NULL @NUL0x4C Twitter profile

Last Seen Profiles

@FxKarchive

@brianstelter

@sohnikurixx

@LazerBrody

@FT_07_

@phoeniixverse

@bachmanntrains

@PhillyDSA

@valuriap

@my_nameisyoon

@DrewCreighton

@1fr33dom

@amelsyakura

@LkJh01928

@REVI

@desire_2024

@adele_chivers

@valdizoldo

@serltice

@xn0sthfvyqkvz

@saragwarner

@quinones_luis

@cukienaknikmati

@deruniii___

@negi_Campus

@DWilliamsGlobal

@asist_esc

@WizWorldNFT

@FranklinD1Track

@hastizopherni

@TheaAHolcomb

@TPMP

@devilminee

@ciaran_tcg

@SeanTaIksSports

@deryakilic874

NULL

@NUL0x4C

2 years

decided to release this, a highly capable pe packer, with a lot of nice features

GitHub - NUL0x4C/AtomPePacker: A Highly capable Pe Packer

A Highly capable Pe Packer. Contribute to NUL0x4C/AtomPePacker development by creating an account on GitHub.

github.com

6

146

416

NULL

@NUL0x4C

8 months

Publishing a PoC for an interesting code injection technique

GitHub - Maldev-Academy/Christmas

Contribute to Maldev-Academy/Christmas development by creating an account on GitHub.

github.com

8

119

402

NULL

@NUL0x4C

2 years

had some time, so i made this; does process injection, ppid spoofing stuff, and a few other neat things ;p

GitHub - NUL0x4C/TerraLdr: A Payload Loader Designed With Advanced Evasion Features

A Payload Loader Designed With Advanced Evasion Features - NUL0x4C/TerraLdr

github.com

12

106

311

NULL

@NUL0x4C

1 year

This course will take someone with minimal C knowledge to being capable of building something like this:

GitHub - NUL0x4C/AtomLdr: A DLL loader with advanced evasive features

A DLL loader with advanced evasive features. Contribute to NUL0x4C/AtomLdr development by creating an account on GitHub.

github.com

mr.d0x

@mrd0x

1 year

For the past couple of months @NUL0x4C and I have been working on a module-based malware dev training course that covers various techniques in-depth. Its emphasis is on simplifying complex concepts & evasion. Every module contains highly commented custom code. Stay tuned!

37

163

761

5

81

299

NULL

@NUL0x4C

2 years

after some time playing with conti & babuk code, i noticed that both are deleting shadow copies via command line, so i had to come up with something better:

GitHub - NUL0x4C/DeleteShadowCopies: Deleting Shadow Copies In Pure C++

Deleting Shadow Copies In Pure C++ . Contribute to NUL0x4C/DeleteShadowCopies development by creating an account on GitHub.

github.com

5

62

292

NULL

@NUL0x4C

1 year

Another tool for the upcoming Maldev Academy course! This tool is part of the entropy reduction module.

GitHub - Maldev-Academy/EntropyReducer: Reduce Entropy And Obfuscate Youre Payload With Serialized...

Reduce Entropy And Obfuscate Youre Payload With Serialized Linked Lists - Maldev-Academy/EntropyReducer

github.com

7

61

215

NULL

@NUL0x4C

2 years

its been a long time since I last uploaded something, but earlier this day I had some time to drop this:

GitHub - NUL0x4C/APCLdr: Payload Loader With Evasion Features

Payload Loader With Evasion Features. Contribute to NUL0x4C/APCLdr development by creating an account on GitHub.

github.com

4

91

215

NULL

@NUL0x4C

2 years

Cobalt strike my ass, any other c2's that will run on linux? (Im looking for another "my default" c2) #opensource

40

41

210

NULL

@NUL0x4C

2 years

i guess the name is self explanatory

GitHub - NUL0x4C/KnownDllUnhook: Replace the .txt section of the current loaded modules from...

