The Malware Mega Thread.
#41
(06-14-2020, 06:46 AM)Insider Wrote: The Collection
Archive of Malware Leaks from around the internet
  • Botnets
  • Ebooks
  • Exploit Kits
  • Source Codes and others.
Git: https://github.com/Tlgyt/The-Collection

Nice one, I think I'll go over the materials provided there and curate some of it that aligns with what we want to focus on and showcase at our Github Organization. After I have selected the appropriate content I will mirror it at one of our own repos.
#42
Source code of some malware, RATs and crypters: https://mega.nz/folder/gYd1yaLI#z9RoV7G7...r/YJMAmazR
#43
Some random link resources for malware, Windows system internals, Windows exploitation, Linux exploitation, Windows post-exploitation and more.

mini-tor
20 KB Tor implementation in C++ using the Microsoft crypto API (could be used by malware to onboard reverse shells to .onion-hosted C2 servers and such).
https://github.com/wbenny/mini-tor

Windows binaries Index: https://m417z.com/Introducing-Winbindex-...ies-Index/

Runtime crypter: https://github.com/NateBrune/Simple-XTEA-Crypter (Old but could be used to create something better)

Hiding Windows API Imports With a Custom Loader: https://blog.christophetd.fr/hiding-wind...er-loader/

In-Memory shellcode decoding to evade AVs/EDRs: https://shells.systems/in-memory-shellco...evade-avs/

Microsoft low-level programming resources: https://bytepointer.com/resources/index.htm

Analysis of Emotet Malware: PowerShell Unobfuscation: https://medium.com/picus-security/an-ana...46b50dcf2b

FalconZero
Slaeryan Wrote: a stealthy, targeted Windows Loader for delivering second-stage payloads (shellcode) to the host machine undetected
https://slaeryan.github.io/posts/falcon-zero-alpha.html
https://github.com/slaeryan/FALCONSTRIKE

VERGILIUS Project
vergiliusproject Wrote: This project provides a collection of Microsoft Windows kernel structures, unions and enumerations. Most of them are not officially documented and cannot be found in Windows Driver Kit (WDK) headers. The target audience of this site is driver developers and kernel researchers.
https://www.vergiliusproject.com/

Windows System Calls: https://github.com/j00ru/windows-syscalls

Nirsoft code samples: https://www.nirsoft.net/code_samples.html

Nirsoft "Windows Vista Kernel Structures": https://www.nirsoft.net/kernel_struct/vista/index.html

GIMPLE obfuscator for C, C++, Go, etc.: https://github.com/meme/hellscape

Linux x86 run-time process manipulation: http://hick.org/code/skape/papers/needle.txt

Injecting a Running Process (Linux): https://www.real0day.com/hacking-tutoria...cess-linux

defcon-25-workshop
"Windows Post-Exploitation / Malware Forward Engineering"
https://github.com/zerosum0x0/defcon-25-workshop

NINA: No Injection, No Allocation x64 Process Injection Technique.
https://undev.ninja/nina-x64-process-injection/
https://github.com/NtRaiseHardError/NINA
#44
(07-29-2020, 07:32 PM)Insider Wrote: Some random link resources for malware, Windows system internals, Windows exploitation, Linux exploitation, Windows post-exploitation and more.

Awesome share, Vergilius Project is one that really caught my eye. I had a look and I think it would serve great as a reference sheet to help with kernel exploit development.

Also, I recently came across this website.

https://secret.club/

They have a ton of really good articles. I saved some as PDF and put them in a repo of our Github Organization. Some highlights include:

Windows Telemetry Service PrivEsc - From diagtrack, to information disclosure, RCE and PrivEsc.

UEFI Development - Very useful to be acquainted with if you want to work with malware at the firmware level. Bootkits come to mind, for example.

From directory deletion to SYSTEM - File system logical vector LPE.

I've actually been in contact with one of the people that contributes to this website. Very talented guy, spoke extensively with him on such topics as general exploit dev, kernel exploits and a bit about malware. He shared some tooling with me that will be helpful with regards to my new Exploit/Payload Framework that I currently have in active development.
#45
(08-05-2020, 12:14 PM)Vector Wrote: Awesome share, Vergilius Project is one that really caught my eye. I had a look and I think it would serve great as a reference sheet to help with kernel exploit development.

Also, I recently came across this website.

https://secret.club/

No problem! And yeah, I've been trying to collect some good malware dev blogs lately, so I can curate a consistent but quality RSS feed for this and keep up with it all.

I would really recommend checking vxug's paper and ezine sections though. They've got some old-school stuff, but it's awesome to read and learn from:
- https://vxug.fakedoma.in/archive.html
- https://vxug.fakedoma.in/zines.html
- https://vxug.fakedoma.in/papers.html


Also... here's some more resources for the thread which I'll dump!

You might be able to defend against AV with bypass and evasion. But how do we protect it against EDR? Good article.
- Defending your malware: https://blog.dylan.codes/defending-your-malware

Cool article on how software and memory management work.
- Anatomy of a Program in Memory: https://manybutfinite.com/post/anatomy-o...in-memory/

- An In-Depth Look into the Win32 Portable Executable File Format - Part 1: http://www.delphibasics.info/home/delphi...rmat-part1
delphibasics Wrote: A good understanding of the Portable Executable (PE) file format leads to a good understanding of the operating system. If you know what's in your DLLs and EXEs, you'll be a more knowledgeable programmer. This article, the first of a two-part series, looks at the changes to the PE format that have occurred over the last few years, along with an overview of the format itself.
After this update, the author discusses how the PE format fits into applications written for .NET, PE file sections, RVAs, the DataDirectory, and the importing of functions. An appendix includes lists of the relevant image header structures and their descriptions.

- Compiler Explorer: https://godbolt.org/z/43fdbe
Github Wrote: Compiler Explorer is an interactive compiler. The left-hand pane shows editable C, C++, Rust, Go, D, Haskell, Swift, Pascal (and some more!) code. The right, the assembly output of having compiled the code with a given compiler and settings. Multiple compilers are supported, and the UI layout is configurable (thanks to GoldenLayout). There is also an ispc compiler for a C variant with extensions for SPMD.
Github: https://github.com/compiler-explorer/compiler-explorer
#46
Virus-scanners:
- https://www.virustotal.com/
- https://virusscan.jotti.org/
- https://virscan.org/
- https://metadefender.opswat.com/?lang=en
- https://penetrum.com/upload
- https://nodistribute.com/
- https://antiscan.me/

Sandboxes/Misc:
- https://any.run/
- https://cuckoosandbox.org/
- https://www.joesandbox.com/
- https://www.unpac.me
#47
Pretty cool Python project "PHANTOM EVASION 3.0"

Github Wrote: Phantom-Evasion is an antivirus evasion tool written in Python (compatible with both python and python3) capable of generating (almost) fully undetectable executables even with the most common x86 msfvenom payload.

Might be able to learn a thing or two from the source code.

Link: https://github.com/oddcod3/Phantom-Evasion
#48
Pretty useful to know the defence in order to break it.

How to create your own antivirus: https://www.youtube.com/playlist?list=PL...pp=desktop