Each area page lists every technique in the area with a one-liner; click
through for the full template (Primer / How It Works / API / Examples /
OPSEC / MITRE / Limitations / See also).
Detection level uses the canonical 5-level scale (very-quiet → very-noisy); umbrella / variable packages show as —.
exposes a small set of typed Go wrappers over ntdll!Nt* functions that maldev components use frequently — memory allocation, write/protect, thread creation, and system information query
answers two operational questions: am I admin right now, and how do I run something else as a different principal? It wraps IsAdmin / IsAdminGroupMember for privilege detection and three execution primitives — ExecAs, CreateProcessWithLogon, ShellExecuteRunAs — for spawning processes under alternate credentials
provides five strategies for invoking Windows NT syscalls — from a hookable kernel32 call to fully indirect SSN dispatch through an in-ntdll syscall;ret gadget (heap stub or Go-assembly stub) — under one uniform [Caller] interface
wraps Windows access-token operations: open/duplicate process and thread tokens, steal a token from another PID, enable or remove individual privileges, query integrity level, and retrieve the active interactive session's primary token
reports the running Windows OS version, build, and patch level — bypassing the manifest-compatibility shim that masks GetVersionEx results to the manifest-declared compatibility target
defines the kernel-memory primitive interfaces consumed by EDR-bypass packages that need arbitrary kernel reads or writes (kcallback, lsassdump PPL-bypass, callback-array tampering, …)
enables Arbitrary Code Guard for the current process so the kernel refuses any further VirtualAlloc(PAGE_EXECUTE) / VirtualProtect(PAGE_EXECUTE) requests
synthesises a return-address chain so a stack walker at a protected-API call site sees frames that originate from a benign thread-init sequence rather than from the attacker module
inspects and relaxes Intel CET (Control-flow Enforcement Technology) shadow-stack enforcement for the current process, and exposes the ENDBR64 marker required by CET-gated indirect call sites
installs x64 inline hooks on exported Windows functions: patch the prologue with a JMP to a Go callback, automatically generate a trampoline for calling the original, and fix up RIP-relative instructions in the stolen prologue
clones a Windows PE's identity — manifest, icons, VERSIONINFO, optional Authenticode certificate — into a linkable .syso COFF object so a Go binary picks them up at compile time
hosts the .NET Common Language Runtime in process via the ICLRMetaHost / ICorRuntimeHost COM interfaces and executes managed assemblies from memory without writing them to disk
detects whether a debugger is currently attached to the implant — Windows via IsDebuggerPresent (PEB BeingDebugged), Linux via /proc/self/status TracerPid
discovers DLL-search-order hijack opportunities on Windows — places where an application loads a DLL from a user-writable directory BEFORE reaching the legitimate copy (typically in System32)
resolves Windows special folder paths via two Shell32 entry points: [Get] (legacy SHGetSpecialFolderPathW, CSIDL-keyed) and [GetKnown] (modern SHGetKnownFolderPath, KNOWNFOLDERID-keyed)
is the multi-factor sandbox / VM / analysis-environment detector — a configurable orchestrator that aggregates checks across recon/antidebug, recon/antivm, and its own primitives into a single "is this a sandbox?" assessment
provides time-based evasion that defeats sandboxes which fast-forward Sleep() calls — sandboxes commonly hook Sleep / WaitForSingleObject to skip the delay and analyse what the implant does next
Process — `process/*` + `process/tamper/*` — 7 packages
overwrites the current process's PEB CommandLine UNICODE_STRING so process-listing tools (Process Explorer, wmic, Get-Process, Task Manager) display a fake command-line instead of the real one
implements Process Herpaderping and the related Process Ghosting variant — kernel image-section cache exploitation that lets the running process execute one PE while the file on disk reads as another (or doesn't exist)
patches NtQuerySystemInformation in a target process so it returns STATUS_NOT_IMPLEMENTED, blinding that process's ability to enumerate running processes
suppresses Windows Event Log recording by terminating the EventLog service threads inside the hosting svchost.exe — the service stays "Running" in the SCM listing but no new entries are written
implements CVE-2024-30088 — a Windows kernel TOCTOU race in AuthzBasepCopyoutInternalSecurityAttributes that yields local privilege escalation to NT AUTHORITY\SYSTEM by overwriting the calling thread's primary token with lsass.exe's SYSTEM token
implements Metasploit Framework staging — pulls a second-stage Meterpreter payload from a multi/handler and executes it in the current process or a target picked via the optional Config.Injector
provides pluggable network transport implementations for C2 communication: plain TCP, TLS with optional certificate pinning, and uTLS for JA3/JA4 fingerprint randomisation