0prrr/All-Mal-Dev.md

Last active November 3, 2024 13:28

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/0prrr/c0954a638c55ab4b39e8b02ef312e806.js"></script>
Save 0prrr/c0954a638c55ab4b39e8b02ef312e806 to your computer and use it in GitHub Desktop.

Download ZIP

Malware Dev Reading List

Raw

All-Mal-Dev.md

Recommended Read / Watch

Books

Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection: Obfuscation, Watermarking, and Tamperproofing for Software Protection
Windows Native API Programming
https://leanpub.com/windowsnativeapiprogramming

Tutorial Series

AV/EDR Evasion | Malware Development Part 1 - 4
https://medium.com/@0xHossam/av-edr-evasion-malware-development-933e50f47af5
Malware development part 1 - N
https://0xpat.github.io/Malware_development_part_1/

X-Bypassing

Bypassing Image Load Kernel Callbacks
https://www.mdsec.co.uk/2021/06/bypassing-image-load-kernel-callbacks/
Shhmon — Silencing Sysmon via Driver Unload (Sysmon Evasion, MiniFilter Driver Loading/Unloading, Sysmon Events)
https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650
FireWalker: A New Approach to Generically Bypass User-Space EDR Hooking
https://www.mdsec.co.uk/2020/08/firewalker-a-new-approach-to-generically-bypass-user-space-edr-hooking/
Silencing Cylance: A Case Study in Modern EDRs (Various in-Memory techaniques to bypass Cylance, IMAGE_DEBUG_DIRECTORY powershell pdb info, office macro)
https://www.mdsec.co.uk/2019/03/silencing-cylance-a-case-study-in-modern-edrs/
The dying knight in the shiny armour (Bypass Windows Defender with redirecting NT symbolic link and driver sideloading)
https://aptw.tf/2021/08/21/killing-defender.html
Bypass EDR’s memory protection, introduction to hooking
https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs
https://www.ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis
Adventures in Dynamic Evasion
https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa
Bypassing Cortex XDR
https://mrd0x.com/cortex-xdr-analysis-and-bypass/
Lets Create An EDR… And Bypass It! Part 1
https://ethicalchaos.dev/2020/05/27/lets-create-an-edr-and-bypass-it-part-1/
Lets Create An EDR… And Bypass It! Part 2
https://ethicalchaos.dev/2020/06/14/lets-create-an-edr-and-bypass-it-part-2/
Bypassing VirtualBox Process Hardening on Windows
https://googleprojectzero.blogspot.com/2017/08/bypassing-virtualbox-process-hardening.html
AVOIDING GET-INJECTEDTHREAD FOR INTERNAL THREAD CREATION (_beginthread, _beginthreadex)
https://www.trustedsec.com/blog/avoiding-get-injectedthread-for-internal-thread-creation/
Understanding and Evading Get-InjectedThread
https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/
In-Memory Disassembly for EDR/AV Unhooking
https://signal-labs.com/analysis-of-edr-hooks-bypasses-amp-our-rust-sample/
Bypass AMSI in local process hooking NtCreateSection
https://waawaa.github.io/es/amsi_bypass-hooking-NtCreateSection/
Your BOFs Are gross, Put on a Mask: How to Hide Beacon During BOF Execution
https://securityintelligence.com/posts/how-to-hide-beacon-during-bof-execution/
Evading WinDefender ATP credential-theft: kernel version
https://b4rtik.github.io/posts/evading-windefender-atp-credential-theft-kernel-version/
Bypassing Windows Defender Runtime Scanning
https://labs.withsecure.com/publications/bypassing-windows-defender-runtime-scanning
Abusing SharedUserData For Defense Evasion and Exploitation
https://www.legacyy.xyz/defenseevasion/windows/2022/07/04/abusing-shareduserdata-for-defense-evasion-and-exploitation.html
Detecting and Evading Sandboxing through Time based evasion
https://shubakki.github.io/posts/2022/12/detecting-and-evading-sandboxing-through-time-based-evasion/
Evasion techniques
https://evasions.checkpoint.com/
What you need to know about Process Ghosting, a new executable image tampering attack
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack
Repo for Various Sandbox Bypassing Techniques
https://github.com/Arvanaghi/CheckPlease/tree/master/C
https://github.com/LordNoteworthy/al-khaser
https://github.com/a0rtega/pafish
https://github.com/CheckPointSW/InviZzzible
https://github.com/hfiref0x/VBoxHardenedLoader
Protecting Your Malware with blockdlls and ACG
https://blog.xpnsec.com/protecting-your-malware/
Abusing Delay Load DLLs for Remote Code Injection
https://samples.vx-underground.org/root/Papers/Windows/Process%20Injection/2017-09-19%20-%20Abusing%20Delay%20Load%20DLLs%20for%20Remote%20Code%20Injection.pdf
BYPASSING MICROSOFT DEFENDER FOR ENDPOINT IN RED TEAMING ASSESSMENTS
https://www.securify.nl/en/blog/bypassing-microsoft-defender-for-endpoint-in-red-teaming-assessments/

