Stars
Aether is a Windows memory-forensics and threat-hunting tool that scans live process memory for malicious patterns, detects injection techniques, implant signatures, reflectively loaded .NET assembli…
Static devirtualizer for VMProtect 3.0-3.5. Lifts virtualized code to LLVM using Remill and strips the VM layer through optimization.
POC Highlighting Obfuscation Techniques used by FIN threat actors based on cmd.exe's replace functionality and cmd.exe/powershell.exe's stdin command invocation capabilities
Generate realistic synthetic security logs for cybersecurity threat hunting training and research
A Proof-of-Concept bootkit inspired by Petya ransomware, written in Assembly, C, and C++
Distill intent. Surface failure modes. Keep the plan current.
A pytest-native safety and security testing framework for agentic AI applications
A small, fast, JavaScript-based JavaScript parser
Recover and statically analyze manually-mapped DLLs whose PE headers are wiped at runtime. Pure-stdlib Python, no driver, no debugger required. Includes a Claude Code skill.
This repo contains the results of an internal re-write of impacket I undertook at my current company. It contains some of the IoCs found within the library
Autonomous Windows POC developer from patchwatch diff reports
A local tool for ingesting Windows Patch Tuesday CVEs, diffing patched binaries with Ghidriff and surfacing LLM-generated security analysis through a browser UI
Helping defenders learn and validate npm supply-chain detections with safe atomic tests.
Browse and diff ETW provider snapshots across Windows builds. Backed by ETWInspector.
LLVM based devirtualizer for the binaryshield software protector.
Shift Happens: Uncovering two built-in command injections in Windows context menus
Polymorphic PE rewriter for Windows x64, rewrites binaries into semantically identical but byte-different variants
Proof of concept to show that Edge stores credentials in cleartext
IDA plugin for automatic deobfuscation of opaque predicates by lifting microcode to z3 for SMT reasoning.
Copy Fail (CVE-2026-31431): 9-year-old Linux kernel LPE found by Theori's Xint Code
Security audit tool for Claude Desktop and Claude Code on macOS — single-command visibility into MCP servers, extensions, plugins, connectors, scheduled tasks, and permissions.