Malware Development
Work in Progress
Table Of Contents
Courses
EvasionEDR By Matt Hand
Sources
| URL | Description | Category |
|---|---|---|
| https://github.com/NUL0x4C/HellShell | HellShell GitHub repository | Penetration Testing |
| https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/#weapon | Exploit writing tutorial on Corelan.be | Exploit Development |
| https://www.corelan.be/ | Corelan.be website | Cybersecurity |
| https://github.com/Krypteria/AtlasLdr | AtlasLdr GitHub repository | Malware Analysis |
| https://labs.jumpsec.com/obfuscating-c2-during-a-red-team-engagement/ | Article on obfuscating C2 during Red Team engagement | Red Teaming |
| https://github.com/matterpreter/DefenderCheck | DefenderCheck GitHub repository | Security Tools |
| https://pinvoke.net/ | PInvoke.net – Platform Invoke for .NET | Programming |
| https://github.com/mkaring/ConfuserEx/releases/tag/v1.6.0 | ConfuserEx GitHub repository (v1.6.0 release) | Malware Analysis |
| https://virusscan.jotti.org/en-US/scan-file | Jotti’s Virus Scan – File scanning tool | Antivirus |
| https://redops.at/en/blog/direct-syscalls-a-journey-from-high-to-low | Article on direct syscalls in Red Teaming | Red Teaming |
| https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ | Raspberry Robin anti-evasion exploit analysis | Exploit Analysis |
| https://vanmieghem.io/process-injection-evading-edr-in-2023/ | Article on process injection and EDR evasion | Cybersecurity |
| https://redsiege.com/blog/2023/04/evading-crowdstrike-falcon-using-entropy/ | Evading Crowdstrike Falcon using entropy | Evasion Techniques |
| https://evasions.checkpoint.com/ | Check Point Evasions – Evasion techniques | Evasion Techniques |
| https://vx-underground.org/ | VX Underground – Malware and Exploit Community | Malware Analysis |
| Home – Unprotect Project | Search Evasion Techniques | Evasion Techniques |
Callback function list
aahmad097/AlternativeShellcodeExec: Alternative Shellcode Execution Via Callbacks (github.com)
According to Microsoft, a callback function is code within a managed application that helps an unmanaged DLL function complete a task. Calls to a callback function pass indirectly from a managed application, through a DLL function, and back to the managed implementation.
Example: Using CertEnumSystemStore
MSDN Documentation for CertEnumSystemStore
#include <windows.h>
#include <wincrypt.h>
#include <stdio.h>
// Shellcode payload
unsigned char shellcode[] =
"\x90\x90\x90\x90" // NOPs for padding
"\xcc"; // INT 3 (breakpoint for debugging)
BOOL WINAPI Payload(const void *pvSystemStore, DWORD dwFlags, PCERT_SYSTEM_STORE_INFO pStoreInfo, void *pvReserved, void *pvArg) {
((void(*)())shellcode)();
return TRUE;
}
int main() {
if (!CertEnumSystemStore(CERT_SYSTEM_STORE_CURRENT_USER, NULL, NULL, Payload)) {
printf("[!] CertEnumSystemStore Failed With Error : %d \n", GetLastError());
return -1;
}
return 0;
}
EDR Telematry
EDR Telemetry Tracking for Windows – Google Drive
HijackLibs
This project provides an curated list of DLL Hijacking candidates. A mapping between DLLs and vulnerable executables is kept and can be searched via this website. Additionally, further metadata such as resources provide more context.
Malapi.io
MalAPI.io maps Windows APIs to common techniques used by malware.
No-defender
NtDoc – The native NT API online documentation
NtDoc – The native NT API online documentation (m417z.com)
This collection of Native API header files has been maintained since 2009 for the Process Hacker project, and is the most up-to-date set of Native API definitions that I know of. I have gathered these definitions from official Microsoft header files and symbol files, as well as a lot of reverse engineering and guessing. See
phnt.hfor more information.
Parasite-invoke
Hide your P/Invoke signatures through other people’s signed assemblies!
Reverse engineering of everything Microsoft
Geoff Chappell, Software Analyst
Kernel, Win32, Shell, Internet Explorer, Visual C++.
Vergilius project
This project provides a collection of Microsoft Windows kernel structures, unionsand enumerations.
Unprotect.it
This project aims to provide Malware Analysts and Defenders with actionable insights and detection capabilities to shorten their response times.
Evasion techniques
Evasion techniques (checkpoint.com)
In this encyclopedia we have attempted to gather all the known ways to detect virtualized environment grouping them into big categories. Some categories are inactive on main page: it means that content will be added later. If it isn’t stated explicitly which operating system is described, Windows is meant by default.
Windows Icons
Windows Icon locations:
%systemroot%\system32\imageres.dll
%systemroot%\system32\shell32.dll
%systemroot%\system32\ddores.dll
%systemroot%\system32\pifmgr.dll
%systemroot%\explorer.exe
%systemroot%\system32\accessibilitycpl.dll
%systemroot%\system32\moricons.dll
%systemroot%\system32\mmcndmgr.dll
%systemroot%\system32\mmres.dll
%systemroot%\system32\netcenter.dll
%systemroot%\system32\netshell.dll
%systemroot%\system32\networkexplorer.dll
%systemroot%\system32\pnidui.dll
%systemroot%\system32\sensorscpl.dll
%systemroot%\system32\setupapi.dll
%systemroot%\system32\wmploc.dll
%systemroot%\system32\wpdshext.dll
%systemroot%\system32\compstui.dll
%systemroot%\system32\ieframe.dll
%systemroot%\system32\dmdskres.dll
%systemroot%\system32\dsuiext.dll
%systemroot%\system32\mstscax.dll
%systemroot%\system32\wiashext.dll
%systemroot%\system32\comres.dll
%systemroot%\system32\mstsc.exe
%systemroot%\system32\actioncentercpl.dll
%systemroot%\system32\aclui.dll
%systemroot%\system32\autoplay.dll
%systemroot%\system32\comctl32.dll
%systemroot%\system32\filemgmt.dll
%systemroot%\system32\ncpa.cpl
%systemroot%\system32\url.dll
%systemroot%\system32\xwizards.dllIconfinder:
