benheise

ANGRYORCHARD

A kernel exploit leveraging NtUserHardErrorControl to elevate a thread to KernelMode and achieve arbitrary kernel R/W & more.

APCLdr

Payload Loader With Evasion Features

BlackLotus-1

BlackLotus UEFI Windows Bootkit

bootdoor

Former UEFI Firmware Rootkit Replicating MoonBounce / ESPECTRE

bootkit

UEFI bootkit: Hardware Implant. In-Progress

FilelessPELoader

Loading Remote AES Encrypted PE in memory , Decrypted it and run it

KUCSharedMemory

Kernel<->Usermode shared memory communcation using manually mapped driver

MalwareDev

Malware Snippets

TitanLdr

Titan: A crappy Reflective Loader written in C and assembly for Cobalt Strike. Redirects DNS Beacon over DoH

TrustedInstallerToken

Programatically acquires a token with TrustedInstaller permissions without having to start the TrustedInstaller service and steal its token

benheise/BlackLotus-1

BlackLotus UEFI Windows Bootkit

benheise/FilelessPELoader

Loading Remote AES Encrypted PE in memory , Decrypted it and run it

benheise/blacklotus

A attempt at replicating BLACKLOTUS capabilities, whilst not acting as a direct mimic.

benheise/bootdoor-1

An initial proof of concept of a bootkit based on Cr4sh's DMABackdoorBoot

benheise/CheckHooks-n-load

A Windows stager-cum-PELoader focusing Dynamic EDR Evasion, when Operator wants to Know the the Underlying functions Hooks and then craft Implant based on the previous condition.

benheise/foliage-2

A proof of concept I developed to improve Gargoyle back in 2018 to achieve true memory obfuscation from position independent code

benheise/Spoofy

Spoofy is a program that checks if a list of domains can be spoofed based on SPF and DMARC records.

benheise/titanldr-ng

A newer iteration of TitanLdr with some newer hooks, and design. A generic user defined reflective DLL I built to prove a point to Mudge years ago.

benheise/Tokenizer

Kernel Mode Driver for Elevating Process Privileges

benheise/yetAnotherObfuscator

C# obfuscator that bypass windows defender

benheise/Black-Angel-Rootkit

Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality.

benheise/bootlicker

A generic UEFI bootkit used to achieve initial usermode execution. It works with modifications.

benheise/CodeCave

A bunch of scripts and code i wrote.

benheise/Cronos-Rootkit

Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes, protect and elevate them with token manipulation.

benheise/CVE-2022-21894

baton drop (CVE-2022-21894): Secure Boot Security Feature Bypass Vulnerability

benheise/EntropyReducer

Reduce Entropy And Obfuscate Youre Payload With Serialized Linked Lists

benheise/GhostTask

benheise/Havoc

The Havoc Framework

benheise/Marble

The CIA's Marble Framework is designed to allow for flexible and easy-to-use obfuscation when developing tools.

benheise/NativePayloads

All my Source Codes (Repos) for Red-Teaming & Pentesting + Blue Teaming

benheise/no-defender

A slightly more fun way to disable windows defender. (through the WSC api)

benheise/nullmap

Using CVE-2023-21768 to manual map kernel mode driver

benheise/Offensive-Rust

benheise/PEAs

benheise/PoolParty

A set of fully-undetectable process injection techniques abusing Windows Thread Pools

benheise/realoriginal-preboot

Experiment with d_olex's firmware and conducting "preboot" attack

benheise/reveng_rtkit

Linux Loadable Kernel Module (LKM) based rootkit (ring-0), capable of hiding itself, processes/implants, rmmod proof, has ability to bypass infamous rkhunter antirootkit.

benheise/ThreadlessInject-BOF

BOF implementation of @_EthicalChaos_'s ThreadlessInject project. A novel process injection technique with no thread creation, released at BSides Cymru 2023.

benheise/touch-vtt

Introduces touch screen support to FoundryVTT

benheise/WMIProcessWatcher

A CIA tradecraft technique to asynchronously detect when a process is created using WMI.