Heap_Detective – The Simple Way To Detect Heap Memory Pitfalls In C++ And C

This tool uses the taint analysis technique for static analysis and aims to identify points of heap memory usage vulnerabilities in C and C++ languages. The tool uses a common approach in the first phase of static analysis, using tokenization to collect information. The second phase has a different approach to common lessons of the

AceLdr – Cobalt Strike UDRL For Memory Scanner Evasion

A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect. Features: Easy to Use: Import a single CNA script before generating shellcode. Dynamic Memory Encryption: Creates a new heap for any allocations from Beacon and encrypts entries before sleep. Code Obfuscation and Encryption: Changes the memory containing

MSMAP – Memory WebShell Generator

Msmap is a Memory WebShell Generator. Compatible with various Containers, Components, Encoders, WebShells / Proxies / Killers and Management Clients. (See also: The idea behind I, The idea behind II.) Functions: Dynamic Menu, Automatic Compilation, Generate Script, Lite Mode, Graphical Interface. Containers: Java (Tomcat7, Tomcat8, Tomcat9, Tomcat10, Resin3, Resin4, WebSphere, GlassFish, WebLogic, JBoss, Spring, Netty, JVM*)

Dismember – Scan Memory For Secrets And More

Dismember is a command-line toolkit for Linux that can be used to scan the memory of all processes (or particular ones) for common secrets and custom regular expressions, among other things. It will eventually become a full /proc toolkit. Using the grep command, it can match a regular expression across all memory for all (accessible)

Collect-MemoryDump – Automated Creation Of Windows Memory Snapshots For DFIR

Collect-MemoryDump.ps1 is a PowerShell script used to collect a Memory Snapshot from a live Windows system (in a forensically sound manner). Features: Checks for Hostname and Physical Memory Size before starting memory acquisition; Checks if you have enough free disk space to save the memory dump file

Nim-RunPE – A Nim Implementation Of Reflective PE-Loading From Memory

A Nim implementation of reflective PE-Loading from memory. The base for this code was taken from RunPE-In-Memory – which I ported to Nim. You'll need to install the following dependencies: nimble install ptr_math winim. I did test this with Nim Version 1.6.2 only, so use that version for testing or I cannot guarantee no errors

Masky – Python Library With CLI Allowing To Remotely Dump Domain User Credentials Via An ADCS Without Dumping The LSASS Process Memory

Masky is a Python library providing an alternative way to remotely dump domain users' credentials thanks to an ADCS. A command line tool has been built on top of this library in order to easily gather PFX, NT hashes and TGT on a larger scope. This tool does not exploit any new vulnerability and does

Rip Raw – Small Tool To Analyse The Memory Of Compromised Linux Systems

Rip Raw is a small tool to analyse the memory of compromised Linux systems. It is similar in purpose to Bulk Extractor, but particularly focused on extracting system logs from memory dumps from Linux systems. This enables you to analyse systems without needing to generate a profile. This is not a replacement for tools such

Autotimeliner – Automagically Extract Forensic Timeline From Volatile Memory Dump

Automagically extract a forensic timeline from volatile memory dumps. Requirements: Python 3, Volatility, mactime (from SleuthKit). (Developed and tested on Debian 9.6 with Volatility 2.6-1 and sleuthkit 4.4.0-5.) How it works: AutoTimeline automates this workflow: (1) identify the correct Volatility profile for the memory image; (2) run the timeliner plugin against the volatile memory dump using Volatility; (3) run the mftparser

ThreadStackSpoofer – PoC For An Advanced In-Memory Evasion Technique Allowing To Better Hide Injected Shellcode's Memory Allocation From Scanners And Analysts

A PoC implementation for an advanced in-memory evasion technique that spoofs the Thread Call Stack. This technique allows bypassing thread-based memory examination rules and better hiding shellcode while it is in process memory. Intro: This is an example implementation of the Thread Stack Spoofing technique, aiming to evade Malware Analysts, AVs and EDRs looking for references to the shellcode's