# tl;dr
This post is about the release and usage of `noWatch`, a simple utility to aid in EDR evasion testing.
The tool is available on [GitHub](https://github.com/zimnyaa/noWatch).
# motivation
This tool was created as a drop-in replacement for a C2 implant when exploring EDR detections. It supports a bare minimum of the actions a real C2 framework implements and exposes them through an interactive console, so each one can be tried on its own and the EDR's reaction observed.
It also provides detection and runtime disassembly of userland (inline) hooks, plus some memory-enumeration functionality.
# features
Inline disassembly (of exports resolved through `GetProcAddress` as well as arbitrary addresses) with `distorm3` (very unreliable):
![[Pasted image 20220424153724.png]]
![[Pasted image 20220424171716.png]]
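What the `jmphooks` / `disas` workflow boils down to is reading the first bytes of an export and deciding whether they still look like the original stub or like a jump planted by the EDR. The following is an added example written for this post, not code from `noWatch`: it classifies a prologue from raw bytes and resolves the jump target, so it runs offline. The function names (`classify_prologue`, `find_hooks`), the sample byte strings and the addresses are all constructed for illustration; on Windows you would fill `SAMPLE_EXPORTS` from `ctypes.string_at(GetProcAddress(...), 16)` instead.

```python
"""Userland inline-hook check on raw prologue bytes.

Added example for this post, not code from noWatch. It works on byte strings so
it can run offline; on Windows the bytes would come from
ctypes.string_at(GetProcAddress(GetModuleHandleW("ntdll.dll"), name), 16).
"""
import struct

MASK64 = (1 << 64) - 1


def classify_prologue(addr: int, code: bytes) -> dict:
    """Describe the first instruction(s) at `addr`.

    `addr` is the virtual address the bytes were read from; it is needed to
    resolve rel32 and RIP-relative operands. Returns a dict with keys
    kind, hooked, target (resolved jump target or pointer slot, or None)
    and ssn (system service number for a clean x64 Nt* stub, else None).
    """
    if len(code) < 16:
        raise ValueError("read at least 16 bytes of the prologue")
    # E9 rel32: jmp rel32, the usual 5-byte inline hook. target = next_ip + rel32.
    if code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return dict(kind="jmp_rel32", hooked=True, target=(addr + 5 + rel) & MASK64, ssn=None)
    # FF 25 disp32: jmp qword ptr [rip+disp32]. The target sits in an 8-byte slot,
    # so the slot address is reported; the caller has to dereference it.
    if code[0] == 0xFF and code[1] == 0x25:
        disp = struct.unpack_from("<i", code, 2)[0]
        return dict(kind="jmp_rip_indirect", hooked=True, target=(addr + 6 + disp) & MASK64, ssn=None)
    # 48 B8 imm64 / FF E0: mov rax, imm64 ; jmp rax (12 bytes, absolute target).
    if code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return dict(kind="mov_rax_jmp_rax", hooked=True, target=struct.unpack_from("<Q", code, 2)[0], ssn=None)
    # 68 imm32 / C3: push imm32 ; ret (32-bit style hook, low-address targets only).
    if code[0] == 0x68 and code[5] == 0xC3:
        return dict(kind="push_ret", hooked=True, target=struct.unpack_from("<I", code, 1)[0], ssn=None)
    # 4C 8B D1 B8 ssn: mov r10, rcx ; mov eax, ssn -- an untouched x64 Nt* syscall stub.
    if code[:4] == b"\x4C\x8B\xD1\xB8":
        return dict(kind="syscall_stub", hooked=False, target=None, ssn=struct.unpack_from("<I", code, 4)[0])
    return dict(kind="unknown", hooked=False, target=None, ssn=None)


def find_hooks(exports: dict) -> dict:
    """Run classify_prologue over {name: (addr, bytes)} and return only the hooked entries."""
    report = {}
    for name, (addr, code) in exports.items():
        info = classify_prologue(addr, code)
        if info["hooked"]:
            report[name] = info
    return report


# Constructed sample prologues (not dumped from a real system); addresses are arbitrary.
SAMPLE_EXPORTS = {
    # clean stub: mov r10,rcx ; mov eax,0x18 ; test byte ptr [7ffe0308],1 ; ...
    "NtAllocateVirtualMemory": (0x7FFD12340D80, bytes.fromhex("4c8bd1b818000000f604250803fe7f01")),
    # 5-byte jmp rel32 hook (rel32 = 0x21FFB) followed by padding
    "NtProtectVirtualMemory": (0x7FFD12341000, bytes.fromhex("e9fb1f0200" + "90" * 11)),
    # mov rax, 0x7ffd20000000 ; jmp rax ; int3 padding
    "NtWriteVirtualMemory": (0x7FFD12341180, bytes.fromhex("48b8" + "00000020fd7f0000" + "ffe0" + "cccccccc")),
}


if __name__ == "__main__":
    for name, info in find_hooks(SAMPLE_EXPORTS).items():
        print(f"{name}: {info['kind']} -> {info['target']:#x}")
```

The resolved `target` is what you would feed to `disas_addr` next: for a `jmp rel32` hook it is the EDR's trampoline, for a RIP-relative `jmp [rip+disp32]` it is only the pointer slot and has to be dereferenced first.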
Basic in-memory evasion techniques, exposed as the `refresh` (FreshCopy unhooking), `unhook_bof`, `patchetw` and `patchamsi` commands:
![[Pasted image 20220424155750.png]]
![[Pasted image 20220424155756.png]]
![[Pasted image 20220424155804.png]]
Managed code loading simulation with `loadclr` and `loadpsh`:
![[Pasted image 20220424171808.png]]
Basic local and remote shellcode injection techniques:
![[Pasted image 20220424155812.png]]
![[Pasted image 20220424155817.png]]
And some other miscellaneous stuff that can be used to simulate malicious activity:
![[Pasted image 20220424155834.png]]
# usage scenarios
`noWatch` can be used as a standalone executable to explore EDR hooks (or benchmark EDR solutions):
```text
listdlls ->
jmphooks ->
disas HookedFunction ->
disas_addr HookAddr
```
Alternatively, since `noWatch` allocates its own console window, it can be injected into a target process with a loader of your choice and then used to test various post-exploitation activities without setting up a dedicated testing C2.
For injection, compile the executable with a relocation table by passing `--passL:-Wl,--dynamicbase` to the Nim compiler; without relocations the image cannot be fixed up when it is mapped at a base other than the one it was linked for.
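Before spending time on a loader it is worth confirming that the build really produced a relocatable image rather than trusting the linker flag: both `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` in the optional header and a non-empty base relocation directory (with `IMAGE_FILE_RELOCS_STRIPPED` clear in the COFF header) are needed. The script below is an added example for this post, not part of `noWatch`; `relocation_info`, `can_be_relocated` and `build_minimal_pe` are names chosen here, and the header that `build_minimal_pe` produces is a constructed fixture with no sections, used only so the check can be exercised offline.

```python
"""Check that a PE image can be relocated before you inject it.

Added example for this post, not code from noWatch. It parses just enough of
the PE headers to see the two things injection into a foreign process needs:
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE set, and a non-empty base relocation
directory (with IMAGE_FILE_RELOCS_STRIPPED clear). `build_minimal_pe` is a
constructed test fixture with no sections; it is not a loadable image.
"""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def relocation_info(data: bytes) -> dict:
    """Read the relocation-related header fields from a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    _machine, _nsec, _ts, _symp, _nsym, _optsize, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:      # PE32+: data directories start at offset 112
        dd_off = 112
    elif magic == 0x10B:    # PE32: data directories start at offset 96
        dd_off = 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    reloc_rva, reloc_size = struct.unpack_from("<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "reloc_rva": reloc_rva,
        "reloc_size": reloc_size,
    }


def can_be_relocated(data: bytes) -> bool:
    """True only if the image advertises ASLR support and actually carries relocations."""
    info = relocation_info(data)
    return info["dynamic_base"] and not info["relocs_stripped"] and info["reloc_size"] > 0


def build_minimal_pe(dynamic_base: bool, reloc_size: int, relocs_stripped: bool = False) -> bytes:
    """Constructed PE32+ header only (no sections), for exercising the parser offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> PE signature right after the DOS header
    characteristics = 0x0022                               # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    if relocs_stripped:
        characteristics |= IMAGE_FILE_RELOCS_STRIPPED
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, characteristics)
    opt = bytearray(240)                                   # PE32+ optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x3000 if reloc_size else 0, reloc_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    # Pass the path of the compiled noWatch.exe to check a real build; otherwise use the fixture.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(True, 0x40)
    print(relocation_info(data), "relocatable:", can_be_relocated(data))
```

Run it against the compiled binary (`python check_reloc.py noWatch.exe`, file name assumed); if `reloc_size` comes back as 0 even though `dynamic_base` is set, the linker dropped the `.reloc` section and the injected image will crash as soon as an absolute address is used.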