resources-malwaredev.md

Malwaredev Resources

General

• .NET Framework & Windows OS Versions - Migration Guide
• Common Tools & Techniques Used By Threat Actors & Malware
• AndrewSpecial - LSASS Dump
• Cylance Bypass Techniique
• Modifying Meterpreter for Evasion (sinn3r)
• Windows Defender Bypassing for Meterpreter (hacker.house)
• Falcon Zero Alpha (slaeryan)
• AMSI Bypass and Principles for Office VBA with GadgetToJScript
• Antivirus-Artifacts
• The difference between Powershell only & Process Specific AMSI Bypass (s3cur3th1ssh1t)
• Malware Mitigation when Direct System Calls are Used
• vx-underground
• Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams
• The Undocumented Functions
• Documentation - ReactOS

Guides

• Defeating EDRs using Dynamic invocation by Jean-Francois Maes
• What I've Learned in Over a Decade of "Red Teaming" by Dom Chell
• Understanding and Evading Get InjectedThread
• Ten process injection techniques
• [GOLD] An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors
• [GOLD] Stealthy and in-depth behavioral malwareanalysis with Zandbak
• Anti-Cheat Bypassing Guide for Noobs
• Malware researcher’s handbook (demystifying PE file)
• Howto: (Almost) Everything In Active Directory via C#
• Process Injection - Part I

• CMEPW/BypassAV
  • desc: This map lists the essential techniques to bypass anti-virus and EDR

Reflection

• Executing Position Independent Shellcode from Object Files in Memory
• PE Reflection: The King is Dead, Long Live the King
• An Improved Reflective DLL Injection Technique

SysCall

• Windows X86-64 System Call Table
• C# Types and members - Microsoft
• Red Team Tactics: Utilizing Syscalls in C# - Prerequisite Knowledge
• Red Team Tactics: Utilizing Syscalls in C# - Writing The Code
• Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR
• Offensive API Hooking
  • API Hooking for Offense
• Engineering AV Evasion
• Win32k System Call Filtering Deep Dive

• x42en/sysplant
  • desc: Your syscall factory

UnHooking

• Antivirus evasion by user mode unhooking on Windows 10 - Broumels & Ubink

ETW

• Hiding Your .NET ETW - MDsec
• Universally Evading Sysmon and ETW

Heap/Stack Encryption

• CognisysGroup/SweetDreams
  • desc: Implementation of Advanced Module Stomping and Heap/Stack Encryption

Tools

Development

• Visual Code
• Visual Studio
• Terminal Preview
• Cmder
• WSL+Ubuntu
• NTCore Explorer CFF Explorer
• PEView
• WinDbg Preview
• Process Hacker
• CodeBlocks+Mingw
• SysinternalSuite
• DnSpy
• HxD
• Python
• PE Studio
• PE-bear
• x64dbg
• ming
• apimonitor

Research

• EDRs (Mr-Un1k0d3r)
  • Various EDR hook lists
• tiny_tracedr
  • Tool for tracing API hooks
• SylantStrike
  • Simple EDR implementation to demonstrate bypass
• KasperskyHook
  • Hook system calls on Windows by using Kaspersky's hypervisor/kernel-hooker
• malapi.io
  • desc: MalAPI.io maps Windows APIs to common techniques used by malware.
  • tags: malwaredev
• Exploring DLL Loads, Links, and Execution - mez0
  • desc: windows shared library research
  • tags: malwaredev
• trickster0/OffensiveRust

Misc

• pe_to_shellcode
• Blackbone
  • Windows memory hacking library
• Vanara
• EasyHook
• nettitude/RunPE
• optiv/Ivy
• fr0gger/Awesome_Malware_Techniques
• BYTE* / The Undocumented Microsoft "Rich" Header
  • desc: BYTE* / The Undocumented Microsoft "Rich" Header

Encoding and Encryption

• HellShell

DLL Sideload

Start here, with "Does creating a thread from DllMain deadlock or doesn't it?" (Old New Thing)

• monoxgas/Koppeling
• magnusstubman/dll-exports
  • Collection of DLL function export forwards for DLL export function proxying
• wietze/windows-dll-hijacking
• xforcered/WFH
• EspressoCake/DLL-Hijack-Search-Order-BOF
• ideaslocas/aDLL
• knight0x07/ImpulsiveDLLHijack
• jfmaes/Invoke-DLLClone
• Accenture/Spartacus

Detection

• rasta-mouse/ThreatCheck
• RythmStick/AMSITrigger
• matterpreter/DefenderCheck
• https://antiscan.me/ - AV w/o redis
• forrest-orr/kevoreilly/Capev2
• forrest-orr/moneta
• fireeye/capa
• rajiv2790/FalconEye
• cyberark/DLLSpy
• wazuh/wazuh
• SwiftOnSecurity/sysmon-config
• NoOne-hub/bypass-BeaconEye
• Velociraptor
• detectionlab
• peasead/elastic-container - Stand up a simple Elastic container with Kibana, Fleet, and the Detection Engine
• Kleenscan - Kleenscan
• roadwy/DefenderYara - Extracted Yara rules from Windows Defender mpavbase and mpasbase

