memfd_elf is a Linux fileless execution framework that downloads and executes ELF binaries in memory using memfd_create() , featuring self-deletion and process spoofing for security research and re…

Non HVCI Block listed - Microsoft signed driver exploited to kill AV/EDR's processes

A Windows 32-bit PE executable emulator for running classic Windows games and applications on modern systems.

An Open Phone Agent Model & Framework. Unlocking the AI Phone for Everyone

A tool to transform Chromium browsers into a C2 Implant

Windows Session Hijacking via COM

Command-line utility to turn on/off Windows Defender and Tamper Protection. Bypasses forced UAC dialogs and GUI interface requirements in Windows 11. Supports latest Windows 11 25H2. Features invis…

Phantom Keylogger is an advanced, stealth-enabled keystroke and visual intelligence gathering system.

Evade behavioral analysis by executing malicious code within trusted Microsoft call stacks, patchless hooking library IAT/EAT.

A tool to easily perform GitHub Device Code Phishing on red team engagements

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Pers…

Dynamic return address and stack call spoofer

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.

Modern security products (CrowdStrike, Bitdefender, SentinelOne, etc.) hook the nLoadImage function inside clr.dll to intercept and scan in-memory .NET assembly loads. This tool unhooks that functi…

High Fidelity Detection Mechanism for RSC/Next.js RCE (CVE-2025-55182 & CVE-2025-66478)

Using Chromium-based browsers as a proxy for C2 traffic.

A next.js web application that integrates AI capabilities with draw.io diagrams. This app allows you to create, modify, and enhance diagrams through natural language commands and AI-assisted visual…

Supports RSC fingerprinting and exploitation of the React component vulnerability CVE-2025-55182.

Windows 11 kernel research framework demonstrating DSE bypass on Windows 11 25H2 through boot-time execution. Loads unsigned drivers by surgically patching SeCiCallbacks via native subsystem. Inclu…

A PICO for Crystal Palace that implements CLR hosting to execute a .NET assembly in memory.

An open-source user mode debugger for Windows. Optimized for reverse engineering and malware analysis.

A C# utility for interacting with SCOM

Minimalistic HTTP(S) client for the NT kernel

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.

Patchless AMSI bypass using hardware breakpoints and a vectored exception handler to intercept AmsiScanBuffer and AmsiScanString before they execute. The bypass reads the 5th parameter (the AMSI re…

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals…

stealthy memory allocation

PrivKit is a simple beacon object file that detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS.

Agent for AdaptixC2 containing lateral movement capabilities ( WMI, SCM, WinRM, DCOM), bof/dotnet/shellocde in memory executions, postex modules with shellcode and bof with possibilities of fork ex…