Lists (16)
Stars
Manual mapper that uses PTE manipulation, Virtual Address Descriptor (VAD) manipulation, and forceful memory allocation to hide executable pages. (VAD hide / NX bit swapping)
.NET assembly loader with patchless AMSI and ETW bypass
Ps-Tools, an advanced process monitoring toolkit for offensive operations
Linux post-exploitation agent that uses io_uring to stealthily bypass EDR detection by avoiding traditional syscalls.
A tiny Reverse Sock5 Proxy written in C :V
LLVM plugin to transparently apply stack spoofing and indirect syscalls to Windows x64 native calls at compile time.
Research on Windows Kernel Executive Callback Objects
Replace the .txt section of the current loaded modules from \KnownDlls\
New lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution.
A collection of proof-of-concept exploit scripts written by the STAR Labs team for various CVEs that they discovered or found by others.
DLL that hooks the NtQuerySystemInformation API and hides a process name
Hide Driver By MiProcessLoaderEntry
PoC memory injection detection agent based on ETW, for offensive and defensive research purposes
CobaltStrike BOF to spawn Beacons using DLL Application Directory Hijacking
Cobalt Strike BOF for evasive .NET assembly execution
WindowSpy is a Cobalt Strike Beacon Object File meant for automated and targeted user surveillance.
Huffman Coding in Shellcode Obfuscation & Dynamic Indirect Syscalls Loader.
A high performance LLVM-based dynamic binary instrumentation framework
Porting of BOF InlineExecute-Assembly to load .NET assembly in process but with patchless AMSI and ETW bypass using hardware breakpoint.