This is your work, valued

London

Lloyd Davies

Expert
@LloydLabs

๐Ÿฅธ

delete-self-poc. A way to delete a locked file, or current running executable, on disk.

619

wsb-detect. wsb-detect enables you to detect if you are running in Windows Sandbox ("WSB")

373

ntqueueapcthreadex-ntdll-gadget-injection. This novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by passing a random pop r32; ret gadget can be used for stealthy code injection.

266

Windows-API-Hashing. This is a simple example and explanation of obfuscating API resolution via hashing

239

shellcode-plain-sight. Hiding shellcode in plain sight within a large memory region. Inspired by technique used by Raspberry Robin's Roshtyak

211

elf-strings. elf-strings will programmatically read an ELF binary's string sections within a given binary. This is meant to be much like the strings UNIX utility, however is purpose built for ELF binaries.

140

dearg-thread-ipc-stealth. A novel technique to communicate between threads using the standard ETHREAD structure

116

process-enumeration-stealth. C

84

librini. Rini is a tiny, non-libc dependant, .ini file parser programmed from scratch in C99.

31

go-malwarebazaar. MalwareBazaar public API bindings for Go

8

sgrm-research. Repository to compliment my blog post on System Guard Runtime Monitor

5

pefile. pefile is a Python module to read and work with PE (Portable Executable) files

2

pafish-macos. A macOS pafish-like port to detect analysis/virtual environments

2

yara. The pattern matching swiss knife

1