There are 18 repositories under windows-internals topic.
PoCs and tools for investigation of Windows process execution techniques
An easy-to-use library for emulating memory dumps. Useful for malware analysis (config extraction, unpacking) and dynamic analysis in general (sandboxing).
Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".
An advanced tool for working with access tokens and Windows security policy.
A wrapper library around native windows sytem APIs
:fish: PoC of a VBA macro spawning a process with a spoofed parent and command line.
My notes while studying Windows internals
Manipulating and Abusing Windows Access Tokens.
The history of Windows Internals via symbols.
Livro: Engenharia Reversa - Fundamentos e Prática
Intercept Windows Named Pipes communication using Burp or similar HTTP proxy tools
Single header version of System Informer's phnt library.
A reference of Windows API function calls, including functions for file operations, process management, memory management, thread management, dynamic-link library (DLL) management, synchronization, interprocess communication, Unicode string manipulation, error handling, Winsock networking operations, and registry operations.
Delphi library for system programming on Windows using Native API
WNF Utilities 4 Newbies (WNFUN)
Research project - make an anti-cheat to detect: memory editing, debugging, injected modules, test signing mode, etc
DLL Injector (LoadLibrary) in C++ (x86 / x64) - LoadLibrary DLL injector
An example of a client and server using Windows' ALPC functions to send and receive data.
Static user/kernel mode library that allows access to all functions and global variables by extracting offsets from the PDB
Custom LoadLibrary / GetProcAddress (x86 / x64) - Load DLL and retrieve functions manually
PoC for detecting and dumping code injection (built and extended on UnRunPE)
Tool to find code cave in PE image (x86 / x64) - Find empty space to place code in PE files
PE Explorer in C++ (x86 / x64) - PE file parser, retrieve exports and imports
Driver demonstrating how to register a DPC to asynchronously wait on an object
Windows 10 PE image loader (LDR) NTDLL component toolbox
Slides from various conference talks
A class to gather information about a process, its threads and modules.
An example of how to use Microsoft Windows Warbird technology
A small library to extend the functionality of GetModuleHandle and GetProcAddress to other processes
Shellcode execution via x86 inline assembly based on MSVC syntax
Dump syscall numbers from ntdll.dll