Pinned Repositories
autochk-rootkit
Reverse engineered source code of the autochk rootkit
CodeMachineCourse
CVE-2025-21333-POC-driver-exploit
POC exploit for the CVE-2025-21333 heap-based buffer overflow. It leverages WNF state data and I/O ring IOP_MC_BUFFER_ENTRY.
doublepulsar-usermode-injector
A utility to use the usermode shellcode from the DOUBLEPULSAR payload to reflectively load an arbitrary DLL into another process, for use in testing detection techniques or other security research.
DreamLoader
Simple 32/64-bit PE loader.
DrvMon
Advanced driver monitoring utility.
drvtricks
drvtricks kernel driver for Windows 7 SP1 and 8.1 x64 that tricks around in your system.
Harmony
A library for patching, replacing and decorating .NET and Mono methods during runtime
heap-exploitation
This book on heap exploitation is a guide to understanding the internals of glibc's heap and various attacks possible on the heap structure.
HyperBone
Minimalistic VT-x hypervisor with hooks
a10ncoder's Repositories
a10ncoder/al-khaser
Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
a10ncoder/CobaltStrike
CobaltStrike's source code
a10ncoder/Cpp-High-Performance-Second-Edition
C++ High Performance Second Edition, published by Packt
a10ncoder/DefenderCheck
Identifies the bytes that Microsoft Defender flags on.
a10ncoder/DoublePulsarPayload
C++ implementation of DOUBLEPULSAR usermode shellcode. Yet another Reflective DLL loader.
a10ncoder/EvtMute
Apply a filter to the events being reported by Windows event logging.
a10ncoder/fibratus
A modern tool for Windows kernel exploration and tracing.
a10ncoder/FsMinfilterHooking
a10ncoder/ftrace-hook
Using ftrace for function hooking in Linux kernel
a10ncoder/go-shellcode
A repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques.
a10ncoder/herpaderping
Process Herpaderping proof of concept, tool, and technical deep dive. Process Herpaderping bypasses security products by obscuring the intentions of a process.
a10ncoder/HookLib
A function interception library written in pure C and the Native API, with user-mode and kernel-mode support.
a10ncoder/In-memory-Attack
In-memory Attack
a10ncoder/Injection_NtMapViewOfSection
A C++ POC for process injection using NtCreateSection, NtMapViewOfSection and RtlCreateUserThread. Credit to @spotheplanet for his notes.
a10ncoder/KasperskyHook
Hook system calls on Windows by using Kaspersky's hypervisor
a10ncoder/Kernel-Bridge
Windows kernel hacking framework, driver template, hypervisor and API written in C++.
a10ncoder/kernel-codecave-poc
Proof of concept on how to bypass some limitations of a manual mapped driver
a10ncoder/moneta
Moneta is a live usermode memory analysis tool for Windows with the capability to detect malware IOCs
a10ncoder/openedr
Open EDR public repository
a10ncoder/PIC-Get-Privileges
Building and Executing Position Independent Shellcode from Object Files in Memory
a10ncoder/PPLKiller
Protected Processes Light Killer
a10ncoder/Probatorum-EDR-Userland-Hook-Checker
Project to check which Nt/Zw functions your local EDR is hooking
a10ncoder/Processes
List processes in Rust.
a10ncoder/ProcMon-for-Linux
Procmon is a Linux reimagining of the classic Procmon tool from the Sysinternals suite of tools for Windows. Procmon provides a convenient and efficient way for Linux developers to trace the syscall activity on the system.
a10ncoder/ProcMonXv2
Process Monitor X v2
a10ncoder/rust-windows-shellcode
Windows shellcode development in Rust
a10ncoder/SassyKitdi
Kernel Mode TCP Sockets + LSASS Dump (Rust Shellcode)
a10ncoder/SimpleSvmHook
SimpleSvmHook is a research purpose hypervisor for Windows on AMD processors.
a10ncoder/syscall-detect
PoC capable of detecting manual syscalls from user mode.
a10ncoder/TiEtwAgent
PoC memory injection detection agent based on ETW, for offensive and defensive research purposes