Replace the .txt section of the current loaded modules from \KnownDlls\ to bypass edrs - NUL0x4C/KnownDllUnhook

github.com

0

56

188

NULL

@NUL0x4C

3 years

Published a new Repo Today, first one on gitlab ;) combining more than more tech to bypass av products: u can check it here: #bypassav #shellcode #payload

ORCA / 3in1 · GitLab

Project Than is meant to Bypass Windows Defender, Using ThreadStackSpoofer, TDP && KCTHijack

gitlab.com

3

76

182

NULL

@NUL0x4C

2 years

released a poc on etw session hijacking, blocking network events monitoring on procmon

GitHub - NUL0x4C/EtwSessionHijacking: A Poc on blocking Procmon from monitoring network events

A Poc on blocking Procmon from monitoring network events - NUL0x4C/EtwSessionHijacking

github.com

2

65

167

NULL

@NUL0x4C

2 years

Built a new tool, based on older poc i made, #hellshell can generate ipv4/ ipv6 / mac addresses arrays to replace your shellcode, in a automated way, with the code needed to decode, take a look here: #hellshell #ipfuscation #macfuscation

ORCA / HellShell · GitLab

Generating Ipv4 / Ipv6 / Mac Arrays As The Shellcode

gitlab.com

4

56

165

NULL

@NUL0x4C

3 years

Building New poc, inject your shellcode into ntdll address space, without VirtualAllocEx , and then hijacking the thread without GetThreadContext or Suspend/ResumeThread, bypass some memory scanners here: #shellcode #inject #bypassav

ORCA / SnapLoader · GitLab

Injecting shellcode into 'ntdll.dll' address space in target process, and hijacking its thread without calling GetThreadContext, evading memory scanners, and more ...

gitlab.com

3

57

158

NULL

@NUL0x4C

10 months

I was able to successfully implement a custom Herpaderping implementation for @MalDevAcademy . Shout out to @jxy__s for helping out with some issues!

4

19

149

NULL

@NUL0x4C

2 years

Ever wanted to run your payload without being boring ? here you go ...

GitHub - NUL0x4C/NoRunPI: Run Your Payload Without Running Your Payload

Run Your Payload Without Running Your Payload. Contribute to NUL0x4C/NoRunPI development by creating an account on GitHub.

github.com

5

49

137

NULL

@NUL0x4C

2 years

released #hive 's IPfuscation Tech, in which the shellcode is converted to an array of ip addresses to evade detection, u can try it out here: #shellcode #IPfuscation

4

59

132

NULL

@NUL0x4C

2 years

Saw this repo today, found it may be useful to share :)

1

42

118

NULL

@NUL0x4C

3 years

Released a small repo using Tiny-AES-C to do AES CBC shellcode encryption, fixing the padding problem, here : #shellcode #encryption

3

36

98

NULL

@NUL0x4C

2 years

after some struggling, it was done, a 217 bytes custom dynamic shellcode, that can download and run your payload from a webpage :

ORCA / D.RDynamicShellcode · GitLab

Download & Run Dynamic x64 Shellcode

gitlab.com

2

26

99

NULL

@NUL0x4C

3 years

i was playing with some elevation techs today, and i found this, u may already know it, but for those who don't, if u have an elevated process, killing explorer.exe and running it as "explorer.exe /NOUACCHECK" will run anything under it as admin process

1

23

95

NULL

@NUL0x4C

2 years

finally, publishing #SShell , a encrypted cmd reverse shell, with key exchange algorithm, that uses both xor and rc4 with a key that changes every 2 minutes, still little buggy sometimes, u can take a look here:

ORCA / SShell · GitLab

A end to end encrypted reverse shell with a custom key exchange algorithm

gitlab.com

3

35

95

NULL

@NUL0x4C

2 years

Published a new repo today, load your dll from #memory , based on mmLoader library.

