Fully decrypt App-Bound Encrypted (ABE) cookies, passwords & payment methods from Chromium-based browsers (Chrome, Brave, Edge) - all in user mode, no admin rights required.

Ever Wondered how an anti-cheat system is actually loaded into memory?

This is a tool that uses the old WerfaultSecure.exe program to dump the memory of processes protected by PPL (Protected Process Light), such as LSASS.EXE. The output is in Windows MINIDUMP format.

Overview: This tool demonstrates an advanced in-memory evasion technique that spoofs the thread call stack. It's designed to bypass thread-based memory examination rules, making it harder for analysts to detect injected shellcode within process memory.

Overview: This proof-of-concept implementation demonstrates how to spoof arbitrary call stacks during system calls, such as NtOpenProcess. It's a more advanced technique that builds upon the concepts introduced in ThreadStackSpoofer.

Overview: Draugr is a Cobalt Strike Beacon
Object File (BOF) template that facilitates the creation of synthetic stack frames, effectively spoofing the call stack during execution. It utilizes gadgets from KERNELBASE.DLL to achieve this

Overview: LoudSunRun is a technique that involves stack spoofing with synthetic frames. It calculates the total stack size of fake frames and adjusts stack arguments accordingly to obscure the true execution path.

Overview: BokuLoader is a proof-of-concept Cobalt Strike Reflective Loader that aims to recreate, integrate, and enhance Cobalt Strike's evasion features. It combines various evasion techniques, including call stack spoofing, to achieve stealthy execution.