NixImports A .NET malware loader, using API-Hashing and dynamic invoking to evade static analysis. NixImports aims to build a loader with little to no direct function calls and reduce referenced methods to a minimum....
Html Smuggling HTML smuggling is a malicious technique used by hackers to hide malware payloads in an encoded script in a specially crafted HTML attachment or web page. The malicious script decodes and deploys...
PE-Obfuscator PE obfuscator with Evasion in mind needs Admin Privilege in order to load the RTCore64 driver. The Obfuscator: – Gets xored Fileless PE from a remote server – Drop the Loader in the...
RecycledInjector (Currently) Fully Undetected same-process native/.NET assembly shellcode injector based on RecycledGate by thefLink, which is also based on HellsGate + HalosGate + TartarusGate to ensure undetectable native syscalls even if one technique fails. To remain...
ShellGhost A memory-based evasion technique which makes shellcode invisible from process start to end. Handling the Thread Execution Flow ShellGhost relies on Vectored Exception Handling in combination with software breakpoints to cyclically stop thread...
Sshimpanzee Sshimpanzee allows you to build a static reverse ssh server. Instead of listening on a port and waiting for connections, the ssh server will initiate a reverse connection to the attacker’s ip, just like a regular reverse...
Freeze.rs Freeze.rs is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner. Freeze.rs utilizes multiple techniques to not only remove Userland EDR hooks but to also...
SharpFtpC2 SharpFtpC2 is a small, experimental project aimed at exploring the possibility of using FTP(S) for relaying commands and responses between two remote computers. It employs the FTP protocol as a makeshift tunnel through...
JNDI-Injection-Exploit-Plus JNDI-Injection-Exploit-Plus is a tool for generating workable JNDI links and providing background services by starting the RMI server, LDAP server, and HTTP server. Using this tool allows you to get JNDI links, you can...
PythonMemoryModule pure-python implementation of MemoryModule technique to load a dll or unmanaged exe entirely from memory PythonMemoryModule is a Python ctypes porting of the MemoryModule technique originally published by Joachim Bauch. It can load a dll or...
EPI EPI (Entry Point Injection) is a tool that leverages a new threadless process injection technique that relies on hijacking loaded dll’s entry points. To achieve this goal, EPI patches the target process’ PEB such...
LightsOut LightsOut will generate an obfuscated DLL that will disable AMSI & ETW while trying to evade AV. This is done by randomizing all WinAPI functions used, xor encoding strings, and utilizing basic sandbox...
Commander Commander is a command and control framework (C2) written in Python, Flask, and SQLite. It comes with two agents written in Python and C. Features Fully encrypted communication (TLS) Multiple Agents Obfuscation Interactive...
KittyStager KittyStager is a stage 0 C2 comprising an API, client, and malware. The API is responsible for delivering basic tasks and shellcodes to be injected into memory by the malware. The client also...
Aladdin Aladdin is a payload generation technique based on the work of James Forshaw (@tiraniddo) that allows the deseriallization of a .NET payload and execution in memory. The original vector was documented on https://www.tiraniddo.dev/2017/07/dg-on-windows-10-s-executing-arbitrary.html. By...
Secure Your Connection
