Stars
Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
A tunnel which turns UDP traffic into encrypted UDP/FakeTCP/ICMP traffic by using raw sockets, helping you bypass UDP firewalls (or unstable UDP environments)
Advanced usermode anti-anti-debugger. Forked from https://bitbucket.org/NtQuery/scyllahide
Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
Alternative Shellcode Execution Via Callbacks
Great explanation of Process Hollowing (a Technique often used in Malware)
An Active Defense and EDR software to empower Blue Teams
Process Herpaderping proof of concept, tool, and technical deep dive. Process Herpaderping bypasses security products by obscuring the intentions of a process.
Thread Stack Spoofing - PoC for an advanced in-memory evasion technique that better hides injected shellcode's memory allocation from scanners and analysts.
A set of fully undetectable process injection techniques abusing Windows thread pools
An advanced in-memory evasion technique fluctuating shellcode's memory protection between RW/NoAccess & RX and then encrypting/decrypting its contents
Reproducing the Spyboy technique to terminate all EDR/XDR/AV processes
Kill anti-malware-protected processes (BYOVD) (Microsoft won)
Tool to bypass LSA Protection (aka Protected Process Light)
Loading a remote AES-encrypted PE in memory, decrypting it, and running it
Run an EXE file (PE module) in memory (like an application loader)
Pinjectra is a C/C++ OOP-like library that implements Process Injection techniques (with focus on Windows 10 64-bit)
Enumerate and disable common sources of telemetry used by AV/EDR.
Killer is a simple tool designed to bypass AV/EDR security tools using various evasive techniques.
Evasive shellcode loader for bypassing event-based injection detection (PoC)
PoC Implementation of a fully dynamic call stack spoofer
Moneta is a live usermode memory analysis tool for Windows with the capability to detect malware IOCs
HWSyscalls is a new method to execute indirect syscalls using hardware breakpoints (HWBP), HalosGate and a synthetic trampoline on kernel32.
Black Angel is a Windows 11/10 x64 kernel-mode rootkit. The rootkit can be loaded with DSE enabled while maintaining its full functionality.
KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.