ORCA / DynamicDllLoader · GitLab

Run your Dll From Memory

gitlab.com

0

27

92

NULL

@NUL0x4C

2 years

at last, i finally got some time to release more code :) i'll start with this:

GitHub - NUL0x4C/Syscallslib: a library that automates some clean syscalls to make it easier to...

a library that automates some clean syscalls to make it easier to implement - GitHub - NUL0x4C/Syscallslib: a library that automates some clean syscalls to make it easier to implement

github.com

2

30

91

NULL

@NUL0x4C

2 years

after hiding the payload in the thread description, i decided to search for new places for the same purpose, so im releasing a new poc, that hide your payload in nvidia's gpu memory.

ORCA / GP · GitLab

gpu poisoning; hide the payload inside the gpu memory

gitlab.com

3

36

87

NULL

@NUL0x4C

2 years

released a stable library that handles forwarded functions and does compile time hashing, replacing GetModuleHandle and GetProcAddress :

0

36

81

NULL

@NUL0x4C

2 years

since a lot of the homies are using entropy to detect encrypted / compressed payloads, i had to do something about it :

ORCA / EntropyFix · GitLab

A tool with no ascii art that reduces the entropy of your payload

gitlab.com

2

15

82

NULL

@NUL0x4C

2 years

i released i tiny poc on getting the syscalls from ntdll of a new suspended process :

ORCA / SuspendedNtdllUnhook · GitLab

Get your syscalls from a newly suspended created process

gitlab.com

2

14

80

NULL

@NUL0x4C

3 years

released another poc on KernelCallbackTable hijacking to run your shellcode, inspired by this paper here: the repo can be found here: #bypassav #shellcode #poc

North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign

How one of North Korea’s most sophisticated APTs tries to avoid detection by using legitiate tools during its attacks.

www.threatdown.com

3

37

77

NULL

@NUL0x4C

2 years

ideas ... 👀👀

ESET Research

@ESETresearch

4 years

The attackers use improved ListPlanting technique for code injection. Instead of calling WriteProcessMemory, #InvisiMole sends LVM_SETITEMPOSITION and LVM_GETITEMPOSITION messages to the target SysListView32, with shellcode bytes provided as the new coordinates. 7/9

1

29

92

2

10

64

NULL

@NUL0x4C

3 years

just saw this today and wanted to share, maybe someone will make a bof out of it or smth , cz i think it is cool ;p

GitHub - hyp3rlinx/DarkFinger-C2: Windows TCPIP Finger Command / C2 Channel and Bypassing Security...

Windows TCPIP Finger Command / C2 Channel and Bypassing Security Software - hyp3rlinx/DarkFinger-C2

github.com

0

25

66

NULL

@NUL0x4C

2 years

Etw session hijacking, on Process Monitor v 3.86, preventing network events from being monitored :

bandicam 2022-08-21 03-16-04-134.mp4

Etw Session Hijacking

vimeo.com

3

14

64

NULL

@NUL0x4C

2 years

released a new repo, brute forcing the key of aes encryption, (cz im tired of ppl exposing the decryption keys lol) #AES #shellcode #encryption

ORCA / AESBruteForcing · GitLab

Brute Forcing AES Key Using Arrays Of 'djb2' Hashes

gitlab.com

2

19

57

NULL

@NUL0x4C

2 years

WaitForSingleObject(CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)memcpy(Old = VirtualAlloc(NULL, sizeof(rawData), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE), rawData, sizeof(rawData)), VirtualProtect(Old, sizeof(rawData), PAGE_EXECUTE_READWRITE, &Old), NULL, NULL), INFINITE);

4

10

58

NULL

@NUL0x4C

2 years

well, i saw somth that would make developers check there visual studio files twice before building ... idk if u know that, but u can backdoor vs project !!!, project properties -> Build Events -> Post-Build Event -> Command Line -> ??? #windows #visualstudio #powershell

2

15

56

NULL

@NUL0x4C

2 years

ever wanted to replace FindResource, LoadResource, LockResource, SizeofResource... well, now you can :

GitHub - NUL0x4C/ManualRsrcDataFetching: Get your data from the resource section manually, with no...

