Saad AHLA's repositories
FilelessPELoader
Load a remote AES-encrypted PE in memory, decrypt it and run it
Shellcode-Hide
This repo contains: a simple shellcode loader, encoders (base64, custom, UUID, IPv4, MAC), encryptors (AES) and fileless loaders (WinHTTP, socket)
NTDLLReflection
Bypass userland EDR hooks by loading a reflective ntdll in memory from a remote server (selected by Windows ReleaseID) to avoid opening a handle to ntdll, and call exported APIs from its export table
UnhookingPatch
Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime
PE-Obfuscator
PE obfuscator with Evasion in mind
ntdlll-unhooking-collection
Different ntdll unhooking techniques: unhooking ntdll from disk, from KnownDlls, from a suspended process, and from a remote server (fileless)
BlockOpenHandle
Block any process from opening a handle to your process; only SYSTEM is allowed to open a handle to it, which lets you avoid remote memory scanners
D1rkInject
Another approach to the threadless injection discovered by @_EthicalChaos_, in C, that loads a module into the target process, stomps it, and then reverts the memory protections and original memory state
StackCrypt
Create a new thread that suspends every other thread and encrypts its stack, then sleeps, then decrypts the stacks and resumes the threads
AMSI_patch
Patching AmsiOpenSession by forcing an error branching
VT-stealer
VirusTotal Stealer is a data exfiltration tool that exfiltrates Office documents and tunnels them over the VirusTotal API to the team server
BlockNonMSModules
Set the process mitigation policy to load only Microsoft modules, and block any userland third-party modules
APTs_clone
This repository focuses on replicating the behavioral patterns observed in well-documented APT campaigns.
SweetDreams
Implementation of Advanced Module Stomping and Heap/Stack Encryption
ocd-mindmaps
Orange Cyberdefense mindmaps