evasion-technique-integrate

Fail

Audited by Socket on Apr 22, 2026

5 alerts found:

Anomaly, Malware x4

Anomaly (LOW)
evals/recall.json

No malware is implemented directly in this snippet (it is declarative JSON). However, the configuration explicitly instructs integration of multiple offensive evasion techniques (anti-debug/AMSI/unhooking/bypass/syscall/api-hashing) into an attack-payload methodology and is designed to steer automated tool/LLM retrieval via expected skill-read/list calls. This is a suspicious, abuse-enabling supply-chain artifact and warrants review of the consuming harness/workflow and the origin/permissioning of any content it retrieves or generates.

Confidence: 66%, Severity: 62%

Malware (HIGH)
SKILL.md

MALICIOUS. The skill is explicitly designed to help an AI agent enhance loaders with stealth, bypass, and anti-analysis techniques associated with malware evasion. Even without external downloads or credential theft, its purpose and execution flow are fundamentally incompatible with benign agent assistance.

Confidence: 97%, Severity: 98%

Malware (HIGH)
evals/evals.json

This artifact is not a benign software module; it is a high-risk instruction/prompt specification that directly guides implementation of stealthy Windows shellcode/loader evasion techniques (RW→RX permission flipping using VirtualProtect and runtime API resolution via API hashing and PEB/LDR export lookup). No executable behavior occurs in this snippet, but the explicit malicious intent and specificity make it a strong supply-chain security concern.

Confidence: 88%, Severity: 98%

Malware (HIGH)
references/evasion-techniques-db.json

This JSON manifest is a dual-use offensive techniques catalogue that primarily documents actionable Windows evasion, injection, and privilege-escalation methods with concrete code templates and byte-level examples. While the file itself is not executable, its content materially lowers the effort to build malware: it contains ready-to-use primitives (syscall stubs, memory patching, AMSI/ETW bypass patterns, driver IOCTL abuse, payload download/decode flows). Inclusion of this document in a software package intended for general use constitutes a significant supply-chain security risk and should be treated as potentially malicious/abusable content. Recommend blocking or isolating use, performing code provenance review, and ensuring packages exposing or compiling these templates are not used in production environments without strict oversight.

Confidence: 75%, Severity: 85%

Malware (HIGH)
references/integration-patterns.md

This snippet is highly suspicious and aligns with malware/loader defense-evasion guidance: it describes executable-memory staging (RW→RX), anti-analysis termination, AMSI bypass via in-memory patching of AmsiScanBuffer, syscall/hook-evading execution patterns, and ntdll unhooking by remapping and overwriting .text. Even though it is reference/documentation-style rather than a complete program, the provided actionable tradecraft indicates malicious intent. Treat any package distributing such content as high risk until proven otherwise by broader context and usage analysis.

Confidence: 72%, Severity: 90%

Audit Metadata

Analyzed At: Apr 22, 2026, 10:10 AM

Package URL: pkg:socket/skills-sh/wgpsec%2FAboutSecurity%2Fevasion-technique-integrate%2F@9d30a4e7688d62f00cead4414600e9ca6b4b8213