CLR

In Process Execute Assembly and Mail Slots
https://teamhydra.blog/2020/10/12/in-process-execute-assembly-and-mail-slots/
Don’t Be Rude, Stay: Avoiding Fork&Run .NET Execution With InlineExecute-Assembly
https://securityintelligence.com/x-force/net-execution-inlineexecute-assembly/
Mixed Assemblies - Crafting Flexible C++ Reflective Stagers for .NET Assemblies
https://thewover.github.io/Mixed-Assemblies/
Writing a Native C++ Application to Consume a .NET Assembly
https://www.codeproject.com/Articles/35010/Writing-a-Native-C-Application-to-Consume-a-NET-As
Double Thunking (C++) [-]
https://learn.microsoft.com/en-us/cpp/dotnet/double-thunking-cpp?view=msvc-170&viewFallbackFrom=vs-2019
ClrGuard
https://github.com/endgameinc/ClrGuard

CFG / CFI

Back To The Epilogue: Evading Control Flow Guard via Unaligned Targets [-]
https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_05A-3_Biondo_paper.pdf
BYPASS CONTROL FLOW GUARD COMPREHENSIVELY [-]
https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf
Control Flow Guard Improvements in Windows 10 Anniversary Update [-]
https://web.archive.org/web/20161031134827/http://blog.trendmicro.com/trendlabs-security-intelligence/control-flow-guard-improvements-windows-10-anniversary-update/
CFG Showcase
https://github.com/trailofbits/cfg-showcase
Let’s talk about CFI: Microsoft Edition [-]
https://blog.trailofbits.com/2016/12/27/lets-talk-about-cfi-microsoft-edition/
Let’s talk about CFI: clang edition [-]
https://blog.trailofbits.com/2016/10/17/lets-talk-about-cfi-clang-edition/
Documenting the Undocumented - Adding CFG Exceptions [-]
https://www.fortinet.com/blog/threat-research/documenting-the-undocumented-adding-cfg-exceptions

