Handbook V - Maldev: Difference between revisions
From Wiki Aghanim
Jump to navigationJump to search
imported>Aghanim No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
[[File:2023-12-image-6.png|thumb]] | [[File:2023-12-image-6.png|thumb]] | ||
Work in Progress | Work in Progress | ||
== Courses == | == Courses == | ||
[https://institute.sektor7.net/ SEKTOR7 Institute] | [https://institute.sektor7.net/ SEKTOR7 Institute] | ||
[https://maldevacademy.com/ https://maldevacademy.com/] | [https://maldevacademy.com/ https://maldevacademy.com/] | ||
EvasionEDR By Matt Hand | EvasionEDR By Matt Hand | ||
== Sources == | == Sources == | ||
{| class="wikitable" | {| class="wikitable" | ||
| Line 90: | Line 83: | ||
| Evasion Techniques | | Evasion Techniques | ||
|} | |} | ||
== x86 & x64 Assembler and Disassembler == | == x86 & x64 Assembler and Disassembler == | ||
Wondering what your shellcode is doing? This website will disassemble it for you and show the instructions. | Wondering what your shellcode is doing? This website will disassemble it for you and show the instructions. | ||
[https://defuse.ca/online-x86-assembler.htm# Online x86 and x64 Intel Instruction Assembler] | [https://defuse.ca/online-x86-assembler.htm# Online x86 and x64 Intel Instruction Assembler] | ||
[[File:2023-12-image-7.png|thumb]] | [[File:2023-12-image-7.png|thumb]] | ||
== Callback function list == | == Callback function list == | ||
[https://github.com/aahmad097/AlternativeShellcodeExec aahmad097/AlternativeShellcodeExec: Alternative Shellcode Execution Via Callbacks (github.com)] | [https://github.com/aahmad097/AlternativeShellcodeExec aahmad097/AlternativeShellcodeExec: Alternative Shellcode Execution Via Callbacks (github.com)] | ||
> | > | ||
According to Microsoft, a callback function is code within a managed application that helps an unmanaged DLL function complete a task. Calls to a callback function pass indirectly from a managed application, through a DLL function, and back to the managed implementation. | According to Microsoft, a callback function is code within a managed application that helps an unmanaged DLL function complete a task. Calls to a callback function pass indirectly from a managed application, through a DLL function, and back to the managed implementation. | ||
=== Example: Using CertEnumSystemStore === | === Example: Using CertEnumSystemStore === | ||
[https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certenumsystemstore MSDN Documentation for CertEnumSystemStore] | [https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certenumsystemstore MSDN Documentation for CertEnumSystemStore] | ||
<syntaxhighlight lang="c"> | <syntaxhighlight lang="c"> | ||
| Line 124: | Line 107: | ||
#include | #include | ||
#include | #include | ||
// Shellcode payload | // Shellcode payload | ||
unsigned char shellcode[] = | unsigned char shellcode[] = | ||
"\x90\x90\x90\x90" // NOPs for padding | "\x90\x90\x90\x90" // NOPs for padding | ||
"\xcc"; // INT 3 (breakpoint for debugging) | "\xcc"; // INT 3 (breakpoint for debugging) | ||
BOOL WINAPI Payload(const void *pvSystemStore, DWORD dwFlags, PCERT_SYSTEM_STORE_INFO pStoreInfo, void *pvReserved, void *pvArg) { | BOOL WINAPI Payload(const void *pvSystemStore, DWORD dwFlags, PCERT_SYSTEM_STORE_INFO pStoreInfo, void *pvReserved, void *pvArg) { | ||
((void(*)())shellcode)(); | ((void(*)())shellcode)(); | ||
return TRUE; | return TRUE; | ||
} | } | ||
int main() { | int main() { | ||
if (!CertEnumSystemStore(CERT_SYSTEM_STORE_CURRENT_USER, NULL, NULL, Payload)) { | if (!CertEnumSystemStore(CERT_SYSTEM_STORE_CURRENT_USER, NULL, NULL, Payload)) { | ||
| Line 142: | Line 122: | ||
return 0; | return 0; | ||
} | } | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== Convert raw shellcode to raw binary format == | == Convert raw shellcode to raw binary format == | ||
Use CyberChef. Copy the shellcode to Cyberchef and choose "From Hex" as operations. Then save the output to .bin. This can be done the other way around also. From raw binary to shellcode. | Use CyberChef. Copy the shellcode to Cyberchef and choose "From Hex" as operations. Then save the output to .bin. This can be done the other way around also. From raw binary to shellcode. | ||
