This tool uses the taint analysis technique for static analysis and aims to identify points of heap memory usage vulnerabilities in C and C++ languages. The tool uses a common approach in the first phase of static analysis, using tokenization to collect information. The second phase has a different approach to common lessons of theRead More
A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect. Features Easy to Use Import a single CNA script before generating shellcode. Dynamic Memory Encryption Creates a new heap for any allocations from Beacon and encrypts entries before sleep. Code Obfuscation and Encryption Changes the memory containingRead More
Msmap is a Memory WebShell Generator. Compatible with various Containers, Components, Encoder, WebShell / Proxy / Killer and Management Clients. 简体中文 The idea behind I, The idea behind II Function Dynamic Menu Automatic Compilation Generate Script Lite Mode Graphical Interface Container Java Tomcat7 Tomcat8 Tomcat9 Tomcat10 Resin3 Resin4 WebSphere GlassFish WebLogic JBoss Spring Netty JVM*Read More
Dismember is a command-line toolkit for Linux that can be used to scan the memory of all processes (or particular ones) for common secrets and custom regular expressions, among other things. It will eventually become a full /proc toolkit. Using the grep command, it can match a regular expression across all memory for all (accessible)Read More
Collect-MemoryDump – Automated Creation of Windows Memory Snapshots for DFIR Collect-MemoryDump.ps1 is PowerShell script utilized to collect a Memory Snapshot from a live Windows system (in a forensically sound manner). Features: Checks for Hostname and Physical Memory Size before starting memory acquisition Checks if you have enough free disk space to save memory dump fileRead More
A Nim implementation of reflective PE-Loading from memory. The base for this code was taken from RunPE-In-Memory – which I ported to Nim. You’ll need to install the following dependencies: nimble install ptr_math winim I did test this with Nim Version 1.6.2 only, so use that version for testing or I cannot guarantee no errorsRead More
Masky is a python library providing an alternative way to remotely dump domain users’ credentials thanks to an ADCS. A command line tool has been built on top of this library in order to easily gather PFX, NT hashes and TGT on a larger scope. This tool does not exploit any new vulnerability and doesRead More
Rip Raw is a small tool to analyse the memory of compromised Linux systems. It is similar in purpose to Bulk Extractor, but particularly focused on extracting system Logs from memory dumps from Linux systems. This enables you to analyse systems without needing to generate a profile. This is not a replacement for tools suchRead More
Automagically extract forensic timeline from volatile memory dumps. Requirements Python 3 Volatility mactime (from SleuthKit) (Developed and tested on Debian 9.6 with Volatility 2.6-1 and sleuthkit 4.4.0-5) How it works AutoTimeline automates this workflow: Identify correct volatility profile for the memory image. Runs the timeliner plugin against volatile memory dump using volatility. Runs the mftparserRead More
[*] A PoC implementation for an advanced in-memory evasion technique that spoofs Thread Call Stack. This technique allows to bypass thread-based memory examination rules and better hide shellcodes while in-process memory. Intro This is an example implementation for Thread Stack Spoofing technique aiming to evade Malware Analysts, AVs and EDRs looking for references to shellcode’sRead More
