kleiton0x00/RtlHijack

Readme badge preview -

If you own this repo, copy the snippet below and add it to your README.md

[![RelatedRepos](https://img.shields.io/badge/related-repos-yellow)](https://relatedrepos.com/gh/kleiton0x00/RtlHijack)

kleiton0x00 / RtlHijack

Alternative Read and Write primitives using Rtl* functions the unintended way.

☆79

Alternatives and similar repositories for RtlHijack

Users that are interested in RtlHijack are comparing it to the libraries listed below

Sorting:

zero2504 / Early-Cryo-Bird-Injections
View on GitHub
Early Bird Cryo Injections – APC-based DLL & Shellcode Injection via Pre-Frozen Job Objects
☆138Apr 6, 2025Updated 11 months ago
Teach2Breach / snapinject_rs
View on GitHub
A remote process injection using process snapshotting based on https://gitlab.com/ORCA000/snaploader , in rust. It creates a sacrificial …
☆50Jan 25, 2025Updated last year
ColeHouston / theHandler-BOF
View on GitHub
Dump protected process memory by using BYOVD to tamper with handle objects in the kernel.
☆38Aug 5, 2025Updated 7 months ago
0xTriboulet / rdll-rs
View on GitHub
A reflective DLL development template for the Rust programming language
☆115Nov 4, 2025Updated 4 months ago
0xflux / Vectored-Exception-Handling-Squared
View on GitHub
Vectored Exception Handling Squared
☆30Dec 27, 2025Updated 2 months ago
winsecurity / AMSI-Bypass-HWBP
View on GitHub
☆26Aug 11, 2025Updated 6 months ago
tijme / relocatable
View on GitHub
Boilerplate to develop raw and truly Position Independent Code (PIC).
☆117Jan 20, 2025Updated last year
artemy-ccrsky / DecryptRecoveryLAPS_RPC
View on GitHub
A way to maintain long-term access to Windows LAPS for lateral movement in AD via installing an Offensive LAPS RPC backdoor on a DC.
☆29Jun 9, 2025Updated 9 months ago
akamai / Mirage
View on GitHub
Mirage is a PoC memory evasion technique that relies on a vulnerable VBS enclave to hide shellcode within VTL1.
☆103Feb 25, 2025Updated last year
Teach2Breach / moonwalk
View on GitHub
find dll base addresses without PEB WALK
☆161Jul 13, 2025Updated 7 months ago
ricardojoserf / NativeTokenImpersonate
View on GitHub
Impersonate Tokens using only NTAPI functions
☆84Apr 4, 2025Updated 11 months ago
MythicAgents / Xenon
View on GitHub
A Mythic agent for Windows written in C
☆159Mar 1, 2026Updated last week
susMdT / ForsHops
View on GitHub
ForsHops
☆59Mar 25, 2025Updated 11 months ago
Teach2Breach / early_cascade_inj_rs
View on GitHub
early cascade injection PoC based on Outflanks blog post, in rust
☆62Nov 8, 2024Updated last year
JayGLXR / NomadLoader
View on GitHub
An advanced utility for converting Windows Portable Executable (PE) files to position-independent code (PIC) shellcode. It enables execut…
☆65Mar 1, 2025Updated last year
Teach2Breach / dll2shell
View on GitHub
converts sRDI compatible dlls to shellcode
☆35Jan 20, 2025Updated last year
0xflux / Hells-Hollow
View on GitHub
Hells Hollow Windows 11 Rootkit technique to Hook the SSDT via Alt Syscalls
☆218Aug 31, 2025Updated 6 months ago
0xNinjaCyclone / EarlyCascade
View on GitHub
A PoC for Early Cascade process injection technique.
☆211Jan 30, 2025Updated last year
safedv / Rustic64
View on GitHub
64-bit, position-independent implant template for Windows in Rust.
☆175Nov 28, 2025Updated 3 months ago
iilegacyyii / DataInject-BOF
View on GitHub
Hijacks code execution via overwriting Control Flow Guard pointers in combase.dll
☆145Apr 18, 2025Updated 10 months ago
NtDallas / KrakenMask
View on GitHub
Sleep obfuscation
☆270Dec 13, 2024Updated last year
KingOfTheNOPs / Get-NetNTLM
View on GitHub
Internal Monologue BOF
☆79Dec 28, 2024Updated last year
Teach2Breach / stargate
View on GitHub
Locate dlls and function addresses without PEB Walk and EAT parsing
☆105Nov 7, 2025Updated 4 months ago
JayGLXR / Rusty-Stardust
View on GitHub
A modern Rust implementation of the original Stardust project, providing a sophisticated 32/64-bit shellcode template that features posit…
☆59Mar 17, 2025Updated 11 months ago
ZephrFish / QoL-BOFs
View on GitHub
Curated list of public Beacon Object Files(BOFs) build in as submodules for easy cloning
☆137Dec 7, 2025Updated 3 months ago
EvanMcBroom / sleepy
View on GitHub
A lexer and parser for Sleep
☆20Feb 20, 2026Updated 2 weeks ago
logangoins / Stifle
View on GitHub
.NET Post-Exploitation Utility for Abusing Strong Explicit Certificate Mappings in ADCS
☆150Feb 10, 2025Updated last year
Cracked5pider / earlycascade-injection
View on GitHub
early cascade injection PoC based on Outflanks blog post
☆237Nov 7, 2024Updated last year
passthehashbrowns / VectoredExceptionHandling
View on GitHub
☆108Aug 21, 2024Updated last year
dr4ndrei / OHFFLdr
View on GitHub
One-header configurable C++20 COFF loader
☆21Jul 21, 2025Updated 7 months ago
AlmondOffSec / DCOMRunAs
View on GitHub
Lateral movement with DCOM DLL hijacking
☆176Jul 4, 2025Updated 8 months ago
0xtengu / Cloak64
View on GitHub
☆49Dec 21, 2025Updated 2 months ago
Teach2Breach / rpeloader
View on GitHub
use python on windows with full submodule support without installation
☆30Jan 23, 2025Updated last year
xforcered / ForsHops
View on GitHub
ForsHops
☆152Mar 25, 2025Updated 11 months ago
TwoSevenOneT / CreateProcessAsPPL
View on GitHub
This is the loader that supports running a program with Protected Process Light (PPL) protection functionality.
☆295Nov 1, 2025Updated 4 months ago
Faran-17 / Hellshazzard
View on GitHub
Indirect Syscall implementation to bypass userland NTAPIs hooking.
☆85Aug 13, 2024Updated last year
Ridter / netsync
View on GitHub
Use the Netlogon Remote Protocol (MS-NRPC) to dump the target hash.
☆62Feb 25, 2025Updated last year
CodeXTF2 / WebcamBOF
View on GitHub
Webcam capture capability for Cobalt Strike as a BOF, with in-memory download options
☆158Mar 26, 2025Updated 11 months ago
Maldev-Academy / MaldevAcademyLdr.2
View on GitHub
RunPE implementation with multiple evasive techniques (2)
☆275Sep 25, 2025Updated 5 months ago