Handbook V – Maldev
Work in Progress
Table Of Contents
- Courses
- Sources
- x86 & x64 Assembler and Disassembler
- Callback function list
- Convert raw shellcode to raw binary format
- EDR Telematry
- EDR Telematry v2
- Entropy reduction
- HijackLibs
- Malapi.io
- No-defender
- NtDoc – The native NT API online documentation
- Parasite-invoke
- Reverse engineering of everything Microsoft
- Vergilius project
- Unprotect.it
- Evasion techniques
- Windows Icons
Courses
EvasionEDR By Matt Hand
Sources
| URL | Description | Category |
|---|---|---|
| https://github.com/NUL0x4C/HellShell | HellShell GitHub repository | Penetration Testing |
| https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/#weapon | Exploit writing tutorial on Corelan.be | Exploit Development |
| https://www.corelan.be/ | Corelan.be website | Cybersecurity |
| https://github.com/Krypteria/AtlasLdr | AtlasLdr GitHub repository | Malware Analysis |
| https://labs.jumpsec.com/obfuscating-c2-during-a-red-team-engagement/ | Article on obfuscating C2 during Red Team engagement | Red Teaming |
| https://github.com/matterpreter/DefenderCheck | DefenderCheck GitHub repository | Security Tools |
| https://pinvoke.net/ | PInvoke.net – Platform Invoke for .NET | Programming |
| https://github.com/mkaring/ConfuserEx/releases/tag/v1.6.0 | ConfuserEx GitHub repository (v1.6.0 release) | Malware Analysis |
| https://virusscan.jotti.org/en-US/scan-file | Jotti’s Virus Scan – File scanning tool | Antivirus |
| https://redops.at/en/blog/direct-syscalls-a-journey-from-high-to-low | Article on direct syscalls in Red Teaming | Red Teaming |
| https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ | Raspberry Robin anti-evasion exploit analysis | Exploit Analysis |
| https://vanmieghem.io/process-injection-evading-edr-in-2023/ | Article on process injection and EDR evasion | Cybersecurity |
| https://redsiege.com/blog/2023/04/evading-crowdstrike-falcon-using-entropy/ | Evading Crowdstrike Falcon using entropy | Evasion Techniques |
| https://evasions.checkpoint.com/ | Check Point Evasions – Evasion techniques | Evasion Techniques |
| https://vx-underground.org/ | VX Underground – Malware and Exploit Community | Malware Analysis |
| Home – Unprotect Project | Search Evasion Techniques | Evasion Techniques |
x86 & x64 Assembler and Disassembler
Wondering what your shellcode is doing? This website will disassemble it for you and show the instructions.
Online x86 and x64 Intel Instruction Assembler
Callback function list
aahmad097/AlternativeShellcodeExec: Alternative Shellcode Execution Via Callbacks (github.com)
According to Microsoft, a callback function is code within a managed application that helps an unmanaged DLL function complete a task. Calls to a callback function pass indirectly from a managed application, through a DLL function, and back to the managed implementation.
Example: Using CertEnumSystemStore
MSDN Documentation for CertEnumSystemStore
#include <windows.h>
#include <wincrypt.h>
#include <stdio.h>
// Shellcode payload
unsigned char shellcode[] =
"\x90\x90\x90\x90" // NOPs for padding
"\xcc"; // INT 3 (breakpoint for debugging)
BOOL WINAPI Payload(const void *pvSystemStore, DWORD dwFlags, PCERT_SYSTEM_STORE_INFO pStoreInfo, void *pvReserved, void *pvArg) {
((void(*)())shellcode)();
return TRUE;
}
int main() {
if (!CertEnumSystemStore(CERT_SYSTEM_STORE_CURRENT_USER, NULL, NULL, Payload)) {
printf("[!] CertEnumSystemStore Failed With Error : %d \n", GetLastError());
return -1;
}
return 0;
}
Convert raw shellcode to raw binary format
Use CyberChef. Copy the shellcode to Cyberchef and choose “From Hex” as operations. Then save the output to .bin. This can be done the other way around also. From raw binary to shellcode.
