write the syscall stub into memory, execute it, then free both the mapped ntdll and the stub.
- Module Overloading ⇒ read a DLL from disk and manually map it into memory, then overwrite the mapped image with a payload to execute (such as shellcode).