This is your work, valued
pe-sieve. Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
3.8kpe-bear. Portable Executable reversing tool with a friendly GUI
3.7kpe_to_shellcode. Converts PE into a shellcode
2.8khollows_hunter. Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
2.4kmalware_training_vol1. Materials for Windows Malware Analysis training (volume 1)
2.1ktiny_tracer. A Pin Tool for tracing API calls etc
1.7klibpeconv. A library to load, manipulate, dump PE files. See also: https://github.com/hasherezade/libpeconv_tpl
1.4kexe_to_dll. Converts a EXE into DLL
1.4kmal_unpack. Dynamic unpacker based on PE-sieve
818dll_to_exe. Converts a DLL into EXE
814demos. Demos of various injection techniques found in malware
786pe-bear-releases. PE-bear (builds only)
779process_ghosting. Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file
691bearparser. Portable Executable parsing library (from PE-bear)
655process_doppelganging. My implementation of enSilo's Process Doppelganging (PE injection technique)
648transacted_hollowing. Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging
580ida_ifl. IFL - Interactive Functions List (plugin for IDA Pro)
494process_overwriting. Yet another variant of Process Hollowing
468malware_analysis. Various snippets created during malware analysis
464module_overloading. A more stealthy variant of "DLL hollowing"
366thread_namecalling. Process Injection using Thread Name
310IAT_patcher. Persistent IAT hooking application - based on bearparser
266waiting_thread_hijacking. Waiting Thread Hijacking - injection by overwriting the return address of a waiting thread
264chimera_pe. ChimeraPE (a PE injector type - alternative to: RunPE, ReflectiveLoader, etc) - a template for manual loading of EXE, loading imports payload-side
230persistence_demos. Demos of various (also non standard) persistence methods used by malware
228masm_shc. A helper utility for creating shellcodes. Cleans MASM file generated by MSVC, gives refactoring hints.
190dll_injector. A simple commandline injector using classic DLL injection
158shellconv. Small tool for disassembling shellcode (using objdump)
149antianalysis_demos. Set of antianalysis techniques found in malware
133password_scrambler. Password scrambler - a deterministic password re-generator (alternative to a password manager)
132pe_unmapper. Small tool to convert beteween the PE alignments (raw and virtual).
116process_chameleon. A process overwriting its own PEB to make an illusion that it has been loaded from a different path.
98funky_malware_formats. Parsers for custom malware formats ("Funky malware formats")
97crypto_utils. Set of my small utils related to cryptography, encoding, decoding etc
96mal_unpack_drv. MalUnpack companion driver
96ViDi. ViDi Visual Disassembler (experimental)
79pe2pic. Small visualizator for PE files
70petya_key. A decoder for Petya victim keys, using the Janus' masterkey.
62pin_n_sieve. An experimental dynamic malware unpacker based on Intel Pin and PE-sieve
62paramkit. A small library helping to parse commandline parameters (for C/C++)
60hidden_bee_tools. Parser for a custom executable formats from Hidden Bee and Rhadamanthys malware
58petya_recovery. Application for cracking Red Petya key based on genetic algorithms.
56libpeconv_tpl. A ready-made template for a project based on libpeconv.
54shellc_encoder. Standalone Metasploit-like XOR encoder for shellcode
52pesieve-go. Golang bindings for PE-sieve
43sig_finder. Signature finder (from PE-bear)
40pe_utils. A set of small utilities, helpers for PIN tracers
40mal_sort. Various scripts helpful in sorting collections of malware samples.
39flareon2024. Python
39flareon2019. Flare-On solutions
37IAT_patcher_samples. Sample libraries to be used with IAT Patcher
37mal_unpack_py. Python wrappers for mal_unpack
37metasploit_modules. My metasploit modules
24asm16_projects. My small projects writen in 16 bit asm (NOTE: those are my practice projects that I wrote when I was 15, I give no warranty for this code!)
22loaderine. A demo implementation of a well-known technique used by some malware to evade userland hooking, using my library: libpeconv.
20bunitu_tests. Scripts for communication with Bunitu Trojan C&Cs
197ev3n_decoders. Decoders for 7ev3n ransomware
17drawings. Some of my drawings
12libpeconv_demo. Demo projects and utilities made with the help of libPeConv
11SweetDreams. Implementation of Advanced Module Stomping and Heap/Stack Encryption
10