[[File:2023-12-image-8.png|thumb]] | [[File:2023-12-image-8.png|thumb]] | ||
[[File:2023-12-image-9.png|thumb]] | [[File:2023-12-image-9.png|thumb]] | ||
== EDR Telematry == | == EDR Telematry == | ||
[https://docs.google.com/spreadsheets/u/0/d/1ZMFrD6F6tvPtf_8McC-kWrNBBec_6Si3NW6AoWf3Kbg/htmlview?pli=1 EDR Telemetry Tracking for Windows - Google Drive] | [https://docs.google.com/spreadsheets/u/0/d/1ZMFrD6F6tvPtf_8McC-kWrNBBec_6Si3NW6AoWf3Kbg/htmlview?pli=1 EDR Telemetry Tracking for Windows - Google Drive] | ||
[https://docs.google.com/spreadsheets/d/e/2PACX-1vTwYjAK5x_9e_xA8UP83iTErnTmg4_JrHbEYrWLRGDcICpqw5hRAoLNNF6SCwQkQTVRyVMNsur7zy6t/pubhtml?gid=1993314609&single=true&widget=true&headers=false Embedded Content] | [https://docs.google.com/spreadsheets/d/e/2PACX-1vTwYjAK5x_9e_xA8UP83iTErnTmg4_JrHbEYrWLRGDcICpqw5hRAoLNNF6SCwQkQTVRyVMNsur7zy6t/pubhtml?gid=1993314609&single=true&widget=true&headers=false Embedded Content] | ||
== EDR Telematry v2 == | == EDR Telematry v2 == | ||
[https://www.edr-telemetry.com/windows.html EDR Telemetry Project - Windows] | [https://www.edr-telemetry.com/windows.html EDR Telemetry Project - Windows] | ||
== Entropy reduction == | == Entropy reduction == | ||
Reducing entroy makes the data appear less random. A high entropy might indicate encryption and some EDRs might raise suspicion. Some of the techniques to reduce entroyp is: | Reducing entroy makes the data appear less random. A high entropy might indicate encryption and some EDRs might raise suspicion. Some of the techniques to reduce entroyp is: | ||
'''Encoding After Encryption''': Applying encoding like URL encoding reduces the range of characters used (e.g., using only alphanumeric characters and fewer symbols) while preserving the data's integrity. This limits the number of unique bytes, decreasing the perceived randomness. | '''Encoding After Encryption''': Applying encoding like URL encoding reduces the range of characters used (e.g., using only alphanumeric characters and fewer symbols) while preserving the data's integrity. This limits the number of unique bytes, decreasing the perceived randomness. | ||
'''Disguising the Encoded Payload''': After encoding, disguise the payload by embedding it into seemingly legitimate data, such as fake URLs, CSV files, or even certificates. This helps evade detection during analysis or reverse engineering. | '''Disguising the Encoded Payload''': After encoding, disguise the payload by embedding it into seemingly legitimate data, such as fake URLs, CSV files, or even certificates. This helps evade detection during analysis or reverse engineering. | ||
'''Loader Decoding and Execution''': The loader should read and decode the disguised data, reverting it to its original form before execution. | '''Loader Decoding and Execution''': The loader should read and decode the disguised data, reverting it to its original form before execution. | ||
== HijackLibs == | == HijackLibs == | ||
[https://hijacklibs.net/ HijackLibs] | [https://hijacklibs.net/ HijackLibs] | ||
> | > | ||
This project provides an curated list of DLL Hijacking candidates. A mapping between DLLs and vulnerable executables is kept and can be searched via this website. Additionally, further metadata such as resources provide more context. | This project provides an curated list of DLL Hijacking candidates. A mapping between DLLs and vulnerable executables is kept and can be searched via this website. Additionally, further metadata such as resources provide more context. | ||
== Joesandbox - Malware Analysis == | == Joesandbox - Malware Analysis == | ||
Can analyze malicous websites and files. Collections available. | Can analyze malicous websites and files. Collections available. | ||
[https://www.joesandbox.com/#windows Automated Malware Analysis - Joe Sandbox Cloud Basic] | [https://www.joesandbox.com/#windows Automated Malware Analysis - Joe Sandbox Cloud Basic] | ||
[https://www.joesecurity.org/ Deep Malware and Phishing Analysis - Joe Sandbox] | [https://www.joesecurity.org/ Deep Malware and Phishing Analysis - Joe Sandbox] | ||
== Malapi.io == | == Malapi.io == | ||
[https://malapi.io/ MalAPI.io] | [https://malapi.io/ MalAPI.io] | ||
