Benjamin Heise's repositories
FilelessPELoader
Loading a remote AES-encrypted PE in memory, decrypting it and running it
blacklotus
An attempt at replicating BLACKLOTUS capabilities, whilst not acting as a direct mimic.
BlackLotus-1
BlackLotus UEFI Windows Bootkit
bootdoor-1
An initial proof of concept of a bootkit based on Cr4sh's DMABackdoorBoot
CheckHooks-n-load
A Windows stager-cum-PE loader focusing on dynamic EDR evasion, for when the operator wants to know the underlying functions' hooks and then craft an implant based on that condition.
titanldr-ng
A newer iteration of TitanLdr with some newer hooks and design. A generic user-defined reflective DLL I built to prove a point to Mudge years ago.
yetAnotherObfuscator
C# obfuscator that bypasses Windows Defender
Black-Angel-Rootkit
Black Angel is a Windows 11/10 x64 kernel mode rootkit. The rootkit can be loaded with DSE enabled while maintaining its full functionality.
bootlicker
A generic UEFI bootkit used to achieve initial usermode execution. It works with modifications.
CodeCave
A bunch of scripts and code I wrote.
Cronos-Rootkit
Cronos is a Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes, and protect and elevate them with token manipulation.
CVE-2022-21894
baton drop (CVE-2022-21894): Secure Boot Security Feature Bypass Vulnerability
EntropyReducer
Reduce entropy and obfuscate your payload with serialized linked lists
Havoc
The Havoc Framework
Marble
The CIA's Marble Framework is designed to allow for flexible and easy-to-use obfuscation when developing tools.
NativePayloads
All my Source Codes (Repos) for Red-Teaming & Pentesting + Blue Teaming
no-defender
A slightly more fun way to disable Windows Defender (through the WSC API).
nullmap
Using CVE-2023-21768 to manually map a kernel mode driver
PoolParty
A set of fully-undetectable process injection techniques abusing Windows Thread Pools
realoriginal-preboot
Experimenting with d_olex's firmware and conducting a "preboot" attack
reveng_rtkit
Linux Loadable Kernel Module (LKM) based rootkit (ring-0), capable of hiding itself and processes/implants, rmmod-proof, and able to bypass the infamous rkhunter anti-rootkit.
ThreadlessInject-BOF
BOF implementation of @_EthicalChaos_'s ThreadlessInject project. A novel process injection technique with no thread creation, released at BSides Cymru 2023.
touch-vtt
Introduces touch screen support to FoundryVTT
WMIProcessWatcher
A CIA tradecraft technique to asynchronously detect when a process is created using WMI.