Stars
An even funnier way to disable Windows Defender (through the WSC API).
Nidhogg is an all-in-one, simple-to-use Windows kernel rootkit.
Remove AV/EDR kernel callbacks: ObRegisterCallbacks, CmRegisterCallback, MiniFilter callbacks, PsSetCreateProcessNotifyRoutine callbacks, PsSetCreateThreadNotifyRoutine callbacks, PsSetLoadImageNotifyRoutine callbacks...
Deploy stealthy reverse shells using advanced process hollowing with GhostStrike – a C++ tool for ethical hacking and Red Team operations.
EDR-Freeze is a tool that puts a process of EDR, AntiMalware into a coma state.
A technique that can be used to bypass AV/EDR memory scanners. This can be used to hide well-known and detected shellcodes (such as msfvenom) by performing on-the-fly decryption of individual encry…
This is the tool to dump the LSASS process on modern Windows 11
A sophisticated, covert Windows-based credential dumper using C++ and MASM x64.
DCOM Lateral movement POC abusing the IMsiServer interface - uploads and executes a payload remotely
Obfusk8: lightweight Obfuscation library based on C++17 / Header Only for windows binaries
Tools for interacting with authentication packages using their individual message protocols
A C++ proof of concept demonstrating the exploitation of Windows Protected Process Light (PPL) by leveraging COM-to-.NET redirection and reflection techniques for code injection. This PoC showcases…
Abusing Windows fork API and OneDrive.exe process to inject the malicious shellcode without allocating new RWX memory region.
This is the loader that supports running a program with Protected Process Light (PPL) protection functionality.
Bypass Credential Guard by patching WDigest.dll using only NTAPI functions
HTran is a connection bouncer, a kind of proxy server. A “listener” program is hacked stealthily onto an unsuspecting host anywhere on the Internet. When it receives signals from the actual target…
SetupHijack is a security research tool that exploits race conditions and insecure file handling in Windows application installer and update processes.
KittyLoader is a highly evasive loader written in C / Assembly
Run native PE or .NET executables entirely in-memory. Build the loader as an .exe or .dll—DllMain is Cobalt Strike UDRL-compatible
User-mode code and its rootkit that kill EDR processes permanently by registering a process-creation-blocking kernel callback routine and calling ZwTerminateProcess.
RunAs Utility Credential Stealer implementing 3 techniques: hooking CreateProcessWithLogonW, smart keylogging, remote debugging
Lightweight HTTP client with modern GUI for Linux
Library that eases the use of indirect syscalls. Quite interesting AV/EDR bypass as PoC.
Remote DLL Injection with Timer-based Shellcode Execution