Awesome

Notes

Collection of resources and articles I need to look at. Mostly regarding malware/exploit development or analysis.

Malware Dev

• https://0xpat.github.io/
• https://github.com/m0n0ph1/Process-Hollowing
• https://github.com/NVISOsecurity/brown-bags/tree/main/DInvoke%20to%20defeat%20EDRs
• https://iwantmore.pizza/posts/PEzor.html
• https://github.com/asaurusrex/Probatorum-EDR-Userland-Hook-Checker
• https://github.com/RedLectroid/APIunhooker
• https://blog.xpnsec.com/protecting-your-malware/
• https://blog.scrt.ch/2020/07/15/engineering-antivirus-evasion-part-ii/
• https://www.ired.team/offensive-security/code-injection-process-injection
• https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf
• https://github.com/vxunderground/VXUG-Papers/tree/main/Hells%20Gate
• https://greysec.net/
• https://github.com/vxunderground/VXUG-Papers/blob/main/Hells%20Gate/HellsGate.pdf
• https://github.com/trustedsec/CS-Situational-Awareness-BOF/tree/master/src/SA
• https://github.com/0xthirteen/StayKit
• https://www.youtube.com/watch?v=mZyMs2PP38w
• https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf
• https://www.ired.team/offensive-security/code-injection-process-injection
• https://sevrosecurity.com/2020/04/08/process-injection-part-1-createremotethread/
• https://connormcgarr.github.io/thread-hijacking/
• https://github.com/connormcgarr/cThreadHijack
• https://github.com/ajpc500/BOFs/blob/main/SyscallsInject/entry.c
• https://github.com/Microwave89/createuserprocess/
• https://movaxbx.ru/2018/10/31/interesting-technique-to-inject-malicious-code-into-svchost-exe/
• https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
• https://www.netspi.com/blog/technical/adversary-simulation/srdi-shellcode-reflective-dll-injection/
• https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
• https://modexp.wordpress.com/2020/04/08/red-teams-etw/
• https://public.cnotools.studio/bring-your-own-vulnerable-kernel-driver-byovkd/exploits/data-only-attack-neutralizing-etwti-provider
• https://www.youtube.com/watch?v=Cch8dvp836w
• https://github.com/fozavci/WeaponisingCSharp-Fundamentals
• https://github.com/med0x2e/ExecuteAssembly
• https://github.com/outflanknl/TamperETW
• https://github.com/hasherezade/process_doppelganging/blob/master/main.cpp
• https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/Sections%20Shellcode%20Process%20Injector/Program.cs
• https://www.thehive-kb.xyz/rem-essentials-windows-malware-evasion-part1
• https://gist.github.com/apsun/1adb6557a44ea8372e7cc27c3ad827ad
• https://github.com/am0nsec/wspe/blob/master/AMSI/amsi_module_patch.c#L220
• https://www.ired.team/offensive-security/code-injection-process-injection/addressofentrypoint-code-injection-without-virtualallocex-rwx
• https://github.com/hasherezade/libpeconv/tree/master/run_pe
• https://www.cyberark.com/resources/threat-research-blog/masking-malicious-memory-artifacts-part-i-phantom-dll-hollowing-2
• https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-iii-bypassing-defensive-scanners
• https://github.com/forrest-orr/phantom-dll-hollower-poc/blob/master/PhantomDllHollower/PhantomDllHollower.cpp
• https://github.com/BreakingMalwareResearch/atom-bombing/blob/master/AtomBombing/main.cpp
• https://www.arashparsa.com/hook-heaps-and-live-free/
• https://www.first.org/resources/papers/telaviv2019/Ensilo-Omri-Misgav-Udi-Yavo-Analyzing-Malware-Evasion-Trend-Bypassing-User-Mode-Hooks.pdf
• https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
• https://medium.com/falconforce/bof2shellcode-a-tutorial-converting-a-stand-alone-bof-loader-into-shellcode-6369aa518548
• https://medium.com/@omribaso/this-is-how-i-bypassed-almost-every-edr-6e9792cf6c44
• https://www.blackhat.com/docs/eu-14/materials/eu-14-Andrivet-C-plus-plus11-Metaprogramming-Applied-To-software-Obfuscation-wp.pdf
• https://rp.os3.nl/2020-2021/p68/report.pdf
• https://lospi.net/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html

Exploit Dev

• https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
• https://github.com/ChoiSG/UuidShellcodeExec

