This is your work, valued

Poland

hasherezade

Elite
@hasherezade

pe-sieve. Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

3.8k

pe-bear. Portable Executable reversing tool with a friendly GUI

3.7k

pe_to_shellcode. Converts PE into a shellcode

2.8k

hollows_hunter. Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

2.4k

malware_training_vol1. Materials for Windows Malware Analysis training (volume 1)

2.1k

tiny_tracer. A Pin Tool for tracing API calls etc

1.7k

libpeconv. A library to load, manipulate, dump PE files. See also: https://github.com/hasherezade/libpeconv_tpl

1.4k

exe_to_dll. Converts a EXE into DLL

1.4k

mal_unpack. Dynamic unpacker based on PE-sieve

818

dll_to_exe. Converts a DLL into EXE

814

demos. Demos of various injection techniques found in malware

786

pe-bear-releases. PE-bear (builds only)

779

process_ghosting. Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file

691

bearparser. Portable Executable parsing library (from PE-bear)

655

process_doppelganging. My implementation of enSilo's Process Doppelganging (PE injection technique)

648

transacted_hollowing. Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging

580

ida_ifl. IFL - Interactive Functions List (plugin for IDA Pro)

494

process_overwriting. Yet another variant of Process Hollowing

468

malware_analysis. Various snippets created during malware analysis

464

module_overloading. A more stealthy variant of "DLL hollowing"

366

thread_namecalling. Process Injection using Thread Name

310

IAT_patcher. Persistent IAT hooking application - based on bearparser

266

waiting_thread_hijacking. Waiting Thread Hijacking - injection by overwriting the return address of a waiting thread

264

chimera_pe. ChimeraPE (a PE injector type - alternative to: RunPE, ReflectiveLoader, etc) - a template for manual loading of EXE, loading imports payload-side

230

persistence_demos. Demos of various (also non standard) persistence methods used by malware

228

masm_shc. A helper utility for creating shellcodes. Cleans MASM file generated by MSVC, gives refactoring hints.

190

dll_injector. A simple commandline injector using classic DLL injection

158

shellconv. Small tool for disassembling shellcode (using objdump)

149

antianalysis_demos. Set of antianalysis techniques found in malware

133

password_scrambler. Password scrambler - a deterministic password re-generator (alternative to a password manager)

132

pe_unmapper. Small tool to convert beteween the PE alignments (raw and virtual).

116

process_chameleon. A process overwriting its own PEB to make an illusion that it has been loaded from a different path.

98

funky_malware_formats. Parsers for custom malware formats ("Funky malware formats")

97

crypto_utils. Set of my small utils related to cryptography, encoding, decoding etc

96

mal_unpack_drv. MalUnpack companion driver

96

ViDi. ViDi Visual Disassembler (experimental)

79

pe2pic. Small visualizator for PE files

70

petya_key. A decoder for Petya victim keys, using the Janus' masterkey.

62

pin_n_sieve. An experimental dynamic malware unpacker based on Intel Pin and PE-sieve

62

paramkit. A small library helping to parse commandline parameters (for C/C++)

60

hidden_bee_tools. Parser for a custom executable formats from Hidden Bee and Rhadamanthys malware

58

petya_recovery. Application for cracking Red Petya key based on genetic algorithms.

56

libpeconv_tpl. A ready-made template for a project based on libpeconv.

54

shellc_encoder. Standalone Metasploit-like XOR encoder for shellcode

52

pesieve-go. Golang bindings for PE-sieve

43

sig_finder. Signature finder (from PE-bear)

40

pe_utils. A set of small utilities, helpers for PIN tracers

40

mal_sort. Various scripts helpful in sorting collections of malware samples.

39

flareon2024. Python

39

flareon2019. Flare-On solutions

37

IAT_patcher_samples. Sample libraries to be used with IAT Patcher

37

mal_unpack_py. Python wrappers for mal_unpack

37

metasploit_modules. My metasploit modules

24

asm16_projects. My small projects writen in 16 bit asm (NOTE: those are my practice projects that I wrote when I was 15, I give no warranty for this code!)

22

loaderine. A demo implementation of a well-known technique used by some malware to evade userland hooking, using my library: libpeconv.

20

bunitu_tests. Scripts for communication with Bunitu Trojan C&Cs

19

7ev3n_decoders. Decoders for 7ev3n ransomware

17

drawings. Some of my drawings

12

libpeconv_demo. Demo projects and utilities made with the help of libPeConv

11

SweetDreams. Implementation of Advanced Module Stomping and Heap/Stack Encryption

10