delete-self-poc. A way to delete a locked file, or current running executable, on disk.
619wsb-detect. wsb-detect enables you to detect if you are running in Windows Sandbox ("WSB")
373ntqueueapcthreadex-ntdll-gadget-injection. This novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by passing a random pop r32; ret gadget can be used for stealthy code injection.
266Windows-API-Hashing. This is a simple example and explanation of obfuscating API resolution via hashing
239shellcode-plain-sight. Hiding shellcode in plain sight within a large memory region. Inspired by technique used by Raspberry Robin's Roshtyak
211elf-strings. elf-strings will programmatically read an ELF binary's string sections within a given binary. This is meant to be much like the strings UNIX utility, however is purpose built for ELF binaries.
140dearg-thread-ipc-stealth. A novel technique to communicate between threads using the standard ETHREAD structure
116process-enumeration-stealth. C
84librini. Rini is a tiny, non-libc dependant, .ini file parser programmed from scratch in C99.
31go-malwarebazaar. MalwareBazaar public API bindings for Go
8sgrm-research. Repository to compliment my blog post on System Guard Runtime Monitor
5pefile. pefile is a Python module to read and work with PE (Portable Executable) files
2pafish-macos. A macOS pafish-like port to detect analysis/virtual environments
2yara. The pattern matching swiss knife
1