Repository index record: `X-3306/Project-Onyx` (owner X-3306); language: C; license: GNU General Public License v3.0; default branch: `main`; stars: 100; forks: 13; watchers: 2; open issues: 0; updated: 2026-06-12 02:04:03; last sync: 2026-06-11 04:01:13. Topics: ai, av-bypass, chain, cpp, cryptography, edr-evasion, in-memory-execution, malware-development, monolithic, onnx, onnxruntime, redteam, reverse-engineering, security-research, systems-security, wasm, webassembly, windows.

![Banner](banner.png)

# Project Onyx
Advanced EDR Evasion via AI Telemetry Spoofing & WASM Sandboxing. Project Onyx is a PoC Red Team pipeline designed to demonstrate advanced evasion techniques against modern EDR systems. It shifts away from traditional signature-based obfuscation towards behavioral camouflage and strict environmental keying.

Research Perspective: The goal of Project Onyx is not to claim a working bypass of production EDR systems; it is to explore what an unconventional, multi-layer pipeline could look like if each concept were developed further. The individual components (AI telemetry camouflage, environmental keying, in-memory WASM execution) are implemented and functional as a chain, but each layer would require significantly deeper research to be meaningful against real-world defenses. This project is best understood as an architectural sketch and a starting point for that kind of exploration.

## Core Concepts

1. **AI Decoy (Behavioral Camouflage):** Modern EDRs monitor API calls and execution flows. Project Onyx embeds a legitimate, functional ONNX neural network (a tiny MLP). Before any malicious logic is executed, the host runs a real tensor inference workload using Microsoft's `onnxruntime`. This generates legitimate AI execution telemetry, masking the true intent of the process.
2. **Environmental Keying:** The payload cannot be analyzed in a sandbox or by a reverse engineer without the exact target machine. The decryption keys are dynamically derived from a SHA-256 hash of the target's `MachineGuid`, `Volume Serial`, and `Current User SID`.
3. **WASM Sandboxing:** The actual payload is compiled to WebAssembly (WASM) and executed entirely in-memory using the `wasm3` interpreter. The host C++ application acts merely as a loader and API bridge, exposing safe host functions to the WASM sandbox.
4. **Cryptographic Vault:** The AES-256 key required to decrypt the WASM payload is not stored in the binary. It is locked inside the ONNX model's metadata, protected by PBKDF2-HMAC-SHA256 and HKDF-SHA256 key derivation, and verified via constant-time HMAC checks.

![Project Onyx Chain](diagram0.png)

See `docs/architecture.md` for the full end-to-end technical sketch.

## ⚠️ Legal Disclaimer

This project is created solely for educational purposes, security research, and authorized Red Team operations.

The techniques demonstrated in this repository (Project Onyx) are intended to help security professionals understand advanced evasion methods and improve endpoint defenses (EDR/XDR).

**Do not use this software on any system or network that you do not own or have explicit, written permission to test.**

The author of this project (X-3306) assumes no liability and is not responsible for any misuse, damage, or illegal activities caused by the use of this software. By downloading, compiling, or using this code, you agree to take full responsibility for your actions.

## Repository Layout

- `DiagnosticsTool.cpp` - C++ Windows host and Wasm3/ONNX integration.
- `DiagnosticsTool.rc` / `resource.h` - resource bindings for generated assets.
- `build.py` - helper for fingerprinting, ONNX bait/vault generation, and WASM encryption.
- `wasm_license_module/` - Rust source for the WebAssembly heartbeat module.
- `wasm3/source/` - minimal vendored Wasm3 source required by the CMake build.
- `assets/README.md` - generated asset formats.
- `docs/architecture.md` - full runtime chain and architecture notes.
- `docs/technical-writeup.md` - short narrative for the PoC.

## Prerequisites

Install these on Windows before building:

- Visual Studio 2022 with the "Desktop development with C++" workload.
- CMake 3.25 or newer.
- Python 3.10 or newer.
- Rustup and Cargo.
- Git.

