hfiref0x

UACME

Defeating Windows User Account Control

KDU

Kernel Driver Utility

WinObjEx64

Windows Object Explorer 64-bit

SyscallTables

Windows NT x64 Syscall tables

TDL

Driver loader for bypassing Windows x64 Driver Signature Enforcement

VBoxHardenedLoader

VirtualBox VM detection mitigation loader

UPGDSED

Universal PatchGuard and Driver Signature Enforcement Disable

DSEFix

Windows x64 Driver Signature Enforcement Overrider

NtCall64

Windows NT x64 syscall fuzzer

WDExtract

Extract Windows Defender database from vdm files and unpack it

CVE-2015-1701

Win32k LPE vulnerability used in APT attack

WubbabooMark

Debugger Anti-Detection Benchmark

LightFTP

Small x86-32/x64 FTP Server

VMDE

Source from VMDE paper, adapted to 2015

ZeroAccess

ZeroAccess v3 toolkit

SXSEXP

Expand compressed files from WinSxS folder

Stryker

Multi-purpose proof-of-concept tool based on CPU-Z CVE-2017-15303

AuthHashCalc

Authenticode Hash Calculator for PE32/PE32+ files

MpEnum

Enumerate Windows Defender threat families and dump their names according category

Misc

Miscellaneous Code and Docs

ROCALL

ReactOS x86-32 syscall fuzzer

BSODScreen

BSOD Screensaver

AsIo3Unlock

ASUSTeK AsIO3 I/O driver unlock

al-khaser

(This is a fork used primarily to submit patches into upstream repository) Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.

RpcView

(This is a fork used primarily to submit patches into upstream repository) RpcView is a free tool to explore and decompile Microsoft RPC interfaces

LightFTP_win

Vault

Various code from the past (for historical purposes)

hfiref0x.github.io

pdbex

(This is a fork used primarily to submit patches into upstream repository) pdbex is a utility for reconstructing structures and unions from the PDB into compilable C headers

AR4FFC

Archive repository for fast fact-checks