Stars
An EDR bypass that prevents EDRs from hooking or loading DLLs into our process by hijacking the AppVerifier layer
Windows 10 PE image loader (LDR) NTDLL component toolbox
Tooling to generate metadata for Win32 APIs in the Windows SDK.
Small application that can be used to log loader snaps and other debug output
Unlicensed tiny / small portable implementation of 128/256-bit AES encryption in C, x86, AMD64, ARM32 and ARM64 assembly
Enumerate various traits from Windows processes as an aid to threat hunting
A tool that employs direct registry manipulation to create scheduled tasks without triggering the usual event logs.
Autonomous pre-boot DMA attack hardware implant for M.2 slot based on PicoEVB development board
Updated version of System Management Mode backdoor for UEFI based platforms: old dog, new tricks
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
Small tool to play with IOCs caused by Imageload events
Yet another sleep encryption thing. Also used the default GitHub repo name for this one.