Stars
A more stealthy variant of "DLL hollowing"
It's a minifilter used for transparent-encrypting.
PVE Debian/Ubuntu/ArchLinux virtual machine that emulates a physical machine to avoid (or resist) detection (PVE Debian/Ubuntu/ArchLinux virtual machine simulating a real machine to evade detection)
Hide Driver By MiProcessLoaderEntry
PoC memory injection detection agent based on ETW, for offensive and defensive research purposes
Utilizing TLS callbacks to execute a payload without spawning any threads in a remote process
This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification.
Kernel driver loader using a vulnerable Gigabyte driver (https://www.secureauth.com/labs/advisories/gigabyte-drivers-elevation-privilege-vulnerabilities) to load an unsigned driver
Waiting Thread Hijacking - injection by overwriting the return address of a waiting thread
ChimeraPE (a PE injector type - alternative to: RunPE, ReflectiveLoader, etc) - a template for manual loading of EXE, loading imports payload-side
Modified from MemoryModule; supports exceptions
Kernel DLL Injector using NX Bit Swapping and VAD hide for hiding injected DLL
x64 Windows PatchGuard bypass, register process-creation callbacks from unsigned code
Proof of Concepts code for Bring Your Own Vulnerable Driver techniques
CIA UAC bypass implementation that utilizes elevated COM object to write to System32 and an auto-elevated process to execute as administrator.
KDP compatible unsigned driver loader leveraging a write primitive in one of the IOCTLs of gdrv.sys