Sheng-Hao Ma

Run a Exe File (PE Module) in memory (like an Application Loader)

some gadgets about windows process and ready to use :)

Skrull is a malware DRM, that prevents Automatic Sample Submission by AV/EDR and Signature Scanning from Kernel. It generates launchers that can run malware on the victim using the Process Ghosting technique. Also, launchers are totally anti-copy and naturally broken when got submitted.

著作《Windows APT Warfare：惡意程式前線戰術指南》各章節技術實作之原始碼內容

PoC: Exploit 32-bit Thread Snapshot of WOW64 to Take Over $RIP & Inject & Bypass Antivirus HIPS (HITB 2021)

easy ransomware module base on csharp.

Windows PE - TLS (Thread Local Storage) Injector in C/C++

PoC: Rebuild A New Path Back to the Heaven's Gate (HITB 2021)

開源台灣房市在線實價登錄分析工具

simple compiler based on mingw to build uncrackable windows application against analysis tools

Call 32bit NtDLL API directly from WoW64 Layer

tool for building windows shellcode in C by MinGW

Windows x86 PE Packer In C++

Windows PE Signature Thief in C++

氛圍閱讀 Vibe Reading — 離線 PDF 逐段翻譯 Chrome 擴充，基於 Chrome 內建 Gemini Nano / Translator API

Chrome extension that translates academic PDF documents offline and side-by-side using AI built directly into your browser, no API fees, no internet connection needed, and no data leaves your machine.

Out-of-the-Box Tool to Obfuscate Excel XLS. Include Obfuscation & Hide for Cell Labels & BoundSheets

Malware Sandbox Emulation in Python @ HITCON 2018

The Purified Windows 11: without Defender, Updater, Patches, System Health, etc.

One Click Tool to Scan All the Enabled Protection of current Windows NT Kernel

(PoC) Tiny Excel BIFF8 Generator, to Embedded 4.0 Macros in xls files without Excel.

Ring3 Rootkit Backdoor.

A PoC to demo modifying cmdline of the child process dynamically. It might be useful against process log tracing, AV or EDR.

Play PokémonGo From Home, No Jailbreak!

No description.

Windows Injection 101: from Zero to ROP (HITCON 2017)

No description.

Useful Plugin for IDA to Trace Function Call Tree

MapleStory Hack Plugin

PoC for DEF CON 26: Playing Malware Injection with Exploit thoughts

Windows Application Loader Running *.Exe files in Memory against Scrylla

No description.

義守管家線上雲端服務

白癡喔還要下 pip install 誰會用啦—隨開即用 Windows 版 OpenAI Whisper 逐字稿產生器

Windows 桌面 AI 搜尋列、翻譯面板、本地 AI 助手。OpenClam 提供類似 PowerToys Run / Fluent Search 的懸浮搜尋體驗，並整合本地 AI 問答與即時翻譯。

Play PokémonGo without hands, Based on Python, and Easy to fix.

Tiny Windows x86 Assembly Compiler in C++ and Keystone Engine

Garena 競時通順暢開遊戲小補丁

Catch All HTTP Request In IE WebBrowser Control In C#

Auto Move Your Cursor to the Focused Window while You Alt-Tab or Touchboard for Windows

inline hook functions in memory on OSX

Make stored PkZIP file unarchive in C

Instagram 限時動態自動閱讀器

NTUSTxTDOH 2015/11/15~29 Easy Crack Me

一些演算法學習筆記

用CBuilder自幹Win32的除錯器.(搭配WinAPI)

.NET PE file parser in C/C++

基於 NodeJS 開發的英文克漏字線上測驗系統

Word2Vec written in pure Numpy

CIL (MSIL) Disassembler Written In Pure C/C++. Rewrite from Mono Project

Control-Flow-Graph Analysis based on Radare2 In Python3

Easy Process Spy For Windows7 x32bit

Guaranteed compile-time string literal obfuscation header-only library for C++14

Powerful batch script to dismantle complete windows defender protection and even bypass tamper protection

Unorthodox and stealthy way to inject a DLL into the explorer using icons

以C++Builder開發的會自我更新的POE流亡闇道多開.

a simple CPU0 simulator in C++

Source code of Windows XP (NT5). Leaks are not from me. I just extracted the archive and cabinet files.

No description.

白癡喔，打個 CyberPunk 一直卡中文輸入法怎玩啦？

No description.

酷狗音樂破解

Exploit targeting NT kernel in 24H2 Windows Insider Preview

Google Search Ninja based on Python

No description.

The FLARE team's open-source tool to identify capabilities in executable files.

Cross Platform Kernel Fuzzer Framework

An even funnier way to disable windows defender. (through WSC api)

Control Graph based JIT Engine as PE Packer (Python3 + Radare2 + Keystone)

My implementation of enSilo's Process Doppelganging (PE injection technique)

No description.

Kernel mode WinDbg extension and PoCs for token privilege investigation.

QAC Thread DLL Inector

封裝的CBuilder HTTPs封包處理類別,支持本地儲存Cookie,UA設定

pytorch 包教不包会

Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process.

Converting wrongly typed English strings back to Zhuyin.

a tool with GUI is used to check all digital signature of modules in the process.

High performance and correct x86/x64 disassembler, assembler, decoder, encoder for .NET, Rust, JavaScript

A collection of weird ways to execute unmanaged code in .NET

No description.

Resources and demos from the DEFCON 30 Brief "Space Jam: Exploring Radio Frequency Attacks in Outer Space" by James Pavur

A tool uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.

proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC

No description.

记录自己编写、修改的部分工具

Source of VMProtect (NOT OFFICIALLY)

Hijacking valid driver services to load arbitrary (signed) drivers abusing native symbolic links and NT paths

No description.

This repo covers some code execution and AV Evasion methods for Macros in Office documents

An implementation in TensorFlow of a convolutional neural network (CNN) to perform sentiment classification on tweets.

CVE-2024-30090 - LPE PoC

Tutorials on implementing a few sequence-to-sequence (seq2seq) models with PyTorch and TorchText.

Tools and Techniques for Blue Team / Incident Response

Multi-class malware classification using Deep Learning

Simple PE packer with RtlCompressBuffer

A demo to bypass windows 10 default UAC configuration using IFileOperation and dll hijacking

An open-source, free protector for .NET applications

Code for the book "Mastering OpenCV with Practical Computer Vision Projects" by Packt Publishing 2012.

C implementation of the MD5 algorithm

No description.

Helper library for x86 programs that runs under WOW64 layer on x64 versions of Microsoft Windows operating systems.

bypass uac

fork from A-Protect

SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader

LINE Messaging's private API

Explore .NET Processes and Dump files

Windows Privilege Escalation

base64 c implementation

C++17, x86/x64 Hooking Libary v2.0

The OpenSource Disassembler

面向编译器开发人员的V8内部实现文档

YourtionOS 基于 30dayMakeOS (OSASK) 构建你自己的操作系统

Demonstrates hosting CLR objects from x86_64 assembly

A .NET tool for exporting and importing certificates without touching disk.

heavily vectorized c++17 compile time string encryption.

Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin.

A static devirtualizer for VMProtect x64 3.x. powered by VTIL.

Create fake certs for binaries using windows binaries and the power of bat files

Hacker Disassembler Engine 64 Copyright (c) 2008-2009, Vyacheslav Patkov. * All rights reserved.

Python library for reading and writing Windows shortcut files (.lnk). Python 3 only.

FileSquatting Exploitation by Example

No description.

An EDR bypass that prevents EDRs from hooking or loading DLLs into our process by hijacking the AppVerifier layer

No description.

VMPilot: A Modern C++ Virtual Machine SDK

A small PoC that creates processes in Windows

BOF and C++ implementation of the Windows Defender sandboxing technique described by Elastic Security Labs/Gabriel Landau.

Analyse your malware to surgically obfuscate it

A kernel vulnerability used to achieve arbitrary read-write on Windows prior to July 2022

.NET Assembly Dumper

No description.

Mediatek Fuzzing Workshop in HITCON 2021

Towards Generic Deobfuscation of Windows API Calls

FireEye Labs Obfuscated String Solver - Automatically extract obfuscated strings from malware.

Checksec, but for Windows: static detection of security mitigations in executables

A cross-platform library for verifying Authenticode signatures

Official Implementation of SIPIT from "Language Models are Injective and Hence Invertible" (ICLR 2026) :trophy:

Clone of "Compiler-Agnostic Function Detection in Binaries" source code

This is the implementation of "Deep Neural Network Based Malware Detection Using Two Dimensional Binary Program Features"

No description.