Get your data from the resource section manually, with no need for windows apis - GitHub - NUL0x4C/ManualRsrcDataFetching: Get your data from the resource section manually, with no need for window...

github.com

0

30

57

NULL

@NUL0x4C

2 years

Wanted to play with some assembly code, ended up making a small keylogger :|

8

1

47

NULL

@NUL0x4C

2 years

putting the final touch on a new memory evasion technique :)

1

47

NULL

@NUL0x4C

2 years

it's been a while since the last time I played with some c code, so I had to publish something:

ORCA / KctHijackLib · GitLab

A Small Library For a Cleaner Execution

gitlab.com

3

15

40

NULL

@NUL0x4C

1 year

check it out everyone

MalDev Academy

@MalDevAcademy

1 year

MaldevAcademy[.]com is now live!

16

48

206

5

4

38

NULL

@NUL0x4C

2 years

released 'Toaster' repo, using #WinToast library to run the shellcode in a funny way, the idea was @__mez0__ 's idea, and i had some fun, figured i share it :

ORCA / ToasterLoader · GitLab

Just A Fun Way To Run Your Shellcode

gitlab.com

☠️ Brandon

@__mez0__

2 years

I was looking at how to use Windows Toasts for a project I'm working on, turns out its quite a funny way to have "malicious" code execute:

2

20

106

2

13

38

NULL

@NUL0x4C

2 years

after some ppl criticized the naming, please take a look at the code and tell me what to name it :

GitHub - NUL0x4C/Ultra: A Small Poc On An Encryption/Decryption Algorithm Used As A File Locker

A Small Poc On An Encryption/Decryption Algorithm Used As A File Locker - NUL0x4C/Ultra

github.com

2

6

38

NULL

@NUL0x4C

2 years

since "bringing your version of ntdll over the internet" is a thing now, try downloading it from instead of manually setting up a server

2

5

38

NULL

@NUL0x4C

2 years

the definition of thinking outside of the box:

DEF CON 30 - Michael Bargury - No-Code Malware - Windows 11 at Your...

Windows 11 ships with a nifty feature called Power Automate, which lets users automate mundane processes. In a nutshell, Users can build custom processes and...

www.youtube.com

4

8

36

NULL

@NUL0x4C

2 years

for ppl who asked for the asm keylogger to write to a file, it does now

update · main · ORCA / asmLogger · GitLab

poc on assembly keylogger, that really handles special characters

gitlab.com

0

8

32

NULL

@NUL0x4C

1 year

In the @MalDevAcademy update coming tomorrow, we're showcasing a tool that utilizes hardware breakpoints to collect RDP credentials, evading MDE

1

4

28

NULL

@NUL0x4C

2 years

do u guys want a pe packer ?

0

29

NULL

@NUL0x4C

2 years

ig the best thing to do if you wanna dive into mal dev, is learning how to google stuff, there is a lot of things out there, you just need to google it right ...

1

5

26

NULL

@NUL0x4C

2 years

do u guys want a shellcode loader ?

NULL

@NUL0x4C

2 years

do u guys want a pe packer ?

0

29

0

25

NULL

@NUL0x4C

2 years

still mad at me babe ?

Florian Roth

@cyb3rops

2 years

@chompie1337 publishing code that deletes the volume shadow copies isn't offensive research

4

0

6

1

24

NULL

@NUL0x4C

2 years

why suspending such threads is not an option to block ETWs

3

21

NULL

@NUL0x4C

2 years

Fuck debugging

2

0

22

NULL

@NUL0x4C

2 years

it's been a while since i last uploaded something, but "we" are preparing something cool for 2023, stay tuned ;p

1

2

21

NULL

@NUL0x4C

2 years

@cyb3rops bruh

2

0

14

NULL

@NUL0x4C

2 years

bro, com in c is something else

3

0

16

NULL

@NUL0x4C

1 year

I’ve received several messages regarding the upcoming course. Due to unexpected personal reasons, it’s being delayed for a few more weeks. Sorry for that.

