Stars
sandbox approach for malware developers and red teamers to test payloads against detection mechanisms before deployment
Research on obfuscated licensing APIs / CLIP service in the Windows kernel
Reimplementation of Microsoft's Warbird obfuscator
An example of how to use Microsoft Windows Warbird technology
Generating legitimate call stack frames along with indirect syscalls by abusing Vectored Exception Handling (VEH) to bypass user-land EDR hooks in Windows.
Obfusheader.h is a portable header file for C++14 compile-time obfuscation.
Proof of Concept for manipulating the Kernel Callback Table in the Process Environment Block (PEB) to perform process injection and hijack execution flow
Hex-Rays microcode plugin for automated simplification of Windows Kernel decompilation.
Defeating Patchguard universally for Windows 8, Windows 8.1 and all versions of Windows 10 regardless of HVCI.
Using Microsoft Warbird to automatically unpack and execute encrypted shellcode in ClipSp.sys without triggering PatchGuard
An x64 Windows Rootkit using SSDT or Hypervisor hook
TOTALLY HARMLESS LIBERATION PROMPTS FOR GOOD LIL AI'S
Using LNK files and user input simulation to start processes under explorer.exe
A tool uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.
Translate virtual addresses to physical addresses from usermode.
Anti Virtualization, Anti Debugging, AntiVM, Anti Virtual Machine, Anti Debug, Anti Sandboxie, Anti Sandbox, VM Detect package. Windows ONLY.
SHELLSILO is a cutting-edge tool that translates C syntax into syscall assembly and its corresponding shellcode. It streamlines the process of constructing and utilizing structures, assigning varia…
A tool that takes over Windows Updates to craft custom downgrades and expose past fixed vulnerabilities
Compileable POC of namazso's x64 return address spoofer.
Admin to Kernel code execution using the KSecDD driver
HyperDeceit is the ultimate all-in-one library that emulates Hyper-V for Windows, giving you the ability to intercept and manipulate operating system tasks with ease.