Code/Process Injection Techniques

Masking Malicious Memory Artifacts – Part I: Phantom DLL Hollowing
https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing
Ten process injection techniques: A technical survey of common and trending process injection techniques
https://www.elastic.co/cn/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
Malicious Application Compatibility Shims
https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf
Plata o plomo code injections/execution tricks
https://www.hexacorn.com/blog/2019/05/26/plata-o-plomo-code-injections-execution-tricks/
Weaponizing Mapping Injection with Instrumentation Callback for stealthier process injection
https://splintercod3.blogspot.com/p/weaponizing-mapping-injection-with.html
sRDI – Shellcode Reflective DLL Injection
https://www.netspi.com/blog/technical/adversary-simulation/srdi-shellcode-reflective-dll-injection/
An Improved Reflective DLL Injection Technique (Passing arguments to injected dlls, Shadow Space)
https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html
Windows DLL Injection Basics
http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
A More Complete DLL Injection Solution Using CreateRemoteThread (Inject a DLL implemented with Microsoft standard)
https://www.codeproject.com/Articles/20084/A-More-Complete-DLL-Injection-Solution-Using-Creat
Injecting Code into Windows Protected Processes using COM - Part 1 (COM, PPL)
https://googleprojectzero.blogspot.com/2018/10/injecting-code-into-windows-protected.html
Reflective DLL Injection In C++
https://depthsecurity.com/blog/reflective-dll-injection-in-c
SeasideBishop: A C port of the UrbanBishop shellcode injector
https://www.solomonsklash.io/seaside-bishop.html
Process Injection Part 1: The Theory
https://secarma.com/process-injection-part-1-the-theory/
Process Injection Part 2: Modern Process Injection
https://secarma.com/process-injection-part-2-modern-process-injection/
NO ALLOC, NO PROBLEM: LEVERAGING PROGRAM ENTRY POINTS FOR PROCESS INJECTION
https://bohops.com/2023/06/09/no-alloc-no-problem-leveraging-program-entry-points-for-process-injection/
From Process Injection to Function Hijacking [-]
https://klezvirus.github.io/RedTeaming/AV_Evasion/FromInjectionToHijacking/
Code injection via return-oriented programming [-]
https://www.virusbulletin.com/virusbulletin/2012/10/code-injection-return-oriented-programming
Three Ways to Inject Your Code into Another Process [-]
https://www.codeproject.com/Articles/4610/Three-Ways-to-Inject-Your-Code-into-Another-Proces
Process Injection Techniques - Gotta Catch Them All [-]
https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Itzik-Kotler-Amit-Klein-Gotta-Catch-Them-All.pdf
What Malware Authors Don't Want You to Know - Evasive Hollow Process Injection
https://www.blackhat.com/docs/asia-17/materials/asia-17-KA-What-Malware-Authors-Don't-Want-You-To-Know-Evasive-Hollow-Process-Injection-wp.pdf
Needles Without The Thread: Threadless Process Injection - Ceri Coburn
https://www.youtube.com/watch?v=z8GIjk0rfbI
Using SetWindowsHookEx for DLL injection on windows
https://resources.infosecinstitute.com/topic/using-setwindowshookex-for-dll-injection-on-windows/
Sharing is Caring: Abusing Shared Sections for Code Injection
https://billdemirkapi.me/sharing-is-caring-abusing-shared-sections-for-code-injection/
Abusing Exceptions for Code Execution, Part 1
https://billdemirkapi.me/exception-oriented-programming-abusing-exceptions-for-code-execution-part-1/
Abusing Windows’ Implementation of Fork() for Stealthy Memory Operations
https://billdemirkapi.me/abusing-windows-implementation-of-fork-for-stealthy-memory-operations/
Talking to, and handling (edit) boxes
https://www.hexacorn.com/blog/2019/06/28/talking-to-and-handling-edit-boxes/
Process Doppelgänging meets Process Hollowing in Osiris dropper
https://www.malwarebytes.com/blog/news/2018/08/process-doppelganging-meets-process-hollowing_osiris
Process Herpaderping Technical Deep Dive
https://github.com/jxy-s/herpaderping/blob/main/res/DivingDeeper.md
DLL Notification Injection
https://shorsec.io/blog/dll-notification-injection/
https://modexp.wordpress.com/2020/08/06/windows-data-structures-and-callbacks-part-1/
https://github.com/rad9800/misc/blob/main/bypasses/UnregisterAllLdrRegisterDllNotification.c
https://github.com/zha0gongz1/CodeWork/blob/main/ReadTeam/1.BypassAV/DllNotificationInjectProcDemo/DllNotificationInjectProcDemo/DllNotificationInjectProcDemo.cpp
https://github.com/Idov31/Cronos/blob/master/src/Utils.c
https://github.com/ShorSec/DllNotificationInjection
https://doxygen.reactos.org/d1/d97/ldrtypes_8h_source.html#l00216
https://code.cat.casa/Intravision/reactos/src/commit/f1b2f4093d97345f4d4d0a4a2e1b4837cf4d2333/dll/ntdll/nt_0600/ldr/ldrnotify.c
Using Reflective DLL Injection to exploit IE Elevation Policies
https://www.rapid7.com/blog/post/2015/08/28/using-reflective-dll-injection-to-exploit-ie-elevation-policies/
https://www.blackhat.com/docs/asia-14/materials/Yason/WP-Asia-14-Yason-Diving-Into-IE10s-Enhanced-Protected-Mode-Sandbox.pdf

Stack Spoofing

Thread Stack Spoofing [-]
https://guidedhacking.com/threads/in-memory-evasion-technique-thread-stack-spoofing.18500/
Hardware Callstack [-]
https://www.coresecurity.com/blog/hardware-call-stack
Stack Spoofing: A New Threat to Security Products [-]
https://akbu.medium.com/stack-spoofing-a-new-threat-to-security-products-1eb1ccf0e2ae
Behind the Mask: Spoofing Call Stacks Dynamically with Timers [-]
https://www.cobaltstrike.com/blog/behind-the-mask-spoofing-call-stacks-dynamically-with-timers/
Spoofing Call Stacks To Confuse EDRs [-]
https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs
ThreadStackSpoofer v0.2 releases: advanced in-memory evasion technique [-]
https://securityonline.info/thread-stack-spoofing-advanced-in-memory-evasion-technique/

