@HackingLZ
HackingLZ / EDR.md
Created May 4, 2026 22:31
Large EDR Prompt

EDR Reverse Engineering Workspace

Universal workflow for complete reverse engineering of endpoint detection and response (EDR) products. Every EDR dropped into this workspace gets the same systematic treatment: full decompilation, rule extraction, ML model extraction, vulnerability analysis, detection gap analysis, and tradecraft development.

Standardized Folder Structure

When given a new EDR product, create this structure under <product>/:

<product>/
HackingLZ / EDR_SKILL.md
Last active May 19, 2026 14:15
EDR Skill
name: edr-reverse-engineering
description: Standardized workflow for reverse engineering endpoint security products, including extraction, decompilation, rule and model recovery, vulnerability analysis, detection gap analysis, proof-of-concept planning, live probes, and stakeholder reports. Use when Claude is asked to analyze an endpoint detection and response product, endpoint protection agent, security sensor, antivirus engine, or similar endpoint security package from installer artifacts, extracted binaries, live systems, or prior workspace outputs.

EDR Reverse Engineering

Use this skill to run a complete, repeatable reverse-engineering workflow for endpoint security products. Apply the same structure to every product so outputs can be compared across analyses and future work can resume without rediscovery.

HackingLZ / fingerprint.html
Created February 6, 2026 18:12
Browser Fingerprint Analyzer
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>VexTrio Fingerprint Analyzer</title>
<link href="https://fonts.googleapis.com/css2?family=IBM+Plex+Mono:wght@300;400;500;600;700&family=Space+Grotesk:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500;600&display=swap" rel="stylesheet">
<style>
*,*::before,*::after{box-sizing:border-box;margin:0;padding:0}
:root{
HackingLZ / acs.py
Created January 13, 2026 21:00
Standalone Azure Access Control Service (ACS) Domain Lookup
#!/usr/bin/env python3
"""
Standalone Azure Access Control Service (ACS) Domain Lookup
Queries the ACS metadata endpoint to extract domains associated with a tenant.
Accepts either a domain name or tenant GUID as input.
Usage:
python3 acs_lookup.py contoso.com
python3 acs_lookup.py ff13934a-ea67-4ad5-9552-dd16aad35221
HackingLZ / ipv4_to_ipv6_mapped.py
Last active December 7, 2025 16:12
IPv4 to IPv4-mapped IPv6 Address Converter
#!/usr/bin/env python3
"""
IPv4 to IPv4-mapped IPv6 Address Converter
Converts standard IPv4 addresses to the ::ffff: IPv6 mapped format.
"""
import ipaddress
import sys
const http = require('http');
const { execSync, exec, spawn } = require('child_process');
const fs = require('fs');
const path = require('path');
const zlib = require('zlib');
// Constants
const VERSION = '000010';
const PORT_HTTP = 80;
const PORT_IP = 443;
HackingLZ / emoji_lulz.py
Last active August 16, 2025 14:51
Detect Python code written by AI easily with science
#!/usr/bin/env python3
import ast, re, sys
EMOJI_RE = re.compile(
r"[\U0001F300-\U0001F5FF\U0001F600-\U0001F64F\U0001F680-\U0001F6FF"
r"\U0001F700-\U0001F77F\U0001F780-\U0001F7FF\U0001F800-\U0001F8FF"
r"\U0001F900-\U0001F9FF\U0001FA00-\U0001FA6F\U0001FA70-\U0001FAFF"
r"\u2702-\u27B0\u24C2-\U0001F251\U00010000-\U0010FFFF]"
)
#!/usr/bin/env python3
"""
M365 OSINT Reconnaissance Tool
Based on techniques from: https://dstreefkerk.github.io/2025-07-m365-email-osint-after-lockdown/
This script performs modern M365/Azure AD reconnaissance after Microsoft's lockdown of traditional
enumeration methods. It uses multiple validation techniques to discover organizational information
and attempts to infer MOERA domains.
"""
HackingLZ / trevor.rs
Created June 24, 2025 15:24
Trevor C2 Rust
use aes::Aes256;
use base64;
use cbc::{Decryptor, Encryptor};
use cbc::cipher::{block_padding::Pkcs7, BlockDecryptMut, BlockEncryptMut, KeyIvInit};
use hostname;
use rand::{Rng, RngCore};
use sha2::{Digest, Sha256};
use std::env;
use std::io::Read;
use std::process::{Command, Stdio};
HackingLZ / m4benchmark.txt
Last active November 13, 2024 12:23
M4 Max 64gb Hashcat Full Benchmark
hashcat (v6.2.6) starting in benchmark mode
Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.
* Device #2: Apple's OpenCL drivers (GPU) are known to be unreliable.
You have been warned.