Run Processes as PPL with ELAM
☆177Mar 17, 2022Updated 3 years ago
Alternatives and similar repositories for PPLRunner
Users that are interested in PPLRunner are comparing it to the libraries listed below
Sorting:
- PoC memory injection detection agent based on ETW, for offensive and defensive research purposes☆299Apr 10, 2021Updated 4 years ago
- Sysmon-Like research tool for ETW☆384Nov 15, 2022Updated 3 years ago
- Combining Sealighter with unpatched exploits to run the Threat-Intelligence ETW Provider☆197Dec 6, 2022Updated 3 years ago
- Silence EDRs by removing kernel callbacks☆239Dec 7, 2020Updated 5 years ago
- KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.☆751Dec 15, 2025Updated 2 months ago
- File system minifilter driver for Windows to block symbolic link attacks.☆51Dec 16, 2020Updated 5 years ago
- ☆153Jul 31, 2022Updated 3 years ago
- View ETW Provider manifest☆574Nov 1, 2024Updated last year
- Tool to bypass LSA Protection (aka Protected Process Light)☆987Dec 4, 2022Updated 3 years ago
- Enumerate and disable common sources of telemetry used by AV/EDR.☆819Mar 11, 2021Updated 4 years ago
- ☆208Apr 5, 2022Updated 3 years ago
- Simple project that demonstrates how an ETW consumer can be created just by using NTDLL☆146Feb 23, 2019Updated 7 years ago
- Enumerating and removing kernel callbacks using signed vulnerable drivers☆588Jan 24, 2023Updated 3 years ago
- handle elevation using bedaisy.☆13Aug 17, 2020Updated 5 years ago
- A Practical example of ELAM (Early Launch Anti-Malware)☆36Nov 12, 2021Updated 4 years ago
- MemoryRanger protects kernel data and code by running drivers and hosting data in isolated kernel enclaves using VT-x and EPT features. M…☆232Jul 26, 2020Updated 5 years ago
- Enumerate various traits from Windows processes as an aid to threat hunting☆202Jan 13, 2022Updated 4 years ago
- A variant of Gargoyle for x64 to hide memory artifacts using ROP only and PIC☆374May 24, 2022Updated 3 years ago
- Security product hook detection☆326Mar 30, 2021Updated 4 years ago
- ☆260May 9, 2024Updated last year
- A way to delete a locked file, or current running executable, on disk.☆616Nov 5, 2025Updated 3 months ago
- A PoC implementation for spoofing arbitrary call stacks when making sys calls (e.g. grabbing a handle via NtOpenProcess)☆553Apr 8, 2025Updated 10 months ago
- Some research on AltSystemCallHandlers functionality in Windows 10 20H1 18999☆240Nov 6, 2019Updated 6 years ago
- Dump the memory of a PPL with a userland exploit☆890Jul 24, 2022Updated 3 years ago
- A little tool to play with the Seclogon service☆327Jul 10, 2022Updated 3 years ago
- c++ implementation of windows heavens gate☆70Feb 12, 2021Updated 5 years ago
- Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging☆580Mar 8, 2024Updated last year
- ☆118Aug 7, 2022Updated 3 years ago
- ☆85Jan 12, 2022Updated 4 years ago
- Uses WMI Event Win32_ModuleLoadTrace to monitor module loading. Provides filters, and detailed data. Has an option to monitor for CLR Inj…☆42May 9, 2019Updated 6 years ago
- OffensivePH - use old Process Hacker driver to bypass several user-mode access controls☆334Oct 9, 2021Updated 4 years ago
- Kernel shellcode injector☆148Mar 23, 2021Updated 4 years ago
- ETWProcessMon2 is for Monitoring Process/Thread/Memory/Imageloads/TCPIP via ETW + Detection for Remote-Thread-Injection & Payload Detecti…☆319Mar 20, 2024Updated last year
- Finding Truth in the Shadows☆123Jan 26, 2023Updated 3 years ago
- AllMemPro☆46Jan 15, 2018Updated 8 years ago
- Three Tiny Examples of Directly Using Vista's NtCreateUserProcess☆89Nov 9, 2015Updated 10 years ago
- ☆39Oct 29, 2020Updated 5 years ago
- A PoC designed to bypass all usermode hooks in a WoW64 environment.☆150Sep 16, 2020Updated 5 years ago
- Files for http://blog.deniable.org/posts/windows-callbacks/☆77Feb 26, 2022Updated 4 years ago