Ghost Ghost is a shellcode loader project designed to bypass multiple detection capabilities that are usually implemented by an EDR Detection 1 – kernel callbacks kernel callbacks are implemented by an EDR to harness...
VOIDMAW This is a new bypass technique for memory scanners. It is useful in hiding problematic code that will be flagged by the antivirus vendors. This is basically an improved version of Voidgate, but without...
SharpExclusionFinder This C# program finds Windows Defender folder exclusions using Windows Defender through its command-line tool (MpCmdRun.exe). The program processes directories recursively, with configurable depth and thread usage, and outputs information about exclusions and scan progress....
capa capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the...
ronin Ronin is a free and Open Source Ruby toolkit for security research and development. Ronin contains many different CLI commands and Ruby libraries for a variety of security tasks, such as encoding/decoding data, filter IPs/hosts/URLs, querying ASNs, querying DNS, HTTP, scanning...
DriverJack DriverJack is a tool designed to load a vulnerable driver by abusing lesser-known NTFS techniques. These method bypass the registration of a Driver Service on the system by hijacking an existing service, and also...
IconJector This is a Windows Explorer DLL injection technique that uses the change icon dialog on Windows. How does it work? Firstly, a folder is created in the temp directory, and the properties of...
Immoral Fiber This repository contains two new offensive techniques using Windows Fibers: PoisonFiber (The first remote enumeration & Fiber injection capability POC tool) PhantomThread (An evolved callstack-masking implementation) It also contains an example test...
GoDefender This Go package provides functionality to detect and defend against various forms of debugging tools and virtualization environments Anti-Virtualization Triage Detection: Detects if the system is running in a triage or analysis environment....
MagicDot A set of rootkit-like abilities for unprivileged users, and vulnerabilities based on the DOT-to-NT path conversion known issue. MagicDot Python Package Implements MagicDot’s rootkit-like techniques: Files/Directories named with dots only Bonus – Such...
ASPJinjaObfuscator A heavily obfuscated Windows–based ASP web shell generation tool utilizing the power of Python’s Jinja2 templating engine. Generates a web shell with randomized variable/function names and HTML strings of random lengths, XOR encrypted strings with base64...
