Pinned Repositories
concealed_position
Bring your own print driver privilege escalation tool
GhidraSnippets
Python snippets for Ghidra's Program and Decompiler APIs
kdmapper
KDMapper is a simple tool that exploits the iqvw64e.sys Intel driver to manually map non-signed drivers in memory
kernel_callbacks
Bypasses for Windows kernel callbacks PatchGuard protection
mdm
Windows MDM Research Utilities
MDMatador
MDM-based Agentless C2 System
memhunter
Live hunting of code injection techniques
nanodump
Dump LSASS like you mean it
presentations
This is a curated collection of resources and materials from various talks, presentations, and workshops that I have conducted
sysmonx
SysmonX - An Augmented Drop-In Replacement of Sysmon
marcosd4h's Repositories
marcosd4h/nanodump
Dump LSASS like you mean it
marcosd4h/kdmapper
KDMapper is a simple tool that exploits the iqvw64e.sys Intel driver to manually map non-signed drivers in memory
marcosd4h/RefleXXion
RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks, it first collects the syscall numbers of the NtOpenFile, NtCreateSection, NtOpenSection and NtMapViewOfSection found in the LdrpThunkSignature array.
marcosd4h/knownDlls_Poison
marcosd4h/MalMemDetect
Detect strange memory regions and DLLs
marcosd4h/SinMapper
Usermode driver mapper that forcefully loads any signed kernel driver (legit cert) with a big enough section (example: .data, .rdata) to map your driver over. The main focus of this project is to prevent modern anti-cheats (BattlEye, EAC) from finding your driver and to have the power to hook anything, due to being inside of legit memory (signed legit driver).
marcosd4h/TokenStomp
C# implementation of the token privilege removal flaw discovered by @GabrielLandau/Elastic
marcosd4h/BackupOperatorToDA
From an account member of the group Backup Operators to Domain Admin without RDP or WinRM on the Domain Controller
marcosd4h/CandyPotato
Pure C++, weaponized, fully automated implementation of RottenPotatoNG
marcosd4h/capa-rules
Standard collection of rules for capa: the tool for enumerating the capabilities of programs
marcosd4h/exploitkitpub
marcosd4h/FindETWProviderImage
Quickly search for references to a GUID in DLLs, EXEs, and drivers
marcosd4h/Hunt-Sleeping-Beacons
Aims to identify sleeping beacons
marcosd4h/LiquidSnake
LiquidSnake is a tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript
marcosd4h/MalSeclogon
A little tool to play with the Seclogon service
marcosd4h/PDBRipper
PDBRipper is a utility for extracting information from PDB files.
marcosd4h/PR0CESS
Some gadgets for Windows processes, ready to use :)
marcosd4h/Privexec
Run the program with the specified permission level (C++17 required)
marcosd4h/process-governor
This application allows you to put various limits on a Windows process.
marcosd4h/RestrictedAdmin
Remotely enables Restricted Admin Mode
marcosd4h/shakeitoff
Windows LPE 0-day
marcosd4h/small
C++ small containers
marcosd4h/unDefender
Killing your preferred antimalware by abusing native symbolic links and NT paths.
marcosd4h/unicorn_pe
Unicorn PE is a Unicorn-based instrumentation project designed to emulate code execution for Windows PE files.
marcosd4h/windows-hardening-scripts
Windows 10/11 hardening scripts
marcosd4h/winrmdll
C++ WinRM API via Reflective DLL
marcosd4h/WinSys
C++ library for low-level Windows development
marcosd4h/WPBT-Builder
The simple UEFI application to create a Windows Platform Binary Table (WPBT) from the UEFI shell.
marcosd4h/xntsv
XNTSV program for detailed viewing of system structures for Windows.
marcosd4h/zerosharp
Demo of the potential of C# for systems programming with the .NET native ahead-of-time compilation technology.