3

0

15

NULL

@NUL0x4C

2 years

some cryptographic algorithms are pure art

3

1

15

NULL

@NUL0x4C

2 years

RtlSetProcessIsCritical(TRUE, FALSE, FALSE)

3

4

14

NULL

@NUL0x4C

2 years

damn you shadow copies

GalB1t

@Gal_B1t

2 years

With (not so )great power comes great (ir)responsibility 🕷️🤦‍♂️ [Context: sharing a useful tactic for ransomware operators]

3

0

3

1

0

13

NULL

@NUL0x4C

2 years

used to hate java, now i hate it more

0

14

NULL

@NUL0x4C

10 months

@ShitSecure @vxunderground @MalDevAcademy "PsSetCreateProcessNotifyRoutineEx" callbacks are not exactly triggered at process creation but rather at main thread creation. Thats why we see process herpaderping (for example) modifying the payload file with a legit image before thread creation. Any scan created by this

2

0

12

NULL

@NUL0x4C

1 year

@0gtweet i had to try it ...

1

2

13

NULL

@NUL0x4C

2 years

At least till @C5pider releases havoc c2 ;p

2

0

12

NULL

@NUL0x4C

2 years

Is there a book like "windows internals" but for linux, I'm trying to jump into linux-based malware dev :)

1

11

NULL

@NUL0x4C

3 years

this is my gitlab account, ill post my other github repos when i have time :

ORCA · GitLab

[email protected]

gitlab.com

0

2

10

NULL

@NUL0x4C

3 years

@cyb3rops that's me lol :

1

2

9

NULL

@NUL0x4C

3 years

@NinjaParanoid What if we decoded each 1 byte in the shellcode at a time, and the same byte was injected to a running process as "size" argument is equal to 1; but in a loop till the shellcode end :D I used this tech here:

2

9

NULL

@NUL0x4C

2 years

does anyone knows a tool that convert asm to a shellcode, im using x64 masm syntax

4

0

9

NULL

@NUL0x4C

2 years

pew pew

ORCA / asmLogger · GitLab

poc on assembly keylogger, that really handles special characters

gitlab.com

NULL

@NUL0x4C

2 years

Wanted to play with some assembly code, ended up making a small keylogger :|

8

1

47

1

9

NULL

@NUL0x4C

2 years

@Gal_B1t im here for the lulz

1

0

8

NULL

@NUL0x4C

2 years

just changed my wallpaper to blue using this, best syscall ever !

1

0

9

NULL

@NUL0x4C

2 years

@C5pider real gangster

0

8

NULL

@NUL0x4C

2 years

based on :

0

1

9

NULL

@NUL0x4C

2 years

@C5pider @ilove2pwn_ @rad9800 @modexpblog @peterwintrsmith @passthehashbrwn @waldoirc @Und3rf10w @MrUn1k0d3r @chvancooten i didn't thought i would make it to such a list, however I'll take this chance to suggest these books: - windows system programming - windows internals - network programming with c - the art of 64-bit assembly language (prob their is more, but these are what i remembered now)

0

3

8

NULL

@NUL0x4C

2 years

another 4 hrs sleeping night

1

0

8

NULL

@NUL0x4C

3 years

Nim it is ppl ...

Matt | HuskyHacks

@HuskyHacksMK

3 years

writing malware for the upcoming course. Something incredible I've noticed: malware samples written in Nim do not show their static imports in their IAT, even when I call the win32 API directly:

5

33

161

0

8

NULL

@NUL0x4C

2 years

For people interested in re, i would suggest reading "Reversing: secrets of reverse engineering"

1

0

8

NULL

@NUL0x4C

2 years

i was cleaning up some old code and i found this, idk why but yeah ...

