whichbuffer

whichbuffer's Stars

• VirusTotal/yara

  The pattern matching swiss knife

  Language:C8.4k3181.1k1.5k

• Yara-Rules/rules

  Repository of yara rules

  Language:YARA4.2k3501931k

• CyberMonitor/APT_CyberCriminal_Campagin_Collections

  APT & CyberCriminal Campaign Collection

  Language:YARA3.8k46290943

• achillean/shodan-python

  The official Python library for Shodan

  Language:Python2.5k132142571

• optiv/Freeze

  Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods

  Language:Go1.4k2914183

• 0xnobody/vmpdump

  A dynamic VMP dumper and import fixer, powered by VTIL.

  Language:C++1.2k3926213

• signalapp/Signal-TLS-Proxy

  Language:Shell927340137

• kyleavery/AceLdr

  Cobalt Strike UDRL for memory scanner evasion.

  Language:C8921414161

• mgeeky/PackMyPayload

  A PoC that packages payloads into output containers to evade Mark-of-the-Web flag & demonstrate risks associated with container file formats. Supports: ZIP, 7zip, PDF, ISO, IMG, CAB, VHD, VHDX

  Language:Python879179138

• reversinglabs/reversinglabs-yara-rules

  ReversingLabs YARA Rules

  Language:YARA778740110

• mrexodia/dumpulator

  An easy-to-use library for emulating memory dumps. Useful for malware analysis (config extraction, unpacking) and dynamic analysis in general (sandboxing).

  Language:C758213144

• Idov31/Cronos

  PoC for a sleep obfuscation technique leveraging waitable timers to evade memory scanners.

  Language:C5669263

• GhostPack/Koh

  The Token Stealer

  Language:C#48710366

• rad9800/TamperingSyscalls

  Language:C++46411172

• Neo23x0/sysmon-config

  Sysmon configuration file template with default high-quality event tracing

  45838761

• WithSecureLabs/CallStackSpoofer

  A PoC implementation for spoofing arbitrary call stacks when making sys calls (e.g. grabbing a handle via NtOpenProcess)

  Language:C++4476163

• R3MRUM/PSDecode

  PowerShell script for deobfuscating encoded PowerShell scripts

  Language:PowerShell420231378

• kagurazakasanae/Mhyprot2DrvControl

  A lib that allows using mhyprot2 driver for enum process modules, r/w process memory and kill process.

  Language:C#3447585

• memN0ps/venom-rs

  Rusty Injection - Shellcode Reflective DLL Injection (sRDI) in Rust (Codename: Venom)

  Language:Rust3266041

• Kudaes/DInvoke_rs

  Dynamically invoke arbitrary unmanaged code

  Language:Rust3234640

• kkent030315/evil-mhyprot-cli

  A PoC for Mhyprot2.sys vulnerable driver that allowing read/write memory in kernel/user via unprivileged user process.

  Language:C++31911868

• NUL0x4C/KnownDllUnhook

  Replace the .txt section of the current loaded modules from \KnownDlls\ to bypass edrs

  Language:C2897039

• Kudaes/Dumpy

  Reuse open handles to dynamically dump LSASS.

  Language:Rust2355523

• huntandhackett/concealed_code_execution

  Tools and technical write-ups describing attacking techniques that rely on concealing code execution on Windows

  Language:C2006026

• janoglezcampos/rust_syscalls

  Single stub direct and indirect syscalling with runtime SSN resolving for windows.

  Language:Rust2003330

• mez-0/InMemoryNET

  Exploring in-memory execution of .NET

  Language:C++1345226

• sourceincite/DashOverride

  This is a pre-authenticated RCE exploit for VMware vRealize Operations Manager

  Language:Python484118

• crummie5/Freshycalls_PoC

  A simple dumper as FreshyCalls' PoC. That's what's trendy, isn't it? ¯\_(ツ)_/¯

  Language:C++39206

• c3rb3ru5d3d53c/signatures

  Community Detection Signature Build and Distribution Pipeline for YARA, Suricata, Snort and Sigma

  Language:Python272145

• CodeXTF2/evasion-adventures-files

  Slides and POC demo for my talk at Divizion Zero on EDR evasion titled "Evasion Adventures"

  Language:C++24307