Evasion

• .NET Obfuscator
• ConfuserEx
• Ebowla
• winpayloads - nccgroup
• UltimateAppLockerByPassList
• Invoke-Obfuscation
• dnMerge
  • more: Merging C# Assemblies using dnMerge
• Costura
• CheckPlease
• SitRep
• keyring
• garble
• morbol
• tiny-AES-c
• PowerShell Bad words
• frkngksl/Huan

• h4wkst3r/InvisibilityCloak
  • desc: Proof-of-concept obfuscation toolkit for C# post-exploitation tools
• Accenture/Codecepticon
  • desc: .NET/PowerShell/VBA Offensive Security Obfuscator
• mkaring/ConfuserEx
  • desc: An open-source, free protector for .NET applications
• JustasMasiulis/lazy_importer
  • desc: library for importing functions from dlls in a hidden, reverse engineer unfriendly way
• fr0gger/Unprotect_Submission
  • desc: Repository to publish your evasion techniques and contribute to the project
• optiv/Mangle
  • desc: Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs
• adamyaxley/Obfuscate
  • desc: Guaranteed compile-time string literal obfuscation header-only library for C++14
• .NET Reactor - .NET Protection, .NET Obfuscator and Licensing
  • desc: .NET Reactor - .NET Protection, .NET Obfuscator and Licensing
• ConfuserEx 2 | ConfuserEx 2 is an open-source protector for .NET applications.
  • desc: ConfuserEx 2 | ConfuserEx 2 is an open-source protector for .NET applications.
• sadreck/Codecepticon - .NET/PowerShell/VBA Offensive Security Obfuscator

Automation

• Aetsu/OffensivePipeline
  • desc: OfensivePipeline allows you to download and build C# tools, applying certain modifications in order to improve their evasion for Red Team exercises.
• mgeeky/ProtectMyTooling
  • desc: Multi-Packer wrapper letting us daisy-chain various packers, obfuscators and other Red Team oriented weaponry. Featured with artifacts watermarking, IOCs collection & PE Backdooring. You feed it with your implant, it does a lot of sneaky things and spits out obfuscated executable.
• SygniaLabs/ScallOps
  • desc: infra / payload automation

Techniques

• PEzor v2 — New Output Formats and Cobalt Strike Integration
• Alaris | A protective Loader
• DInvoke
• Donut
• EarlyBird
• Mapping SysCalls from Ntdll on Disk
• HellsGate
• Implementing Direct Syscalls Using Hell’s Gate
  • More: HellsGatePoC
• "Heresy's Gate": Kernel Zw*/NTDLL Scraping
• Heaven's Gate
• Syscalls with D/Invoke
• Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR
• FireWalker: A New Approach to Generically Bypass User-Space EDR Hooking
• Dewera/Pluto
• 3xpl01tc0d3r/ProcessInjection

DLL Hijacking

• knight0x07/ImpulsiveDLLHijack
• ideaslocas/aDLL

Payloads

• unicorn
• msbuildQueueAPC
• gadget2jscriptQueueAPCInject.cs
• DInjectQueuerAPC.cs
• [GOLD] S3cur3Th1sSh1t Creds
• DLLsForHackers
• OSEP Snippets (chvancooten)
• defcon27_csharp_workshop
• WeaponisingCSharp-Fundamentals
• Sharp-Suite
• Aquamoury
• Callback_Shellcode_Injection
• sRDI
• Sharp-Suite
• Alaris
• PEzor
• phantom-dll-hollower-poc
• DarkLoadLibrary
• process_ghosting
• transacted_hollowing
• HellsGate
• DoppelGate
• SharpTransactedLoad
• universal
• ScareCrow
  • more: ScareCrow-CobaltStrike
• klezVirus/inceptor
• HellsGatePPID
• jfmaes/Invoke-DLLClone
• Ne0nd0g/go-shellcode
• boku7/CobaltStrikeReflectiveLoader
• S4R1N/AlternativeShellcodeExec
• Wra7h/FlavorTown
• SecIdiot/TitanLdr
• theevilbit/injection
• 0xDivyanshu/Injector
• secrary/InjectProc
• rasta-mouse/TikiTorch
• ByteJunkies-co-uk/Metsubushi
• tanc7/EXOCET-AV-Evasion
• Boku7/BokuLoader
• snovvcrash/DInjector

• capt-meelo/laZzzy

mac

• xpn/DyldDeNeuralyzer
  • desc: In memory Mac OS lib stager
• Platypus - Create Mac apps from command line scripts |
  • desc: Platypus - Create Mac apps from command line scripts
• infosecB/LOOBins
  • desc: Living Off the Orchard: macOS Binaries (LOOBins) is designed to provide detailed information on various built-in "living off the land" macOS binaries and how they can be used by threat actors for malicious purposes.

RE

• HEX.DANCE - HEX.DANCE