Amaterasu terminates or inhibits protected processes, such as application control and AV/EDR solutions, by leveraging the Sysinternals Process Explorer driver to kill a process's handles from kernel mode.
ExploitLeakedHandle is a utility that identifies handles in unprivileged processes that may have been inherited from a privileged parent process and attempts to leverage them for local privilege escalation.
PIF is a tool that facilitates injecting and executing arbitrary code in remote processes through various process injection techniques.
PowerShell script to append data to executables without invalidating their digital signature.
Minimal driver that calls PsSetCreateProcessNotifyRoutineEx and writes basic process information to the kernel debugger. For educational purposes.
PowerShell script to retrieve the system call numbers for Nt/Zw functions exported in NTDLL.
PowerShell script to find NTDLL functions that may be hooked by AV or EDR by comparing what exists on disk with the loaded ntdll module.