PP / PPL / LSASS / LSA

The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1
https://www.alex-ionescu.com/the-evolution-of-protected-processes-pass-the-hash-mitigations-in-windows-8-1/
The Evolution of Protected Processes Part 2: Exploit/Jailbreak Mitigations, Unkillable Processes and Protected Services
https://www.alex-ionescu.com/wip-draft-the-evolution-of-protected-processes-part-2-exploitjailbreak-mitigations-unkillable-processes-and-protected-services/
Protected Processes Part 3 : Windows PKI Internals (Signing Levels, Scenarios, Root Keys, EKUs & Runtime Signers)
https://www.alex-ionescu.com/146/
LSASS dumping in 2021/2022 - from memory - without C2
https://s3cur3th1ssh1t.github.io/Reflective-Dump-Tools/
Bypassing LSA Protection in Userland
https://blog.scrt.ch/2021/04/22/bypassing-lsa-protection-in-userland/
Do You Really Know About LSA Protection (RunAsPPL)?
https://itm4n.github.io/lsass-runasppl/
Duping AV with handles
https://skelsec.medium.com/duping-av-with-handles-537ef985eb03
https://github.com/ufrisk/MemProcFS
Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege
https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html
The End of PPLdump
https://itm4n.github.io/the-end-of-ppldump/
BYPASSING WINDOWS DEFENDER AND PPL PROTECTION WITH PPLBLADE TO DUMP LSASS WITHOUT DETECTION
https://tacticaladversary.io/adversary-tactics/bypass-defender-and-ppl-protection-to-dump-lsass/

Direct Syscalls

Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams (Look into the Reference part at the end)
https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
Hell’s Gate
https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf
Halo's Gate
https://blog.sektor7.net/#!res/2021/halosgate.md
Tartarus Gate
https://github.com/trickster0/TartarusGate
Direct Syscalls: A journey from high to low
https://redops.at/en/blog/direct-syscalls-a-journey-from-high-to-low
SysWhispers is dead, long live SysWhispers! (Egg-Hunter, Problematic syscall from not within ntdll.dll - Nirvana to the rescue, syscall-detect.dll, syscall called within another syscall, Kernel Tracing)
https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/
Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
Tools that make syscalls from NTDLL.DLL
https://github.com/crummie5/FreshyCalls
Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs
https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs

Indirect Syscalls

Hiding In PlainSight - Indirect Syscall is Dead! Long Live Custom Call Stacks
https://0xdarkvortex.dev/hiding-in-plainsight/
Hiding In PlainSight - Proxying DLL Loads To Hide From ETWTI Stack Tracing
https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/

Kernel

Exploiting a “Simple” Vulnerability – In 35 Easy Steps or Less! [-]
https://windows-internals.com/exploiting-a-simple-vulnerability-in-35-easy-steps-or-less/