MalAPI.io maps [https://docs.microsoft.com/en-us/windows/win32/apiindex/windows-api-list Windows APIs] to common techniques used by malware. | MalAPI.io maps [https://docs.microsoft.com/en-us/windows/win32/apiindex/windows-api-list Windows APIs] to common techniques used by malware. | ||
== No-defender == | == No-defender == | ||
[https://github.com/es3n1n/no-defender es3n1n/no-defender: A slightly more fun way to disable windows defender + firewall. (through the WSC api) (github.com)] | [https://github.com/es3n1n/no-defender es3n1n/no-defender: A slightly more fun way to disable windows defender + firewall. (through the WSC api) (github.com)] | ||
== NtDoc - The native NT API online documentation == | == NtDoc - The native NT API online documentation == | ||
[https://ntdoc.m417z.com/ NtDoc - The native NT API online documentation (m417z.com)] | [https://ntdoc.m417z.com/ NtDoc - The native NT API online documentation (m417z.com)] | ||
> | > | ||
This collection of Native API header files has been maintained since 2009 for the Process Hacker project, and is the most up-to-date set of Native API definitions that I know of. I have gathered these definitions from official Microsoft header files and symbol files, as well as a lot of reverse engineering and guessing. See <code>phnt.h</code> for more information. | This collection of Native API header files has been maintained since 2009 for the Process Hacker project, and is the most up-to-date set of Native API definitions that I know of. I have gathered these definitions from official Microsoft header files and symbol files, as well as a lot of reverse engineering and guessing. See <code>phnt.h</code> for more information. | ||
== Parasite-invoke == | == Parasite-invoke == | ||
[https://github.com/MzHmO/Parasite-Invoke MzHmO/Parasite-Invoke: Hide your P/Invoke signatures through other people's signed assemblies (github.com)] | [https://github.com/MzHmO/Parasite-Invoke MzHmO/Parasite-Invoke: Hide your P/Invoke signatures through other people's signed assemblies (github.com)] | ||
> | > | ||
Hide your P/Invoke signatures through other people's signed assemblies! | Hide your P/Invoke signatures through other people's signed assemblies! | ||
[[File:2024-06-image.png|thumb]] | [[File:2024-06-image.png|thumb]] | ||
== Reverse engineering of everything Microsoft == | == Reverse engineering of everything Microsoft == | ||
[https://www.geoffchappell.com/index.htm Geoff Chappell, Software Analyst] | [https://www.geoffchappell.com/index.htm Geoff Chappell, Software Analyst] | ||
Kernel, Win32, Shell, Internet Explorer, Visual C++. | Kernel, Win32, Shell, Internet Explorer, Visual C++. | ||
== Vergilius project == | == Vergilius project == | ||
[https://www.vergiliusproject.com/about Vergilius Project | About] | [https://www.vergiliusproject.com/about Vergilius Project | About] | ||
> | > | ||
This project provides a collection of Microsoft Windows kernel structures, unionsand enumerations. | This project provides a collection of Microsoft Windows kernel structures, unionsand enumerations. | ||
== Unprotect.it == | == Unprotect.it == | ||
[https://unprotect.it/ Home - Unprotect Project] | [https://unprotect.it/ Home - Unprotect Project] | ||
> | > | ||
This project aims to provide Malware Analysts and Defenders with actionable insights and detection capabilities to shorten their response times. | This project aims to provide Malware Analysts and Defenders with actionable insights and detection capabilities to shorten their response times. | ||
[[File:2024-06-image-1.png|thumb]] | [[File:2024-06-image-1.png|thumb]] | ||
== [https://evasions.checkpoint.com/ Evasion techniques] == | == [https://evasions.checkpoint.com/ Evasion techniques] == | ||
[https://evasions.checkpoint.com/ Evasion techniques (checkpoint.com)] | [https://evasions.checkpoint.com/ Evasion techniques (checkpoint.com)] | ||
> | > | ||
In this encyclopedia we have attempted to gather all the known ways to detect virtualized environment grouping them into big categories. Some categories are inactive on main page: it means that content will be added later. If it isn’t stated explicitly which operating system is described, Windows is meant by default. | In this encyclopedia we have attempted to gather all the known ways to detect virtualized environment grouping them into big categories. Some categories are inactive on main page: it means that content will be added later. If it isn’t stated explicitly which operating system is described, Windows is meant by default. | ||
