Malware Development.md

Malware/Rootkit Development Links & Notes

Useful Sites & paid courses

• vx-underground
• CodeMachine Trainings
• Mr.Un1k0d3r Class
• Sektor7 Courses

Useful source code

• Process Hacker (Sysinformer) - Interactions with a bunch of objects/components present in windows such as threads stack, handles, gpu and more
• ReactOS - An open source re-implementation of Windows

Undocumented Windows

• https://geoffchappell.com/studies/windows/
• http://redplait.blogspot.com/
• https://undocumented.ntinternals.net/

Awesome Blog Posts/Repo

• https://0xrick.github.io/win-internals/pe1/
• https://jackson_t.gitlab.io/edr-reversing-evading-01.html
• https://pre.empt.dev/posts/maelstrom-an-introduction/
• https://ethicalchaos.dev/2020/05/27/lets-create-an-edr-and-bypass-it-part-1/
• https://github.com/Mr-Un1k0d3r/EDRs
• https://arashparsa.com/hook-heaps-and-live-free/
• https://github.com/matthieu-hackwitharts/Win32_Offensive_Cheatsheet

Better Process Creation

• PPID spoofing : https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing
• CSRSS registration : https://www.coresecurity.com/core-labs/articles/creating-processes-using-system-calls
• BlockDll policy : Assign PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON attribute with UpdateProcThreadAttribute
• Arbitrary Code Guard (ACG/ProcessDynamicCodePolicy) : https://www.ired.team/offensive-security/defense-evasion/acg-arbitrary-code-guard-processdynamiccodepolicy
• Process Command Line spoofing : https://krabsonsecurity.com/2020/02/23/stealthier-approach-to-spoofing-process-command-line/

• Example : combination of PPID Spoofing & BlockDLLs in NtCreateUserProcess syscall : https://offensivedefence.co.uk/posts/ntcreateuserprocess/

Hooking/Useful Hooks

• Understanding and Bypassing AMSI: Bypass AMSI by hooking the AmsiScanBuffer call
• RDPThief: Intercept and read credentials from RDP with SspiPrepareForCredRead, CryptProtectMemory, CredIsMarshaledCredentialW hooks
• Windows API Hooking: Redirect MessageBoxA
• Import Address Table (IAT) Hooking: Redirect MessageBoxA
• Intercepting Logon Credentials by Hooking msv1_0!SpAcceptCredentials: Intercept and read credentials from msv1_0!SpAcceptCredentials
• Protecting the Heap: Encryption & Hooks: Hook RtlAllocateHeap, RtlReAllocateHeap and RtlFreeHeap to monitor heap allocations
• LdrLoadDll Hook: Prevent DLLs being loaded

Shellcoding

• Shellcode: Dual mode PIC for x86 (Reverse and Bind Shells for Windows)
• Shellcode: A Windows PIC using RSA-2048 key exchange, AES-256, SHA-3
• Shellcoding: Process Injection with Assembly
• shellcode Reflective Dll Injection (sRDI)

UDRL/RDLL

• ElusiveMice: ETW & AMSI patch, avoid RWX
• TitanLdr: DnsQuery_A IAT Hook to support DoH
• BokuLoader: Multiple evasion techniques
• KaynStrike: Thread Start Address spoofing, clean up itself
• AceLdr: Sleep Obfuscation, Heap Encryption, Return Address Spoofing

Command & Control (C2) Developement

Existing Command and Control (C2)

• Paid C2
  • Nighthawk C2
  • Bruteratel C2
  • Cobalt Strike
• Free C2
  • Havoc C2
  • Sliver C2
  • Posh C2

Tasks

• execute-assembly
  • inline-execute-assembly
  • inject-assembly
• Patch AMSI, ETW
  • Patchless : https://ethicalchaos.dev/2022/04/17/in-process-patchless-amsi-bypass/
• COFFloader - run un-modified BOF's so it can be used for testing without a CS agent running it.

Syscalls

• HellsGate
  • HalosGate
  • TartarusGate
• SysWhispers3
• FreshyCalls
• Custom stub

Sleep Obfuscation

• Gargoyle: A technique for hiding all of a program’s executable code in NX memory. At some programmer-defined interval, gargoyle will wake up–and with some ROP trickery–mark itself executable and do some work.
• SleepyCrypt: Position-Independent Code to encrypt a running process image when sleeping.
• ShellcodeFluctuation: cyclically encrypts and decrypts shellcode's contents to then make it fluctuate between RW (or NX) and RX memory protection.
• FOLIAGE: queues a series of UM APCs (NtQueueApcThread) with callbacks to NtContinue
• Ekko: queues a series of timers (CreateTimerQueueTimer) with callbacks to NtContinue.
• Cronos: leveraging waitable timers (SetWaitableTimer).
• DeathSleep: kills the current thread after saving its CPU state and stack and then restores them.

Thread Stack Spoofing

• ThreadStackSpoofer: First Thread Stack Spoof PoC, bypass thread-based memory examination rules and better hide shellcodes while in-process memory
• SilentMoonwalk: remove the original caller from the call stack, using ROP to desynchronize unwinding from control flow.
• VulcanRaven: A call stack spoofer that operates the spoofing by synthetically creating a thread stack mirroring another real call stack.

Rootkits

Books

• The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System

Blogs, Repo & Talks

• Nidhogg : all-in-one simple to use rootkit
• TelemetrySourcer : Useful projects for your rootkits (Hooks, ETWTI...)
• Windows-Rootkits : Some techniques used in malwares

Bootkits

Books

• Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats.

Blogs, Repo & Talks

• https://medium.com/firmware-threat-hunting/bypass-intel-boot-guard-cc05edfca3a9
• https://github.com/REhints/BlackHat_2017/blob/master/Betraying%20the%20BIOS.pdf
• https://github.com/quarkslab/dreamboot
• https://github.com/nyx0/Rovnix
• https://github.com/ajkhoury/UEFI-Bootkit

Mac OSX Malwares

Books

• The Art of Mac Malware: Provide a comprehensive resource about threats targeting Apple's desktop OS. Dedicated to the community, it is a culmination of over a decade of macOS security research.

Blogs, Repo & Talks

• https://objective-see.org/blog/
• https://github.com/aidansteele/osx-abi-macho-file-format-reference
• https://www.sentinelone.com/blog/7-ways-threat-actors-deliver-macos-malware-in-the-enterprise/
• https://blog.xpnsec.com/building-a-mach-o-memory-loader-part-1/
• https://modexp.wordpress.com/2017/01/21/shellcode-osx/