Kernel Callbacks

X86-64 Instruction Encoding
https://wiki.osdev.org/X86-64_Instruction_Encoding
Mimidrv In Depth: Exploring Mimikatz’s Kernel Driver
https://medium.com/@matterpreter/mimidrv-in-depth-4d273d19e148#:~:text=operation%20has%20completed.-,Mimidrv,-first%20searches%20for
Reversing Windows Internals (Part 1) - Digging Into Handles, Callbacks & ObjectTypes
https://rayanfam.com/topics/reversing-windows-internals-part1/
ObRegisterCallbacks and countermeasures
https://www.unknowncheats.me/forum/anti-cheat-bypass/148364-obregistercallbacks-and-countermeasures.html
Windows Anti-Debug techniques - OpenProcess filtering
https://blog.xpnsec.com/anti-debug-openprocess/
Understanding Telemetry: Kernel Callbacks
https://jsecurity101.medium.com/understanding-telemetry-kernel-callbacks-1a97cfcb8fb3
Removing Process Creation Kernel Callbacks
https://medium.com/@VL1729_JustAT3ch/removing-process-creation-kernel-callbacks-c5636f5c849f
A Light on Windows 10's "OBJECT_HEADER->TypeIndex"
https://medium.com/@ashabdalhalim/a-light-on-windows-10s-object-header-typeindex-value-e8f907e7073a
Implementing SysCall Detection into Fennec
https://pre.empt.blog/2022/implementing-syscall-detection-into-fennec
Detecting Manual Syscalls from User Mode
https://winternl.com/detecting-manual-syscalls-from-user-mode/
https://github.com/jackullrich/syscall-detect
A catalog of NTDLL kernel mode to user mode callbacks, part 1: Overview
http://www.nynaeve.net/?p=200
Understanding Telemetry: Kernel Callbacks
https://posts.specterops.io/understanding-telemetry-kernel-callbacks-1a97cfcb8fb3
https://www.youtube.com/watch?v=PPCaZRuzQDM
https://github.com/jsecurity101/TelemetrySource
https://github.com/jaredcatkinson/MalwareMorphology
https://www.youtube.com/watch?v=KTAeUjDBW3s
https://github.com/jsecurity101/TelemetrySource
Subscribing to Process Creation, Thread Creation and Image Load Notifications from a Kernel Driver
https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/subscribing-to-process-creation-thread-creation-and-image-load-notifications-from-a-kernel-driver

ETW

Uncovering Windows Events
https://posts.specterops.io/uncovering-windows-events-b4b9db7eac54
Tampering with Windows Event Tracing: Background, Offense, and Defense
https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
Data Source Analysis and Dynamic Windows RE using WPP and TraceLogging
https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7
Introduction to Threat Intelligence ETW
https://undev.ninja/introduction-to-threat-intelligence-etw/
ETW: Event Tracing for Windows 101
https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101
Uncovering Windows Events
https://jsecurity101.medium.com/uncovering-windows-events-b4b9db7eac54
Hiding Your .NET – ETW
https://www.mdsec.co.uk/2020/03/hiding-your-net-etw/
Design issues of modern EDRs: bypassing ETW-based solutions
https://www.binarly.io/posts/Design_issues_of_modern_EDRs_bypassing_ETW-based_solutions/index.html

Anti-Analysis & Anti-Debugging

Memory Obfuscation and Hiding
https://lospi.net/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html
https://www.arashparsa.com/bypassing-pesieve-and-moneta-the-easiest-way-i-could-find/#mone
https://github.com/JLospinoso/gargoyle
https://github.com/waldo-irc/YouMayPasser
https://github.com/SecIdiot/FOLIAGE
https://github.com/janoglezcampos/DeathSleep
https://github.com/Cracked5pider/Ekko
GuLoader’s Anti-Analysis Techniques (#1 — VM Detection 1 — Memory Scan)
https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195
Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malware Scenario
https://www.lasca.ic.unicamp.br/paulo/papers/2017-SBSeg-marcus.botacin-anti.anti.analysis.evasive.malware.pdf
Anti-Analysis Techniques
https://www.oic-cert.org/en/download/Anti-Analysis%20techniques%20(OIC%20Talk).pdf
Bypassing Qakbot Anti-Analysis
https://lab52.io/blog/bypassing-qakbot-anti-analysis-tactics/
PEB-Process-Environment-Block/NtGlobalFlag
https://www.aldeid.com/wiki/PEB-Process-Environment-Block/NtGlobalFlag
Github Repose Related to Anti-analysis Topic
https://github.com/topics/anti-analysis
Obfuscation Resources:
https://github.com/HikariObfuscator/Hikari/
https://medium.com/@polarply/build-your-first-llvm-obfuscator-80d16583392b
http://www.babush.me/dumbo-llvm-based-dumb-obfuscator.html
https://github.com/emc2314/YANSOllvm
https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion/
https://blog.scrt.ch/2020/07/15/engineering-antivirus-evasion-part-ii/

Anti-Anti-debugging

Windows x64 System Service Hooks and Advanced Debugging (Hook system services in a less invasive way - manual system call, anti-debugging, function table, EPROCESS, KPROCESS, InstrumentationCallback, NtSetInformationProcess, r10, Dr7)
https://www.codeproject.com/Articles/543542/Windows-x64-system-service-hooks-and-advanced-debu

Entropy Reduction:

Threat Hunting with File Entropy
https://practicalsecurityanalytics.com/file-entropy/