Kernel Dev

• https://www.matteomalvica.com/blog/2020/07/15/silencing-the-edr/
• https://synzack.github.io/Blinding-EDR-On-Windows/
• https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/
• https://posts.bluraven.io/detecting-edr-bypass-malicious-drivers-kernel-callbacks-f5e6bf8f7481
• http://blog.deniable.org/posts/windows-callbacks/
• https://codemachine.com/articles/kernel_callback_functions.html
• https://gitlab.com/deniable/windows-ps-callbacks-experiments
• https://blog.tetrane.com/downloads/Tetrane_PatchGuard_Analysis_RS4_v1.01.pdf
• https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7338165/
• https://br-sn.github.io/Removing-Kernel-Callbacks-Using-Signed-Drivers/
• https://aviadshamriz.medium.com/part-1-fs-minifilter-hooking-7e743b042a9d
• https://av.tib.eu/media/49774
• https://www.codeproject.com/Articles/13677/Hooking-the-kernel-directly
• https://www.adlice.com/kernelmode-rootkits-part-2-irp-hooks/
• https://secret.club/2019/11/06/kernel-code-alignment.html
• http://www.rohitab.com/discuss/topic/41522-hiding-loaded-driver-with-dkom/
• https://reverseengineering.stackexchange.com/questions/22245/possible-to-get-address-of-driver-object-programmatically
• https://windows-internals.com/dkom-now-with-symbolic-links/
• https://windows-internals.com/symhooks-part-two/
• https://www.rohitab.com/discuss/topic/40696-list-loaded-drivers-with-ntquerysysteminformation/
• https://github.com/vmcall/owned_alignment
• https://github.com/namazso/hdd_serial_spoofer/blob/master/hwid.cpp
• https://github.com/repnz/autochk-rootkit/blob/master/AutochkRootkit/FileSystem.c
• https://github.com/zodiacon/DriverMon/blob/master/DriverMonitor/DriverMon.cpp
• CrikeyCon 2019 - Christopher Vella - Reversing & bypassing EDRs
• https://posts.specterops.io/mimidrv-in-depth-4d273d19e148
• https://redcursor.com.au/bypassing-lsa-protection-aka-protected-process-light-without-mimikatz-on-windows-10/
• https://github.com/lawiet47/STFUEDR/blob/main/StfuEdr/StfuEdr.cpp
• https://github.com/gentilkiwi/mimikatz/blob/master/mimidrv/mimidrv.c
• https://www.infosec.tirol/master-of-puppets-part-ii-how-to-tamper-the-edr/
• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md
• https://www.n4r1b.com/posts/2019/11/understanding-wdboot-windows-defender-elam/
• https://github.com/Shhoya/Examples/tree/master/0x00_AntiKernelDebugging/ObRegisterCallbacks
• https://douggemhax.wordpress.com/2015/05/27/obregistercallbacks-and-countermeasures/
• https://shhoya.github.io/antikernel_bypassob2.html
• https://gist.github.com/OlivierLaflamme/2e0670718a904f21b03cb753df02cf67
• https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/

Malware Analysis

• https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/
• https://pnx9.github.io/thehive/Unpacking-Osiris.html

GitHub Tools

• https://github.com/JustasMasiulis/inline_syscall
• https://github.com/jthuraisamy/SysWhispers
• https://github.com/jthuraisamy/SysWhispers2
• https://github.com/outflanknl/InlineWhispers
• https://github.com/Sh0ckFR/InlineWhispers2
• https://github.com/everdox/InfinityHook
• https://github.com/hfiref0x/KDU
• https://github.com/Shhoya/kdmapper
• https://github.com/br-sn/CheekyBlinder
• https://github.com/SHA-MRIZ/FsMinfilterHooking
• https://github.com/repnz/windows-inspector
• https://github.com/D4stiny/spectre
• https://github.com/RedCursorSecurityConsulting/PPLKiller
• https://github.com/N4kedTurtle/LocalDllParse
• https://github.com/klezVirus/inceptor
• https://github.com/revsic/cpp-obfuscator

StackOverflow

• https://stackoverflow.com/questions/45134220/how-to-convert-a-pointer-of-type-void-to-void

Misc

• https://github.com/3lp4tr0n/BeaconHunter
• https://github.com/Flangvik/SharpCollection
• https://www.mdsec.co.uk/2021/02/farming-for-red-teams-harvesting-netntlm/
• https://www.trustedsec.com/blog/adexplorer-on-engagements/
• https://github.com/NotMedic/NetNTLMtoSilverTicket
• https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4

VXUG papers

• Windows papers
• AV tech papers