Security Researcher at Check Point (Former Forensic+Malware Analyst & Reverse Engineer - Military CERT)
Malware-analysis-and-Reverse-engineering. Some of my publicly available Malware analysis and Reverse engineering.
953IDA_PHNT_TYPES. Converted phnt (Native API header files from the System Informer project) to IDA TIL, IDC (Hex-Rays).
171EXE-or-DLL-or-ShellCode. Just a simple silly PoC demonstrating executable "exe" file that can be used like exe, dll or shellcode...
170ConfuserEx2_String_Decryptor. ConfuserEx2 String Decryptor & Full Deobfuscation Guide
103ghidra_scripts. Python
74sc2pe. Simple dotnet Native AOT app that uses AsmResolver to convert shellcode to PE
66Get-PDInvokeImports. Get-PDInvokeImports is tool (PowerShell module) which is able to perform automatic detection of P/Invoke, Dynamic P/Invoke and D/Invoke usage in assembly. Showing all locations from where they are referenced and Exports all to DnSpy_Bookmarks.xml
54Invoke-DetectItEasy. Invoke-DetectItEasy is a wrapper for excelent tool called Detect-It-Easy. This PS module is very useful for Threat Hunting and Forensics.
30Python3---Binary-Data-Manipulation. Python 3 - Manipulation and conversation with different data type (Bytes operations)
28Get-UnJlaive. Get-UnJlaive is tool which is able to reconstruct Jlaive (.NET Antivirus Evasion Tool (Exe2Bat)) to original Assembly and stub Assembly.
22CAPA_JsonConver. Converts exported results of CAPA tool from .json format to another formats supporting by different tools.
22CrackMe-Examples. Some of CrackMes made by me :)
18tiny_tracer_tag_to_cutter. Python
17VoiceC2_POC. Simple POC of Voice C2 using Speech Recognition
13Powershell-Tools. Collection of some easy of use tools - in powershell.
10sc2elf. Simple dotnet Native AOT app that uses LibObjectFile to convert shellcode to ELF
10Jlaive. .NET Antivirus Evasion Tool (Exe2Bat)
9Malware_TEMP. Temp files related to MA and RE
8Go_CrackMe. Little Reversing CrackMe written in GO
7capa. The FLARE team's open-source tool to identify capabilities in executable files.
5ghidra_scripts-1. Scripts for the Ghidra software reverse engineering suite.
4de4dot-cex. 📦 de4dot deobfuscator with full support for vanilla ConfuserEx
4AntiCrack-DotNet. .NET Project containing plenty of advanced techniques to detect various types of malicious actions on your software, with syscall support.
3minhook. The Minimalistic x86/x64 API Hooking Library for Windows
3process_overwriting. Yet another variant of Process Hollowing
3.NET-Deobfuscator. Lists of .NET Deobfuscator and Unpacker (Open Source)
3practical-python. Practical Python Programming (course by @dabeaz)
3tiny_tracer. A Pin Tool for tracing API calls etc
3de4dot. .NET deobfuscator and unpacker.
3VMPImportFixer. Fix VMProtect Import Protection
2SysmonTools. Utilities for Sysmon
2dp701. Dark theme for IDA Pro
2x64dbg---Dark-Theme. Alternative to x64dbg build in dark theme.
2hollows_hunter. Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
2CrossInject. 32 bit process inject shellcode to 32 bit process and 64 bit process
2apiscout. This project aims at simplifying Windows API import recovery on arbitrary memory dumps
2sandbox-attacksurface-analysis-tools. Set of tools to analyze Windows sandboxes for exposed attack surface.
2IDAPython-Malware-Scripts. Python
2pe-sieve. Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
2EDR-Freeze. EDR-Freeze is a tool that puts a process of EDR, AntiMalware into a coma state.
1signify. Module to generate and verify PE signatures
1FuncScanner. Collects extended function properties from IDA Pro databases
1idascope. An IDA Pro extension for easier (malware) reverse engineering
1SecHex-Spoofy. C# HWID Changer 🔑︎ Disk, Guid, Mac, Gpu, Pc-Name, Win-ID, EFI, SMBIOS Spoofing [Usermode]
1hrtng. IDA Pro plugin with a rich set of features: decryption, deobfuscation, patching, lib code recognition and various pseudocode transformations
1ghidra-nativeaot. Ghidra .NET Native AOT Analyzer Plugin
1dumbassembly. version 0.5.8
1dnSpy. .NET debugger and assembly editor
1SigFlip. SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys ..etc) without invalidating or breaking the existing signature.
1phnt-single-header. Single header version of System Informer's phnt library.
1RETools. My reversing tools. Some custom, some not.
1