PIPE, COM, WMI

WMI Internals Part 1
https://jsecurity101.medium.com/wmi-internals-part-1-41bb97e7f5eb
WMI Internals Part 2
https://jsecurity101.medium.com/wmi-internals-part-2-522f3e97709a
Dancing with COM - Deep dive into understanding Component Object Model
https://www.youtube.com/watch?v=8tjrFm2K30Q
The Component Object Model
https://learn.microsoft.com/en-us/windows/win32/com/the-component-object-model
Intercepting and Instrumenting COM Applications [-]
https://www.usenix.org/legacy/events/coots99/full_papers/hunt/hunt.pdf
Abusing COM & DCOM objects [-]
https://iotsecuritynews.com/abusing-com-dcom-objects/
COM in plain C [-]
https://www.codeproject.com/Articles/13601/COM-in-plain-C
Playing around COM objects - PART 1
https://mohamed-fakroud.gitbook.io/red-teamings-dojo/windows-internals/playing-around-com-objects-part-1
Lateral Movement using DCOM Objects - How to do it the right way? [-]
https://www.scorpiones.io/articles/lateral-movement-using-dcom-objects
Abusing COM objects [-]
https://0xpat.github.io/Abusing_COM_Objects/
New lateral movement techniques abuse DCOM technology [-]
https://www.cybereason.com/blog/dcom-lateral-movement-techniques
LATERAL MOVEMENT VIA DCOM: ROUND 2 [-]
https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
ABUSING EXPORTED FUNCTIONS AND EXPOSED DCOM INTERFACES FOR PASS-THRU COMMAND EXECUTION AND LATERAL MOVEMENT [-]
https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
https://github.com/ionescu007/hazmat5/blob/main/rundown.idl
https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/main/NtApiDotNet/Ndr
Abusing COM & DCOM objects [-]
https://dl.packetstormsecurity.net/papers/general/abusing-objects.pdf
Process Injection via Component Object Model (COM) IRundown::DoCallback()
https://samples.vx-underground.org/root/Papers/Windows/Process%20Injection/2022-05-05%20-%20Process%20Injection%20via%20Component%20Object%20Model%20(COM)%20IRundown-DoCallback().pdf
Part I: The Fundamentals of Windows Named Pipes
https://versprite.com/vs-labs/microsoft-windows-pipes-intro/
Part II: Analysis of a Vulnerable Microsoft Windows Named Pipe Application
https://versprite.com/vs-labs/vulnerable-named-pipe-application/
Hosting the CLR the Right Way
https://www.mode19.net/posts/clrhostingright/
Call a C# Method from C/C++ (native process)
https://codingvision.net/calling-a-c-method-from-c-c-native-process
clr_via_native.c
https://gist.github.com/xpn/e95a62c6afcf06ede52568fcd8187cc2

Coding

Linked lists
https://www.learn-c.org/en/Linked_lists
Merge Sort Algorithm
https://github.com/Leyxargon/c-linked-list
Stack alignment when mixing assembly and C code
https://www.isabekov.pro/stack-alignment-when-mixing-asm-and-c-code/
Windows x64 Shellcode Development
https://www.bordergate.co.uk/windows-x64-shellcode-development/
A noinline inline function? What sorcery is this?
https://devblogs.microsoft.com/oldnewthing/20200521-00/?p=103777
Enumerating opened handles from a process
https://blez.wordpress.com/2012/09/17/enumerating-opened-handles-from-a-process/

Misc (Hooking, Debugging and Stuff)

