benheise
Ben Heise is an information security professional who specializes in performing penetration testing and adversarial (red team) operations.
https://rallysecurity.com
Pinned Repositories
ANGRYORCHARD
A kernel exploit leveraging NtUserHardErrorControl to elevate a thread to KernelMode and achieve arbitrary kernel R/W & more.
APCLdr
Payload Loader With Evasion Features
BlackLotus-1
BlackLotus UEFI Windows Bootkit
bootdoor
Former UEFI Firmware Rootkit Replicating MoonBounce / ESPECTRE
bootkit
UEFI bootkit: Hardware Implant. In-Progress
FilelessPELoader
Loads a remote AES-encrypted PE into memory, decrypts it and runs it
KUCSharedMemory
Kernel<->Usermode shared memory communication using a manually mapped driver
MalwareDev
Malware Snippets
TitanLdr
Titan: A crappy Reflective Loader written in C and assembly for Cobalt Strike. Redirects DNS Beacon over DoH
TrustedInstallerToken
Programmatically acquires a token with TrustedInstaller permissions without having to start the TrustedInstaller service and steal its token
benheise's Repositories
benheise/BlackLotus-1
BlackLotus UEFI Windows Bootkit
benheise/FilelessPELoader
Loads a remote AES-encrypted PE into memory, decrypts it and runs it
benheise/blacklotus
An attempt at replicating BLACKLOTUS capabilities, whilst not acting as a direct mimic.
benheise/bootdoor-1
An initial proof of concept of a bootkit based on Cr4sh's DMABackdoorBoot
benheise/CheckHooks-n-load
A Windows stager-cum-PELoader focusing on dynamic EDR evasion, for when the operator wants to know the underlying function hooks and then craft the implant based on that condition.
benheise/foliage-2
A proof of concept I developed to improve Gargoyle back in 2018 to achieve true memory obfuscation from position independent code
benheise/Spoofy
Spoofy is a program that checks if a list of domains can be spoofed based on SPF and DMARC records.
benheise/titanldr-ng
A newer iteration of TitanLdr with some newer hooks, and design. A generic user defined reflective DLL I built to prove a point to Mudge years ago.
benheise/Tokenizer
Kernel Mode Driver for Elevating Process Privileges
benheise/yetAnotherObfuscator
C# obfuscator that bypasses Windows Defender
benheise/Black-Angel-Rootkit
Black Angel is a Windows 11/10 x64 kernel mode rootkit. The rootkit can be loaded with DSE enabled while maintaining its full functionality.
benheise/bootlicker
A generic UEFI bootkit used to achieve initial usermode execution. It works with modifications.
benheise/CodeCave
A bunch of scripts and code I wrote.
benheise/Cronos-Rootkit
Cronos is a Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes, and to protect and elevate them with token manipulation.
benheise/CVE-2022-21894
baton drop (CVE-2022-21894): Secure Boot Security Feature Bypass Vulnerability
benheise/EntropyReducer
Reduce Entropy And Obfuscate Your Payload With Serialized Linked Lists
benheise/GhostTask
benheise/Havoc
The Havoc Framework
benheise/Marble
The CIA's Marble Framework is designed to allow for flexible and easy-to-use obfuscation when developing tools.
benheise/NativePayloads
All my Source Codes (Repos) for Red-Teaming & Pentesting + Blue Teaming
benheise/no-defender
A slightly more fun way to disable Windows Defender (through the WSC API).
benheise/nullmap
Using CVE-2023-21768 to manually map a kernel mode driver
benheise/Offensive-Rust
benheise/PEAs
benheise/PoolParty
A set of fully-undetectable process injection techniques abusing Windows Thread Pools
benheise/realoriginal-preboot
Experiment with d_olex's firmware, conducting a "preboot" attack
benheise/reveng_rtkit
Linux Loadable Kernel Module (LKM) based rootkit (ring-0), capable of hiding itself and processes/implants, rmmod proof, and able to bypass the infamous rkhunter antirootkit.
benheise/ThreadlessInject-BOF
BOF implementation of @_EthicalChaos_'s ThreadlessInject project. A novel process injection technique with no thread creation, released at BSides Cymru 2023.
benheise/touch-vtt
Introduces touch screen support to FoundryVTT
benheise/WMIProcessWatcher
A CIA tradecraft technique to asynchronously detect when a process is created using WMI.