  • United States
  • Joined Mar 23, 2026

eren717/README.md

Hi, I'm Eren

I spend most of my time digging into Windows kernel internals, writing hypervisors from scratch, and breaking apart security mechanisms to understand how they actually work under the hood. Mainly C/C++ with some Python and C# when it makes sense.

Everything here is built for learning and authorized security research. Don't use any of this on systems you don't own.

Languages & Tools

C/C++, x86-64 Assembly, C#, Python | Windows kernel, VMX/SVM, NT internals, PE format, WinAPI


Hypervisors & Virtualization

HVRT - Bare-metal hypervisor runtime, Intel VT-x + AMD-V, EPT/NPT shadow paging, VMCS management

Umbra - Type-1 hypervisor from scratch, full VM-exit interception, VMCALL interface, nested page table control

VMDetect - Detects VirtualBox, VMware, Hyper-V, QEMU through CPUID, registry, MAC, firmware and timing artifacts

EnvCheck - 45+ sandbox and VM detection checks across 11 categories, fingerprints the whole execution environment

Kernel & Driver Development

KernelBridge - 40+ NT API hooks with trampoline-based inline patching, full syscall interface between usermode and kernel

WdFilter2 - Kernel filter driver that does DKOM, IRP hooking, callback manipulation and PatchGuard-aware operations

DriverProtect - Self-protecting kernel driver with CRC32 integrity checks, watchdog thread, callback hardening

SyscallForge - Maps SSNs across Win10/11 builds, generates direct and indirect syscall stubs, detects usermode hooks

Process Injection & IPC

GhostLink - Hijacks IPC between processes in real time, 24 inline API hooks across named pipes, ALPC, COM, shared memory, sockets, clipboard and window messages

PhantomGate - Polymorphic loader with APC injection, module stomping, XOR/AES-256 encryption layers

Shellcode-Loader-Gen - Generates shellcode loaders with multiple injection techniques and encryption options

CryptoUtil - AES-256-CBC encrypted PE loader with process hollowing and relocation fixups

Network & Exfiltration

HTTPClient - Custom HTTPS client with HMAC auth, SPKI certificate pinning, domain fronting, jitter and retry logic

DNS_Tunnel - Full DNS tunneling stack, Base32-encoded payloads, chunked TXT responses, HMAC-authenticated commands

DNSTunnel - Lightweight DNS exfiltration channel with encoding and authentication

NetExfil - Moves data out over ICMP, DNS, HTTPS or raw TCP with per-protocol encryption

NetworkStealth - Traffic obfuscation layer with DoH resolving, JA3 randomization, Tor routing, packet padding

ICSProbe - Scans industrial networks, speaks Modbus TCP, S7comm, OPC-UA and DNP3 natively

Cryptography & Data Protection

CipherStream - End-to-end encrypted channel using AES-256-GCM, ChaCha20-Poly1305, ECDH key exchange with forward secrecy

DPAPIVault - Stores credentials through Windows DPAPI with an extra AES-256 + HMAC-SHA256 layer

StringCryptor - Compile-time string encryption, XOR with random keys, decrypts on the stack at runtime

Evasion & Anti-Analysis

ServiceCompat - Disables ETW tracing, patches AMSI, unhooks ntdll, kills EDR callbacks

PatchGuard - AMSI, ETW and WLDP bypass generator, outputs C, PowerShell and C# payloads

AntiRE - Anti-debug, anti-VM, timing checks, hardware breakpoint detection, all in one header

HookScan - Scans every process for inline hooks in ntdll by diffing against the clean copy on disk

Forensics & Persistence

ForensicWipe - Destroys forensic evidence, wipes $MFT entries, clears browser data, kills ETL logs, scrubs memory artifacts

FileGuard - Locks files against deletion with ACL hardening, oplocks, ADS backups and VSS snapshots

InstallGuard - Persistence through registry, scheduled tasks, COM hijacking, DLL proxying, WMI subscriptions

Bootlace - Boot-level persistence, MBR/VBR patching, EFI variable manipulation, BCD modification

DataHarvest - Pulls credentials, cookies and browser data from Chrome, Edge and Firefox on Windows

Tooling & Utilities

PESanitize - Strips rich headers, debug directories, timestamps and build paths from PE files

Bin2Header - Converts any binary to a C header array with optional XOR encoding

PayloadPacker - Wraps payloads into HTA, ISO, LNK, VBA macro, OneNote and HTML smuggling formats

HWIDCollector - Grabs 10 hardware identifiers and hashes them into a single SHA-256 machine fingerprint

Hardware

CoolKit - UEFI firmware rootkit framework, SPI flash R/W, DXE injection, Secure Boot bypass, TPM evasion, Intel + AMD support (dm on discord)

BadUSB-Toolkit - HID keystroke injection for ATmega32U4 boards, types a download cradle and goes silent in 6 seconds


Contact

Discord: eren_._z

Popular repositories

  1. Shellcode-Loader-Gen Public

    Polymorphic shellcode loader generator with 7 injection techniques, XOR/AES encryption and randomized output per run

    Python 6 2

  2. AntiRE Public

    Anti-reverse-engineering toolkit for Windows with anti-debug, anti-dump, anti-VM and code integrity checks

    C++ 1 1

  3. EnvCheck Public

    Sandbox and VM detection with 45+ checks across 11 categories (hardware, timing, processes, user artifacts, CPUID, devices) and 0-100 confidence scoring

    C++ 1

  4. InstallGuard Public

    20 persistence methods including registry, scheduled tasks, COM hijacking, WMI events, BITS jobs, AppInit DLLs plus DLL proxy generator

    C++ 1 1

  5. ServiceCompat Public

    60-layer AV/EDR evasion suite with ETW patching, AMSI bypass, Defender service kill, event log clearing, syscall unhooking and PPL bypass

    C++ 1

  6. StringCryptor Public

    Compile-time string encryption with 5-layer chaining (XOR, bit-rotate, add, quadratic hash, polymorphic), unique keys per call site

    C++ 1