How do I learn Malware coding?
#1

Any malware coders out there? Feel free to drop your 2 cents here. Just sharing some resources in this thread, and thoughts on it from other GreySec users, to get you started.

Old post from 2016 which I almost thought deserved its own post. So I'm sharing it here.

M8lc0d3 Wrote: I recommend learning reverse engineering and reverse engineering others' malware before writing your own. The process of learning reverse engineering and malware analysis will teach you more about malware than writing it would, at least as a beginner.

To learn this I recommend:
- Learning C programming language
- Learning x86 assembly language
- Reading Data Structures Programming Book
- Reading Modern Operating Systems by Tanenbaum
- Reading Structured Computer Organization by Tanenbaum
- Reading Practical Malware Analysis Book
- Reading Windows Internals Books
- Reading IDA Pro Book
- Reading Intel Manuals
- Learning PE file format
- Learning how to exploit memory corruption vulnerabilities (i.e. read corelan tutorials)
- Learning Windows Device Driver Programming

To find malware to reverse engineer I recommend not reverse engineering the crap you find posted on most forums and instead looking for more professional pieces of malware which are written by more experienced groups of criminals. Others have posted threads with this kind of info and even download links to the books on other threads on this forum.

You can find binary samples of this type of malware on many sites where people reverse engineer malware.

Many security companies post detailed analysis of a lot of different types of malware and reading their analysis will teach you more about malware than *most* forums will.

Outside of that, common sense and a spark of innovation are essential.

Book/Resources

Learn ANSI C
https://mega.nz/folder/eEkwUIbC#QJuN18nD...e/3d8iDKKB

Learn x86 Assembly
https://mega.nz/folder/eEkwUIbC#QJuN18nD...e/bQ9yiaJZ
https://beginners.re/

Data Structures & Algorithms

See: https://greysec.net/showthread.php?tid=1418
NO-OP Wrote: I have to say these books below are amazing and you will learn SO much if you even just thumb through them. The "DSA" is a great general overview of important algorithms and data structures, while the "Algorithm Design Manual" explains data structures and algorithms in the context of actual use, including real life "war stories" based around them.

If you're newer to programming I would heavily suggest the DSA, and the ADM for more seasoned individuals.

DSA: https://apps2.mdp.ac.id/perpustakaan/ebo...um/Dsa.pdf
Algorithm Design (ADM): https://link.springer.com/content/pdf/10...-070-4.pdf

Modern Operating Systems by Tanenbaum
http://materias.fi.uba.ar/7508/MOS4/Oper...th.Edi.pdf

Practical Malware Analysis
https://mega.nz/folder/eEkwUIbC#QJuN18nD...e/mIsCQCqT

Windows Internals
Part 1 (6th version, old): https://repo.zenk-security.com/Linux%20e...dition.pdf
Part 2 (6th version, old): https://doc.lagout.org/security/Windows%20Internals.pdf
You'll have to buy it from Microsoft if you want the 7th version. Got it myself as a physical copy.

IDA Pro Book
2nd edition: https://github.com/nixawk/pentest-wiki/r...n.2011.pdf

Intel manuals
https://software.intel.com/en-us/articles/intel-sdm
https://www.intel.com/content/www/us/en/...ssors.html
http://web.eecs.umich.edu/~farnam/482/Wi...tarch.html

Learn PE file format
https://www.youtube.com/watch?v=l6GjU8fm8sM
https://blog.kowalczyk.info/articles/pefileformat.html
https://resources.infosecinstitute.com/2...file/#gref

Exploit memory corruption vulnerabilities (i.e. read corelan tutorials)
Binary Exploit Tutorials: https://greysec.net/showthread.php?tid=560 by @dropzone
Exploit dev links: https://greysec.net/showthread.php?tid=6700 by @dropzone
Corelan tutorials: https://greysec.net/showthread.php?tid=6695
Bypassing protection: https://greysec.net/showthread.php?tid=6721

Windows Device Driver Programming
https://docs.microsoft.com/en-us/windows...ngstarted/
https://www.technology.org/2017/02/09/wi...-tutorial/
https://en.wikibooks.org/wiki/Windows_Pr...troduction
https://resources.infosecinstitute.com/w...iver/#gref


Also be sure to check out the Malware Mega thread by @Vector: https://greysec.net/showthread.php?tid=2451

Malware samples (Download at your own risk)

Vector Wrote: 2. Samples, Open Source and Otherwise

There are a number of places where one can go and find some interesting samples to play around with. I'll start off with some resources that can be found on Github.

I have a repo forked on my Github that contains a list of Rootkits that can be downloaded from Github and a couple of other places. Check it out below.

https://github.com/NullArray/RootKits-List-Download


Furthermore, I have compiled a small list of sites that offer malware samples as well.

http://www.kernelmode.info/forum/viewforum.php?f=16
https://virusshare.com/
https://www.scumware.org/index.scumware
http://malc0de.com/database/
http://labs.sucuri.net/?malware
https://zeustracker.abuse.ch/monitor.php...e=binaries

Alternatively, I recently came across a project on Github that works by automatically searching a number of sites for malware samples. It's a bit outdated and I personally haven't used it, but I thought it deserved a mention regardless, so here's the tool.

What's more, I am currently in possession of about 50 malicious files and programs, among which are Trojans, keyloggers, worms and more. If you'd like to see if my collection might have something interesting for you, check out this paste where I posted a rough list of what I currently have. Send me a PM if you'd like to receive one or more of my samples.

https://pastebin.com/dXetvYKk
Source - Malware Mega thread: https://greysec.net/showthread.php?tid=2451

Other malware samples (Download at your own risk)

theZoo: https://github.com/ytisf/theZoo

VxHeaven:
http://83.133.184.251/virensimulation.or...index.html
http://83.133.184.251/virensimulation.org/
http://download.adamas.ai/dlbase/Stuff/V...index.html
https://archive.org/details/vxheaven-dos...collection
https://archive.org/details/vxheaven-win...collection

Web Malware Collection: https://code.google.com/archive/p/web-ma.../downloads

Malware repository: https://malshare.com/
Malware repo 2: https://malware.lu/
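The "Learn PE file format" resources in the first post are reading material only. As an added example (not code from the thread, nor from any of the linked books or sites), here is a small Python parser that walks a PE image the way an analyst does before opening it in a disassembler: DOS header, PE signature, COFF file header, optional-header magic and entry point, then the section table, followed by a few static-triage checks (writable-and-executable sections, sections with no raw data but a large virtual size, an entry point that lands outside every section). The image it parses is built inline with struct.pack so the script runs offline; the section names, sizes and flag values in build_sample() are constructed test data, and the triage heuristics are my own choice rather than anything the thread states.

```python
"""Minimal PE header parser plus static triage checks (added example, not from the thread)."""
import struct
import sys

# Section characteristic bits from the PE/COFF specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

COFF_HDR = "<HHIIIHH"          # 20-byte IMAGE_FILE_HEADER
SECTION_HDR = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER


def parse_pe(data: bytes) -> dict:
    """Parse DOS header -> PE signature -> COFF header -> optional header -> section table.

    Truncated input raises struct.error; bad signatures raise ValueError.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from(COFF_HDR, data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # AddressOfEntryPoint sits at offset 16 of the optional header in both PE32 and PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    table = opt + opt_size                                       # section table follows the optional header
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": f[1], "virtual_address": f[2],
            "raw_size": f[3], "raw_pointer": f[4],
            "characteristics": f[9],
        })
    return {
        "machine": machine, "number_of_sections": nsections,
        "timestamp": timestamp, "characteristics": characteristics,
        "pe32plus": magic == PE32PLUS_MAGIC, "entry_point": entry_rva,
        "sections": sections,
    }


def triage(pe: dict) -> list:
    """Return human-readable findings for the first things an analyst checks statically."""
    findings = []
    for s in pe["sections"]:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']} is writable and executable")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"section {s['name']} has no raw data but {s['virtual_size']:#x} bytes "
                            "virtual (typical of a packed image that unpacks at runtime)")
    ep = pe["entry_point"]
    in_some_section = any(
        s["virtual_address"] <= ep < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])
        for s in pe["sections"])
    if not in_some_section:
        findings.append(f"entry point {ep:#x} lies outside every section")
    return findings


def build_sample() -> bytes:
    """Constructed PE32 header (no code, made-up values) so the script can run offline."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)             # 0x40 bytes
    opt = struct.pack("<HBBIIII", PE32_MAGIC, 0, 0, 0x200, 0x3000, 0, 0x1000)  # entry = 0x1000
    opt += b"\0" * (0xE0 - len(opt))                                          # standard PE32 size
    coff = struct.pack(COFF_HDR, 0x14C, 2, 0, 0, 0, len(opt), 0x0102)         # i386, 2 sections
    text = struct.pack(SECTION_HDR, b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    stub = struct.pack(SECTION_HDR, b".stub", 0x3000, 0x2000, 0, 0, 0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + coff + opt + text + stub


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = parse_pe(blob)
    print(f"machine={info['machine']:#x} sections={info['number_of_sections']} "
          f"entry={info['entry_point']:#x} pe32plus={info['pe32plus']}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} va={s['virtual_address']:#08x} vsize={s['virtual_size']:#x} "
              f"raw={s['raw_size']:#x} flags={s['characteristics']:#010x}")
    for finding in triage(info) or ["no triage findings"]:
        print("  *", finding)
```

Run it with no arguments to parse the constructed sample, or pass a file path to parse a real image; the constructed sample's `.stub` section trips both section checks while its entry point resolves into `.text`, which is the pattern the triage routine is meant to surface.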
#2
Updated thread with section for malware samples.
#3
A lot of people ask what the best language is for malware writing. It really just depends on your needs/requirements and what your goal and targets are. Any programming language can be used to make malware. I write shell scripts and python because those are two things that are very prominent in the Unix world. Scripts may be easier to reverse than binaries but they're also very portable, easy to obfuscate, and not generally assumed to be malicious as often as binaries are.
I don't really think you need to learn reversing malware before you write your own. While it does give you more insight into how reverse engineers and malware analysts do their job, you can write malware without knowing about reversing. What you should study is the programming language you're using, the OS you're targeting, and how other malware works. That's just my 2 cents.
#4
(04-28-2020, 06:20 PM)Dismal_0x8 Wrote: A lot of people ask what the best language is for malware writing. It really just depends on your needs/requirements and what your goal and targets are. Any programming language can be used to make malware. I write shell scripts and python because those are two things that are very prominent in the Unix world. Scripts may be easier to reverse than binaries but they're also very portable, easy to obfuscate, and not generally assumed to be malicious as often as binaries are.

True. I prefer Python myself since it's easy to get into and understand the flow. It's what I've always stuck with.

(04-28-2020, 06:20 PM)Dismal_0x8 Wrote: I don't really think you need to learn reversing malware before you write your own. While it does give you more insight into how reverse engineers and malware analysts do their job, you can write malware without knowing about reversing. What you should study is the programming language you're using, the OS you're targeting, and how other malware works. That's just my 2 cents.

Thanks for sharing your thoughts! I'm actually not really into writing malware myself, however I'm starting to get interested in this lately.

What you're saying about learning the OS and programming language: very true, I agree. It's a good idea to learn the system internals of the OS to exploit its flaws, so you can do privilege escalations and such things.

> how other malware works.
Probably helps to learn a bit of malware analysis to do this. But I think just reading through the source codes of other malware will probably be helpful too.
#5
Insider Wrote: Probably helps to learn a bit of malware analysis to do this. But I think just reading through the source codes of other malware will probably be helpful too.
Well you would think so. Malware analysis involves trying to understand a malware sample in the shoes of someone the author didn't want understanding it, which just makes it more difficult. Plenty of open source and leaked-source malware teaches you the fundamentals and more of how malware works. Metasploit, PowerShell Empire, Koadic, pupy are all good examples. Their techniques are well documented so you don't have to dig through source code to understand them. You can learn how they deliver payloads, communicate with their servers, stay hidden from security tools, and interact with the system without reading a single line of source code. But if people want to learn malware analysis then I'm not saying not to.
#6
Awesome resources! As I was starting my journey, this post helped lol because I was in a dilemma about what I should learn.
To be honest I am learning
- Assembly
- DSA
- c/c++
After reading this post I realized I had to learn more!! Thank you!!!
#7
(07-08-2020, 01:39 PM)sinistergeek Wrote: Awesome resources! As I was starting my journey, this post helped lol because I was in a dilemma about what I should learn.
To be honest I am learning
- Assembly
- DSA
- c/c++
After reading this post I realized I had to learn more!! Thank you!!!

Glad it helped! This is one of the paths to malware development, although there's no right or wrong here.
You can start off making malware right away actually without any of this. I've been playing around myself with python, making droppers, stagers, keyloggers etc. But it is my belief that knowing the things I covered in the thread will give you a much deeper understanding of the fundamentals, and therefore you'll be able to write more complex pieces of software.

You'll also be able to use this knowledge to jump into exploit development and reverse engineering: C & ASM are fundamentals there too.
#8
(04-28-2020, 06:20 PM)DeepLogic Wrote: A lot of people ask what the best language is for malware writing. It really just depends on your needs/requirements and what your goal and targets are. Any programming language can be used to make malware. I write shell scripts and python because those are two things that are very prominent in the Unix world. Scripts may be easier to reverse than binaries but they're also very portable, easy to obfuscate, and not generally assumed to be malicious as often as binaries are.
I don't really think you need to learn reversing malware before you write your own. While it does give you more insight into how reverse engineers and malware analysts do their job, you can write malware without knowing about reversing. What you should study is the programming language you're using, the OS you're targeting, and how other malware works. That's just my 2 cents.

The point of learning to reverse engineer when it comes to learning MalDev in a more general sense is to get you acquainted with Assembly and its dialects, the buffer, the stack, registries, data structures, ROP gadgets and ROP chaining, and how things are different on different architectures. I know this is an over-simplification, but necessarily so for the sake of brevity.

Now full disclosure, I am in no way as competent at reversing as I should be. But if you really want to get into Malware Development and Exploit Development, you gotta learn a lot of the low level stuff. The better you understand it, the more effective you will become at creating malware capable of remaining undetected, using exploits for privilege escalation, and a lot more. Plus you won't be reliant on multiple abstraction layers and third party libraries as you would be with Python for instance.

Of course I agree that malware can be written in any language, but your capabilities as a malware dev will expand exponentially once you learn the low level stuff and really what amounts to CompSci fundamentals.