Windows Post-Exploitation / Malware Forward Engineering
- asynclog - basic keylogger using GetAsyncKeyState()
- asyncdebounce - adds debouncing to the basic keylogger
- hooklog - keylogger using LowLevelKeyboardProc() callback
- IGO - pre-main execution with C++ initialization
- tlscallback - pre-main execution with Thread Local Storage callback
- importless - PE using WinAPI that has no imports
- printscreen - takes a screenshot by simulation of printscreen keypress
- screenshot - takes a screenshot using device context and GDI+
- reverseshell - basic reverse TCP shell
- passfilter - password complexity filter DLL with logging
- locklogger - injects into winlogon.exe and keylogs
- puppetstrings - take a free ride into ring 0
- ThreadContinue - injection using SetThreadContext() and NtContinue()
- getsystem - gets system using Named Pipe impersonation
- steamroll - brute forces login credentials
- combrowser - using IE COM object to make web requests
- httpbrowser - using HTTP API to make web requests
- toxicserpent - log all network traffic, poison, port knock C2
- RunShellcode - run shellcode from .NET
- offsetfix - converting static analysis offsets with ASLR
- rawhook - simple example showing function prologue hooking
- wmiquery - shows how to look up AV using WMI
All example code has been stripped down to barebones functionality for simplicity and demonstration purposes. As such, there may not be appropriate error checking.
Code samples are provided for educational purposes. Adequate defenses can only be built by researching attack techniques available to malicious actors. Using this code against target systems without prior permission is illegal in most jurisdictions. The authors are not liable for any damages from misuse of this information or code.
Special thanks to research done by the following individuals: