The Malware Mega Thread.
#41
(06-14-2020, 06:46 AM)Insider Wrote: The Collection
Archive of Malware Leaks from around the internet
  • Botnets
  • Ebooks
  • Exploit Kits
  • Source Codes and others.
Git: https://github.com/Tlgyt/The-Collection

Nice one, I think I'll go over the materials provided there and curate some of it that aligns with what we want to focus on and showcase at our GitHub Organization. After I have selected the appropriate content I will mirror it at one of our own repos.
#42
Some random link resources for malware, windows system internals, windows exploitation, linux exploitation, windows post-exploitation and more..

mini-tor
20 KB Tor implementation in C++ using the Microsoft crypto API (could be used by malware to onboard reverse shells to .onion-hosted C2 servers and such).
https://github.com/wbenny/mini-tor

Windows binaries Index: https://m417z.com/Introducing-Winbindex-...ies-Index/

Runtime crypter: https://github.com/NateBrune/Simple-XTEA-Crypter (Old but could be used to create something better)

Hiding Windows API Imports With a Custom Loader: https://blog.christophetd.fr/hiding-wind...er-loader/

In-Memory shellcode decoding to evade AVs/EDRs: https://shells.systems/in-memory-shellco...evade-avs/

Microsoft low-level programming resources: https://bytepointer.com/resources/index.htm

Analysis of Emotet Malware: PowerShell Unobfuscation: https://medium.com/picus-security/an-ana...46b50dcf2b

FalconZero
Slaeryan Wrote:a stealthy, targeted Windows Loader for delivering second-stage payloads(shellcode) to the host machine undetected
https://slaeryan.github.io/posts/falcon-zero-alpha.html
https://github.com/slaeryan/FALCONSTRIKE

VERGILIUS Project
vergiliusproject Wrote:This project provides a collection of Microsoft Windows kernel structures, unions and enumerations. Most of them are not officially documented and cannot be found in Windows Driver Kit (WDK) headers. The target audience of this site is driver developers and kernel researchers.
https://www.vergiliusproject.com/

Windows System Calls: https://github.com/j00ru/windows-syscalls

Nirsoft code samples: https://www.nirsoft.net/code_samples.html

Nirsoft "Windows Vista Kernel Structures": https://www.nirsoft.net/kernel_struct/vista/index.html

GIMPLE obfuscator for C, C++, Go, etc..: https://github.com/meme/hellscape

Linux x86 run-time process manipulation: http://hick.org/code/skape/papers/needle.txt

Injecting a Running Process (Linux): https://www.real0day.com/hacking-tutoria...cess-linux

defcon-25-workshop
"Windows Post-Exploitation / Malware Forward Engineering"
https://github.com/zerosum0x0/defcon-25-workshop

NINA: No Injection, No Allocation x64 Process Injection Technique.
https://undev.ninja/nina-x64-process-injection/
https://github.com/NtRaiseHardError/NINA
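The Simple-XTEA-Crypter link above is the build-time-encrypt / run-time-decrypt pattern in its plainest form, and the in-memory shellcode decoding article is about the second half of that pattern. What follows is an added example written for this thread, not code from that repository, from the linked articles, or from the post's author: portable C that XTEA-encrypts a constructed 16-byte stand-in payload under a hypothetical hard-coded key (the "build" step a crypter runs once), then decodes it into a fresh buffer (the "runtime" step the stub runs). The payload bytes, key and function names are all assumptions made up for the demo; the example stops at the decoded buffer and never marks memory executable or jumps into it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* XTEA: 64-bit block, 128-bit key, 32 rounds, standard delta constant. */
#define XTEA_ROUNDS 32
#define XTEA_DELTA  0x9E3779B9u

static void xtea_encrypt_block(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < XTEA_ROUNDS; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        sum += XTEA_DELTA;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

static void xtea_decrypt_block(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = XTEA_DELTA * XTEA_ROUNDS;   /* wraps mod 2^32, as intended */
    for (int i = 0; i < XTEA_ROUNDS; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
        sum -= XTEA_DELTA;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Encrypt (encrypt=1) or decrypt (encrypt=0) a buffer in place, 8 bytes at a time.
 * len must be a non-zero multiple of 8 (a real crypter pads the payload first).
 * Returns the number of blocks processed, 0 on a bad length. */
size_t xtea_crypt_buf(uint8_t *buf, size_t len, const uint32_t k[4], int encrypt) {
    if (len == 0 || len % 8 != 0) return 0;
    for (size_t off = 0; off < len; off += 8) {
        uint32_t v[2];
        memcpy(v, buf + off, 8);            /* memcpy: alignment-safe; host byte order on both sides */
        if (encrypt) xtea_encrypt_block(v, k); else xtea_decrypt_block(v, k);
        memcpy(buf + off, v, 8);
    }
    return len / 8;
}

/* Constructed sample "payload": 16 stand-in opcode bytes (NOPs, an int3, xor eax,eax; ret), not real shellcode. */
static const uint8_t kSamplePayload[16] = {
    0x90, 0x90, 0x90, 0x90, 0xCC, 0x90, 0x90, 0x90,
    0x31, 0xC0, 0xC3, 0x90, 0x90, 0x90, 0x90, 0x90 };
/* Hypothetical key baked into the stub; a real crypter would generate one per build. */
static const uint32_t kSampleKey[4] = { 0xDEADBEEF, 0x01234567, 0x89ABCDEF, 0x0BADF00D };

/* "Build-time" step: produce the encrypted blob the stub would carry on disk. */
size_t crypter_build(uint8_t *out, size_t cap) {
    if (cap < sizeof kSamplePayload) return 0;
    memcpy(out, kSamplePayload, sizeof kSamplePayload);
    return xtea_crypt_buf(out, sizeof kSamplePayload, kSampleKey, 1) ? sizeof kSamplePayload : 0;
}

/* "Run-time" step: the stub decodes the blob into a fresh buffer. A real crypter would then make
 * that buffer executable and transfer control to it; that step is deliberately left out here. */
size_t crypter_decode(const uint8_t *blob, size_t len, uint8_t *out, size_t cap) {
    if (cap < len) return 0;
    memcpy(out, blob, len);
    return xtea_crypt_buf(out, len, kSampleKey, 0) ? len : 0;
}

/* Self-check: the on-disk blob differs from the plaintext, and decodes back to it in memory. */
int crypter_roundtrip_ok(void) {
    uint8_t blob[16], plain[16];
    if (crypter_build(blob, sizeof blob) != 16) return 0;
    if (memcmp(blob, kSamplePayload, 16) == 0) return 0;
    if (crypter_decode(blob, 16, plain, sizeof plain) != 16) return 0;
    return memcmp(plain, kSamplePayload, 16) == 0;
}

int main(void) {
    uint8_t blob[16];
    crypter_build(blob, sizeof blob);
    printf("encrypted blob:");
    for (size_t i = 0; i < sizeof blob; i++) printf(" %02x", blob[i]);
    printf("\nround trip: %s\n", crypter_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

Builds with any C99 compiler, no dependencies. The caveat a practitioner wants here: the stub still carries the key and the decryption routine next to the blob, so what this hides from a static scanner is the payload's bytes, not its behaviour, and the key is trivially recoverable by anyone with the stub. The defender-side observation is the same whether the blob was XTEA, RC4 or XOR: a freshly written region being made executable is the event an EDR keys on, which is why the "defending your malware" and in-memory decoding write-ups linked in this thread focus on that step rather than on the cipher.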
#43
(07-29-2020, 07:32 PM)Insider Wrote: Some random link resources for malware, windows system internals, windows exploitation, linux exploitation, windows post-exploitation and more..

Awesome share, the Vergilius Project is one that really caught my eye. I had a look and I think it would serve great as a reference sheet to help with kernel exploit development.

Also, I recently came across this website.

https://secret.club/

They have a ton of really good articles. I saved some as PDF and put them in a repo of our GitHub Organization. Some highlights include:

Windows Telemetry Service PrivEsc - From diagtrack, to information disclosure, RCE and PrivEsc.

UEFI Development - Very useful to be acquainted with if you want to work with malware at the Firmware level. Bootkits come to mind in example.

From directory deletion to SYSTEM - File system logical vector LPE.

I've actually been in contact with one of the people that contributes to this website. Very talented guy; I spoke extensively with him on such topics as general exploit dev, kernel exploits and a bit about malware. He shared some tooling with me that will be helpful with regards to my new Exploit/Payload Framework that I currently have in active development.
#44
(08-05-2020, 12:14 PM)Vector Wrote: Awesome share, the Vergilius Project is one that really caught my eye. I had a look and I think it would serve great as a reference sheet to help with kernel exploit development.

Also, i recently came across this website.

https://secret.club/

No problem! And yeah, I've been trying to collect some good malware-dev blogs lately, so I can curate a consistent but quality RSS feed for this and keep up with it all.

I would really recommend checking vxug's paper and ezine sections though. They have some old-school stuff, but it's awesome to read and learn from:
- https://vxug.fakedoma.in/archive.html
- https://vxug.fakedoma.in/zines.html
- https://vxug.fakedoma.in/papers.html


Also... here are some more resources for the thread, which I'll dump!

You might be able to defend against AV with bypass and evasion. But how do we protect it against EDR? Good article.
- Defending your malware: https://blog.dylan.codes/defending-your-malware

Cool article on how software and memory management work.
- Anatomy of a Program in Memory: https://manybutfinite.com/post/anatomy-o...in-memory/

- An In-Depth Look into the Win32 Portable Executable File Format - Part 1: http://www.delphibasics.info/home/delphi...rmat-part1
delphibasics Wrote:A good understanding of the Portable Executable (PE) file format leads to a good understanding of the operating system. If you know what's in your DLLs and EXEs, you'll be a more knowledgeable programmer. This article, the first of a two-part series, looks at the changes to the PE format that have occurred over the last few years, along with an overview of the format itself.
After this update, the author discusses how the PE format fits into applications written for .NET, PE file sections, RVAs, the DataDirectory, and the importing of functions. An appendix includes lists of the relevant image header structures and their descriptions.

- Compiler Explorer: https://godbolt.org/z/43fdbe
Github Wrote:Compiler Explorer is an interactive compiler. The left-hand pane shows editable C, C++, Rust, Go, D, Haskell, Swift, Pascal (and some more!) code. The right, the assembly output of having compiled the code with a given compiler and settings. Multiple compilers are supported, and the UI layout is configurable (thanks to GoldenLayout). There is also an ispc compiler for a C variant with extensions for SPMD.
Github: https://github.com/compiler-explorer/compiler-explorer
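The PE article quoted above walks through headers, sections, RVAs and the DataDirectory. As an added example, not code from that article, from Compiler Explorer, or from anyone in this thread, here is a small bounds-checked PE header parser in C that follows the same path (DOS header, e_lfanew, "PE\0\0" signature, file header, optional header, section table) and then does the one conversion everything else in PE analysis depends on: resolving an RVA to a file offset through the section table. It runs against a constructed, hand-laid-out PE32+ image (headers plus two section entries, nothing executable) whose entry point, image base and section layout were chosen for the demo. The field offsets are the documented PE ones, but no windows.h is used, so this builds and runs on Linux.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SECTIONS 16

typedef struct { char name[9]; uint32_t va, vsize, raw_off, raw_size; } pe_section;
typedef struct {
    int is64; uint32_t entry_rva; uint64_t image_base;
    uint32_t nsections; pe_section sec[MAX_SECTIONS];
} pe_info;

/* Little-endian readers with bounds checks: a malformed header fails cleanly instead of over-reading. */
static int rd16(const uint8_t *b, size_t len, size_t off, uint16_t *v) {
    if (off > len || len - off < 2) return 0;
    *v = (uint16_t)(b[off] | (b[off + 1] << 8)); return 1;
}
static int rd32(const uint8_t *b, size_t len, size_t off, uint32_t *v) {
    if (off > len || len - off < 4) return 0;
    *v = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) | ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
    return 1;
}
static int rd64(const uint8_t *b, size_t len, size_t off, uint64_t *v) {
    uint32_t lo, hi;
    if (!rd32(b, len, off, &lo) || !rd32(b, len, off + 4, &hi)) return 0;
    *v = ((uint64_t)hi << 32) | lo; return 1;
}

/* DOS header -> e_lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER -> optional header -> section table. */
int pe_parse(const uint8_t *b, size_t len, pe_info *out) {
    uint16_t mz, nsec, optsize, magic; uint32_t lfanew, sig;
    memset(out, 0, sizeof *out);
    if (!rd16(b, len, 0, &mz) || mz != 0x5A4D) return 0;               /* "MZ" */
    if (!rd32(b, len, 0x3C, &lfanew)) return 0;                         /* e_lfanew */
    if (!rd32(b, len, lfanew, &sig) || sig != 0x00004550) return 0;     /* "PE\0\0" */
    size_t fh = (size_t)lfanew + 4, oh = fh + 20;                       /* file header is 20 bytes */
    if (!rd16(b, len, fh + 2, &nsec) || !rd16(b, len, fh + 16, &optsize)) return 0;
    if (!rd16(b, len, oh, &magic) || !rd32(b, len, oh + 16, &out->entry_rva)) return 0;
    if (magic == 0x20B) {                                               /* PE32+: 64-bit ImageBase at +24 */
        out->is64 = 1; if (!rd64(b, len, oh + 24, &out->image_base)) return 0;
    } else if (magic == 0x10B) {                                        /* PE32: 32-bit ImageBase at +28 */
        uint32_t ib; if (!rd32(b, len, oh + 28, &ib)) return 0; out->image_base = ib;
    } else return 0;
    if (nsec > MAX_SECTIONS) return 0;
    size_t st = oh + optsize;                                           /* section table follows the optional header */
    for (uint32_t i = 0; i < nsec; i++) {
        size_t s = st + (size_t)i * 40; pe_section *sec = &out->sec[i]; /* IMAGE_SECTION_HEADER is 40 bytes */
        if (s > len || len - s < 40) return 0;
        memcpy(sec->name, b + s, 8); sec->name[8] = 0;
        rd32(b, len, s + 8, &sec->vsize);     rd32(b, len, s + 12, &sec->va);
        rd32(b, len, s + 16, &sec->raw_size); rd32(b, len, s + 20, &sec->raw_off);
    }
    out->nsections = nsec;
    return 1;
}

/* RVA -> file offset through the section table; -1 when no section maps it. */
int64_t pe_rva_to_offset(const pe_info *pe, uint32_t rva) {
    for (uint32_t i = 0; i < pe->nsections; i++) {
        const pe_section *s = &pe->sec[i];
        uint32_t span = s->vsize > s->raw_size ? s->vsize : s->raw_size;
        if (rva >= s->va && rva - s->va < span) return (int64_t)s->raw_off + (rva - s->va);
    }
    return -1;
}

/* Constructed sample: a hand-laid-out PE32+ image with two section entries (headers only). */
static void put16(uint8_t *b, size_t o, uint16_t v) { b[o] = (uint8_t)v; b[o + 1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *b, size_t o, uint32_t v) { for (int i = 0; i < 4; i++) b[o + i] = (uint8_t)(v >> (8 * i)); }

size_t build_sample_pe(uint8_t *b, size_t cap) {
    const size_t lfanew = 0x40, fh = lfanew + 4, oh = fh + 20, st = oh + 240, total = 0x400;
    if (cap < total) return 0;
    memset(b, 0, total);
    put16(b, 0, 0x5A4D); put32(b, 0x3C, (uint32_t)lfanew); put32(b, lfanew, 0x00004550);
    put16(b, fh, 0x8664); put16(b, fh + 2, 2); put16(b, fh + 16, 240);          /* AMD64, 2 sections, 240-byte opt hdr */
    put16(b, oh, 0x20B); put32(b, oh + 16, 0x1010); put32(b, oh + 24, 0x00400000); /* PE32+, entry RVA, ImageBase (high dword 0) */
    put32(b, oh + 32, 0x1000); put32(b, oh + 36, 0x200);                          /* SectionAlignment, FileAlignment */
    memcpy(b + st, ".text", 5);      put32(b, st + 8, 0x100); put32(b, st + 12, 0x1000); put32(b, st + 16, 0x100); put32(b, st + 20, 0x200);
    memcpy(b + st + 40, ".data", 5); put32(b, st + 48, 0x80); put32(b, st + 52, 0x2000); put32(b, st + 56, 0x100); put32(b, st + 60, 0x300);
    return total;
}

/* Helpers over the sample so the results are plain return values. */
int64_t sample_rva_to_offset(uint32_t rva) {            /* -2 if the sample fails to parse */
    uint8_t img[0x400]; pe_info pe;
    if (!build_sample_pe(img, sizeof img) || !pe_parse(img, sizeof img, &pe)) return -2;
    return pe_rva_to_offset(&pe, rva);
}
int sample_parse_truncated(size_t keep) {               /* 1 if a copy cut to `keep` bytes still parses */
    uint8_t img[0x400]; pe_info pe;
    build_sample_pe(img, sizeof img);
    return keep <= sizeof img && pe_parse(img, keep, &pe);
}
uint64_t sample_entry_va(void) {                        /* ImageBase + AddressOfEntryPoint */
    uint8_t img[0x400]; pe_info pe;
    build_sample_pe(img, sizeof img); pe_parse(img, sizeof img, &pe);
    return pe.image_base + pe.entry_rva;
}

int main(void) {
    uint8_t img[0x400]; pe_info pe;
    build_sample_pe(img, sizeof img);
    if (!pe_parse(img, sizeof img, &pe)) { puts("parse failed"); return 1; }
    printf("%s, %u sections, entry VA 0x%llx\n", pe.is64 ? "PE32+" : "PE32",
           (unsigned)pe.nsections, (unsigned long long)sample_entry_va());
    for (uint32_t i = 0; i < pe.nsections; i++)
        printf("  %-6s RVA 0x%05x -> file 0x%05x\n", pe.sec[i].name, pe.sec[i].va, pe.sec[i].raw_off);
    printf("entry RVA 0x1010 -> file offset 0x%llx\n", (unsigned long long)sample_rva_to_offset(0x1010));
    return 0;
}
```

The bounds checks are the part worth copying: every read goes through rd16/rd32 with `len - off` arithmetic that cannot wrap, and the section loop refuses a table that runs past the buffer, so a header with a hostile e_lfanew or NumberOfSections fails the parse instead of crashing the tool reading it. To run it over a real file, read the file into a buffer and call pe_parse on it; the DataDirectory (imports, exports, relocations) is just more RVAs that pe_rva_to_offset turns into file positions.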
#45
Virus-scanners:
- https://www.virustotal.com/
- https://virusscan.jotti.org/
- https://virscan.org/
- https://metadefender.opswat.com/?lang=en
- https://penetrum.com/upload
- https://nodistribute.com/
- https://antiscan.me/

Sandboxes/Misc:
- https://any.run/
- https://cuckoosandbox.org/
- https://www.joesandbox.com/
- https://www.unpac.me
- https://hybrid-analysis.com
#46
Pretty cool Python project "PHANTOM EVASION 3.0"

Github Wrote:Phantom-Evasion is an antivirus evasion tool written in python (compatible with both python and python3) capable of generating (almost) fully undetectable executables even with the most common x86 msfvenom payload.

Might be able to learn a thing or two from the source code.

Link: https://github.com/oddcod3/Phantom-Evasion
#47
Pretty useful to know the defence, to break it.

How to create your own antivirus: https://www.youtube.com/playlist?list=PL...pp=desktop
#48
Joint NSA &amp; FBI authored paper on analysis of Russian state-sponsored malware: https://media.defense.gov/2020/Aug/13/20...G_2020.PDF

NATO Cyber Defence "Malware Reverse Engineering Handbook": https://ccdcoe.org/uploads/2020/07/Malwa...ndbook.pdf

Malware source code, sample database: https://github.com/malwares

Anti-debugging techniques: https://anti-debug.checkpoint.com/

Evasion Techniques: https://evasions.checkpoint.com/

VMs (for your testing/analysis): https://developer.microsoft.com/en-us/mi...tools/vms/
#49
Win32 API Programming Tutorial: http://winprog.org/tutorial/
#50
Loading a DLL from memory: https://www.joachim-bauch.de/tutorials/l...om-memory/

Process Injection Part 1: https://sevrosecurity.com/2020/04/08/pro...otethread/

Bypassing AV via in-memory PE execution: https://blog.dylan.codes/bypassing-av-via/

Creating a Rootkit to Learn C: https://h0mbre.github.io/Learn-C-By-Creating-A-Rootkit/#

OS Dev: https://wiki.osdev.org/Main_Page