Closing "Heaven’s Gate" Brief Overview of WoW64
https://www.alex-ionescu.com/closing-heavens-gate/
Last branch records and branch tracing
https://www.codeproject.com/Articles/517466/Last-branch-records-and-branch-tracing
Hooking Heaven’s Gate — a WOW64 hooking technique
https://medium.com/@fsx30/hooking-heavens-gate-a-wow64-hooking-technique-5235e1aeed73
Knockin’ on Heaven’s Gate – Dynamic Processor Mode Switching
http://rce.co/knockin-on-heavens-gate-dynamic-processor-mode-switching/
WoW64 and So Can You - Bypassing EMET With a Single Instruction
https://duo.com/assets/pdf/wow-64-and-so-can-you.pdf
Code obFU(N)scation mixing 32 and 64 bit mode instructions
http://scrammed.blogspot.com/2014/10/code-obfunscation-mixing-32-and-64-bit.html
Red Team Tactics: Active Directory Recon using ADSI and Reflective DLLs
https://outflank.nl/blog/2019/10/20/red-team-tactics-active-directory-recon-using-adsi-and-reflective-dlls/
Experimenting with Protected Processes and Threat-Intelligence (ELAM, PPL, Kernel Driver Programming, Driver Singing, ETW Event Logs)
https://blog.tofile.dev/2020/12/16/elam.html
Protected Processes Part 3: Windows PKI Internals (Signing Levels, Scenarios, Signers, Root Keys, EKUs & Runtime Signers)
https://www.crowdstrike.com/blog/protected-processes-part-3-windows-pki-internals-signing-levels-scenarios-signers-root-keys/
Hooking via InstrumentationCallback
https://secrary.com/Random/InstrumentationCallback/
'Hooking Nirvana" by Alex Ionescu at REcon 2015
https://www.youtube.com/watch?v=bqU0y4FzvT0
KUSER_SHARED_DATA
https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/ntexapi_x/kuser_shared_data/index.htm
Challenges of Debugging Optimized x64 Code
https://learn.microsoft.com/en-us/archive/blogs/ntdebugging/challenges-of-debugging-optimized-x64-code
The path to code execution in the era of EDR, Next-Gen AVs, and AMSI
https://klezvirus.github.io/RedTeaming/AV_Evasion/CodeExeNewDotNet/
Shadow Space
https://stackoverflow.com/questions/30190132/what-is-the-shadow-space-in-x64-assembly
Pin a Binary
https://www.intel.com/content/www/us/en/developer/articles/tool/pin-a-binary-instrumentation-tool-downloads.html
Vectored Exception Handling, Hooking Via Forced Exception
https://medium.com/@fsx30/vectored-exception-handling-hooking-via-forced-exception-f888754549c6
Writing Optimized Windows Shellcode in C
https://phasetw0.com/malware/writing-optimized-windows-shellcode-in-c/
The original version of the previous article (save it!!!)
https://web.archive.org/web/20210305190309/http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html
Writing Shellcode with a C Compiler
https://nickharbour.wordpress.com/2010/07/01/writing-shellcode-with-a-c-compiler/
Shellcode: In-Memory Execution of JavaScript, VBScript, JScript and XSL
https://modexp.wordpress.com/2019/07/21/inmem-exec-script/
Windows 10 1809 kernel sensors
http://redplait.blogspot.com/2019/03/windows-10-1809-kernel-sensors.html
Hunting In Memory
https://www.elastic.co/security-labs/hunting-memory
APC Series: User APC Internals
https://repnz.github.io/posts/apc/kernel-user-apc-api/
The Definitive Guide on Win32 to NT Path Conversion
https://googleprojectzero.blogspot.com/2016/02/the-definitive-guide-on-win32-to-nt.html
Get-InjectedThreadEx – Detecting Thread Creation Trampolines
https://www.elastic.co/security-labs/get-injectedthreadex-detection-thread-creation-trampolines
Detecting Cobalt Strike with memory signatures
https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
Defenders Think in Graphs Too! Part 1
https://posts.specterops.io/defenders-think-in-graphs-too-part-1-572524c71e91
Defenders Think in Graphs Too! Part 2
https://posts.specterops.io/defenders-think-in-graphs-too-part-2-b1fd751525d1
Detect (and possibly block) WriteProcessMemory calls
https://community.osr.com/discussion/280745/detect-and-possibly-block-writeprocessmemory-calls
Old Things New
https://devblogs.microsoft.com/oldnewthing/author/oldnewthing
EDR Observations
https://signal-labs.com/edr-observations/
Hooking the native API and controlling process creation on a system-wide basis [-]
https://www.codeproject.com/Articles/11985/Hooking-the-native-API-and-controlling-process-cre
Exported functions that are really forwarders
https://devblogs.microsoft.com/oldnewthing/20060719-24/?p=30473
Rethinking the way DLL exports are resolved for 32-bit Windows
https://devblogs.microsoft.com/oldnewthing/20060720-20/?p=30453
Reverse Engineering 0x4 Fun
https://rce4fun.blogspot.com/2019/03/examining-user-mode-apc-injection.html
Why .shared sections are a security hole
https://devblogs.microsoft.com/oldnewthing/20040804-00/?p=38253
Tracing C function "fopen" [Part1] - IDA Free User-Mode Walk-Through tracing to NTApi
https://www.youtube.com/watch?v=1HZCg1gVPpw
Tracing C function fopen [Part2] - Windbg Kernel Debugging - Walk-Through User-Mode to Kernel ES
https://www.youtube.com/watch?v=8oaEAPC84gc
Grabbing Kernel Thread Call Stacks the Process Explorer Way – Part 1
http://blog.airesoft.co.uk/2009/02/grabbing-kernel-thread-contexts-the-process-explorer-way/
Understanding the Function Call Stack
https://posts.specterops.io/understanding-the-function-call-stack-f08b5341efa4
The API Set Schema
https://www.geoffchappell.com/studies/windows/win32/apisetschema/index.htm
Windows API sets
https://learn.microsoft.com/en-us/windows/win32/apiindex/windows-apisets?redirectedfrom=MSDN
PART 1: How I Met Your Beacon – Overview
https://www.mdsec.co.uk/2022/07/part-1-how-i-met-your-beacon-overview/
PART 2: How I Met Your Beacon – Cobalt Strike
https://www.mdsec.co.uk/2022/07/part-2-how-i-met-your-beacon-cobalt-strike/
Beyond good ol’ Run key, Part 87
https://www.hexacorn.com/blog/2018/09/04/beyond-good-ol-run-key-part-87/
Delegated NT DLL
https://modexp.wordpress.com/2024/02/13/delegated-nt-dll/
DelegatedNtdll
https://redplait.blogspot.com/2017/07/delegatedntdll.html

