Stars
Stealthy .NET assembly loading using AssemblyNative::LoadFromBuffer
Sigma Rules Engine inside the Linux Kernel using eBPF. Focusing on prevention capabilities
The agent harness performance optimization system. Skills, instincts, memory, security, and research-first development for Claude Code, Codex, Opencode, Cursor and beyond.
A Cobalt Strike RL built with Crystal Palace — module overloading, NtContinue entry transfer, call stack spoofing, sleep masking, and static signature removal.
We took PersistenceSniper, merged it with Python, and misspelled it on purpose. Meet PyrsistenceSniper.
A small experiment on assigning a process's threads to a specific CPU and then blocking it with a high-priority thread
Project for generating and identifying deceptive LNK files.
AV/EDR evasion via direct and indirect system calls Windows NT 3.1 through Windows 11 24H2 · x64 · x86 · WoW64 · ARM64
eBPF-powered silent observer for containerized runtimes, built for malware analysis sandboxes and Agentic AI monitoring.
practice made claude perfect
Iosevka configuration to mimic the look and feel of Berkeley Mono as closely as possible.
Tools for interacting with authentication packages using their individual message protocols
Tips and tricks I use to optimize my experience with Claude Code.
Audiodg.exe DLL hijacking for LPE with reboot-free restart primitive. Executes code as LOCAL SERVICE, escalates to SYSTEM via Scheduled Tasks.
Database diagrams editor that allows you to visualize and design your DB with a single query.
Rust Windows EDR (user-mode, no driver): ETW → Sysmon-style normalization → Sigma/Yara/IOC detection → ECS NDJSON alerts.
A curated list of funding programs supporting the awesome work of Open Source maintainers.
An ultra-simplified explanation to design patterns
Tool that gathers a customizable set of ETW telemetry and generates user-defined detections
Extracts browser-stored data such as refresh tokens, cookies, saved credentials, credit cards, autofill entries, browsing history, and bookmarks from modern Chromium-based and Gecko-based browsers …
This map lists the essential techniques to bypass anti-virus and EDR
Loading a remote AES-encrypted PE in memory, decrypting it and running it
Demonstrates consuming from a SecurityTrace ETW session by consuming from the Threat-Intelligence ETW provider without a driver or PPL privilege
A proof-of-concept to demonstrate randomized execution paths and their impact on call stack signatures — ideal for EDR testing, behavior-based detection research, and evasion analysis.
Example of call stack spoofing through the construction of synthetic frames and stack manipulation