[[File:2024-06-image-2.png|thumb]] | [[File:2024-06-image-2.png|thumb]] | ||
== Windows Icons == | == Windows Icons == | ||
Windows Icon locations: | Windows Icon locations: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
| Line 334: | Line 263: | ||
%systemroot%\system32\xwizards.dll | %systemroot%\system32\xwizards.dll | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Iconfinder: | Iconfinder: | ||
[https://www.iconfinder.com/search Icons - Iconfinder] | [https://www.iconfinder.com/search Icons - Iconfinder] | ||
[[Category:Handbooks]] | [[Category:Handbooks]] | ||
[[Category:Malware Development]] | [[Category:Malware Development]] | ||
Latest revision as of 22:11, 17 February 2026
Work in Progress
Courses
EvasionEDR By Matt Hand
Sources
| URL | Description | Category |
|---|---|---|
| https://github.com/NUL0x4C/HellShell | HellShell GitHub repository | Penetration Testing |
| https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/#weapon | Exploit writing tutorial on Corelan.be | Exploit Development |
| https://www.corelan.be/ | Corelan.be website | Cybersecurity |
| https://github.com/Krypteria/AtlasLdr | AtlasLdr GitHub repository | Malware Analysis |
| https://labs.jumpsec.com/obfuscating-c2-during-a-red-team-engagement/ | Article on obfuscating C2 during Red Team engagement | Red Teaming |
| https://github.com/matterpreter/DefenderCheck | DefenderCheck GitHub repository | Security Tools |
| https://pinvoke.net/ | PInvoke.net - Platform Invoke for .NET | Programming |
| https://github.com/mkaring/ConfuserEx/releases/tag/v1.6.0 | ConfuserEx GitHub repository (v1.6.0 release) | Malware Analysis |
| https://virusscan.jotti.org/en-US/scan-file | Jotti's Virus Scan - File scanning tool | Antivirus |
| https://redops.at/en/blog/direct-syscalls-a-journey-from-high-to-low | Article on direct syscalls in Red Teaming | Red Teaming |
| https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ | Raspberry Robin anti-evasion exploit analysis | Exploit Analysis |
| https://vanmieghem.io/process-injection-evading-edr-in-2023/ | Article on process injection and EDR evasion | Cybersecurity |
| https://redsiege.com/blog/2023/04/evading-crowdstrike-falcon-using-entropy/ | Evading Crowdstrike Falcon using entropy | Evasion Techniques |
| https://evasions.checkpoint.com/ | Check Point Evasions - Evasion techniques | Evasion Techniques |
| https://vx-underground.org/ | VX Underground - Malware and Exploit Community | Malware Analysis |
| Home - Unprotect Project | Search Evasion Techniques | Evasion Techniques |
x86 & x64 Assembler and Disassembler
Wondering what your shellcode is doing? This website will disassemble it for you and show the instructions.
Online x86 and x64 Intel Instruction Assembler
Callback function list
aahmad097/AlternativeShellcodeExec: Alternative Shellcode Execution Via Callbacks (github.com)
> According to Microsoft, a callback function is code within a managed application that helps an unmanaged DLL function complete a task. Calls to a callback function pass indirectly from a managed application, through a DLL function, and back to the managed implementation.
Example: Using CertEnumSystemStore
MSDN Documentation for CertEnumSystemStore
#include
#include
#include
// Shellcode payload
unsigned char shellcode[] =
"\x90\x90\x90\x90" // NOPs for padding
"\xcc"; // INT 3 (breakpoint for debugging)
BOOL WINAPI Payload(const void *pvSystemStore, DWORD dwFlags, PCERT_SYSTEM_STORE_INFO pStoreInfo, void *pvReserved, void *pvArg) {
((void(*)())shellcode)();
return TRUE;
}
int main() {
if (!CertEnumSystemStore(CERT_SYSTEM_STORE_CURRENT_USER, NULL, NULL, Payload)) {
printf("[!] CertEnumSystemStore Failed With Error : %d \n", GetLastError());
return -1;
}
return 0;
}
Convert raw shellcode to raw binary format
Use CyberChef. Copy the shellcode to Cyberchef and choose "From Hex" as operations. Then save the output to .bin. This can be done the other way around also. From raw binary to shellcode.
