Pinned Repositories
autochk-rootkit
Reverse engineered source code of the autochk rootkit
CodeMachineCourse
CVE-2025-21333-POC-driver-exploit
POC exploit for CVE-2025-21333 heap-based buffer overflow. It leverages WNF state data and I/O ring IOP_MC_BUFFER_ENTRY
doublepulsar-usermode-injector
A utility to use the usermode shellcode from the DOUBLEPULSAR payload to reflectively load an arbitrary DLL into another process, for use in testing detection techniques or other security research.
DreamLoader
Simple 32/64-bit PEs loader.
DrvMon
Advanced driver monitoring utility.
drvtricks
drvtricks kernel driver for Windows 7 SP1 and 8.1 x64 that tricks around in your system.
Harmony
A library for patching, replacing and decorating .NET and Mono methods during runtime
heap-exploitation
This book on heap exploitation is a guide to understanding the internals of glibc's heap and various attacks possible on the heap structure.
HyperBone
Minimalistic VT-x hypervisor with hooks
a10ncoder's Repositories
a10ncoder/al-khaser
Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
a10ncoder/CallMon
CallMon is an experimental system call monitoring tool that works on Windows 10 versions 2004+ using PsAltSystemCallHandlers
a10ncoder/CheekyBlinder
Enumerating and removing kernel callbacks using signed vulnerable drivers
a10ncoder/christmas-obfuscated-C
Obfuscated C Christmas programs
a10ncoder/CVE-2020-0796
CVE-2020-0796 - Windows SMBv3 LPE exploit #SMBGhost
a10ncoder/CVE-2020-0796-LPE-POC
CVE-2020-0796 Local Privilege Escalation POC
a10ncoder/doublepulsar
DoublePulsar (Position-Independent) Shellcode (Windows 7 SP1 x64)
a10ncoder/etw-dns
A simple example application to collect DNS queries logs using etw-api
a10ncoder/Ghost-In-The-Logs
Evade sysmon and windows event logging
a10ncoder/infhook19041
a10ncoder/Kernel-Bridge
Windows kernel hacking framework, driver template, hypervisor and API written in C++
a10ncoder/MagicLib
Unorganized C++ code files I used for my research on Windows
a10ncoder/Mapping-Injection
Just another Windows Process Injection
a10ncoder/MemoryRanger
MemoryRanger protects kernel data and code by running drivers and hosting data in isolated kernel enclaves using VT-x and EPT features. MemoryRanger has been presented at the BlackHat, HITB, CDFSL.
a10ncoder/MiniVisorPkg
The research UEFI hypervisor that supports booting an operating system.
a10ncoder/PeaceMaker
PeaceMaker Threat Detection is a Windows kernel-based application that detects advanced techniques used by malware.
a10ncoder/pedigest
Helper functions for calculating the Authenticode digest of a portable executable file
a10ncoder/phantom-dll-hollower-poc
Phantom DLL hollowing PoC
a10ncoder/PPLKiller
Protected Processes Light Killer
a10ncoder/Ps-Tools
Ps-Tools, an advanced process monitoring toolkit for offensive operations
a10ncoder/Sandboxie
Open Source Sandboxie
a10ncoder/SassyKitdi
Kernel Mode TCP Sockets + LSASS Dump (Rust Shellcode)
a10ncoder/Shark
Turn off PatchGuard in real time for win7 (7600) ~ win10 (19041).
a10ncoder/SimpleSvm
A minimalistic educational hypervisor for Windows on AMD processors.
a10ncoder/SimpleSvmHook
SimpleSvmHook is a research purpose hypervisor for Windows on AMD processors.
a10ncoder/spectre
A Windows kernel-mode rootkit that abuses legitimate communication channels to control a machine.
a10ncoder/SystemToken
Steal privileged token to obtain SYSTEM shell
a10ncoder/TelemetrySourcerer
Enumerate and disable common sources of telemetry used by AV/EDR.
a10ncoder/UefiVarMonitor
The runtime DXE driver monitoring access to the UEFI variables by hooking the runtime service table.
a10ncoder/windows-kernel-debugging-guide
Guide about remote Windows kernel debugging