# Recommended Read / Watch:
* https://www.vx-underground.org/archive.html
* https://www.vx-underground.org/windows.html
* https://doxygen.reactos.org/index.html
* https://modexp.wordpress.com/
* https://klezvirus.github.io/
* https://zerosum0x0.blogspot.com/
* https://www.binarly.io/posts/index.html
* https://0xdarkvortex.dev/blogs/
* https://cocomelonc.github.io/
* https://pre.empt.blog/
* https://www.x86matthew.com/
* https://github.com/rapid7/metasploit-payloads/tree/master/c/meterpreter
* https://www.youtube.com/@OALABS

# Books
* Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection
* Windows Native API Programming <br/>https://leanpub.com/windowsnativeapiprogramming

# Tutorial Series
* AV/EDR Evasion | Malware Development Part 1 - 4 <br/>https://medium.com/@0xHossam/av-edr-evasion-malware-development-933e50f47af5
* Malware development part 1 - N <br/>https://0xpat.github.io/Malware_development_part_1/

# X-Bypassing:
* Bypassing Image Load Kernel Callbacks <br/>https://www.mdsec.co.uk/2021/06/bypassing-image-load-kernel-callbacks/
* Shhmon — Silencing Sysmon via Driver Unload (Sysmon Evasion, MiniFilter Driver Loading/Unloading, Sysmon Events) <br/>https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650
* FireWalker: A New Approach to Generically Bypass User-Space EDR Hooking <br/>https://www.mdsec.co.uk/2020/08/firewalker-a-new-approach-to-generically-bypass-user-space-edr-hooking/
* Silencing Cylance: A Case Study in Modern EDRs (Various in-memory techniques to bypass Cylance, IMAGE_DEBUG_DIRECTORY PowerShell PDB info, Office macro) <br/>https://www.mdsec.co.uk/2019/03/silencing-cylance-a-case-study-in-modern-edrs/
* The dying knight in the shiny armour (Bypass Windows Defender by redirecting an NT symbolic link and driver sideloading) <br/>https://aptw.tf/2021/08/21/killing-defender.html
* Bypass EDR’s memory protection, introduction to hooking <br/>https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
* Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs <br/>https://www.ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis
* Adventures in Dynamic Evasion <br/>https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa
* Bypassing Cortex XDR <br/>https://mrd0x.com/cortex-xdr-analysis-and-bypass/
* Lets Create An EDR… And Bypass It! Part 1 <br/>https://ethicalchaos.dev/2020/05/27/lets-create-an-edr-and-bypass-it-part-1/
* Lets Create An EDR… And Bypass It! Part 2 <br/>https://ethicalchaos.dev/2020/06/14/lets-create-an-edr-and-bypass-it-part-2/
* Bypassing VirtualBox Process Hardening on Windows <br/>https://googleprojectzero.blogspot.com/2017/08/bypassing-virtualbox-process-hardening.html
* AVOIDING GET-INJECTEDTHREAD FOR INTERNAL THREAD CREATION (\_beginthread, \_beginthreadex) <br/>https://www.trustedsec.com/blog/avoiding-get-injectedthread-for-internal-thread-creation/
* Understanding and Evading Get-InjectedThread <br/>https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/
* In-Memory Disassembly for EDR/AV Unhooking <br/>https://signal-labs.com/analysis-of-edr-hooks-bypasses-amp-our-rust-sample/
* Bypass AMSI in local process hooking NtCreateSection <br/>https://waawaa.github.io/es/amsi_bypass-hooking-NtCreateSection/
* Your BOFs Are gross, Put on a Mask: How to Hide Beacon During BOF Execution <br/>https://securityintelligence.com/posts/how-to-hide-beacon-during-bof-execution/
* Evading WinDefender ATP credential-theft: kernel version <br/>https://b4rtik.github.io/posts/evading-windefender-atp-credential-theft-kernel-version/
* Bypassing Windows Defender Runtime Scanning <br/>https://labs.withsecure.com/publications/bypassing-windows-defender-runtime-scanning
* Abusing SharedUserData For Defense Evasion and Exploitation <br/>https://www.legacyy.xyz/defenseevasion/windows/2022/07/04/abusing-shareduserdata-for-defense-evasion-and-exploitation.html
* Detecting and Evading Sandboxing through Time based evasion <br/>https://shubakki.github.io/posts/2022/12/detecting-and-evading-sandboxing-through-time-based-evasion/
* Evasion techniques <br/>https://evasions.checkpoint.com/
* What you need to know about Process Ghosting, a new executable image tampering attack <br/>https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack
* Repos for various sandbox bypassing techniques <br/>https://github.com/Arvanaghi/CheckPlease/tree/master/C <br/>https://github.com/LordNoteworthy/al-khaser <br/>https://github.com/a0rtega/pafish <br/>https://github.com/CheckPointSW/InviZzzible <br/>https://github.com/hfiref0x/VBoxHardenedLoader
* Protecting Your Malware with blockdlls and ACG <br/>https://blog.xpnsec.com/protecting-your-malware/
* Abusing Delay Load DLLs for Remote Code Injection <br/>https://samples.vx-underground.org/root/Papers/Windows/Process%20Injection/2017-09-19%20-%20Abusing%20Delay%20Load%20DLLs%20for%20Remote%20Code%20Injection.pdf
* BYPASSING MICROSOFT DEFENDER FOR ENDPOINT IN RED TEAMING ASSESSMENTS <br/>https://www.securify.nl/en/blog/bypassing-microsoft-defender-for-endpoint-in-red-teaming-assessments/

# CLR
* Mixed Assemblies - Crafting Flexible C++ Reflective Stagers for .NET Assemblies <br/>https://thewover.github.io/Mixed-Assemblies/
* Writing a Native C++ Application to Consume a .NET Assembly <br/>https://www.codeproject.com/Articles/35010/Writing-a-Native-C-Application-to-Consume-a-NET-As
* Double Thunking (C++) <br/>https://learn.microsoft.com/en-us/cpp/dotnet/double-thunking-cpp?view=msvc-170&viewFallbackFrom=vs-2019

# CFG / CFI
* Back To The Epilogue: Evading Control Flow Guard via Unaligned Targets [-] <br/>https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_05A-3_Biondo_paper.pdf
* BYPASS CONTROL FLOW GUARD COMPREHENSIVELY [-] <br/>https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf
* Control Flow Guard Improvements in Windows 10 Anniversary Update [-] <br/>https://web.archive.org/web/20161031134827/http://blog.trendmicro.com/trendlabs-security-intelligence/control-flow-guard-improvements-windows-10-anniversary-update/
* CFG Showcase <br/>https://github.com/trailofbits/cfg-showcase
* Let’s talk about CFI: Microsoft Edition [-] <br/>https://blog.trailofbits.com/2016/12/27/lets-talk-about-cfi-microsoft-edition/
* Let’s talk about CFI: clang edition [-] <br/>https://blog.trailofbits.com/2016/10/17/lets-talk-about-cfi-clang-edition/
* Documenting the Undocumented - Adding CFG Exceptions [-] <br/>https://www.fortinet.com/blog/threat-research/documenting-the-undocumented-adding-cfg-exceptions

# Code/Process Injection Techniques:
* Ten process injection techniques: A technical survey of common and trending process injection techniques <br/>https://www.elastic.co/cn/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
* Malicious Application Compatibility Shims <br/>https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf
* Plata o plomo code injections/execution tricks <br/>https://www.hexacorn.com/blog/2019/05/26/plata-o-plomo-code-injections-execution-tricks/
* Weaponizing Mapping Injection with Instrumentation Callback for stealthier process injection <br/>https://splintercod3.blogspot.com/p/weaponizing-mapping-injection-with.html
* sRDI – Shellcode Reflective DLL Injection <br/>https://www.netspi.com/blog/technical/adversary-simulation/srdi-shellcode-reflective-dll-injection/
* An Improved Reflective DLL Injection Technique (Passing arguments to injected DLLs, Shadow Space) <br/>https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html
* Windows DLL Injection Basics <br/>http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
* A More Complete DLL Injection Solution Using CreateRemoteThread (Inject a DLL implemented with Microsoft standard) <br/>https://www.codeproject.com/Articles/20084/A-More-Complete-DLL-Injection-Solution-Using-Creat
* Injecting Code into Windows Protected Processes using COM - Part 1 (COM, PPL) <br/>https://googleprojectzero.blogspot.com/2018/10/injecting-code-into-windows-protected.html
* Reflective DLL Injection In C++ <br/>https://depthsecurity.com/blog/reflective-dll-injection-in-c
* SeasideBishop: A C port of the UrbanBishop shellcode injector <br/>https://www.solomonsklash.io/seaside-bishop.html
* Process Injection Part 1: The Theory <br/>https://secarma.com/process-injection-part-1-the-theory/
* Process Injection Part 2: Modern Process Injection <br/>https://secarma.com/process-injection-part-2-modern-process-injection/
* NO ALLOC, NO PROBLEM: LEVERAGING PROGRAM ENTRY POINTS FOR PROCESS INJECTION <br/>https://bohops.com/2023/06/09/no-alloc-no-problem-leveraging-program-entry-points-for-process-injection/
* From Process Injection to Function Hijacking [-] <br/>https://klezvirus.github.io/RedTeaming/AV_Evasion/FromInjectionToHijacking/
* Code injection via return-oriented programming [-] <br/>https://www.virusbulletin.com/virusbulletin/2012/10/code-injection-return-oriented-programming
* Three Ways to Inject Your Code into Another Process [-] <br/>https://www.codeproject.com/Articles/4610/Three-Ways-to-Inject-Your-Code-into-Another-Proces
* Process Injection Techniques - Gotta Catch Them All [-] <br/>https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Itzik-Kotler-Amit-Klein-Gotta-Catch-Them-All.pdf
* What Malware Authors Don't Want You to Know - Evasive Hollow Process Injection <br/>https://www.blackhat.com/docs/asia-17/materials/asia-17-KA-What-Malware-Authors-Don't-Want-You-To-Know-Evasive-Hollow-Process-Injection-wp.pdf
* Needles Without The Thread: Threadless Process Injection - Ceri Coburn <br/>https://www.youtube.com/watch?v=z8GIjk0rfbI
* Using SetWindowsHookEx for DLL injection on Windows <br/>https://resources.infosecinstitute.com/topic/using-setwindowshookex-for-dll-injection-on-windows/
* Sharing is Caring: Abusing Shared Sections for Code Injection <br/>https://billdemirkapi.me/sharing-is-caring-abusing-shared-sections-for-code-injection/
* Abusing Exceptions for Code Execution, Part 1 <br/>https://billdemirkapi.me/exception-oriented-programming-abusing-exceptions-for-code-execution-part-1/
* Abusing Windows’ Implementation of Fork() for Stealthy Memory Operations <br/>https://billdemirkapi.me/abusing-windows-implementation-of-fork-for-stealthy-memory-operations/
* Talking to, and handling (edit) boxes <br/>https://www.hexacorn.com/blog/2019/06/28/talking-to-and-handling-edit-boxes/

# Stack Spoofing
* Thread Stack Spoofing [-] <br/>https://guidedhacking.com/threads/in-memory-evasion-technique-thread-stack-spoofing.18500/
* Hardware Callstack [-] <br/>https://www.coresecurity.com/blog/hardware-call-stack
* Stack Spoofing: A New Threat to Security Products [-] <br/>https://akbu.medium.com/stack-spoofing-a-new-threat-to-security-products-1eb1ccf0e2ae
* Behind the Mask: Spoofing Call Stacks Dynamically with Timers [-] <br/>https://www.cobaltstrike.com/blog/behind-the-mask-spoofing-call-stacks-dynamically-with-timers/
* Spoofing Call Stacks To Confuse EDRs [-] <br/>https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs
* ThreadStackSpoofer v0.2 releases: advanced in-memory evasion technique [-] <br/>https://securityonline.info/thread-stack-spoofing-advanced-in-memory-evasion-technique/

# PPL
* The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1 <br/>https://www.alex-ionescu.com/the-evolution-of-protected-processes-pass-the-hash-mitigations-in-windows-8-1/
* The Evolution of Protected Processes Part 2: Exploit/Jailbreak Mitigations, Unkillable Processes and Protected Services <br/>https://www.alex-ionescu.com/wip-draft-the-evolution-of-protected-processes-part-2-exploitjailbreak-mitigations-unkillable-processes-and-protected-services/
* Protected Processes Part 3: Windows PKI Internals (Signing Levels, Scenarios, Root Keys, EKUs & Runtime Signers) <br/>https://www.alex-ionescu.com/146/

# Direct Syscalls:
* Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams (Look into the Reference part at the end) <br/>https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
* Hell’s Gate <br/>https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf
* Halo's Gate <br/>https://blog.sektor7.net/#!res/2021/halosgate.md
* Tartarus Gate <br/>https://github.com/trickster0/TartarusGate
* Direct Syscalls: A journey from high to low <br/>https://redops.at/en/blog/direct-syscalls-a-journey-from-high-to-low
* SysWhispers is dead, long live SysWhispers! (Egg-Hunter, Problematic syscall from not within ntdll.dll - Nirvana to the rescue, syscall-detect.dll, syscall called within another syscall, Kernel Tracing) <br/>https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/
* Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR <br/>https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
* Tools that make syscalls from NTDLL.DLL <br/>https://github.com/crummie5/FreshyCalls
* Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs <br/>https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs

# Indirect Syscalls
* Hiding In PlainSight - Indirect Syscall is Dead! Long Live Custom Call Stacks <br/>https://0xdarkvortex.dev/hiding-in-plainsight/
* Hiding In PlainSight - Proxying DLL Loads To Hide From ETWTI Stack Tracing <br/>https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/

# Kernel
* Exploiting a “Simple” Vulnerability – In 35 Easy Steps or Less! [-] <br/>https://windows-internals.com/exploiting-a-simple-vulnerability-in-35-easy-steps-or-less/

# Kernel Callbacks
* Implementing SysCall Detection into Fennec <br/>https://pre.empt.blog/2022/implementing-syscall-detection-into-fennec
* Detecting Manual Syscalls from User Mode <br/>https://winternl.com/detecting-manual-syscalls-from-user-mode/ <br/>https://github.com/jackullrich/syscall-detect
* A catalog of NTDLL kernel mode to user mode callbacks, part 1: Overview <br/>http://www.nynaeve.net/?p=200
* Understanding Telemetry: Kernel Callbacks <br/>https://posts.specterops.io/understanding-telemetry-kernel-callbacks-1a97cfcb8fb3
* https://www.youtube.com/watch?v=PPCaZRuzQDM
* https://github.com/jsecurity101/TelemetrySource
* https://github.com/jaredcatkinson/MalwareMorphology
* https://www.youtube.com/watch?v=KTAeUjDBW3s
* Subscribing to Process Creation, Thread Creation and Image Load Notifications from a Kernel Driver <br/>https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/subscribing-to-process-creation-thread-creation-and-image-load-notifications-from-a-kernel-driver

# ETW
* Uncovering Windows Events <br/>https://posts.specterops.io/uncovering-windows-events-b4b9db7eac54 <br/>https://jsecurity101.medium.com/uncovering-windows-events-b4b9db7eac54
* Tampering with Windows Event Tracing: Background, Offense, and Defense <br/>https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
* Data Source Analysis and Dynamic Windows RE using WPP and TraceLogging <br/>https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7
* Introduction to Threat Intelligence ETW <br/>https://undev.ninja/introduction-to-threat-intelligence-etw/
* ETW: Event Tracing for Windows 101 <br/>https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101
* Hiding Your .NET – ETW <br/>https://www.mdsec.co.uk/2020/03/hiding-your-net-etw/
* Design issues of modern EDRs: bypassing ETW-based solutions <br/>https://www.binarly.io/posts/Design_issues_of_modern_EDRs_bypassing_ETW-based_solutions/index.html

# Anti-Analysis & Anti-Debugging
* Memory Obfuscation and Hiding <br/>https://lospi.net/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html <br/>https://www.arashparsa.com/bypassing-pesieve-and-moneta-the-easiest-way-i-could-find/#mone <br/>https://github.com/JLospinoso/gargoyle <br/>https://github.com/waldo-irc/YouMayPasser <br/>https://github.com/SecIdiot/FOLIAGE <br/>https://github.com/janoglezcampos/DeathSleep <br/>https://github.com/Cracked5pider/Ekko
* GuLoader’s Anti-Analysis Techniques (#1 — VM Detection 1 — Memory Scan) <br/>https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195
* Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malware Scenario <br/>https://www.lasca.ic.unicamp.br/paulo/papers/2017-SBSeg-marcus.botacin-anti.anti.analysis.evasive.malware.pdf
* Anti-Analysis Techniques <br/>https://www.oic-cert.org/en/download/Anti-Analysis%20techniques%20(OIC%20Talk).pdf
* Bypassing Qakbot Anti-Analysis <br/>https://lab52.io/blog/bypassing-qakbot-anti-analysis-tactics/
* PEB-Process-Environment-Block/NtGlobalFlag <br/>https://www.aldeid.com/wiki/PEB-Process-Environment-Block/NtGlobalFlag
* GitHub repos related to the anti-analysis topic <br/>https://github.com/topics/anti-analysis
* Obfuscation Resources: <br/>https://github.com/HikariObfuscator/Hikari/ <br/>https://medium.com/@polarply/build-your-first-llvm-obfuscator-80d16583392b <br/>http://www.babush.me/dumbo-llvm-based-dumb-obfuscator.html <br/>https://github.com/emc2314/YANSOllvm <br/>https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion/ <br/>https://blog.scrt.ch/2020/07/15/engineering-antivirus-evasion-part-ii/

# Anti-Anti-debugging:
* Windows x64 System Service Hooks and Advanced Debugging (Hook system services in a less invasive way - manual system call, anti-debugging, function table, EPROCESS, KPROCESS, InstrumentationCallback, NtSetInformationProcess, r10, Dr7) <br/>https://www.codeproject.com/Articles/543542/Windows-x64-system-service-hooks-and-advanced-debu

# Entropy Reduction:
* Threat Hunting with File Entropy <br/>https://practicalsecurityanalytics.com/file-entropy/

# PIPE, COM, WMI
* Dancing with COM - Deep dive into understanding Component Object Model <br/>https://www.youtube.com/watch?v=8tjrFm2K30Q
* The Component Object Model <br/>https://learn.microsoft.com/en-us/windows/win32/com/the-component-object-model
* Intercepting and Instrumenting COM Applications [-] <br/>https://www.usenix.org/legacy/events/coots99/full_papers/hunt/hunt.pdf
* Abusing COM & DCOM objects [-] <br/>https://iotsecuritynews.com/abusing-com-dcom-objects/
* COM in plain C [-] <br/>https://www.codeproject.com/Articles/13601/COM-in-plain-C
* Playing around COM objects - PART 1 <br/>https://mohamed-fakroud.gitbook.io/red-teamings-dojo/windows-internals/playing-around-com-objects-part-1
* Lateral Movement using DCOM Objects - How to do it the right way? [-] <br/>https://www.scorpiones.io/articles/lateral-movement-using-dcom-objects
* Abusing COM objects [-] <br/>https://0xpat.github.io/Abusing_COM_Objects/
* New lateral movement techniques abuse DCOM technology [-] <br/>https://www.cybereason.com/blog/dcom-lateral-movement-techniques
* LATERAL MOVEMENT VIA DCOM: ROUND 2 [-] <br/>https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
* ABUSING EXPORTED FUNCTIONS AND EXPOSED DCOM INTERFACES FOR PASS-THRU COMMAND EXECUTION AND LATERAL MOVEMENT [-] <br/>https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
* https://github.com/ionescu007/hazmat5/blob/main/rundown.idl
* https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/main/NtApiDotNet/Ndr
* Abusing COM & DCOM objects [-] <br/>https://dl.packetstormsecurity.net/papers/general/abusing-objects.pdf
* Process Injection via Component Object Model (COM) IRundown::DoCallback() <br/>https://samples.vx-underground.org/root/Papers/Windows/Process%20Injection/2022-05-05%20-%20Process%20Injection%20via%20Component%20Object%20Model%20(COM)%20IRundown-DoCallback().pdf
* Part I: The Fundamentals of Windows Named Pipes <br/>https://versprite.com/vs-labs/microsoft-windows-pipes-intro/
* Part II: Analysis of a Vulnerable Microsoft Windows Named Pipe Application <br/>https://versprite.com/vs-labs/vulnerable-named-pipe-application/
* Hosting the CLR the Right Way <br/>https://www.mode19.net/posts/clrhostingright/
* Call a C# Method from C/C++ (native process) <br/>https://codingvision.net/calling-a-c-method-from-c-c-native-process
* clr_via_native.c <br/>https://gist.github.com/xpn/e95a62c6afcf06ede52568fcd8187cc2

# Coding
* Linked lists <br/>https://www.learn-c.org/en/Linked_lists
* Merge Sort Algorithm <br/>https://github.com/Leyxargon/c-linked-list
* Stack alignment when mixing assembly and C code <br/>https://www.isabekov.pro/stack-alignment-when-mixing-asm-and-c-code/
* Windows x64 Shellcode Development <br/>https://www.bordergate.co.uk/windows-x64-shellcode-development/
* A noinline inline function? What sorcery is this? <br/>https://devblogs.microsoft.com/oldnewthing/20200521-00/?p=103777

# Misc (Hooking, Debugging and Stuff):
* Closing "Heaven’s Gate" Brief Overview of WoW64 <br/>https://www.alex-ionescu.com/closing-heavens-gate/
* Last branch records and branch tracing <br/>https://www.codeproject.com/Articles/517466/Last-branch-records-and-branch-tracing
* Hooking Heaven’s Gate — a WOW64 hooking technique <br/>https://medium.com/@fsx30/hooking-heavens-gate-a-wow64-hooking-technique-5235e1aeed73
* Knockin’ on Heaven’s Gate – Dynamic Processor Mode Switching <br/>http://rce.co/knockin-on-heavens-gate-dynamic-processor-mode-switching/
* WoW64 and So Can You - Bypassing EMET With a Single Instruction <br/>https://duo.com/assets/pdf/wow-64-and-so-can-you.pdf
* Code obFU(N)scation mixing 32 and 64 bit mode instructions <br/>http://scrammed.blogspot.com/2014/10/code-obfunscation-mixing-32-and-64-bit.html
* Red Team Tactics: Active Directory Recon using ADSI and Reflective DLLs <br/>https://outflank.nl/blog/2019/10/20/red-team-tactics-active-directory-recon-using-adsi-and-reflective-dlls/
* Experimenting with Protected Processes and Threat-Intelligence (ELAM, PPL, Kernel Driver Programming, Driver Signing, ETW Event Logs) <br/>https://blog.tofile.dev/2020/12/16/elam.html
* Protected Processes Part 3: Windows PKI Internals (Signing Levels, Scenarios, Signers, Root Keys, EKUs & Runtime Signers) <br/>https://www.crowdstrike.com/blog/protected-processes-part-3-windows-pki-internals-signing-levels-scenarios-signers-root-keys/
* Hooking via InstrumentationCallback <br/>https://secrary.com/Random/InstrumentationCallback/
* "Hooking Nirvana" by Alex Ionescu at REcon 2015 <br/>https://www.youtube.com/watch?v=bqU0y4FzvT0
* KUSER_SHARED_DATA <br/>https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/ntexapi_x/kuser_shared_data/index.htm
* Challenges of Debugging Optimized x64 Code <br/>https://learn.microsoft.com/en-us/archive/blogs/ntdebugging/challenges-of-debugging-optimized-x64-code
* The path to code execution in the era of EDR, Next-Gen AVs, and AMSI <br/>https://klezvirus.github.io/RedTeaming/AV_Evasion/CodeExeNewDotNet/
* Shadow Space <br/>https://stackoverflow.com/questions/30190132/what-is-the-shadow-space-in-x64-assembly
* Pin - A Binary Instrumentation Tool <br/>https://www.intel.com/content/www/us/en/developer/articles/tool/pin-a-binary-instrumentation-tool-downloads.html
* Vectored Exception Handling, Hooking Via Forced Exception <br/>https://medium.com/@fsx30/vectored-exception-handling-hooking-via-forced-exception-f888754549c6
* Writing Optimized Windows Shellcode in C <br/>https://phasetw0.com/malware/writing-optimized-windows-shellcode-in-c/
* The original version of the previous article (save it!!!) <br/>https://web.archive.org/web/20210305190309/http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html
* Writing Shellcode with a C Compiler <br/>https://nickharbour.wordpress.com/2010/07/01/writing-shellcode-with-a-c-compiler/
* Shellcode: In-Memory Execution of JavaScript, VBScript, JScript and XSL <br/>https://modexp.wordpress.com/2019/07/21/inmem-exec-script/
* Windows 10 1809 kernel sensors <br/>http://redplait.blogspot.com/2019/03/windows-10-1809-kernel-sensors.html
* Hunting In Memory <br/>https://www.elastic.co/security-labs/hunting-memory
* APC Series: User APC Internals <br/>https://repnz.github.io/posts/apc/kernel-user-apc-api/
* The Definitive Guide on Win32 to NT Path Conversion <br/>https://googleprojectzero.blogspot.com/2016/02/the-definitive-guide-on-win32-to-nt.html
* Get-InjectedThreadEx – Detecting Thread Creation Trampolines <br/>https://www.elastic.co/security-labs/get-injectedthreadex-detection-thread-creation-trampolines
* Detecting Cobalt Strike with memory signatures <br/>https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
* Defenders Think in Graphs Too! Part 1 <br/>https://posts.specterops.io/defenders-think-in-graphs-too-part-1-572524c71e91
* Defenders Think in Graphs Too! Part 2 <br/>https://posts.specterops.io/defenders-think-in-graphs-too-part-2-b1fd751525d1
* Detect (and possibly block) WriteProcessMemory calls <br/>https://community.osr.com/discussion/280745/detect-and-possibly-block-writeprocessmemory-calls
* The Old New Thing <br/>https://devblogs.microsoft.com/oldnewthing/author/oldnewthing
* EDR Observations <br/>https://signal-labs.com/edr-observations/
* Hooking the native API and controlling process creation on a system-wide basis [-] <br/>https://www.codeproject.com/Articles/11985/Hooking-the-native-API-and-controlling-process-cre
* Exported functions that are really forwarders <br/>https://devblogs.microsoft.com/oldnewthing/20060719-24/?p=30473
* Rethinking the way DLL exports are resolved for 32-bit Windows <br/>https://devblogs.microsoft.com/oldnewthing/20060720-20/?p=30453
* Reverse Engineering 0x4 Fun - Examining User-Mode APC Injection <br/>https://rce4fun.blogspot.com/2019/03/examining-user-mode-apc-injection.html
* Why .shared sections are a security hole <br/>https://devblogs.microsoft.com/oldnewthing/20040804-00/?p=38253
* Tracing C function "fopen" [Part1] - IDA Free User-Mode Walk-Through tracing to NTApi <br/>https://www.youtube.com/watch?v=1HZCg1gVPpw
* Tracing C function fopen [Part2] - Windbg Kernel Debugging - Walk-Through User-Mode to Kernel ES <br/>https://www.youtube.com/watch?v=8oaEAPC84gc
* Grabbing Kernel Thread Call Stacks the Process Explorer Way – Part 1 <br/>http://blog.airesoft.co.uk/2009/02/grabbing-kernel-thread-contexts-the-process-explorer-way/
* Understanding the Function Call Stack <br/>https://posts.specterops.io/understanding-the-function-call-stack-f08b5341efa4
* The API Set Schema <br/>https://www.geoffchappell.com/studies/windows/win32/apisetschema/index.htm
* Windows API sets <br/>https://learn.microsoft.com/en-us/windows/win32/apiindex/windows-apisets?redirectedfrom=MSDN
* PART 1: How I Met Your Beacon – Overview <br/>https://www.mdsec.co.uk/2022/07/part-1-how-i-met-your-beacon-overview/
* PART 2: How I Met Your Beacon – Cobalt Strike <br/>https://www.mdsec.co.uk/2022/07/part-2-how-i-met-your-beacon-cobalt-strike/

# ASM
* Inline Assembly <br/>https://blog.malicious.group/inline-assembly/
* Writing your own RDI/sRDI loader using C and ASM <br/>https://blog.malicious.group/writing-your-own-rdi-srdi-loader-using-c-and-asm/
* Intrinsics <br/>https://learn.microsoft.com/en-us/cpp/intrinsics/compiler-intrinsics?view=msvc-170&ref=blog.malicious.group

# PE File Format:
* Portable Executable File Format <br/>https://blog.kowalczyk.info/articles/pefileformat.html
* https://github.com/corkami/pics/blob/master/binary/pe101/README.md
* https://resources.infosecinstitute.com/topic/2-malware-researchers-handbook-demystifying-pe-file/
* http://www.sunshine2k.de/reversing/tuts/tut_rvait.htm
* https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/pe-file-header-parser-in-c++

# Kernel Debugging
* Debug Windows drivers step-by-step lab (echo kernel mode) <br/>https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/debug-universal-drivers---step-by-step-lab--echo-kernel-mode-
* Get started with WinDbg (kernel-mode) <br/>https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg--kernel-mode-
* Activating the debugger as soon as the desired process launches its first thread <br/>https://vimalshekar.github.io/walkthroughs/Activating-Windbg-on-process-launch

# Windows Internals
* Genesis - The Birth Of A Windows Process Part 1 - 2 [-] <br/>https://fourcore.io/blogs/how-a-windows-process-is-created-part-1
* Activation Contexts — A Love Story [-] <br/>https://medium.com/philip-tsukerman/activation-contexts-a-love-story-5f57f82bccd
* Running programs using RtlCreateUserProcess only works occasionally <br/>https://stackoverflow.com/questions/69599435/running-programs-using-rtlcreateuserprocess-only-works-occasionally
* Using the Activation Context API <br/>https://learn.microsoft.com/en-us/windows/win32/sbscs/using-the-activation-context-api
* Processes, Threads, and Jobs in the Windows Operating System [-] <br/>https://www.microsoftpressstore.com/articles/article.aspx?p=2233328&seqNum=3

# Mal API
* 17JAN2017 - Abusing native Windows functions for shellcode execution <br/>http://ropgadget.com/posts/abusing_win_functions.html

# Tools:
* https://malapi.io/
* https://filesec.io/
* https://lots-project.com/
* https://lolbas-project.github.io/
* https://github.com/aahmad097/AlternativeShellcodeExec
* https://github.com/stephenfewer/ReflectiveDLLInjection
* https://github.com/odzhan/shellcode/tree/master
* https://github.com/j00ru/windows-syscalls
* https://github.com/klezVirus/SysWhispers3
* https://github.com/monoxgas/sRDI
* https://virustotal.github.io/yara/
* https://github.com/mandiant/capa
* https://github.com/unicorn-engine/unicorn
* https://github.com/x64dbg/ScyllaHide
* https://github.com/ionescu007/winipt
* https://github.com/intelpt/WindowsIntelPT
* https://github.com/zerosum0x0/puppetstrings
* https://github.com/OpenSecurityResearch/dllinjector (beginner-friendly)
* https://github.com/rapid7/metasploit-framework/wiki/Using-ReflectiveDll-Injection
* https://github.com/SafeBreach-Labs/pinjectra
* https://github.com/matterpreter/SHAPESHIFTER
* https://github.com/mdsecactivebreach/firewalker
* https://github.com/trustedsec/inProc_Evade_Get-InjectedThread
* https://github.com/tandasat/DdiMon
* https://github.com/ionescu007/SimpleVisor
* https://github.com/Mattiwatti/EfiGuard
* https://github.com/tyranid/oleviewdotnet
* https://github.com/S3cur3Th1sSh1t/Ruy-Lopez
* https://code.google.com/archive/p/dll-shared-sections/downloads
* https://github.com/wbenny/pdbex (exporting undocumented structures and data types from PDBs)
* https://github.com/hfiref0x/WinObjEx64
* https://www.nirsoft.net/utils/dll_export_viewer.html
* https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/main/NtObjectManager
* https://github.com/jxy-s/herpaderping#comparison
* https://github.com/Yaxser/Backstab

# Microsoft Documentation:
* https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection-reference?view=o365-worldwide
* https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-isguithread
* https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-process_mitigation_policy
* https://learn.microsoft.com/en-us/cpp/build/x64-calling-convention?view=msvc-170
* https://learn.microsoft.com/en-us/archive/blogs/ntdebugging/challenges-of-debugging-optimized-x64-code
* https://learn.microsoft.com/en-us/windows/win32/api/winnt/nc-winnt-pvectored_exception_handler
* https://learn.microsoft.com/en-us/windows/win32/memory/creating-guard-pages
* https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-interfaces-adsi
* https://github.com/microsoft/Windows-classic-samples/tree/master/Samples/Win7Samples/netds/adsi/activedir
* https://learn.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/virtual-address-spaces
* https://learn.microsoft.com/en-us/windows/win32/secauthz/impersonation-levels
* https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-obregistercallbacks?redirectedfrom=MSDN
* https://learn.microsoft.com/en-us/windows/win32/procthread/fibers
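# Worked Examples

Added example for the Direct Syscalls section above (written for this list; it is not code from the Hell's Gate paper, Halo's Gate, TartarusGate or any other linked project). It shows the two mechanisms those write-ups describe: the Hell's Gate byte-pattern check that pulls the system service number (SSN) out of an x64 ntdll stub (`mov r10, rcx ; mov eax, SSN`), and the Halo's Gate fallback that, when the stub has been overwritten by an EDR's `jmp rel32`, walks to the nearest clean neighbour and adjusts its SSN by the distance. Everything runs on a constructed in-memory stub table (32-byte spacing, the same as ntdll's) so it compiles on any OS; on Windows you would point the same functions at ntdll's export addresses. The neighbour walk is only correct under the assumption the linked posts rely on, namely that stub addresses and SSNs increase together and at least one neighbour is unhooked.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ntdll lays out its Nt and Zw stubs 32 bytes apart; the constructed table
   below copies that spacing, which is what the neighbour walk relies on. */
#define STUB_SIZE 32
#define NUM_STUBS 5

/* Hell's Gate test: "mov r10, rcx ; mov eax, imm32" with the two high bytes
   of the immediate zero. Returns the SSN, or -1 when the bytes do not match. */
int hells_gate_ssn(const uint8_t *s)
{
    if (s[0] == 0x4C && s[1] == 0x8B && s[2] == 0xD1 &&
        s[3] == 0xB8 && s[6] == 0x00 && s[7] == 0x00)
        return (int)(((uint16_t)s[5] << 8) | s[4]);
    return -1;
}

/* User-mode EDR hooks usually plant "jmp rel32" (E9) either at byte 0 or
   right after "mov r10, rcx" (byte 3); treat both as a hooked stub. */
int is_hooked(const uint8_t *s)
{
    return s[0] == 0xE9 || s[3] == 0xE9;
}

/* Halo's Gate: SSNs follow the address order of the stubs, so when stub
   `idx` is hooked, find the nearest clean neighbour (searching both
   directions) and correct its SSN by the distance. -1 if none is clean. */
int resolve_ssn(const uint8_t *table, size_t count, size_t idx)
{
    const uint8_t *stub = table + idx * STUB_SIZE;
    int ssn = hells_gate_ssn(stub);
    if (ssn >= 0)
        return ssn;
    if (!is_hooked(stub))
        return -1;                       /* unknown prologue: do not guess */

    for (size_t d = 1; d < count; d++) {
        if (idx + d < count) {
            int n = hells_gate_ssn(table + (idx + d) * STUB_SIZE);
            if (n >= 0) return n - (int)d;
        }
        if (idx >= d) {
            int n = hells_gate_ssn(table + (idx - d) * STUB_SIZE);
            if (n >= 0) return n + (int)d;
        }
    }
    return -1;
}

/* Emit a clean x64 stub for `ssn` into out[STUB_SIZE], padded with int3. */
void make_clean_stub(uint8_t *out, uint16_t ssn)
{
    static const uint8_t tmpl[] = {
        0x4C, 0x8B, 0xD1,                               /* mov r10, rcx   */
        0xB8, 0x00, 0x00, 0x00, 0x00,                   /* mov eax, ssn   */
        0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, /* test byte ptr [7FFE0308h], 1 */
        0x75, 0x03,                                     /* jne +3         */
        0x0F, 0x05,                                     /* syscall        */
        0xC3,                                           /* ret            */
        0xCD, 0x2E,                                     /* int 2Eh        */
        0xC3                                            /* ret            */
    };
    memset(out, 0xCC, STUB_SIZE);
    memcpy(out, tmpl, sizeof tmpl);
    out[4] = (uint8_t)(ssn & 0xFF);
    out[5] = (uint8_t)(ssn >> 8);
}

/* Constructed sample: five stubs with SSNs 0x18..0x1C; stub 2 is "hooked"
   by overwriting its first five bytes with jmp rel32, as an EDR would. */
void build_sample_table(uint8_t *table)
{
    for (size_t i = 0; i < NUM_STUBS; i++)
        make_clean_stub(table + i * STUB_SIZE, (uint16_t)(0x18 + i));
    uint8_t *hooked = table + 2 * STUB_SIZE;
    hooked[0] = 0xE9;
    hooked[1] = 0x11; hooked[2] = 0x22; hooked[3] = 0x33; hooked[4] = 0x44;
}

/* Resolve one SSN from the constructed table (used by the demo and tests). */
int sample_ssn(size_t idx)
{
    uint8_t table[NUM_STUBS * STUB_SIZE];
    build_sample_table(table);
    return resolve_ssn(table, NUM_STUBS, idx);
}

int main(void)
{
    uint8_t table[NUM_STUBS * STUB_SIZE];
    build_sample_table(table);
    for (size_t i = 0; i < NUM_STUBS; i++) {
        int direct = hells_gate_ssn(table + i * STUB_SIZE);
        printf("stub %zu: ssn 0x%02x%s\n", i, resolve_ssn(table, NUM_STUBS, i),
               direct < 0 ? " (hooked, recovered from neighbour)" : "");
    }
    return 0;
}
```

The recovered number is only half of a direct syscall: the `syscall` instruction still has to be executed from somewhere, and as the Indirect Syscalls entries above note, a `syscall` that returns into non-ntdll memory is itself a detection signal, which is why later tooling jumps back into ntdll's own `syscall ; ret` gadget instead of embedding the instruction.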
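Added example for the Entropy Reduction section above (written for this list, not code from the linked article). It implements the Shannon entropy scanners compute per file or per PE section, flags a buffer above a hunting threshold, and then shows the other side: hex-encoding the same bytes caps the measurement at 4 bits per byte, which is the kind of trick "entropy reduction" refers to. The 7.2 threshold, the xorshift32 stand-in for encrypted data and the 4 KiB sample size are assumptions made for the demo; `log2` is hand-rolled so the example links without libm, the way CRT-free shellcode must.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* log2 without libm: split x = m * 2^e with m in [1,2), then
   ln(m) = 2*atanh((m-1)/(m+1)) by series (|z| <= 1/3, converges fast). */
static double log2_nolibm(double x)
{
    int e = 0;
    while (x >= 2.0) { x *= 0.5; e++; }
    while (x < 1.0)  { x *= 2.0; e--; }
    double z = (x - 1.0) / (x + 1.0), z2 = z * z, term = z, sum = 0.0;
    for (int k = 1; k < 60; k += 2) { sum += term / k; term *= z2; }
    return e + 2.0 * sum / 0.6931471805599453;   /* divide by ln 2 */
}

/* Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 when all
   256 byte values occur equally often. */
double shannon_entropy(const uint8_t *buf, size_t len)
{
    if (len == 0) return 0.0;
    size_t counts[256] = {0};
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    double h = 0.0;
    for (int b = 0; b < 256; b++) {
        if (counts[b] == 0) continue;
        double p = (double)counts[b] / (double)len;
        h -= p * log2_nolibm(p);
    }
    return h;
}

/* Hunting threshold (assumption, tune per environment): benign x64 .text
   usually sits around 6 bits/byte, packed or encrypted blobs above ~7.2. */
#define ENTROPY_SUSPECT 7.2
int looks_packed(const uint8_t *buf, size_t len) { return shannon_entropy(buf, len) >= ENTROPY_SUSPECT; }

/* Stand-in for an encrypted payload: xorshift32 output is near-uniform,
   which is what good cipher output looks like to an entropy scanner. */
void fill_pseudo_random(uint8_t *out, size_t len, uint32_t seed)
{
    uint32_t x = seed ? seed : 1;
    for (size_t i = 0; i < len; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        out[i] = (uint8_t)x;
    }
}

/* One entropy-reduction trick: hex-encoding doubles the size but shrinks the
   alphabet to 16 symbols, capping entropy at 4 bits per byte. */
size_t hex_encode(const uint8_t *in, size_t len, char *out, size_t cap)
{
    static const char digits[] = "0123456789abcdef";
    if (cap < len * 2) return 0;
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0F];
    }
    return len * 2;
}

#define SAMPLE_LEN  4096
#define SAMPLE_SEED 0x2545F491u

double sample_encrypted_entropy(void)          /* constructed cipher-like blob */
{
    uint8_t buf[SAMPLE_LEN];
    fill_pseudo_random(buf, SAMPLE_LEN, SAMPLE_SEED);
    return shannon_entropy(buf, SAMPLE_LEN);
}

double sample_hex_entropy(void)                /* the same blob, hex-encoded */
{
    uint8_t buf[SAMPLE_LEN]; char hex[SAMPLE_LEN * 2];
    fill_pseudo_random(buf, SAMPLE_LEN, SAMPLE_SEED);
    return shannon_entropy((const uint8_t *)hex, hex_encode(buf, SAMPLE_LEN, hex, sizeof hex));
}

double sample_zero_entropy(void)               /* zero-filled region */
{
    uint8_t zeros[SAMPLE_LEN] = {0};
    return shannon_entropy(zeros, SAMPLE_LEN);
}

int main(void)
{
    printf("encrypted : %.3f bits/byte (flagged=%d)\n", sample_encrypted_entropy(),
           sample_encrypted_entropy() >= ENTROPY_SUSPECT);
    printf("hex-coded : %.3f bits/byte\n", sample_hex_entropy());
    printf("zero-fill : %.3f bits/byte\n", sample_zero_entropy());
    return 0;
}
```

The caveat for both sides: a hex or base64 blob that is twice the size of the code around it, sitting in a section with a 16-symbol alphabet, is just as distinctive as high entropy to a scanner that also looks at section size, alphabet and string density, so a low number on its own is not evidence of a clean file.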
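Added example for the PE File Format section above (written for this list; it is not the parser from the ired.team or sunshine2k tutorials). It walks `IMAGE_DOS_HEADER` to `IMAGE_NT_HEADERS` to the section table using the field offsets from winnt.h, and converts an RVA to a file offset, the step every reflective loader and export-table walker on this list performs. Two edge cases the tutorials mention are handled explicitly: an RVA inside a section's zero-filled tail (`VirtualSize` larger than `SizeOfRawData`) has no bytes on disk, and every header read is bounds-checked so a truncated or hostile `e_lfanew`/`NumberOfSections` fails instead of reading past the buffer. The image it parses is constructed in memory (headers and a two-entry section table, no code); the 0x200 alignment and section values are assumptions for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PE_NO_OFFSET 0xFFFFFFFFu   /* RVA has no bytes on disk */

/* Bounds-checked little-endian read of `width` (2 or 4) bytes: a hostile
   e_lfanew or NumberOfSections must fail here, not read past the buffer. */
static int rd(const uint8_t *b, size_t n, size_t off, int width, uint32_t *v)
{
    if (off > n || n - off < (size_t)width) return 0;
    *v = 0;
    for (int i = 0; i < width; i++) *v |= (uint32_t)b[off + i] << (8 * i);
    return 1;
}

/* IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> first IMAGE_SECTION_HEADER.
   Returns 0 if a header is missing or the section table overruns the file. */
int pe_section_table(const uint8_t *img, size_t n, size_t *sec_off, uint32_t *nsec)
{
    uint32_t mz, e_lfanew, sig, opt_size;
    if (!rd(img, n, 0x00, 2, &mz) || mz != 0x5A4D) return 0;              /* "MZ"     */
    if (!rd(img, n, 0x3C, 4, &e_lfanew)) return 0;                          /* e_lfanew */
    if (!rd(img, n, e_lfanew, 4, &sig) || sig != 0x00004550u) return 0;     /* "PE\0\0" */
    if (!rd(img, n, (size_t)e_lfanew + 6, 2, nsec)) return 0;               /* FileHeader.NumberOfSections     */
    if (!rd(img, n, (size_t)e_lfanew + 20, 2, &opt_size)) return 0;         /* FileHeader.SizeOfOptionalHeader */
    *sec_off = (size_t)e_lfanew + 24 + opt_size;                            /* 4 (sig) + 20 (file hdr) + opt   */
    return *sec_off <= n && (size_t)*nsec * 40 <= n - *sec_off;
}

/* RVA -> file offset. Below the first section the headers map 1:1; inside a
   section it is PointerToRawData + (rva - VirtualAddress), but only while
   rva - VirtualAddress < SizeOfRawData: a VirtualSize larger than the raw
   size is zero-filled by the loader and has no bytes on disk (.bss-style). */
uint32_t pe_rva_to_offset(const uint8_t *img, size_t n, uint32_t rva)
{
    size_t sec_off; uint32_t nsec, first_va;
    if (!pe_section_table(img, n, &sec_off, &nsec) || nsec == 0) return PE_NO_OFFSET;
    rd(img, n, sec_off + 12, 4, &first_va);
    if (rva < first_va) return rva;
    for (uint32_t i = 0; i < nsec; i++) {
        size_t sh = sec_off + (size_t)i * 40;
        uint32_t vsize, va, rawsize, rawptr;
        rd(img, n, sh + 8, 4, &vsize);    rd(img, n, sh + 12, 4, &va);
        rd(img, n, sh + 16, 4, &rawsize); rd(img, n, sh + 20, 4, &rawptr);
        uint32_t span = vsize > rawsize ? vsize : rawsize;
        if (rva >= va && rva - va < span)
            return rva - va < rawsize ? rawptr + (rva - va) : PE_NO_OFFSET;
    }
    return PE_NO_OFFSET;
}

/* ---- constructed sample image: headers and a section table, no code ---- */
static void wr(uint8_t *b, size_t off, int width, uint32_t v)
{
    for (int i = 0; i < width; i++) b[off + i] = (uint8_t)(v >> (8 * i));
}

static void put_section(uint8_t *sh, const char *name, uint32_t va, uint32_t vsize,
                        uint32_t rawsize, uint32_t rawptr)
{
    memcpy(sh, name, strlen(name));          /* names used here are < 8 chars */
    wr(sh, 8, 4, vsize); wr(sh, 12, 4, va); wr(sh, 16, 4, rawsize); wr(sh, 20, 4, rawptr);
}

#define SAMPLE_PE_SIZE 0x600

/* Minimal PE32+ layout: 0x200 of headers, .text at RVA 0x1000 / file 0x200,
   .data at RVA 0x2000 / file 0x400 whose VirtualSize exceeds its raw size. */
size_t build_sample_pe(uint8_t *img)
{
    memset(img, 0, SAMPLE_PE_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr(img, 0x3C, 4, 0x80);                    /* e_lfanew                     */
    memcpy(img + 0x80, "PE\0\0", 4);
    wr(img, 0x86, 2, 2);                       /* NumberOfSections             */
    wr(img, 0x94, 2, 0xF0);                    /* SizeOfOptionalHeader (PE32+) */
    put_section(img + 0x188, ".text", 0x1000, 0x150, 0x200, 0x200);
    put_section(img + 0x1B0, ".data", 0x2000, 0x800, 0x200, 0x400);
    return SAMPLE_PE_SIZE;
}

/* Convert one RVA against the sample; `avail` below SAMPLE_PE_SIZE simulates
   a truncated file (0 = whole file). */
uint32_t sample_rva_to_offset(uint32_t rva, size_t avail)
{
    uint8_t img[SAMPLE_PE_SIZE];
    size_t n = build_sample_pe(img);
    return pe_rva_to_offset(img, avail ? avail : n, rva);
}

int main(void)
{
    const uint32_t rvas[] = { 0x3C, 0x1010, 0x2010, 0x2300, 0x3000 };
    for (size_t i = 0; i < sizeof rvas / sizeof rvas[0]; i++) {
        uint32_t off = sample_rva_to_offset(rvas[i], 0);
        if (off == PE_NO_OFFSET) printf("RVA 0x%04x: no bytes on disk\n", rvas[i]);
        else                     printf("RVA 0x%04x -> file offset 0x%03x\n", rvas[i], off);
    }
    printf("file truncated to 0x100 bytes: %s\n",
           sample_rva_to_offset(0x1010, 0x100) == PE_NO_OFFSET ? "rejected" : "accepted");
    return 0;
}
```

When the same walk is done on an image that is already mapped (a reflective loader reading its own module, or a memory scanner), the RVA is simply added to the image base and no section lookup is needed; the conversion above is only for the on-disk layout, which is why loaders copy each section to `VirtualAddress` before resolving anything.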