A very flexible tool for testing Windows security solutions and the OS itself.
- [TODO] The main binary is just an interpreter with special API, the scripts contain the pentest logic
- [TODO] Passing scripts via file or socket
- [TODO] Interactive mode for live scripting
- [TODO] Build as a DLL to be executed inside another process
- [TODO] Executing pentest scenario stages in different threads
- [TODO] ARM64 Support
- Inject an image/shellcode into an existing/new process
  - (Shell)code thread injection (existing/new process)
  - Thread injection (InstructionPointer/EntryPoint)
  - APC thread injection (finding "alertable" threads / Early Bird with suspended main thread)
  - Image injection (new process)
  - Process hollowing
  - Process doppelganging
- [TODO] Filesystem read/modification
- [TODO] Disk (sectors) read/modification
- [TODO] Registry read/modification
- Runtime anti-EDR tricks
  - Loading and using a copy of ntdll.dll
  - [TODO] Unhooking functions
  - [TODO] AMSI bypass
- [TODO] Local Privilege Escalation
- [TODO] Exploitation of TOCTOU bugs
- API from ntdll.dll:
  - generic functions (available in ntdll.lib)
  - new functions, exported only in newer Windows versions (such as `NtMapViewOfSectionEx()`)
  - [TODO] non-exported functions, called by offset from symbols (via DIA SDK)
- [TODO] RPC API: functions from RPC client libs (winspool.drv, ...)
- [TODO] RPC API: generated RPC stubs + direct call of `NdrClientCallX()`
- [TODO] Execute shellcode from executable memory (outside of module images)
- [TODO] Direct syscalls