EDR Telematry
EDR Telemetry Tracking for Windows – Google Drive
EDR Telematry v2
EDR Telemetry Project – Windows
Entropy reduction
Reducing entroy makes the data appear less random. A high entropy might indicate encryption and some EDRs might raise suspicion. Some of the techniques to reduce entroyp is:
Encoding After Encryption: Applying encoding like URL encoding reduces the range of characters used (e.g., using only alphanumeric characters and fewer symbols) while preserving the data’s integrity. This limits the number of unique bytes, decreasing the perceived randomness.
Disguising the Encoded Payload: After encoding, disguise the payload by embedding it into seemingly legitimate data, such as fake URLs, CSV files, or even certificates. This helps evade detection during analysis or reverse engineering.
Loader Decoding and Execution: The loader should read and decode the disguised data, reverting it to its original form before execution.
HijackLibs
This project provides an curated list of DLL Hijacking candidates. A mapping between DLLs and vulnerable executables is kept and can be searched via this website. Additionally, further metadata such as resources provide more context.
Malapi.io
MalAPI.io maps Windows APIs to common techniques used by malware.
No-defender
NtDoc – The native NT API online documentation
NtDoc – The native NT API online documentation (m417z.com)
This collection of Native API header files has been maintained since 2009 for the Process Hacker project, and is the most up-to-date set of Native API definitions that I know of. I have gathered these definitions from official Microsoft header files and symbol files, as well as a lot of reverse engineering and guessing. See
phnt.hfor more information.
Parasite-invoke
Hide your P/Invoke signatures through other people’s signed assemblies!
Reverse engineering of everything Microsoft
Geoff Chappell, Software Analyst
Kernel, Win32, Shell, Internet Explorer, Visual C++.
Vergilius project
This project provides a collection of Microsoft Windows kernel structures, unionsand enumerations.
Unprotect.it
This project aims to provide Malware Analysts and Defenders with actionable insights and detection capabilities to shorten their response times.
Evasion techniques
Evasion techniques (checkpoint.com)
In this encyclopedia we have attempted to gather all the known ways to detect virtualized environment grouping them into big categories. Some categories are inactive on main page: it means that content will be added later. If it isn’t stated explicitly which operating system is described, Windows is meant by default.
Windows Icons
Windows Icon locations:
%systemroot%\system32\imageres.dll
%systemroot%\system32\shell32.dll
%systemroot%\system32\ddores.dll
%systemroot%\system32\pifmgr.dll
%systemroot%\explorer.exe
%systemroot%\system32\accessibilitycpl.dll
%systemroot%\system32\moricons.dll
%systemroot%\system32\mmcndmgr.dll
%systemroot%\system32\mmres.dll
%systemroot%\system32\netcenter.dll
%systemroot%\system32\netshell.dll
%systemroot%\system32\networkexplorer.dll
%systemroot%\system32\pnidui.dll
%systemroot%\system32\sensorscpl.dll
%systemroot%\system32\setupapi.dll
%systemroot%\system32\wmploc.dll
%systemroot%\system32\wpdshext.dll
%systemroot%\system32\compstui.dll
%systemroot%\system32\ieframe.dll
%systemroot%\system32\dmdskres.dll
%systemroot%\system32\dsuiext.dll
%systemroot%\system32\mstscax.dll
%systemroot%\system32\wiashext.dll
%systemroot%\system32\comres.dll
%systemroot%\system32\mstsc.exe
%systemroot%\system32\actioncentercpl.dll
%systemroot%\system32\aclui.dll
%systemroot%\system32\autoplay.dll
%systemroot%\system32\comctl32.dll
%systemroot%\system32\filemgmt.dll
%systemroot%\system32\ncpa.cpl
%systemroot%\system32\url.dll
%systemroot%\system32\xwizards.dllIconfinder:
