This is your work, valued

TheWover

Elite
@TheWover

donut. Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters

4.7k

DInvoke. Dynamically invoke arbitrary unmanaged code from managed code without PInvoke.

788

CertStealer. A .NET tool for exporting and importing certificates without touching disk.

501

GhostLoader. GhostLoader - AppDomainManager - Injection - 攻壳机动队

172

EasyNet. Simple packer for arbitrary data using only .NET API calls. Produces a unique signature with every usage. Standalone program and library. Algorithm: Data <-> GZip <-> AES-256 <-> Base64.

93

Manager. Library of tools and examples for loading/bootstrapping managed code from unmanaged code in .NET

62

ModuleMonitor. Uses WMI Event Win32_ModuleLoadTrace to monitor module loading. Provides filters, and detailed data. Has an option to monitor for CLR Injection attacks.

42

donut-demos. Demos of Donut used in conferences, etc. Mostly for my use, but free for others to use as a reference.

30

AssemblyLoader. Loads .NET Assembly Via CLR Loader

17

ProcessManager. ps-like .NET Assembly for enumerating processes on the current machine or a remote machine.

13

AsyncRAT-VB.NET. Remote Administration Tool For Windows VB.NET

12

MemProcFS. MemProcFS (fork that allows reading dumps of the lsass process)

9

HVNC. HVNC for C# (from TinyNuke)

9

beercode. Free beerware-quality code in exchange for beer money (if you are so inclined). ;-)

8

TelemetrySourcerer. Enumerate and disable common sources of telemetry used by AV/EDR.

8

TheWover.github.io. Blog. Watch the repo to subscribe

7

PELoader. Load PE via XML Attribute

6

AsyncRAT-C-Sharp. Remote Administration Tool For Windows C#

6

LEOPARDSEAL. A simple Linux in-memory .so loader

5

LetMeowIn. A sophisticated, covert Windows-based credential dumper using C++ and MASM x64.

4

NativeDump. Dump lsass using only Native APIs by hand-crafting Minidump files (without MinidumpWriteDump!)

4

DotNetInjections. Loading Assemblies Into Processes, the All Natural Organic way

4

Ghost-In-The-Logs. Evade sysmon and windows event logging

4

DLLHijackTest. DLL and PowerShell script to assist with finding DLL hijacks

4

SharpSploit. SharpSploit is a .NET post-exploitation library written in C#

4

SharpRDP. Remote Desktop Protocol .NET Console Application for Authenticated Command Execution

4

Sharp-InvokeWMIExec. C#

3

RdpThief. Extracting Clear Text Passwords from mstsc.exe using API Hooking.

3

Windows-Internals. My repository to upload drivers from different books and all the information related to windows internals.

3

Family. Collection of Malware source code by Language and Family.

3

pinjectra. Pinjectra is a C/C++ OOP-like library that implements Process Injection techniques (with focus on Windows 10 64-bit)

3

Bleak. A Windows native DLL injection library written in C# that supports several methods of injection.

3

eBook-BypassingAVsByCSharp. eBook "Bypassing AVS by C#.NET Programming" (Free Chapters only)

3

APT_REPORT. Interesting apt report collection and some special ioc express

3

Driver-Template. Bare template for a Kernel Mode Driver

2

StandIn. StandIn is a small .NET35/45 AD post-exploitation toolkit

2

herpaderping. Process Herpaderping proof of concept, tool, and technical deep dive. Process Herpaderping bypasses security products by obscuring the intentions of a process.

2

Scripts. Small scripts that make life better

2

Koppeling. Adaptive DLL hijacking / dynamic export forwarding

2

community-threats. The largest, public library of adversary emulation plans in JSON. A place to share custom SCYTHE threats with the community. #ThreatThursday

2

winget-cli. Windows Package Manager CLI (aka winget)

2

Mandark. 💉 Tiny 64-bit RunPE written in C# 💉

2

SignatureKid. C++

2

TDL. Driver loader for bypassing Windows x64 Driver Signature Enforcement

2

spoofing-office-macro. :fish: PoC of a VBA macro spawning a process with a spoofed parent and command line.

2

self-morphing-csharp-binary. C# binary that mutates its own code, encrypts and obfuscates itself on runtime

2

Lunar. A lightweight native DLL mapping library that supports mapping directly from memory

2

SharPyShell. SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications

2

ReflectivePELoader. Reflective PE loader for DLL injection

2

AggressorScripts. Collection of Aggressor scripts for Cobalt Strike 3.0+ pulled from multiple sources

2

UEFIWriteCSharp. C#

1

CVE-2025-24813-PoC. Apache Tomcat 远程代码执行漏洞批量检测脚本(CVE-2025-24813)

1

AllTheThingsExec. Executes Blended Managed/Unmanged Exports

1

Vx-Engines. Collection of source code for Polymorphic, Metamorphic, and Permutation Engines used in Malware

1

Covenant. Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.

1

SharpKatz. Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands

1

Empire. Empire is a PowerShell and Python 3.x post-exploitation framework.

1