```mermaid
%%{init: {'theme':'dark'}}%%
graph TD
A[Security Considerations] --> B[Responsible Use]
A --> C[Vulnerability Reporting]
A --> D[Enhancement Suggestions]
B --> B1[Educational Purposes]
B --> B2[Authorized Testing Only]
B --> B3[Legal Compliance]
C --> C1[Report to K2@ktwo.ca]
C --> C2[Provide Details]
C --> C3[Coordinated Disclosure]
D --> D1[Architecture Extensions]
D --> D2[Encoder Enhancements]
D --> D3[Performance Improvements]
style A fill:#e94560,stroke:#c72c48,color:#fff
style B fill:#d68910,stroke:#b87333,color:#fff
style C fill:#0f3460,stroke:#16a085,color:#fff
style D fill:#1a472a,stroke:#2d7a45,color:#fff
```
ADMmutate is currently maintained for educational and research purposes. The following versions receive security updates:
| Version | Supported | Status |
|---|---|---|
| 0.8.4 | ✅ | Current stable release |
| 0.8.3 | ✅ | Maintained |
| 0.8.2 | ❌ | Deprecated |
| < 0.8.2 | ❌ | No longer supported |
ADMmutate is designed for educational and authorized security research purposes only.
```mermaid
%%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#1a1a2e','primaryTextColor':'#fff'}}}%%
flowchart TD
A[Using ADMmutate] --> B{Purpose?}
B -->|Learning| C[✅ Acceptable]
B -->|Authorized Pentest| D[✅ Acceptable]
B -->|Security Research| E[✅ Acceptable]
B -->|Unauthorized Access| F[❌ Illegal]
B -->|Malicious Use| G[❌ Illegal]
C --> H[Educational environments]
D --> I[Written permission required]
E --> J[Responsible disclosure]
F --> K[Legal consequences]
G --> K
style C fill:#388e3c,stroke:#2e7d32,color:#fff
style D fill:#388e3c,stroke:#2e7d32,color:#fff
style E fill:#388e3c,stroke:#2e7d32,color:#fff
style F fill:#e94560,stroke:#c72c48,color:#fff
style G fill:#e94560,stroke:#c72c48,color:#fff
style K fill:#6b2c2c,stroke:#8b3a3a,color:#fff
```
✅ Approved Uses:
- Educational purposes in controlled environments
- Authorized penetration testing with written consent
- Security research and academic study
- Personal learning in isolated lab environments
- CTF competitions and authorized challenges
- Development of defensive security tools
❌ Prohibited Uses:
- Unauthorized access to computer systems
- Malware development or distribution
- Attacking systems without explicit permission
- Circumventing security measures without authorization
- Any illegal activities
Users must comply with all applicable laws and regulations, including:
- Computer Fraud and Abuse Act (CFAA) in the United States
- Computer Misuse Act in the United Kingdom
- Local cybersecurity and computer crime laws
- Terms of service of target systems
If you discover a security vulnerability in ADMmutate, please report it responsibly:
Contact: K2@ktwo.ca
What to Include:
```mermaid
%%{init: {'theme':'dark'}}%%
graph LR
A[Vulnerability Report] --> B[Description]
A --> C[Impact Assessment]
A --> D[Proof of Concept]
A --> E[Suggested Fix]
B --> B1[Clear explanation<br/>of the issue]
C --> C1[Severity level]
C --> C2[Affected versions]
D --> D1[Steps to reproduce]
D --> D2[Test case if possible]
E --> E1[Proposed solution<br/>or workaround]
style A fill:#e94560,stroke:#c72c48,color:#fff
style B fill:#0f3460,stroke:#16a085,color:#fff
style C fill:#0f3460,stroke:#16a085,color:#fff
style D fill:#0f3460,stroke:#16a085,color:#fff
style E fill:#388e3c,stroke:#2e7d32,color:#fff
```
Report Template:
```
Subject: [SECURITY] <Brief Description>

Description:
[Detailed explanation of the vulnerability]

Impact:
[What can an attacker do? What data/systems are at risk?]

Affected Versions:
[Which versions are affected?]

Steps to Reproduce:
1. [First step]
2. [Second step]
3. [...]