ASM

Inline Assembly
https://blog.malicious.group/inline-assembly/
Writing your own RDI /sRDI loader using C and ASM
https://blog.malicious.group/writing-your-own-rdi-srdi-loader-using-c-and-asm/
Instrinsics
https://learn.microsoft.com/en-us/cpp/intrinsics/compiler-intrinsics?view=msvc-170&ref=blog.malicious.group
Learning Assembly (TASM)
http://www.petesqbsite.com/sections/tutorials/tuts/doorknob/asm_tutorial1.html
Converting x86 assembly from masm to nasm
https://left404.com/2011/01/04/converting-x86-assembly-from-masm-to-nasm-3/#:~:text=Masm%2C%20the%20Microsoft%20assembler%2C%20is,Intel%20syntax%20that%20masm%20does.
Example Code - https://left404.com/2011/01/05/masm-to-nasm-assembly-conversion-example/

PE File Format:

Kernel Debugging

Debug Windows drivers step-by-step lab (echo kernel mode)
https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/debug-universal-drivers---step-by-step-lab--echo-kernel-mode-
Get started with WinDbg (kernel-mode)
https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg--kernel-mode-
Activating the debugger as soon as the desired process launches its first thread
https://vimalshekar.github.io/walkthroughs/Activating-Windbg-on-process-launch

Windows Internals

Genesis - The Birth Of A Windows Process Part 1 - 2 [-]
https://fourcore.io/blogs/how-a-windows-process-is-created-part-1
Activation Contexts — A Love Story [-]
https://medium.com/philip-tsukerman/activation-contexts-a-love-story-5f57f82bccd
Running programs using RtlCreateUserProcess only works occasionally
https://stackoverflow.com/questions/69599435/running-programs-using-rtlcreateuserprocess-only-works-occasionally
Using the Activation Context API
https://learn.microsoft.com/en-us/windows/win32/sbscs/using-the-activation-context-api
Processes, Threads, and Jobs in the Windows Operating System [-]
https://www.microsoftpressstore.com/articles/article.aspx?p=2233328&seqNum=3

Token / Impersonation Stuff

What’s in a Token (Part 2): Impersonation
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/what-8217-s-in-a-token-part-2-impersonation/ba-p/395015
Understanding and Abusing Process Tokens — Part II
https://securitytimes.medium.com/understanding-and-abusing-access-tokens-part-ii-b9069f432962

Heap

What a Heap of ... (Part One)
https://techcommunity.microsoft.com/t5/ask-the-performance-team/what-a-heap-of-part-one/ba-p/372424#:~:text=Heap%20is%20an%20area%20of,heap%20is%201MB%20in%20size.

Mal API

17JAN2017 - Abusing native Windows functions for shellcode execution
http://ropgadget.com/posts/abusing_win_functions.html

Tools:

Microsoft Documentations

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment