- Process Hacker (System Informer) - Inspect and interact with many Windows objects and components, such as thread stacks, handles, GPU usage and more
- ReactOS - An open source re-implementation of Windows
- https://geoffchappell.com/studies/windows/
- http://redplait.blogspot.com/
- https://undocumented.ntinternals.net/
- https://0xrick.github.io/win-internals/pe1/
- https://jackson_t.gitlab.io/edr-reversing-evading-01.html
- https://pre.empt.dev/posts/maelstrom-an-introduction/
- https://ethicalchaos.dev/2020/05/27/lets-create-an-edr-and-bypass-it-part-1/
- https://github.com/Mr-Un1k0d3r/EDRs
- https://arashparsa.com/hook-heaps-and-live-free/
- https://github.com/matthieu-hackwitharts/Win32_Offensive_Cheatsheet
- PPID spoofing : https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing
- CSRSS registration : https://www.coresecurity.com/core-labs/articles/creating-processes-using-system-calls
- BlockDll policy : Assign the `PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON` attribute with `UpdateProcThreadAttribute`
- Arbitrary Code Guard (ACG / `ProcessDynamicCodePolicy`) : https://www.ired.team/offensive-security/defense-evasion/acg-arbitrary-code-guard-processdynamiccodepolicy
- Process Command Line spoofing : https://krabsonsecurity.com/2020/02/23/stealthier-approach-to-spoofing-process-command-line/
- Example : combination of PPID Spoofing & BlockDLLs in the `NtCreateUserProcess` syscall : https://offensivedefence.co.uk/posts/ntcreateuserprocess/
- Understanding and Bypassing AMSI: Bypass AMSI by hooking the `AmsiScanBuffer` call
- RDPThief: Intercept and read credentials from RDP with `SspiPrepareForCredRead`, `CryptProtectMemory` and `CredIsMarshaledCredentialW` hooks
- Windows API Hooking: Redirect `MessageBoxA`
- Import Address Table (IAT) Hooking: Redirect `MessageBoxA`
- Intercepting Logon Credentials by Hooking `msv1_0!SpAcceptCredentials`: Intercept and read credentials from `msv1_0!SpAcceptCredentials`
- Protecting the Heap: Encryption & Hooks: Hook `RtlAllocateHeap`, `RtlReAllocateHeap` and `RtlFreeHeap` to monitor heap allocations
- `LdrLoadDll` Hook: Prevent DLLs from being loaded
- Shellcode: Dual mode PIC for x86 (Reverse and Bind Shells for Windows)
- Shellcode: A Windows PIC using RSA-2048 key exchange, AES-256, SHA-3
- Shellcoding: Process Injection with Assembly
- Shellcode Reflective DLL Injection (sRDI)
- ElusiveMice: ETW & AMSI patch, avoid RWX
- TitanLdr: `DnsQuery_A` IAT Hook to support DoH
- BokuLoader: Multiple evasion techniques
- KaynStrike: Thread Start Address spoofing, clean up itself
- AceLdr: Sleep Obfuscation, Heap Encryption, Return Address Spoofing
Existing Command and Control (C2)
- Paid C2
- Free C2
Tasks
- execute-assembly
- Patch AMSI, ETW
- COFFLoader - run unmodified BOFs, so it can be used for testing without a CS agent running them.
Syscalls
Sleep Obfuscation
- Gargoyle: A technique for hiding all of a program's executable code in `NX` memory. At some programmer-defined interval, gargoyle will wake up and, with some ROP trickery, mark itself executable and do some work.
- SleepyCrypt: Position-Independent Code to encrypt a running process image when sleeping.
- ShellcodeFluctuation: cyclically encrypts and decrypts the shellcode's contents to make it fluctuate between `RW` (or `NX`) and `RX` memory protection.
- FOLIAGE: queues a series of UM APCs (`NtQueueApcThread`) with callbacks to `NtContinue`.
- Ekko: queues a series of timers (`CreateTimerQueueTimer`) with callbacks to `NtContinue`.
- Cronos: leveraging waitable timers (`SetWaitableTimer`).
- DeathSleep: kills the current thread after saving its CPU state and stack, and then restores them.
Thread Stack Spoofing
- ThreadStackSpoofer: First Thread Stack Spoof PoC; bypasses thread-based memory examination rules and better hides shellcode in process memory
- SilentMoonwalk: remove the original caller from the call stack, using ROP to desynchronize unwinding from control flow.
- VulcanRaven: A call stack spoofer that operates the spoofing by synthetically creating a thread stack mirroring another real call stack.
Books
- The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
Blogs, Repo & Talks
- Nidhogg : all-in-one, simple-to-use rootkit
- TelemetrySourcer : Useful projects for your rootkits (Hooks, ETWTI...)
- Windows-Rootkits : Some techniques used in malware
Books
- Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats.
Blogs, Repo & Talks
- https://medium.com/firmware-threat-hunting/bypass-intel-boot-guard-cc05edfca3a9
- https://github.com/REhints/BlackHat_2017/blob/master/Betraying%20the%20BIOS.pdf
- https://github.com/quarkslab/dreamboot
- https://github.com/nyx0/Rovnix
- https://github.com/ajkhoury/UEFI-Bootkit
Books
- The Art of Mac Malware: A comprehensive resource about threats targeting Apple's desktop OS. Dedicated to the community, it is the culmination of over a decade of macOS security research.
Blogs, Repo & Talks
- https://objective-see.org/blog/
- https://github.com/aidansteele/osx-abi-macho-file-format-reference
- https://www.sentinelone.com/blog/7-ways-threat-actors-deliver-macos-malware-in-the-enterprise/
- https://blog.xpnsec.com/building-a-mach-o-memory-loader-part-1/
- https://modexp.wordpress.com/2017/01/21/shellcode-osx/