Reverse Engineering
Our efforts in reverse engineering aid in identifying vulnerabilities, understanding threats, and formulating robust defense mechanisms, making it integral to maintaining a secure and resilient digital environment.
Our focus in malware research involves dissecting and understanding the operation of malicious software. By documenting their behavior and impact, we provide crucial insights that aid in devising effective defensive strategies, contributing to a better understanding and stronger defense against emerging cyber threats.
We offer penetration testing services, identifying vulnerabilities by simulating real-world attacks on your digital infrastructure. Our process uncovers potential threats, providing actionable insights for improved security measures, ensuring robust defense and resilience for your business operations.
Our involvement in open-source focuses on offensive security techniques and tools. We utilize and contribute to community-driven projects. This collaborative approach promotes innovative solutions, ultimately strengthening defense against evolving cyber threats.
New code snippet that demonstrates how malware authors create self-deleting applications. This technique relies on an external command line interpreter process that attempts to delete the malware sample once the sample process has terminated.
1 year, 3 months ago
FastResize option was removed.
1 year, 6 months ago
The purpose of this tool is to allow users to run applications with system-level privileges in the context of their current active Windows session, using only the Microsoft Windows Task Scheduler.
Unlike other common tools, this technique does not require any external software or services, and can be easily configured to launch the system terminal and run the desired application within the current session. This allows users to access system-level functionality and interact with the application in real time.
1 year, 6 months ago
Invoke-RemoteDesktopServer error fixed during module import.
1 year, 7 months ago
PowerRunAsAttached is a ported version of RunAsAttached in pure PowerShell.
1 year, 7 months ago
PowerBruteLogon is a ported version of WinBruteLogon in pure PowerShell.
1 year, 7 months ago
CTRL+C
SecureString for authentication password.
1 year, 7 months ago
TransportMode option removed.
1 year, 8 months ago
SecureString to handle password.
1 year, 8 months ago
Power Remote Desktop is a powerful and easy-to-use remote desktop application that is written entirely in PowerShell. Unlike other remote desktop solutions, it does not rely on any external software or protocols to function, making it quick and easy to install and use. Its primary advantage is its use of PowerShell, which allows for seamless integration with other scripts and tools, as well as its user-friendly interface. Power Remote Desktop is a versatile and reliable solution for anyone needing to access and control remote computers.
1 year, 8 months ago
The tool is a PowerShell module that allows you to load and execute .NET assemblies from memory, transferred over a network connection such as HTTP. It consists of retrieving the .NET assembly located at a URL, loading the assembly into memory, and executing it with the given parameters.
This tool is useful for anyone who needs to load and execute .NET assemblies over a network connection, such as during a penetration testing engagement or when working with remote systems. It allows you to easily load and execute assemblies from memory, without the need to save them to disk first.
1 year, 11 months ago
This proof of concept (PoC) project emphasizes the potential risks associated with InnoSetup installers. Such installers should always be regarded with caution. They can not only harbor malware but it's also possible to construct a fully functional piece of malware utilizing their embedded scripting engines.
In this PoC, we delve into the InnoSetup scripting engine (derived from Pascal) to execute a shellcode generated with msfvenom.
2 years, 2 months ago
SubSeven (Sub7) Legacy
"SubSeven Legacy is a complete remake of the infamous SubSeven Backdoor (also known as Sub7), a popular remote access trojan from the late 90s. More information about the original Sub7 Backdoor can be found on the official Wikipedia page.
Like the original Sub7 program, SubSeven Legacy is entirely coded in Delphi and supports the latest version of the Delphi IDE/Compiler. However, unlike the original Sub7, SubSeven Legacy does not include any malicious features.
To preserve the old look and feel and prevent misuse, SubSeven Legacy still functions as a direct connection remote access tool and is installed as a Microsoft Windows service (which requires administrative privileges) to provide more control over the remote system.
The main goal of this project is to bring back good memories for those who, like me, grew up with such awesome projects."
2 years, 3 months ago
New code snippet that demonstrates how malware authors create self-deleting applications. This technique relies on code injection into a remote process that is tasked with watching for the malware sample process to end.
2 years, 7 months ago
PostgreSQL allows developers to create their own functions, known as UDFs (User Defined Functions). These functions can be used to perform a variety of tasks within the database, such as data manipulation or analysis. However, if a UDF is not properly secured, it could potentially be exploited by a malicious actor to execute arbitrary code, such as shellcode, on the server.
To exploit a UDF, an attacker would need to have sufficient privileges to register a new function. This may be achieved through a vulnerability in an application connected to the database, such as a SQL injection. The attacker could then create and register a UDF that contains the desired shellcode, and trigger it to execute on the server.
It is important to note that this is just one example of how a UDF could potentially be exploited. It is crucial to secure your database and applications to prevent such attacks from being successful. This includes proper input validation, sanitization, and proper user privilege management.
2 years, 9 months ago
YASE (Yet Another Sub Encoder) Encoder is a Python project created during my OSCE (Offensive Security Certified Expert) preparation to better understand and simplify the process of sub-encoding shellcode in order to escape bad character restrictions.
2 years, 9 months ago
New code snippet to demonstrate an alternative to the famous GetProcAddress Windows API by parsing the target DLL's PE header.
2 years, 10 months ago
New code snippet that demonstrates how to automatically detect code caves in Microsoft Windows PE files.
It is then possible to inject a shellcode into the located code cave (optionally encrypted) and redirect the PE file entry point to the shellcode.
This was a common technique used by old-school viruses to infect other applications and self-replicate.
Available commands:
-f / --file: Valid PE file location (Ex: /path/to/calc.exe).
-p / --payload: Shellcode payload (Example: "\x01\x02\x03…\x0a").
-x / --encrypt: Encrypt main section (entry point section).
-k / --encryption-key: Define custom encryption key (1 byte only).
-c / --cave-opcodes: Define code opcode list to search for.
-s / --cave-min-size: Minimum size of region to be considered as a code cave.
-e / --egg: Define a custom egg name (ESP restore mechanism).
2 years, 10 months ago
New snippet that demonstrates the use of the Windows APIs OutputDebugStringA and OutputDebugStringW to detect the presence of debuggers.
3 years ago
New code snippet that demonstrates the usage of SuspendThread to detect the presence of debuggers.
3 years ago
New code snippet that demonstrates how malware authors detect the presence of debuggers using both Microsoft Windows APIs FindWindowA and FindWindowW.
3 years ago
New code snippet that demonstrates how malware checks the Debug flag in a running process's PEB (Process Environment Block) in order to detect the presence of a debugger.
3 years, 1 month ago