꿀보's repositories
AppCompatCacheParser
AppCompatCache (shimcache) parser. Supports Windows 7 (x86 and x64), Windows 8.x, and Windows 10
bug-bounty
list of bug bounty writeups
bulk_extractor
This is the development tree. Production downloads are at:
ceload
Loading dbk64.sys and grabbing a handle to it
donut
Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
eac-mapper
undetected eac mapper
ept-hook-detection
Different approaches to detecting EPT hooks
hygieia
Hygieia, a vulnerable-driver trace scanner written in C++ as an x64 Windows kernel driver.
hypervisor
Hypervisor and EPT hooking experiments.
KernelCallbackTable-Injection
Code used in this post https://captmeelo.com/redteam/maldev/2022/04/21/kernelcallbacktable-injection.html
KillDefender
A small PoC to make Defender useless by removing its token privileges and lowering the token integrity
MapPage
Mapping your code on a 0x1000 size page
ntfstool
Forensics tool for NTFS (parser, mft, bitlocker, deleted files)
Prefetch
Windows Prefetch parser. Supports all known versions from Windows XP to Windows 10.
PrivFu
Kernel mode WinDbg extension and PoCs for token privilege investigation.
Process-Hollowing
Great explanation of Process Hollowing (a technique often used in malware)
process_ghosting
Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file
process_overwriting
Yet another variant of Process Hollowing
PSBits
Simple (mainly PowerShell) solutions allowing you to dig a bit deeper than usual.
RECmd
Command line access to the Registry
Registry
Full featured, offline Registry parser in C#
RIPPL
RIPPL is a tool that abuses a usermode only exploit to manipulate PPL processes on Windows
Shark
Turn off PatchGuard in real time for Windows 7 (7600) and later
srum-dump
A forensics tool to convert the data in the Windows SRUM (System Resource Usage Monitor) database to an xlsx spreadsheet.
transacted_hollowing
Transacted Hollowing - a PE injection technique, a hybrid between Process Hollowing and Process Doppelgänging
WinToast
WinToast is a lightweight library written in C++ which brings a complete integration of the modern toast notifications of Windows 8 & Windows 10. Toast notifications allow your app to inform users about relevant information and timely events that they should see and take action upon inside your app, such as a new instant message, a new friend request, breaking news, or a calendar event.