Avanguard is a Windows anti-injection library written in C++.
- [✔️] Threads filter (against CreateRemoteThread)
- [✔️] Modules filter
- [✔️] Memory filter (support of JIT-based languages)
- [✔️] Stacktrace checker
- [✔️] Windows hooks detection
- [✔️] AppInit_DLLs disabler
- [✔️] Memory mapping based injects detection
- [✔️] APC filter
- [✔️] Threads context filter (to prevent context stealing)
- [❌] HWID collector
- [❌] Java/C#/Delphi bindings and API
- [❌] Anti-macros (virtual input blocking)
- [❌] Anti-debugging techniques
- [❌] Self-modification support
- [❌] DACL-based protection

- HookLib - lightweight and convenient hook library written in pure C and NativeAPI
- Zydis - extremely lightweight disassembler
- t1ha - the fastest hash ever
- xorstr - a heavily vectorized C++17 compile-time string encryptor
First of all, clone it with all dependencies:
```
git clone --recursive https://github.com/HoShiMin/Avanguard.git
```
All you need is to build the Avanguard.dll and add it to your application's import table.
```cpp
#include <cstdio>
#include <Windows.h>
#include <AvnApi.h>

#pragma comment(lib, "Avanguard.lib")

int main()
{
    // Referencing one of Avanguard's symbols binds the DLL to your app:
    printf("[i] AvnStub: %p\n", Stub);

    // Keep the process alive:
    while (true) Sleep(1000);
}
```
Or you can add it to the import table manually using a PE editor such as CFF Explorer:
- Right click on your exe/dll
- Open with CFF Explorer
- `Import Adder` tree entry -> Add -> Choose Avanguard.dll
- Choose `Stub` -> Import by name -> Rebuild import table
- Go to `Import directory` tree entry
- Right click on Avanguard.dll -> Move up
- Move it to the top of the import list (this lets Avanguard.dll load before all other DLLs)
- Press the `save` button (💾 button at the top)
- Done! Now put Avanguard.dll in the same folder as your exe/dll.
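A build-time check for the ordering step above, as an added example that is not part of the Avanguard project: it parses a PE file's import directory and reports whether Avanguard.dll is the first imported DLL. The function names `import_dll_names` and `loads_first` are assumptions of this example.

```python
import struct
import sys

def import_dll_names(pe: bytes) -> list:
    """Return DLL names from the PE import directory, in on-disk order."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]              # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24                                           # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    # Data directories start 96 bytes (PE32) or 112 bytes (PE32+) into it.
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]
    import_rva = struct.unpack_from("<I", pe, dirs + 8)[0]  # directory entry 1
    sections = []
    for i in range(n_sections):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", pe, hdr + 8)
        sections.append((vaddr, max(vsize, rsize), rptr))

    def to_offset(rva):
        for vaddr, size, rptr in sections:
            if vaddr <= rva < vaddr + size:
                return rva - vaddr + rptr
        raise ValueError("RVA %#x is outside every section" % rva)

    names = []
    desc = to_offset(import_rva) if import_rva else None
    while desc is not None:
        fields = struct.unpack_from("<5I", pe, desc)        # IMAGE_IMPORT_DESCRIPTOR
        if not any(fields):                                 # all-zero terminator
            break
        start = to_offset(fields[3])                        # Name RVA
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii"))
        desc += 20
    return names

def loads_first(pe: bytes, dll: str = "Avanguard.dll") -> bool:
    """True when `dll` is the first entry of the import table."""
    names = import_dll_names(pe)
    return bool(names) and names[0].lower() == dll.lower()

if __name__ == "__main__":
    # Exit code 0 when Avanguard.dll is the first import, 1 otherwise.
    with open(sys.argv[1], "rb") as f:
        sys.exit(0 if loads_first(f.read()) else 1)
```

Run it against the rebuilt exe/dll after the CFF Explorer steps; a non-zero exit code means the import order needs fixing.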
You can change the enabled features in the `AvnDefinitions.h` file.
If you want to use it with JIT, you MUST enable `FEATURE_MEMORY_FILTER` to prevent false detections.