donut. Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
4.7kDInvoke. Dynamically invoke arbitrary unmanaged code from managed code without PInvoke.
788CertStealer. A .NET tool for exporting and importing certificates without touching disk.
501GhostLoader. GhostLoader - AppDomainManager - Injection - 攻壳机动队
172EasyNet. Simple packer for arbitrary data using only .NET API calls. Produces a unique signature with every usage. Standalone program and library. Algorithm: Data <-> GZip <-> AES-256 <-> Base64.
93Manager. Library of tools and examples for loading/bootstrapping managed code from unmanaged code in .NET
62ModuleMonitor. Uses WMI Event Win32_ModuleLoadTrace to monitor module loading. Provides filters, and detailed data. Has an option to monitor for CLR Injection attacks.
42donut-demos. Demos of Donut used in conferences, etc. Mostly for my use, but free for others to use as a reference.
30AssemblyLoader. Loads .NET Assembly Via CLR Loader
17ProcessManager. ps-like .NET Assembly for enumerating processes on the current machine or a remote machine.
13AsyncRAT-VB.NET. Remote Administration Tool For Windows VB.NET
12MemProcFS. MemProcFS (fork that allows reading dumps of the lsass process)
9HVNC. HVNC for C# (from TinyNuke)
9beercode. Free beerware-quality code in exchange for beer money (if you are so inclined). ;-)
8TelemetrySourcerer. Enumerate and disable common sources of telemetry used by AV/EDR.
8TheWover.github.io. Blog. Watch the repo to subscribe
7PELoader. Load PE via XML Attribute
6AsyncRAT-C-Sharp. Remote Administration Tool For Windows C#
6LEOPARDSEAL. A simple Linux in-memory .so loader
5LetMeowIn. A sophisticated, covert Windows-based credential dumper using C++ and MASM x64.
4NativeDump. Dump lsass using only Native APIs by hand-crafting Minidump files (without MinidumpWriteDump!)
4DotNetInjections. Loading Assemblies Into Processes, the All Natural Organic way
4Ghost-In-The-Logs. Evade sysmon and windows event logging
4DLLHijackTest. DLL and PowerShell script to assist with finding DLL hijacks
4SharpSploit. SharpSploit is a .NET post-exploitation library written in C#
4SharpRDP. Remote Desktop Protocol .NET Console Application for Authenticated Command Execution
4Sharp-InvokeWMIExec. C#
3RdpThief. Extracting Clear Text Passwords from mstsc.exe using API Hooking.
3Windows-Internals. My repository to upload drivers from different books and all the information related to windows internals.
3Family. Collection of Malware source code by Language and Family.
3pinjectra. Pinjectra is a C/C++ OOP-like library that implements Process Injection techniques (with focus on Windows 10 64-bit)
3Bleak. A Windows native DLL injection library written in C# that supports several methods of injection.
3eBook-BypassingAVsByCSharp. eBook "Bypassing AVS by C#.NET Programming" (Free Chapters only)
3APT_REPORT. Interesting apt report collection and some special ioc express
3Driver-Template. Bare template for a Kernel Mode Driver
2StandIn. StandIn is a small .NET35/45 AD post-exploitation toolkit
2herpaderping. Process Herpaderping proof of concept, tool, and technical deep dive. Process Herpaderping bypasses security products by obscuring the intentions of a process.
2Scripts. Small scripts that make life better
2Koppeling. Adaptive DLL hijacking / dynamic export forwarding
2community-threats. The largest, public library of adversary emulation plans in JSON. A place to share custom SCYTHE threats with the community. #ThreatThursday
2winget-cli. Windows Package Manager CLI (aka winget)
2Mandark. 💉 Tiny 64-bit RunPE written in C# 💉
2SignatureKid. C++
2TDL. Driver loader for bypassing Windows x64 Driver Signature Enforcement
2spoofing-office-macro. :fish: PoC of a VBA macro spawning a process with a spoofed parent and command line.
2self-morphing-csharp-binary. C# binary that mutates its own code, encrypts and obfuscates itself on runtime
2Lunar. A lightweight native DLL mapping library that supports mapping directly from memory
2SharPyShell. SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications
2ReflectivePELoader. Reflective PE loader for DLL injection
2AggressorScripts. Collection of Aggressor scripts for Cobalt Strike 3.0+ pulled from multiple sources
2UEFIWriteCSharp. C#
1CVE-2025-24813-PoC. Apache Tomcat 远程代码执行漏洞批量检测脚本(CVE-2025-24813)
1AllTheThingsExec. Executes Blended Managed/Unmanged Exports
1Vx-Engines. Collection of source code for Polymorphic, Metamorphic, and Permutation Engines used in Malware
1Covenant. Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.
1SharpKatz. Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands
1Empire. Empire is a PowerShell and Python 3.x post-exploitation framework.
1