Exploring Crystal language
These days I decided to explore the Crystal programming language, a high-performance, statically-typed programming language with Ruby-inspired syntax. To do so, I decided to port NativeDump and TrickDump to it.
NativeBypassCredGuard - Bypass Credential Guard using only NTAPIs
NativeBypassCredGuard is a tool designed to bypass Credential Guard by patching WDigest.dll using only NTAPI functions (functions exported by ntdll.dll). It is available in two flavours: C# and C++.
FakeRebootAlert - Deceive users to reboot a system upon login
Windows Forms App designed to display a popup asking users to reboot their machine. It can be useful in scenarios where a system restart is necessary for changes to take effect, such as when modifications have been made to registry keys (e.g., Protected Process Light (PPL) settings).
TrickDump update - BOF File and C/C++ ports
Updating TrickDump and creating a BOF File.
NativeDump update - BOF File and C/C++ ports
Updating NativeDump and creating a BOF File.
TrickDump - Dump lsass without generating a Minidump file
TrickDump allows to dump the lsass process without generating a Minidump file, generating instead three JSON files and one zip file with memory regions’ dumps.
NativeDump update - Python and Golang ports
NativeDump allows to dump the lsass process using only NTAPIs. The original project is written in .NET and has been ported to Python and Golang, allowing file exfiltration and 3 methods for ntdll overwrite (both optional).