Proof of Concept:
[Code or commands demonstrating the issue]

Suggested Fix:
[If you have ideas for fixing it]

Additional Notes:
[Any other relevant information]
```
```mermaid
%%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#16213e','primaryTextColor':'#fff','lineColor':'#e94560'}}}%%
gantt
title Vulnerability Response Timeline
dateFormat YYYY-MM-DD
section Response
Initial Response :a1, 2024-01-01, 3d
Investigation :a2, after a1, 7d
Fix Development :a3, after a2, 14d
Testing & Verification :a4, after a3, 7d
Public Disclosure :a5, after a4, 1d
```
- Initial Response: Within 3 business days
- Investigation: 7-14 days for analysis
- Fix Development: 14-30 days depending on severity
- Coordinated Disclosure: After fix is available
| Level | Criteria | Response Time |
|---|---|---|
| 🔴 Critical | Remote code execution, privilege escalation | 24-48 hours |
| 🟠 High | Information disclosure, DoS | 3-7 days |
| 🟡 Medium | Logic errors, minor security issues | 7-14 days |
| 🟢 Low | Best practice violations, hardening | Next release |
We welcome suggestions for improving ADMmutate's capabilities!
Current State: Fixed weights in code
Opportunity: Many users never customize instruction weightings
Suggestion:
- Add programmatic API for setting weights
- Configuration file support
- Runtime weight adjustment
```c
// Proposed API
int set_junk_weight(int arch, int instruction_index, int weight);
int load_weight_config(const char *config_file);
```
Current State: Manual offset calculation
Opportunity: Additional ESP/SP finding techniques
Suggestion:
- Add gadget-free SP discovery for code execution contexts
- FPU-based techniques
- Leverage common memory leaks
Research Areas:
- Modern ASLR bypass techniques
- Information leak exploitation
- Stack pivot gadgets
Current State: XOR-based encoding
Opportunity: Additional encoding algorithms
Suggestions:
- ADD/SUB encoding
- Rotation-based encoding
- Mixed cipher chains
- Architecture-specific encoding (e.g., AVX)
Testing Framework:
- Use `llvm-mca` for instruction timing analysis
- Use `llvm-exegesis` for performance profiling
- Build instruction databases for modern CPUs
Priority Targets:
- ARM/ARM64 (Thumb mode)
- AArch64
- RISC-V
- x86-64 specific optimizations
Suggestions:
- Anti-debugging techniques
- Anti-emulation checks
- Sandbox detection
- VM detection
Note: These should be optional and clearly documented for responsible use.
- Check existing issues for similar suggestions
- Open a GitHub Discussion to get feedback
- Create a detailed proposal with:
  - Problem statement
  - Proposed solution
  - Use cases
  - Implementation sketch (if applicable)
- Consider submitting a PR if you can implement it
```mermaid
%%{init: {'theme':'dark'}}%%
graph TD
A[Using ADMmutate] --> B[Isolated Environment]
A --> C[Documentation]
A --> D[Testing]
B --> B1[Use VMs or containers]
B --> B2[Separate network segment]
B --> B3[No production systems]
C --> C1[Read all documentation]
C --> C2[Understand implications]
C --> C3[Know the law]
D --> D1[Test thoroughly]
D --> D2[Verify payloads]
D --> D3[Controlled targets only]
style A fill:#e94560,stroke:#c72c48,color:#fff
style B fill:#0f3460,stroke:#16a085,color:#fff
style C fill:#0f3460,stroke:#16a085,color:#fff
style D fill:#388e3c,stroke:#2e7d32,color:#fff
```
Recommendations:
- Always use in isolated lab environments
- Never test on systems without authorization
- Keep exploitation tools and techniques private
- Practice responsible disclosure
- Maintain professional ethics
Code Security:
- Review all third-party contributions
- Test new features thoroughly
- Consider security implications
- Document security-relevant behavior
- Follow secure coding practices
Supply Chain:
- Verify dependencies
- Keep build tools updated
- Sign releases
- Provide checksums
We follow responsible disclosure practices:
- Private Notification: Report sent to K2@ktwo.ca
- Acknowledgment: We confirm receipt within 3 days
- Analysis: We investigate and develop a fix
- Fix Released: Security patch published
- Public Disclosure: 30-90 days after fix (coordinated)
- Credit: Reporter credited in release notes (if desired)
- Day 0: Vulnerability reported
- Day 1-3: Acknowledgment sent
- Day 3-30: Investigation and fix development
- Day 30-45: Testing and validation
- Day 45: Patch released
- Day 75-90: Public disclosure (if appropriate)
We recognize security researchers who responsibly disclose vulnerabilities:
No security vulnerabilities have been reported yet.
Remember: With great power comes great responsibility. Use ADMmutate ethically and legally.
For questions or concerns, contact: K2@ktwo.ca