EDR Telematry
EDR Telemetry Tracking for Windows - Google Drive
EDR Telematry v2
EDR Telemetry Project - Windows
Entropy reduction
Reducing entroy makes the data appear less random. A high entropy might indicate encryption and some EDRs might raise suspicion. Some of the techniques to reduce entroyp is:
Encoding After Encryption: Applying encoding like URL encoding reduces the range of characters used (e.g., using only alphanumeric characters and fewer symbols) while preserving the data's integrity. This limits the number of unique bytes, decreasing the perceived randomness.
Disguising the Encoded Payload: After encoding, disguise the payload by embedding it into seemingly legitimate data, such as fake URLs, CSV files, or even certificates. This helps evade detection during analysis or reverse engineering.
Loader Decoding and Execution: The loader should read and decode the disguised data, reverting it to its original form before execution.
HijackLibs
> This project provides an curated list of DLL Hijacking candidates. A mapping between DLLs and vulnerable executables is kept and can be searched via this website. Additionally, further metadata such as resources provide more context.
Joesandbox - Malware Analysis
Can analyze malicous websites and files. Collections available.
Automated Malware Analysis - Joe Sandbox Cloud Basic
Deep Malware and Phishing Analysis - Joe Sandbox
Malapi.io
MalAPI.io maps Windows APIs to common techniques used by malware.
No-defender
NtDoc - The native NT API online documentation
NtDoc - The native NT API online documentation (m417z.com)
>
This collection of Native API header files has been maintained since 2009 for the Process Hacker project, and is the most up-to-date set of Native API definitions that I know of. I have gathered these definitions from official Microsoft header files and symbol files, as well as a lot of reverse engineering and guessing. See phnt.h for more information.
Parasite-invoke
> Hide your P/Invoke signatures through other people's signed assemblies!
Reverse engineering of everything Microsoft
Geoff Chappell, Software Analyst
Kernel, Win32, Shell, Internet Explorer, Visual C++.
Vergilius project
> This project provides a collection of Microsoft Windows kernel structures, unionsand enumerations.
Unprotect.it
> This project aims to provide Malware Analysts and Defenders with actionable insights and detection capabilities to shorten their response times.
Evasion techniques (checkpoint.com)
> In this encyclopedia we have attempted to gather all the known ways to detect virtualized environment grouping them into big categories. Some categories are inactive on main page: it means that content will be added later. If it isn’t stated explicitly which operating system is described, Windows is meant by default.
Windows Icons
Windows Icon locations:
%systemroot%\system32\imageres.dll
%systemroot%\system32\shell32.dll
%systemroot%\system32\ddores.dll
%systemroot%\system32\pifmgr.dll
%systemroot%\explorer.exe
%systemroot%\system32\accessibilitycpl.dll
%systemroot%\system32\moricons.dll
%systemroot%\system32\mmcndmgr.dll
%systemroot%\system32\mmres.dll
%systemroot%\system32\netcenter.dll
%systemroot%\system32\netshell.dll
%systemroot%\system32\networkexplorer.dll
%systemroot%\system32\pnidui.dll
%systemroot%\system32\sensorscpl.dll
%systemroot%\system32\setupapi.dll
%systemroot%\system32\wmploc.dll
%systemroot%\system32\wpdshext.dll
%systemroot%\system32\compstui.dll
%systemroot%\system32\ieframe.dll
%systemroot%\system32\dmdskres.dll
%systemroot%\system32\dsuiext.dll
%systemroot%\system32\mstscax.dll
%systemroot%\system32\wiashext.dll
%systemroot%\system32\comres.dll
%systemroot%\system32\mstsc.exe
%systemroot%\system32\actioncentercpl.dll
%systemroot%\system32\aclui.dll
%systemroot%\system32\autoplay.dll
%systemroot%\system32\comctl32.dll
%systemroot%\system32\filemgmt.dll
%systemroot%\system32\ncpa.cpl
%systemroot%\system32\url.dll
%systemroot%\system32\xwizards.dll
Iconfinder:
