A improved memory obfuscation primitive using a combination of special and 'normal' Asynchronous Procedural Calls

Another unfinished doublepulsar RDP variant from years ago. Demonstrates hooking McsDispatch, never wrote the hook itself

An EDR bypass that prevents EDRs from hooking or loading DLLs into our process by hijacking the AppVerifier layer

Have fun with the LowFragmentationHeap

Windows 10 PE image loader (LDR) NTDLL component toolbox

Tooling to generate metadata for Win32 APIs in the Windows SDK.

Small application that can be used to log loader snaps and other debug output

A BOF that runs unmanaged PEs inline

LOJAX ROOTKIT (UEFI) +PDF Included[x]

An old memory introspection framework from 2019.

Unlicensed tiny / small portable implementation of 128/256-bit AES encryption in C, x86, AMD64, ARM32 and ARM64 assembly

Enumerate various traits from Windows processes as an aid to threat hunting

See the Wiki for more information

WinDBG Anti-RootKit Extension

利用EFSRPC协议批量探测出网

For when DLLMain is the only way

A tool employs direct registry manipulation to create scheduled tasks without triggering the usual event logs.

Autonomous pre-boot DMA attack hardware implant for M.2 slot based on PicoEVB development board

Updated version of System Management Mode backdoor for UEFI based platforms: old dog, new tricks

Memory hacking library powered by AMD SVM

Hardcore Debugging

Persistence via Shell Extensions

SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.

Explore Kernel Objects on Windows

Signtool for expired certificates

Resolve DOS MZ executable symbols at runtime