Pinned Repositories
SharpSploit
SharpSploit is a .NET post-exploitation library written in C#
CertStealer
A .NET tool for exporting and importing certificates without touching disk.
DInvoke
Dynamically invoke arbitrary unmanaged code from managed code without PInvoke.
donut
Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
donut-demos
Demos of Donut used in conferences, etc. Mostly for my use, but free for others to use as a reference.
EasyNet
Simple packer for arbitrary data using only .NET API calls. Produces a unique signature with every usage. Standalone program and library. Algorithm: Data <-> GZip <-> AES-256 <-> Base64.
GhostLoader
GhostLoader - AppDomainManager - Injection - 攻壳机动队
Manager
Library of tools and examples for loading/bootstrapping managed code from unmanaged code in .NET
ModuleMonitor
Uses WMI Event Win32_ModuleLoadTrace to monitor module loading. Provides filters, and detailed data. Has an option to monitor for CLR Injection attacks.
TheWover.github.io
Blog. Watch the repo to subscribe
TheWover's Repositories
TheWover/pe_to_shellcode
Converts PE into a shellcode
TheWover/clrinject
Injects C# EXE or DLL Assembly into every CLR runtime and AppDomain of another process.
TheWover/hollows_hunter
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
TheWover/nopowershell
PowerShell rebuilt in C# for Red Teaming purposes
TheWover/pinvoke-interop-assistant
PInvoke Interop Assistant
TheWover/WinXRunPE-x86_x64
💉 Two C# RunPE's capable of x86 and x64 injections 💉
TheWover/ADTimeline
PowerShell script creating a timeline with Active Directory replication metadata
TheWover/AggressorCollection
Collection of awesome Cobalt Strike Aggressor Scripts. All credit due to the authors
TheWover/AmsiScanBufferBypass
TheWover/AndrewSpecial
AndrewSpecial, dumping lsass' memory stealthily and bypassing "Cilence" since 2019.
TheWover/ATTACK-Tools
Utilities for MITRE™ ATT&CK
TheWover/COMHijacker
Persistent through COM Hijacking
TheWover/consoleframework
Cross-platform toolkit for easy development of TUI applications.
TheWover/csharp
Various C# projects for offensive security
TheWover/DKMC
DKMC - Dont kill my cat - Malicious payload evasion tool
TheWover/dll_to_exe
Converts a DLL into EXE
TheWover/DllExport
.NET DllExport
TheWover/Ebowla
Framework for Making Environmental Keyed Payloads (NO LONGER SUPPORTED)
TheWover/external_c2_framework
Python api for usage with cobalt strike's External C2 specification
TheWover/IAT_patcher
Persistent IAT hooking application - based on bearparser
TheWover/krabsetw
KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.
TheWover/LimeUSB
Malware USB Spread | Example
TheWover/MemScan
Quick Proof of Concept for reading a processes memory and searching for a specific string.
TheWover/pe-sieve
Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
TheWover/pocs
Proof of Concepts (PE, PDF...)
TheWover/shed
.NET runtime inspector
TheWover/Superior-Injector
C# LoadLibrary and ManualMap injector
TheWover/Testura.Code
Testura.Code is a wrapper around the Roslyn API and used for generation, saving and compiling C# code. It provides methods and helpers to generate classes, methods, statements and expressions.
TheWover/VBA-RunPE
A VBA implementation of the RunPE technique or how to bypass application whitelisting.
TheWover/WinObjEx64
Windows Object Explorer 64-bit