Simple proof of concept -code to manipulate the memory of a usermode process from kernelmode of a windows NT operating system. This is complished by using the undocumented NT API "MmCopyVirtualMemory" function in ntoskrnl.exe.
This works for both x64 & x86 processes.
WindowsPermsPoC A simple PoC to demonstrate that is possible to write Non writable memory and execute Non executable memory on Windows You can build i
CSGO-P2C-Dumper is a process memory dumper aimed to target CS:GO internal cheats, while offering additional reversing aid.
CredBandit CredBandit is a proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process a
PAD (Process Android Dumper) This dumper is made for il2cpp game but you can use it in any app you want How To Use Run the process Open PADumper Put p
kt Kernel file/process/object tool killav bypass av dump lsass basic vs2019 + cpp + wdk usage(64-bit only) kdu -map sys.sys kt -F -d c:\windows\notepa
altdumper Simple, fully external, smart, fast, JSON-configurated, feature-rich Windows x86 DLL Memory Dumper with Code Generation. Written in Modern C
Thread Stack Spoofing PoC A PoC implementation for an advanced in-memory evasion technique that spoofs Thread Call Stack. This technique allows to byp
Shellcode Fluctuation PoC A PoC implementation for an another in-memory evasion technique that cyclically encrypts and decrypts shellcode's contents t
Cobalt Strike BOF - Inject AMSI Bypass Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection. Running inje
usermode driver mapper that forcefully loads any signed kernel driver (legit cert) with a big enough section (example: .data, .rdata) to map your driver over. the main focus of this project is to prevent modern anti-cheats (BattlEye, EAC) from finding your driver and having the power to hook anything due to being inside of legit memory (signed legit driver).
This is a simple project of a driver + usermode.
The Memory Process File System (MemProcFS) is an easy and convenient way of viewing physical memory as files in a virtual file system.
ProcessVmAccess Two PoC of accessing process virtual memory via NT Kernel Detail You've never interested in accessing process virtual memory through N
syscall-detect PoC capable of detecting manual syscalls from usermode. More information available at: https://winternl.com/detecting-manual-syscalls-f
communicate between usermode and kernelmode through a swapped qword ptr argument
Treexy is a library that implements a compact hierarchical data structure that can store and manipulate volumetric data, discretized on a three-dimens
QEEntmod A Quake Enhanced mod to manipulate entities. Inspired by the Half-Life metamod plugin 'Entmod' Can be used standalone or easily implemented i
Process Ghosting This is my implementation of the technique presented by Gabriel Landau: https://www.elastic.co/blog/process-ghosting-a-new-executable
HOLLOW - Cobalt Strike BOF Authors: Bobby Cooke (@0xBoku) Justin Hamilton (@JTHam0) Octavio Paguaga (@OakTree__) Matt Kingstone (@n00bRage) Beacon Obj
55 Jul 21, 2022
20 Dec 13, 2022
188 Dec 25, 2022
11 Nov 27, 2022
62 Nov 30, 2022
14 Sep 9, 2022
761 Jan 9, 2023
307 Dec 28, 2022
170 Dec 29, 2022
39 Dec 31, 2022
1.7k Jan 2, 2023
16 Aug 11, 2022
125 Dec 26, 2022
35 Nov 29, 2022
324 Jan 4, 2023
2 Jul 5, 2022
514 Jan 3, 2023
203 Dec 20, 2022