Python dependencies:

```powershell
py -m pip install onnx numpy cryptography
```

Rust target:

```powershell
rustup target add wasm32-unknown-unknown
```

## ONNX Runtime Static Build

The CMake file expects an ONNX Runtime source/build tree at `./onnxruntime` and links the static component libraries from:

- `onnxruntime/build/Windows/Release/Release`
- `onnxruntime/build/Windows/Release/vcpkg_installed/x64-windows-static-md/lib`

From a Developer PowerShell for VS 2022, build ONNX Runtime like this:

```powershell
git clone --recursive https://github.com/microsoft/onnxruntime.git onnxruntime
.\onnxruntime\build.bat --config Release --parallel --compile_no_warning_as_error --skip_tests --build_shared_lib --use_vcpkg --cmake_extra_defines VCPKG_TARGET_TRIPLET=x64-windows-static-md onnxruntime_BUILD_UNIT_TESTS=OFF
```

The generated `onnxruntime.dll` is not shipped with Project Onyx. Project Onyx links the static component `.lib` files, and the final executable should not list `onnxruntime.dll` in `dumpbin /DEPENDENTS`.

## Generate Assets

Get the fingerprint hash for the current Windows device:

```powershell
python build.py fingerprint --show-components
```

Use the second printed line as the `--trigger` value.

Build the Rust WebAssembly module:

```powershell
cargo build --manifest-path wasm_license_module/Cargo.toml --target wasm32-unknown-unknown --release
```

Generate `assets/model.onnx` and `assets/license_module.wasm.aes`:

```powershell
python build.py build `
  --trigger "<64-char lowercase fingerprint hash>" `
  --secret "<exactly-32-demo-key-chars>" `
  --model-output assets/model.onnx `
  --wasm-input wasm_license_module/target/wasm32-unknown-unknown/release/wasm_license_module.wasm `
  --wasm-output assets/license_module.wasm.aes
```

Verify the ONNX metadata vault:

```powershell
python build.py verify --trigger "<64-char lowercase fingerprint hash>" --model assets/model.onnx
```

## Final Build

Configure and build the release executable:

```powershell
cmake -S . -B build -G "Visual Studio 17 2022" -A x64
cmake --build build --config Release
```

The final executable is:

```text
build\Release\ProjectOnyx.exe
```

Optional dependency check:

```powershell
& "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.44.35207\bin\Hostx64\x64\dumpbin.exe" /DEPENDENTS build\Release\ProjectOnyx.exe
```

Expected: no `onnxruntime.dll` dependency.

## Webhook Configuration

The project does not embed a real webhook URL. For authorized lab runs, set:

```powershell
$env:PROJECT_ONYX_SLACK_WEBHOOK_URL = "https://hooks.slack.com/services/..."
.\build\Release\ProjectOnyx.exe
```

(You can also use a Teams webhook.)

The variable must be visible to the process that starts `ProjectOnyx.exe`. If you double-click the executable, set it as a user or system environment variable first, then open a new terminal or restart Explorer.

## Scope

The demo does not include persistence, privilege escalation, credential access, lateral movement, command execution, destructive behavior, or bundled private webhook tokens. The WebAssembly module is constrained to formatting and returning a heartbeat JSON as a simple PoC.

Summary from the index record: Project Onyx is a proof-of-concept project that demonstrates advanced evasion techniques against modern EDR systems. Through AI-generated telemetry camouflage and WASM sandboxing, it implements the core shift from traditional signature-based obfuscation to behavioral camouflage and strict environmental keying. The project is written in C and uses ONNX and WebAssembly to hide the behavior of malicious code and execute it in memory, while environment-specific keys ensure that the payload can be decrypted and run only on a specific target machine. It is intended for security researchers, red team members, and developers interested in endpoint defense mechanisms, for use in legally authorized security testing scenarios.