# tl;dr

This post is about the release and usage of `noWatch`, a small utility to aid in EDR evasion testing. The tool is available on [GitHub](https://github.com/zimnyaa/noWatch).

# motivation

This tool was created to serve as a drop-in replacement for a C2 implant when exploring EDR detections. It was designed to support a bare minimum of the actions a real C2 framework implements and to provide a console for trying them out interactively. It also provides detection and runtime disassembly of userland hooks, plus some memory-enumeration functionality.

# features

Inline disassembly (both of exports resolved through `GetProcAddress` and of arbitrary addresses) using `distorm3` (very unreliable):

![[Pasted image 20220424153724.png]]
![[Pasted image 20220424171716.png]]

Basic in-memory evasion techniques: `refresh` (FreshCopy-style unhooking, i.e. restoring a hooked DLL's `.text` section from a clean copy of the file), `unhook_bof`, `patchetw` and `patchamsi`:

![[Pasted image 20220424155750.png]]
![[Pasted image 20220424155756.png]]
![[Pasted image 20220424155804.png]]

Managed code loading simulation with `loadclr` and `loadpsh`:

![[Pasted image 20220424171808.png]]

Basic local and remote shellcode injection techniques:

![[Pasted image 20220424155812.png]]
![[Pasted image 20220424155817.png]]

And some other miscellaneous commands that can be used to simulate malicious activity:

![[Pasted image 20220424155834.png]]

# usage scenarios

`noWatch` can be used as a standalone executable to explore EDR hooks (or to benchmark EDR solutions). A typical session is: list the loaded modules, scan their exports for prologues that start with a `jmp`, then disassemble the hooked function and follow the jump to the EDR's trampoline:

```
listdlls -> jmphooks -> disas HookedFunction -> disas_addr HookAddr
```

Alternatively, since `noWatch` allocates its own console window, it can be injected into a process with a loader of your choice and then used to test various post-exploitation activities without setting up a dedicated testing C2. For injection you will need to compile the executable with a relocation table, which for the Nim compiler means passing `--passL:-Wl,--dynamicbase` to the linker: an injected image is almost never mapped at its preferred base, so the loader has to apply base relocations, and MinGW-linked executables omit the `.reloc` section unless the linker is told to emit it.
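The check a `jmphooks`-style scan performs on each `Nt*` export, and the live-versus-disk comparison that a FreshCopy-style `refresh` relies on, as an added example that is not noWatch's own code. It runs over constructed byte strings (a Windows 10-shaped syscall stub, the same stub with a 5-byte `jmp` written over it, and two other common trampoline shapes) so it compiles and runs without Windows; on a real target the bytes would be read from the address `GetProcAddress` returns for the export, and the virtual address passed in would be that pointer. The SSN 0x18 and all addresses in the samples are illustrative, not taken from any particular build.

```c
/* Added example, not code from noWatch: the prologue check behind a
 * "jmphooks"-style scan and the live-vs-disk comparison behind a
 * FreshCopy-style "refresh", run over constructed byte strings so it builds
 * and runs without Windows. On a real target the bytes would be read from
 * the address GetProcAddress returns for each Nt* export. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    HOOK_NONE = 0,      /* untouched x64 syscall stub: mov r10,rcx / mov eax,SSN */
    HOOK_JMP_REL32,     /* E9 rel32            : direct inline trampoline */
    HOOK_JMP_INDIRECT,  /* FF 25 rel32         : jmp [rip+rel32] */
    HOOK_MOV_RAX_JMP,   /* 48 B8 imm64 / FF E0 : mov rax,target; jmp rax */
    HOOK_UNKNOWN        /* not a clean stub and no recognised trampoline */
} hook_kind;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint64_t rd64(const uint8_t *p)
{
    return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32;
}

/* Returns the syscall number if p starts with a clean stub, else UINT32_MAX. */
uint32_t stub_ssn(const uint8_t *p, size_t n)
{
    if (n < 8 || p[0] != 0x4C || p[1] != 0x8B || p[2] != 0xD1 || p[3] != 0xB8)
        return UINT32_MAX;
    return rd32(p + 4);
}

/* Classifies the first instruction at p, which was read from virtual
 * address va (needed to resolve rip-relative targets). *target receives the
 * trampoline destination; for FF 25 it is the address of the pointer slot. */
hook_kind detect_hook(const uint8_t *p, size_t n, uint64_t va, uint64_t *target)
{
    if (target) *target = 0;
    if (stub_ssn(p, n) != UINT32_MAX)
        return HOOK_NONE;
    if (n >= 5 && p[0] == 0xE9) {
        if (target) *target = va + 5 + (int64_t)(int32_t)rd32(p + 1);
        return HOOK_JMP_REL32;
    }
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) {
        if (target) *target = va + 6 + (int64_t)(int32_t)rd32(p + 2);
        return HOOK_JMP_INDIRECT;
    }
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0) {
        if (target) *target = rd64(p + 2);
        return HOOK_MOV_RAX_JMP;
    }
    return HOOK_UNKNOWN;
}

/* Convenience wrapper returning only the resolved trampoline target (0 if none). */
uint64_t hook_target(const uint8_t *p, size_t n, uint64_t va)
{
    uint64_t t;
    detect_hook(p, n, va, &t);
    return t;
}

/* FreshCopy-style check: offset of the first byte where the live image
 * differs from the clean on-disk copy, or n if the two match. */
size_t first_diff(const uint8_t *live, const uint8_t *disk, size_t n)
{
    size_t i = 0;
    while (i < n && live[i] == disk[i]) i++;
    return i;
}

/* Constructed sample: a clean Windows 10-shaped stub (SSN 0x18 is illustrative). */
const uint8_t CLEAN_STUB[24] = {
    0x4C,0x8B,0xD1, 0xB8,0x18,0x00,0x00,0x00, 0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01,
    0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E, 0xC3 };
/* Constructed sample: the same stub after a 5-byte "jmp +0x1000" was written over it. */
const uint8_t HOOKED_STUB[24] = {
    0xE9,0x00,0x10,0x00,0x00, 0x00,0x00,0x00, 0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01,
    0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E, 0xC3 };
/* Constructed samples for the other two trampoline shapes. */
const uint8_t INDIRECT_STUB[6] = { 0xFF,0x25, 0x10,0x00,0x00,0x00 };
const uint8_t MOVRAX_STUB[12]  = { 0x48,0xB8, 0xEF,0xBE,0xAD,0xDE,0x00,0x00,0x00,0x00, 0xFF,0xE0 };

int main(void)
{
    static const char *names[] = { "clean", "jmp rel32", "jmp [rip+x]", "mov rax/jmp rax", "unknown" };
    const uint64_t va = 0x7FFE10001000ULL;   /* pretend address of the export */
    uint64_t t;
    hook_kind k = detect_hook(HOOKED_STUB, sizeof HOOKED_STUB, va, &t);
    printf("live stub: %s -> 0x%llx (SSN from clean copy: 0x%x)\n",
           names[k], (unsigned long long)t, stub_ssn(CLEAN_STUB, sizeof CLEAN_STUB));
    printf("first byte differing from disk copy: %zu\n",
           first_diff(HOOKED_STUB, CLEAN_STUB, sizeof CLEAN_STUB));
    return 0;
}
```

Two things the sample makes visible that the command list does not: the SSN needed for a direct syscall survives only in the clean copy once the `mov eax, SSN` has been overwritten, and an `FF 25` trampoline resolves to a pointer slot that must be dereferenced (with `ReadProcessMemory` or a plain load) before the real EDR handler can be disassembled.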