A C++ proof of concept demonstrating the exploitation of Windows Protected Process Light (PPL) by leveraging COM-to-.NET redirection and reflection techniques for code injection. This PoC showcases bypassing code integrity checks and loading malicious payloads in highly protected processes such as LSASS. Based on research from James Forshaw.

Reverse Engineering: Decompiling Binary Code with Large Language Models

Github repo with tutorials to fine tune transformers for diff NLP tasks

No description.

Exploitation paths allowing you to (mis)use the Windows Privileges to elevate your rights within the OS.

《机器翻译：基础与模型》肖桐 朱靖波 著 - Machine Translation: Foundations and Models

TeamViewer User to Kernel Elevation of Privilege PoC. CVE-2024-7479 and CVE-2024-7481. ZDI-24-1289 and ZDI-24-1290. TV-2024-1006.

Sample use cases of the .NET native code hooking technique

No description.

Native API header files for the System Informer project.

Code examples in pyTorch and Tensorflow for CS230

注意力机制实践

Official implementation of AsmDepictor, "A Transformer-based Function Symbol Name Inference Model from an Assembly Language for Binary Reversing", In the 18th ACM Asia Conference on Computer and Communications Security AsiaCCS '2023

The Definitive Guide To Process Cloning on Windows

Admin to Kernel code execution using the KSecDD driver

The nanoGPT-style implementation of RWKV Language Model - an RNN with GPT-level LLM performance.

Create file system symbolic links from low privileged user accounts within PowerShell

MS Office and Windows HTML RCE (CVE-2023-36884) - PoC and exploit

No description.

Stop Windows Defender programmatically

A tool for detecting manual/direct syscalls in x86 and x64 processes using Nirvana Hooks.

Reproducing Spyboy technique to terminate all EDR/XDR/AVs processes

This repository includes code and IoCs that are the product of research done in Akamai's various security research teams.

rp++ is a fast C++ ROP gadget finder for PE/ELF/Mach-O x86/x64/ARM/ARM64 binaries.

A library to develop kernel level Windows payloads for post HVCI era

No description.

HyperDeceit is the ultimate all-in-one library that emulates Hyper-V for Windows, giving you the ability to intercept and manipulate operating system tasks with ease.

No description.

UI tool for fine-tuning and testing your own LoRA models with LLaMA. One-click run on Google Colab.

Bypassing PatchGuard on modern x64 systems

Kernel Exploits

No description.

A new AMSI Bypass technique using .NET ALI Call Hooking.

It's pointy and it hurts!

火绒剑独立版

Patch PE, ELF, Mach-O binaries with shellcode new version in development, available only to sponsors

This is a collection of interesting codes about Windows Process creation.

Enumerate and disable common sources of telemetry used by AV/EDR.

Static Binary Instrumentation

No description.

小型主动防御引擎

CVE-2021-40444 PoC

Shikata ga nai (仕方がない) encoder ported into go with several improvements

This C++ app allows to run custom C# method from compiled C# .dll on Linux and OS X using coreCLR.

macro_pack is a tool by @EmericNasi used to automatize obfuscation and generation of Office documents, VB scripts, shortcuts, and other formats for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify exploitation, antimalware bypass, and automatize the process from malicious macro and script generation to final document generation. It also provides a lot of helpful features useful for redteam or security research.

Powerful script for logical obfuscation of powershell scripts

No description.

A C/C++ implementation of Microsoft's Antimalware Scan Interface

Porting Windows Dynamic Link Libraries to Linux

Windows - Weaponizing privileged file writes with the Update Session Orchestrator service

.NET library for hooking and dumping Clr

Dump native and .NET assemblies

A tool for Windows that can make any program work within file-system transactions.

BoobSnail allows generating Excel 4.0 XLM macro. Its purpose is to support the RedTeam and BlueTeam in XLM macro generation.

A fake AMSI Provider which can be used for persistence.

Windows exploits, mostly precompiled. Not being updated. Check https://github.com/SecWiki/windows-kernel-exploits instead.

Run some secret code invisible from debugger single step.(x86 process on x64 windows only)

Evasive Process Hollowing Techniques

A set of tutorials about code injection for Windows.

Copy of Subtee's Repository That's Taken Down