1

3

7

NULL

@NUL0x4C

2 years

tested with #Havoc too :0

0

1

8

NULL

@NUL0x4C

2 years

@vxunderground what i meant it something like this

NULL

@NUL0x4C

2 years

@Idov31 the code i wanted to release isn't actually a *ransomware*, its just the encryption / decryption algorithm, what i meant to publish is a program that takes a file name from the command line, encrypt it ..., and the same goes for the decrypter :)

4

0

3

4

0

6

NULL

@NUL0x4C

2 years

@C5pider thanks for the backup ♡♡

0

1

7

NULL

@NUL0x4C

2 years

@domchell @cyb3rops don't worry I'll remove the shadow copies part out

1

0

7

NULL

@NUL0x4C

2 years

1

0

7

NULL

@NUL0x4C

3 years

@cyb3rops Now java will be the next programming language to code ransomwares, luckily they are teaching us java in collage, I never knew what I can do with it till now :)

0

1

7

NULL

@NUL0x4C

3 years

@CaptMeelo Thanks for The share :), Just a note for ppl using the tiny-AES lib to encrypt ur shellcode, check if it is multiple of 16, and append with nops (0x90) if not, and then add more 16 bytes of nops at the end, bcz i was stuck with it some while back , till i read the readme ;)

1

0

7

NULL

@NUL0x4C

2 years

college is waste of money, i've wasted 3 years paying for ppl and got no real experience / knowledge in return, and today i got email i gotta pay more, so im just mad af now :) (this may not work for all colleges, but this is my personal experience, specially in such a country)

2

1

6

NULL

@NUL0x4C

2 years

@zux0x3a Yup, pascal and rust in my opinion will be the next c for malware, but still, i guess u can score better with some weird open source "programming languages", its crazy to see how just changing compilers does that :)

2

0

6

NULL

@NUL0x4C

10 months

@ShitSecure @vxunderground @MalDevAcademy Such techniques are used to evade kernel callbacks that are triggered on process creation. For example, "PsSetCreateProcessNotifyRoutineEx".

1

0

6

NULL

@NUL0x4C

1 year

@_Kudaes_ u broke the unwritten rule: new PoCs should always be in C 😭. Good job tho, loving it 😍

1

0

6

NULL

@NUL0x4C

2 years

this is me rebuilding :

1

0

6

NULL

@NUL0x4C

3 years

TDP is moved to gitlab;

ORCA / T.D.P · GitLab

Thread Description Poising; Using Thread Description To Hide Shellcodes

gitlab.com

0

3

5

NULL

@NUL0x4C

3 years

let me know if it still work ppl :)

0

5

NULL

@NUL0x4C

2 years

i used to buy a tons of books and put more time in reading stuff, rather than googling it, im not saying you should ignore books, but check your browser first, you may find what you want faster and from more than one point of view :)

1

0

5

NULL

@NUL0x4C

3 years

EVA: fully undetected shellcode injector NOW ON MY GITHUB: #malware #undetected #fud #CobaltStrike #hacking #redteam #shellcode

1

2

5

NULL

@NUL0x4C

6 months

@burning_pm @l1inear He showed me the configuration and it is configured correctly to block LSASS dumps. We tested other techniques and they were getting blocked. He's also not obliged to show you the entire configuration, if you don't like what he said then take your skepticism elsewhere because at

2

0

5

NULL

@NUL0x4C

2 years

idk if thats really *better*, but its different and small ;)

1

2

5

NULL

@NUL0x4C

2 years

its done :

NULL

@NUL0x4C

2 years

for ppl that don't know, my old github account got suspended a while back, that's why i moved to gitlab, but gitlab isn't that favored so ...

4

0

1

5

NULL

@NUL0x4C

2 years

New me ;)

1

5

NULL

@NUL0x4C

2 years

who's good in golang and wanna contribute to something interesting ?

4

1

5

NULL

@NUL0x4C

2 years

the code was a hello world printf, its funny seeing it flagged

0

5

NULL

@NUL0x4C

2 years

@C5pider @Gal_B1t the funny part is that i really put that the code is based on this repo in my readme, still there is a lot of *good people* acting up, like bruh, even if this shit is new, you can write your yara rule thingy instead of commenting on a tweet.

0

5