Documentation Index
The navigation spine for everything in docs/. Three ways in, depending on
what you came for.
> [!TIP]
> If you don't know where to start, pick a role first; the role page walks you through a curated reading order.
By role
| Role | What you get |
|---|---|
| 🟥 Operator (red team) | Production chains, OPSEC, payload delivery, common scenarios |
| 🔬 Researcher (R&D) | Architecture, Caller pattern, paper references, Windows-version deltas |
| 🟦 Detection engineer (blue team) | Per-technique artifacts, telemetry, D3FEND counters, hunt examples |
By technique area
Each area page lists every technique in the area with a one-liner; click through for the full template (Primer / How It Works / API / Examples / OPSEC / MITRE / Limitations / See also).
| Area | Pages | What's covered |
|---|---|---|
| c2 | 6 | reverse shell + reconnect, transport (TLS/JA3), Meterpreter staging, multicat, named pipe |
| cleanup | 7 | self-delete, secure wipe, timestomp, ADS, BSOD, service hide |
| collection | 5 | keylog, clipboard, screenshot, ADS, LSASS dump |
| credentials | 4 | LSASS dump, sekurlsa parser, SAM offline, Golden Ticket |
| crypto | 1 | payload encryption (AES-GCM, ChaCha20) and signature-breaking transforms (XTEA, S-Box, Matrix, ArithShift, XOR) |
| encode | 1 | Base64 (std + URL), UTF-16LE, ROT13, PowerShell -EncodedCommand |
| hash | 2 | cryptographic hashes (MD5/SHA-*), ROR13 API hashing, fuzzy hashes (ssdeep, TLSH) |
| evasion | 19 | AMSI/ETW patches, ntdll unhook, sleep mask, ACG, BlockDLLs, callstack spoof, kernel callback removal, anti-VM/sandbox/timing |
| injection | 12 | CreateThread, EarlyBird APC, ThreadHijack, SectionMap, KernelCallback, Phantom DLL, ThreadPool, NtQueueApcThreadEx, EtwpCreateEtwThread, … |
| pe | 7 | strip & sanitize, BOF loader, morph, PE-to-shellcode, certificate theft, masquerade |
| persistence | 6 | Run/RunOnce, startup folder LNK, scheduled task, service, account creation |
| runtime | 2 | BOF / COFF loader, in-process .NET CLR hosting |
| syscalls | 3 | direct & indirect syscalls, API hashing (ROR13, FNV1a, …), SSN resolvers (Hell's / Halo's / Tartarus / Hash Gate) |
| tokens | 3 | token theft, impersonation, privilege escalation |
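The ROR13 API hash named in the `hash` and `syscalls` rows is small enough to show in full. The Go below is an added example for this index, not the library's `hash` or `win/syscall` code: `Ror13` applies the rotate-right-13-and-add recipe byte by byte to an export name, `Resolve` is the loader side that scans an export table for a matching hash, and `ReverseTable` is the analyst side that precomputes hash-to-name so a hash recovered from a sample decodes immediately and collisions are flagged. The export list is a constructed sample. Loaders differ in whether the terminating NUL is hashed and whether a module-name hash is folded in, so match the variant the sample actually uses before trusting a decode.

```go
package main

import (
	"fmt"
	"math/bits"
)

// Ror13 hashes an ASCII name with the classic shellcode recipe:
// h = ror32(h, 13) + byte, one byte at a time, starting from 0.
// Bare variant: no terminating NUL and no module-name hash folded in.
func Ror13(name string) uint32 {
	var h uint32
	for i := 0; i < len(name); i++ {
		h = bits.RotateLeft32(h, -13) + uint32(name[i])
	}
	return h
}

// Resolve mimics the loader side: walk an export table and return the
// first name whose hash matches, or "" when nothing matches.
func Resolve(exports []string, want uint32) string {
	for _, e := range exports {
		if Ror13(e) == want {
			return e
		}
	}
	return ""
}

// ReverseTable is the analyst side: precompute hash -> name for every known
// API so a hash pulled out of a sample decodes in O(1). Names that collide
// with an earlier entry are reported instead of silently overwriting it.
func ReverseTable(names []string) (table map[uint32]string, collisions []string) {
	table = make(map[uint32]string, len(names))
	for _, n := range names {
		h := Ror13(n)
		if prev, ok := table[h]; ok && prev != n {
			collisions = append(collisions, n+"/"+prev)
			continue
		}
		table[h] = n
	}
	return table, collisions
}

// Constructed sample export list; a real one comes from the export
// directory of the module being hashed.
var sampleExports = []string{
	"NtAllocateVirtualMemory",
	"NtWriteVirtualMemory",
	"NtProtectVirtualMemory",
	"NtCreateThreadEx",
	"LoadLibraryA",
	"GetProcAddress",
}

func main() {
	for _, n := range sampleExports {
		fmt.Printf("%-24s 0x%08x\n", n, Ror13(n))
	}
	want := Ror13("NtCreateThreadEx")
	fmt.Println("resolved:", Resolve(sampleExports, want))
	table, coll := ReverseTable(sampleExports)
	fmt.Println("decoded:", table[want], "collisions:", coll)
}
```

Hunting for the hash constants a loader embeds is the defender's mirror of this: build the table once over the exports of ntdll.dll, kernel32.dll and friends, then look each constant up.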
By MITRE ATT&CK ID
By package
Grouped by area, expandable. Click any package name to jump to its
pkg.go.dev godoc; expand an area to scan every package's detection
level and one-line summary in one place.
Each area is collapsed by default — click to expand. Detection level is the canonical 5-level scale (very-quiet → very-noisy); umbrella / variable packages show as —.
Layer 0 — pure-Go primitives (`crypto`, `encode`, `hash`, `random`, `useragent`) — 5 packages
| Package | Detection | Summary |
|---|---|---|
| crypto | very-quiet | provides cryptographic primitives for payload encryption / decryption and lightweight obfuscation |
| encode | very-quiet | provides encoding / decoding utilities for payload transformation: Base64 (standard + URL-safe), UTF-16LE (Windows API strings), ROT13, and PowerShell -EncodedCommand format |
| hash | very-quiet | provides cryptographic and fuzzy hash primitives for integrity verification, API hashing, and similarity detection |
| random | very-quiet | provides cryptographically secure random generation helpers backed by crypto/rand (OS entropy) |
| useragent | very-quiet | provides a curated database of real-world browser User-Agent strings for HTTP traffic blending |
Windows primitives — `win/*` — 10 packages
| Package | Detection | Summary |
|---|---|---|
| win | — | is the parent umbrella for Windows-only primitives |
| win/api | very-quiet | is the single source of truth for Windows DLL handles, procedure references, and structures shared across maldev |
| win/com | — | holds Windows COM helpers shared across maldev |
| win/domain | very-quiet | queries Windows domain-membership state — whether the host is workgroup-only, joined to an Active Directory domain, or in an unknown state |
| win/impersonate | moderate | runs callbacks under an alternate Windows security context — by credential, by stolen token, or by piggy-backing on a target PID |
| win/ntapi | quiet | exposes a small set of typed Go wrappers over ntdll!Nt* functions that maldev components use frequently — memory allocation, write/protect, thread creation, and system information query |
| win/privilege | moderate | answers two operational questions: am I admin right now, and how do I run something else as a different principal? It wraps IsAdmin / IsAdminGroupMember for privilege detection and three execution primitives — ExecAs, CreateProcessWithLogon, ShellExecuteRunAs — for spawning processes under alternate credentials |
| win/syscall | quiet | provides five strategies for invoking Windows NT syscalls — from a hookable kernel32 call to fully indirect SSN dispatch through an in-ntdll syscall;ret gadget (heap stub or Go-assembly stub) — under one uniform [Caller] interface |
| win/token | moderate | wraps Windows access-token operations: open/duplicate process and thread tokens, steal a token from another PID, enable or remove individual privileges, query integrity level, and retrieve the active interactive session's primary token |
| win/version | very-quiet | reports the running Windows OS version, build, and patch level — bypassing the manifest-compatibility shim that masks GetVersionEx results to the manifest-declared compatibility target |
Kernel BYOVD — `kernel/driver/*` — 2 packages
| Package | Detection | Summary |
|---|---|---|
| kernel/driver | very-noisy | defines the kernel-memory primitive interfaces consumed by EDR-bypass packages that need arbitrary kernel reads or writes (kcallback, lsassdump PPL-bypass, callback-array tampering, …) |
| kernel/driver/rtcore64 | very-noisy | wraps the MSI Afterburner RTCore64.sys signed driver (CVE-2019-16098) as a [kernel/driver.ReadWriter] primitive |
Evasion — `evasion/*` — 15 packages
| Package | Detection | Summary |
|---|---|---|
| evasion | — | is the umbrella for active EDR / AV evasion |
| evasion/acg | quiet | enables Arbitrary Code Guard for the current process so the kernel refuses any further VirtualAlloc(PAGE_EXECUTE) / VirtualProtect(PAGE_EXECUTE) requests |
| evasion/amsi | noisy | disables the Antimalware Scan Interface in the current process via runtime memory patches on amsi.dll |
| evasion/blockdlls | quiet | applies the PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES mitigation so the loader refuses any DLL that isn't Microsoft-signed |
| evasion/callstack | quiet | synthesises a return-address chain so a stack walker at a protected-API call site sees frames that originate from a benign thread-init sequence rather than from the attacker module |
| evasion/cet | noisy | inspects and relaxes Intel CET (Control-flow Enforcement Technology) shadow-stack enforcement for the current process, and exposes the ENDBR64 marker required by CET-gated indirect call sites |
| evasion/etw | moderate | blinds Event Tracing for Windows in the current process by patching the ETW write helpers in ntdll.dll with `xor rax,rax; ret` |
| evasion/hook | noisy | installs x64 inline hooks on exported Windows functions: patch the prologue with a JMP to a Go callback, automatically generate a trampoline for calling the original, and fix up RIP-relative instructions in the stolen prologue |
| evasion/hook/bridge | moderate | is the bidirectional control channel between a hook handler installed inside a target process and the implant that placed it |
| evasion/hook/shellcode | noisy | ships pre-fabricated x64 position-independent shellcode blobs used as handler bodies for [github.com/oioio-space/maldev/evasion/hook].RemoteInstall |
| evasion/kcallback | very-noisy | enumerates and removes kernel-mode callback registrations that EDR products use to observe process/thread/image-load events from the kernel side |
| evasion/preset | — | bundles evasion.Technique primitives into four validated risk levels for one-shot deployment |
| evasion/sleepmask | quiet | encrypts the implant's payload memory while it sleeps so concurrent memory scanners cannot recover the original shellcode bytes or PE headers |
| evasion/stealthopen | quiet | reads files via NTFS Object ID (the 128-bit GUID stored in the MFT) instead of by path, bypassing path-based EDR hooks on NtCreateFile / CreateFileW |
| evasion/unhook | noisy | restores the original prologue bytes of ntdll.dll functions, removing inline hooks installed by EDR/AV products |
Injection — `inject` — 1 package
| Package | Detection | Summary |
|---|---|---|
| inject | noisy | provides unified shellcode injection across Windows and Linux with a fluent builder, decorator middleware, and automatic fallback between methods |
PE manipulation — `pe/*` — 20 packages
| Package | Detection | Summary |
|---|---|---|
| pe | — | is the umbrella for Portable Executable analysis, manipulation, and conversion utilities |
| pe/cert | quiet | manipulates the PE Authenticode security directory — read, copy, strip, and write WIN_CERTIFICATE blobs without any Windows crypto API |
| pe/dllproxy | very-quiet | emits a valid Windows DLL — as raw bytes, no external toolchain — that forwards every named export back to a legitimate target DLL |
| pe/imports | very-quiet | enumerates a PE's import surface — both the classic IMAGE_IMPORT_DESCRIPTOR table AND the IMAGE_DELAY_IMPORT_DESCRIPTOR table — without invoking any Windows API |
| pe/masquerade | quiet | clones a Windows PE's identity — manifest, icons, VERSIONINFO, optional Authenticode certificate — into a linkable .syso COFF object so a Go binary picks them up at compile time |
| pe/masquerade/donors | very-quiet | lists the reference (donor) PE files the pe/masquerade preset generator and the cmd/cert-snapshot tool share |
| pe/masquerade/preset | — | (no doc.go summary) |
| pe/morph | moderate | mutates UPX-packed PE headers so automatic unpackers fail to recognise the input |
| pe/packer | moderate | is maldev's custom PE/ELF packer |
| pe/packer/internal/elfgate | — | implements the Z-scope pre-flight check for Go static-PIE ELF inputs: ET_DYN + .go.buildinfo present + no DT_NEEDED |
| pe/packer/runtime | noisy | is the consumer side of [pe/packer]: takes a packed blob + key and reflectively loads the original PE into the current process's memory |
| pe/packer/stubgen | noisy | drives the UPX-style transform pipeline for Phase 1e |
| pe/packer/stubgen/amd64 | quiet | wraps github.com/twitchyliquid64/golang-asm into a focused builder API for the polymorphic stage-1 decoder Phase 1e (v0.61.x) emits |
| pe/packer/stubgen/poly | quiet | implements the SGN-style metamorphic engine the Phase 1e (v0.61.x) packer uses to generate polymorphic stage-1 decoders |
| pe/packer/stubgen/stage1 | moderate | emits the polymorphic stub the UPX-style packer places in a new section of the modified host binary |
| pe/packer/stubgen/stage1/asmtrace | — | on non-Windows platforms is a stub |
| pe/packer/transform | noisy | implements UPX-style in-place modification of input PE/ELF binaries |
| pe/parse | very-quiet | provides PE file parsing and modification utilities |
| pe/srdi | moderate | converts PE / .NET / script payloads into position-independent shellcode via the Donut framework (github.com/Binject/go-donut) |
| pe/strip | quiet | sanitises Go-built PE binaries by removing toolchain artefacts that fingerprint the producer |
Runtime loaders — `runtime/*` — 3 packages
| Package | Detection | Summary |
|---|---|---|
| runtime/bof | moderate | loads and executes Beacon Object Files (BOFs) — compiled COFF object files (.o) — entirely in process memory |
| runtime/clr | moderate | hosts the .NET Common Language Runtime in process via the ICLRMetaHost / ICorRuntimeHost COM interfaces and executes managed assemblies from memory without writing them to disk |
| runtime/pe | moderate | runs full Portable Executable binaries (EXE / DLL) in-process by dispatching them through an embedded Fortra No-Consolation BOF on top of [runtime/bof] |
Recon — `recon/*` — 9 packages
| Package | Detection | Summary |
|---|---|---|
| recon/antidebug | quiet | detects whether a debugger is currently attached to the implant — Windows via IsDebuggerPresent (PEB BeingDebugged), Linux via /proc/self/status TracerPid |
| recon/antivm | quiet | detects virtual machines and hypervisors via configurable check dimensions: registry keys, files, MAC prefixes, processes, CPUID/BIOS, and DMI info |
| recon/dllhijack | moderate | discovers DLL-search-order hijack opportunities on Windows — places where an application loads a DLL from a user-writable directory BEFORE reaching the legitimate copy (typically in System32) |
| recon/drive | quiet | enumerates Windows logical drives and watches for newly connected removable / network volumes |
| recon/folder | very-quiet | resolves Windows special folder paths via two Shell32 entry points: [Get] (legacy SHGetSpecialFolderPathW, CSIDL-keyed) and [GetKnown] (modern SHGetKnownFolderPath, KNOWNFOLDERID-keyed) |
| recon/hwbp | moderate | detects and clears hardware breakpoints set by EDR products on NT function prologues — surviving the classic ntdll-on-disk-unhook pass |
| recon/network | very-quiet | provides cross-platform IP address retrieval and local-address detection |
| recon/sandbox | quiet | is the multi-factor sandbox / VM / analysis-environment detector — a configurable orchestrator that aggregates checks across recon/antidebug, recon/antivm, and its own primitives into a single "is this a sandbox?" assessment |
| recon/timing | quiet | provides time-based evasion that defeats sandboxes which fast-forward Sleep() calls — sandboxes commonly hook Sleep / WaitForSingleObject to skip the delay and analyse what the implant does next |
Process — `process/*` + `process/tamper/*` — 7 packages
| Package | Detection | Summary |
|---|---|---|
| process | — | is the umbrella for cross-platform process enumeration / management, plus the Windows-specific process-tamper sub-tree |
| process/enum | quiet | provides cross-platform process enumeration — list every running process or find one by name / predicate |
| process/session | moderate | enumerates Windows sessions and creates processes / impersonates threads inside other users' sessions |
| process/tamper/fakecmd | quiet | overwrites the current process's PEB CommandLine UNICODE_STRING so process-listing tools (Process Explorer, wmic, Get-Process, Task Manager) display a fake command-line instead of the real one; process-creation telemetry (Sysmon Event ID 1, ETW process-start events) has already recorded the original at launch, so this only fools readers that query the PEB afterwards |
| process/tamper/herpaderping | moderate | implements Process Herpaderping and the related Process Ghosting variant — kernel image-section cache exploitation that lets the running process execute one PE while the file on disk reads as another (or doesn't exist) |
| process/tamper/hideprocess | moderate | patches a target process's user-mode process-enumeration surface so it returns empty / failed results — blinding monitoring tools without killing them |
| process/tamper/phant0m | noisy | suppresses Windows Event Log recording by terminating the EventLog service threads inside the hosting svchost.exe — the service stays "Running" in the SCM listing but no new entries are written |
Credentials — `credentials/*` — 4 packages
| Package | Detection | Summary |
|---|---|---|
| credentials/goldenticket | noisy | forges Kerberos Golden Tickets — long-lived TGTs minted with a stolen krbtgt account hash |
| credentials/lsassdump | noisy | produces a MiniDump blob of lsass.exe's memory so downstream tooling (credentials/sekurlsa, mimikatz, pypykatz) can extract Windows credentials |
| credentials/samdump | quiet | performs offline NT-hash extraction from a SAM hive (with the SYSTEM hive supplying the boot key) |
| credentials/sekurlsa | quiet | extracts credential material from a Windows LSASS minidump — the consumer counterpart to credentials/lsassdump |
Collection — `collection/*` — 4 packages
| Package | Detection | Summary |
|---|---|---|
| collection | — | groups local data-acquisition primitives for post-exploitation: keystrokes, clipboard contents, screen captures |
| collection/clipboard | quiet | reads and watches the Windows clipboard text |
| collection/keylog | noisy | captures keystrokes via a low-level keyboard hook (SetWindowsHookEx(WH_KEYBOARD_LL)) |
| collection/screenshot | quiet | captures the screen via GDI BitBlt and returns PNG bytes |
Cleanup — `cleanup/*` — 8 packages
| Package | Detection | Summary |
|---|---|---|
| cleanup | quiet | is the umbrella for on-host artefact removal / anti-forensics primitives that run after an operation completes |
| cleanup/ads | quiet | provides CRUD operations for NTFS Alternate Data Streams |
| cleanup/bsod | very-noisy | triggers a Blue Screen of Death via NtRaiseHardError as a last-resort cleanup primitive |
| cleanup/memory | very-quiet | provides secure memory cleanup primitives for wiping sensitive data (shellcode, keys, credentials) from process memory |
| cleanup/selfdelete | moderate | deletes the running executable from disk while the process continues to execute from its mapped image |
| cleanup/service | noisy | hides Windows services from listing utilities by applying a restrictive DACL on the service object |
| cleanup/timestomp | quiet | resets a file's NTFS $STANDARD_INFORMATION timestamps so a dropped artifact blends with surrounding files; the $FILE_NAME attribute's timestamps are left as they were, which is the classic indicator forensic tools compare against |
| cleanup/wipe | quiet | overwrites file contents with cryptographically random data before deletion to defeat trivial forensic recovery |
Persistence — `persistence/*` — 7 packages
| Package | Detection | Summary |
|---|---|---|
| persistence | — | is the umbrella for system persistence techniques — mechanisms that re-launch an implant across reboots and user logons |
| persistence/account | noisy | provides Windows local user account management via NetAPI32 — create, delete, set password, manage group membership, enumerate |
| persistence/lnk | quiet | creates Windows shortcut (.lnk) files via COM/OLE automation — fluent builder API, fully Windows-only |
| persistence/registry | moderate | implements Windows registry Run / RunOnce key persistence — the canonical "auto-launch on logon" hook |
| persistence/scheduler | moderate | creates, deletes, lists, and runs Windows scheduled tasks via the COM ITaskService API — no schtasks.exe child process |
| persistence/service | noisy | implements Windows service persistence via the Service Control Manager — the highest-trust persistence mechanism available, running as SYSTEM at boot |
| persistence/startup | moderate | implements StartUp-folder persistence via LNK shortcut files — Windows Shell launches every shortcut in the folder at user logon |
Privilege escalation — `privesc/*` — 2 packages
| Package | Detection | Summary |
|---|---|---|
| privesc/cve202430088 | noisy | implements CVE-2024-30088 — a Windows kernel TOCTOU race in AuthzBasepCopyoutInternalSecurityAttributes that yields local privilege escalation to NT AUTHORITY\SYSTEM by overwriting the calling thread's primary token with lsass.exe's SYSTEM token |
| privesc/uac | noisy | implements four classic UAC-bypass primitives that hijack auto-elevating Windows binaries to spawn an elevated process without a consent prompt |
C2 — `c2/*` — 9 packages
| Package | Detection | Summary |
|---|---|---|
| c2 | — | provides command and control building blocks: reverse shells, Meterpreter staging, pluggable transports (TCP / TLS / uTLS / named pipe), mTLS certificate helpers, and session multiplexing |
| c2/cert | quiet | provides self-signed X.509 certificate generation and fingerprint computation for C2 TLS infrastructure |
| c2/meterpreter | noisy | implements Metasploit Framework staging — pulls a second-stage Meterpreter payload from a multi/handler and executes it in the current process or a target picked via the optional Config.Injector |
| c2/multicat | quiet | provides a multi-session reverse-shell listener for operator use |
| c2/pivot/socks5 | moderate | wraps the armon/go-socks5 server in a thin maldev primitive — a beacon-side SOCKS5 listener the operator pivots through to reach the beacon's network |
| c2/shell | noisy | provides a reverse shell with automatic reconnection, PTY support, and optional Windows evasion integration |
| c2/transport | moderate | provides pluggable network transport implementations for C2 communication: plain TCP, TLS with optional certificate pinning, and uTLS for JA3/JA4 fingerprint randomisation |
| c2/transport/namedpipe | quiet | provides a Windows named-pipe transport implementing the [github.com/oioio-space/maldev/c2/transport] Transport and Listener interfaces |
| c2/transport/websocket | moderate | implements a WebSocket [transport.Transport] (dial side) and [transport.Listener] (accept side) for C2 channels that ride HTTP/1.1 + WS upgrade |
UI utilities — 1 package
| Package | Detection | Summary |
|---|---|---|
| ui | very-quiet | exposes minimal Windows UI primitives — MessageBoxW via Show and the system alert sound via Beep |
examples — 40 packages
| Package | Detection | Summary |
|---|---|---|
| examples/c2-reverse-shell | — | c2-reverse-shell — panorama 15 of the doc-truth audit |
| examples/cleanup-artifacts | — | cleanup-artifacts — panorama 10 of the doc-truth audit |
| examples/collection-screen-keylog | — | collection-screen-keylog — panorama 13 of the doc-truth audit |
| examples/credentials-dump | — | credentials-dump — panorama 9 of the doc-truth audit |
| examples/inject-evasive | — | inject-evasive — panorama 2 of the doc-truth audit |
| examples/kernel-byovd | — | kernel-byovd — panorama 16 of the doc-truth audit |
| examples/license-manager/01-issue-basic | — | 01-issue-basic — runnable companion to examples/license-manager/README.md |
| examples/license-manager/02-issue-with-bindings | — | 02-issue-with-bindings — runnable companion to README.md |
| examples/license-manager/03-revoke-and-crl | — | 03-revoke-and-crl — runnable companion to README.md |
| examples/license-manager/04-reissue | — | 04-reissue — runnable companion to README.md |
| examples/license-manager/05-hard-delete-roundtrip | — | 05-hard-delete-roundtrip — runnable companion to README.md |
| examples/license-manager/06-totp-secret | — | 06-totp-secret — runnable companion to README.md |
| examples/license-manager/09-import-and-verify | — | 09-import-and-verify — runnable companion to README.md |
| examples/license-manager/tutorials/01-issue-and-verify | — | (no doc.go summary) |
| examples/license-manager/tutorials/01-issue-and-verify/client | — | Tutorial 01 — verifier client |
| examples/license-manager/tutorials/02-bindings-and-verify | — | (no doc.go summary) |
| examples/license-manager/tutorials/02-bindings-and-verify/client | — | Tutorial 02 — verifier client that collects three evidence pieces at startup: a machine id (from hostid.Composite()), a password (typed by the user, read from --password flag for the E2E demo), and a 6-digit TOTP code (read from --totp) |
| examples/license-manager/tutorials/03-revocation-server | — | (no doc.go summary) |
| examples/license-manager/tutorials/03-revocation-server/client | — | Tutorial 03 — verifier client that fetches the CRL from a running revocation server before deciding whether to accept the licence |
| examples/license-manager/tutorials/04-totp-authenticator | — | (no doc.go summary) |
| examples/license-manager/tutorials/04-totp-authenticator/client | — | Tutorial 04 — verifier that requires a 6-digit TOTP code |
| examples/license-manager/tutorials/05-sealed-payload | — | (no doc.go summary) |
| examples/license-manager/tutorials/05-sealed-payload/client | — | Tutorial 05 — verifier that decrypts a sealed payload after the licence check passes |
| examples/packer-shellcode | — | packer-shellcode — runnable companion to Mode 6 of docs/techniques/pe/packer.md |
| examples/packer-tour | — | packer-tour — runnable companion to docs/examples/upx-style-packer.md |
| examples/pe-modify | — | pe-modify — panorama 11 of the doc-truth audit |
| examples/persistence-system | — | persistence-system — panorama 6 of the doc-truth audit |
| examples/persistence-user | — | persistence-user — panorama 5 of the doc-truth audit |
| examples/preset-stacks | — | preset-stacks — panorama 18 of the doc-truth audit |
| examples/privesc-dll-hijack | — | privesc-e2e is the orchestrator for the maldev DLL-hijack privilege-escalation E2E proof |
| examples/privesc-dll-hijack/fakelib | — | fakelib — a real Windows DLL with three named C exports |
| examples/privesc-dll-hijack/probe | — | Probe for the privesc-e2e chain |
| examples/privesc-uac | — | privesc-uac — panorama 8 of the doc-truth audit |
| examples/process-tamper | — | process-tamper — panorama 12 of the doc-truth audit |
| examples/recon-host | — | recon-host — panorama 3 of the doc-truth audit |
| examples/recon-stealth-ppid | — | recon-stealth-ppid — example assembled from the user-facing markdown docs only |
| examples/runtime-loaders | — | runtime-loaders — panorama 14 of the doc-truth audit |
| examples/syscall-matrix | — | syscall-matrix — panorama 17 of the doc-truth audit |
| examples/tokens-impersonate | — | tokens-impersonate — panorama 7 of the doc-truth audit |
| examples/unhook-ntdll | — | unhook-ntdll — panorama 4 of the doc-truth audit |
license — 12 packages
| Package | Detection | Summary |
|---|---|---|
| license | — | provides a defensive framing primitive for maldev research binaries: signed, structured license tokens that constrain who may run a given binary, on which machines, with which secrets, until when, and against which revocation/heartbeat policy |
| license/canonical | — | encodes Go values to a deterministic JSON form suitable for signing: object keys are recursively sorted, no insignificant whitespace is emitted, HTML characters are not escaped, and time.Time values are rendered in RFC3339Nano UTC |
| license/heartbeat | — | (no doc.go summary) |
| license/hostid | — | produces a 32-byte machine fingerprint by mixing OS-provided identifiers (registry MachineGuid on Windows, /etc/machine-id on Linux, IOPlatformUUID on darwin) through sha256 |
| license/identity | — | holds a 32-byte build-time identity registered by the consumer binary (typically via //go:embed identity.bin and a call to Set) |
| license/identity/cmd/gen-identity | — | gen-identity writes 32 random bytes to ./identity.bin if absent |
| license/internal/fileutil | — | provides shared filesystem helpers for the license package and its sub-packages |
| license/ntp | — | performs a minimal unauthenticated SNTPv4 query suitable as a soft cross-check of the local clock |
| license/revoke | — | (no doc.go summary) |
| license/seal | — | encrypts opaque payloads to a recipient identified by an X25519 public key |
| license/server | — | (no doc.go summary) |
| license/totp | — | implements RFC 6238 time-based one-time passwords (TOTP) with helpers for QR-code provisioning (PNG and ASCII) |
Cross-cutting guides
| Guide | What it explains |
|---|---|
| getting-started.md | Concepts, terminology, your first implant |
| architecture.md | Layered design, dependency flow, Mermaid diagrams |
| opsec-build.md | Build pipeline: garble, pe/strip, masquerade |
| mitre.md | Full MITRE ATT&CK + D3FEND mapping |
| testing.md | Per-test-type details: injection matrix, Meterpreter sessions, BSOD |
| vm-test-setup.md | Bootstrap a fresh host (VMs, SSH keys, INIT snapshot) |
| coverage-workflow.md | Reproducible cross-platform coverage collection |
Conventions
| Doc | Audience |
|---|---|
| conventions/documentation.md | Anyone editing docs (this is the source of truth for templates, GFM features, voice, migration order) |