Nim-RunPE – A Nim Implementation Of Reflective PE-Loading From Memory

A Nim implementation of reflective PE-Loading from memory. The base for this code was taken from RunPE-In-Memory – which I ported to Nim. You’ll need to install the following dependencies: nimble install ptr_math winim I did test this with Nim Version 1.6.2 only, so use that version for testing or I cannot guarantee no errorsRead More

Masky – Python Library With CLI Allowing To Remotely Dump Domain User Credentials Via An ADCS Without Dumping The LSASS Process Memory

Masky is a python library providing an alternative way to remotely dump domain users’ credentials thanks to an ADCS. A command line tool has been built on top of this library in order to easily gather PFX, NT hashes and TGT on a larger scope. This tool does not exploit any new vulnerability and doesRead More

Rip Raw – Small Tool To Analyse The Memory Of Compromised Linux Systems

Rip Raw is a small tool to analyse the memory of compromised Linux systems. It is similar in purpose to Bulk Extractor, but particularly focused on extracting system Logs from memory dumps from Linux systems. This enables you to analyse systems without needing to generate a profile. This is not a replacement for tools suchRead More

Autotimeliner – Automagically Extract Forensic Timeline From Volatile Memory Dump

Automagically extract forensic timeline from volatile memory dumps. Requirements Python 3 Volatility mactime (from SleuthKit) (Developed and tested on Debian 9.6 with Volatility 2.6-1 and sleuthkit 4.4.0-5) How it works AutoTimeline automates this workflow: Identify correct volatility profile for the memory image. Runs the timeliner plugin against volatile memory dump using volatility. Runs the mftparserRead More

ThreadStackSpoofer – PoC For An Advanced In-Memory Evasion Technique Allowing To Better Hide Injected Shellcode’S Memory Allocation From Scanners And Analysts

[*] A PoC implementation for an advanced in-memory evasion technique that spoofs Thread Call Stack. This technique allows to bypass thread-based memory examination rules and better hide shellcodes while in-process memory. Intro This is an example implementation for Thread Stack Spoofing technique aiming to evade Malware Analysts, AVs and EDRs looking for references to shellcode’sRead More

Process-Dump – Windows Tool For Dumping Malware PE Files From Memory Back To Disk For Analysis

Process Dump is a Windows reverse-engineering command-line tool to dump malware memory components back to disk for analysis. Often malware files are packed and obfuscated before they are executed in order to avoid AV scanners, however when these files are executed they will often unpack or inject a clean version of the malware code inRead More

CSIRT-Collect – PowerShell Script To Collect Memory And (Triage) Disk Forensics

A PowerShell script to collect memory and (triage) disk forensics for incident response investigations. The script leverages a network share, from which it will access and copy the required executables and subsequently upload the acquired evidence to the same share post-collection. Permission requirements for said directory will be dependent on the nuances of the environmentRead More

Injector – Complete Arsenal Of Memory Injection And Other Techniques For Red-Teaming In Windows

Complete Arsenal of Memory injection and other techniques for red-teaming in Windows What does Injector do? Process injection support for shellcode located at remote server as well as local storage. Just specify the shellcode file and it will do the rest. It will by default inject into notepad.exe and if not found, it will createRead More

FRIDA-DEXDump – Fast Search And Dump Dex On Memory

Features support fuzzy search broken header dex. fix struct data of dex-header. compatible with all android version(frida supported). support loading as objection plugin ~ pypi package has been released ~ Requires frida: pip install frida [optional] click pip install click Installation From pypi pip3 install frida-dexdumpfrida-dexdump -h From source git clone FRIDA-DEXDump/frida-dexdumppython3 -hRead More

Squalr – Squalr Memory Editor – Game Hacking Tool Written In C#

Squalr Official Website Join us on our Discord Channel Squalr is performant Memory Editing software that allows users to create and share cheats in their windows desktop games. This includes memory scanning, pointers, x86/x64 assembly injection, and so on. Squalr achieves fast scans through multi-threading combined with SIMD instructions. See this article: SIMD in .NET.Read More