NimDump - Stealthy LSASS Dumping Using Only NTAPIs in Nim
NimDump is a port of NativeDump written in Nim, designed to dump the LSASS process using only NTAPI functions.
Playing with malicious Network Provider DLLs
NPPSpy and NPPSPy2 are great tools to retrieve user credentials. In this repository, I will add some extra functionality to them, such as encryption and different exfiltration techniques.
NativeTokenImpersonate - Token Impersonation using only NTAPIs
Tool to impersonate users by stealing their tokens using only NTAPI functions. It supports two types of impersonation, one similar to CreateProcessWithToken and the other to ImpersonateLoggedOnUser.
NativeNtdllRemap - Stealthy ntdll.dll Remapping
Use only NTAPI functions to stealthily remap ntdll.dll from a clean .text section of a suspended process. This technique bypasses user-mode API monitoring and enhances evasion against security solutions.
RCE via malicious plugin in EMQX Dashboard
This is a malicious plugin for EMQX Dashboard which allows to execute commands remotely in versions below 5.8.6. Written in Erlang, it is based on one of the latest releases of the EMQX plugin template repository.
Exploring Crystal language
These days I decided to explore the Crystal programming language, a high-performance, statically-typed programming language with Ruby-inspired syntax. To do so, I decided to port NativeDump and TrickDump to it.
NativeBypassCredGuard - Bypass Credential Guard using only NTAPIs
NativeBypassCredGuard is a tool designed to bypass Credential Guard by patching WDigest.dll using only NTAPI functions (functions exported by ntdll.dll). It is available in two flavours: C# and C++.
FakeRebootAlert - Deceive users to reboot a system upon login
Windows Forms App designed to display a popup asking users to reboot their machine. It can be useful in scenarios where a system restart is necessary for changes to take effect, such as when modifications have been made to registry keys (e.g., Protected Process Light (PPL) settings).