# Awesome Notes
Collection of resources and articles I need to look at. Mostly regarding malware/exploit development or analysis.
## Malware Dev
- https://0xpat.github.io/
- https://github.com/m0n0ph1/Process-Hollowing
- https://github.com/NVISOsecurity/brown-bags/tree/main/DInvoke%20to%20defeat%20EDRs
- https://iwantmore.pizza/posts/PEzor.html
- https://github.com/asaurusrex/Probatorum-EDR-Userland-Hook-Checker
- https://github.com/RedLectroid/APIunhooker
- https://blog.xpnsec.com/protecting-your-malware/
- https://blog.scrt.ch/2020/07/15/engineering-antivirus-evasion-part-ii/
- https://www.ired.team/offensive-security/code-injection-process-injection
- https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf
- https://github.com/vxunderground/VXUG-Papers/tree/main/Hells%20Gate
- https://greysec.net/
- https://github.com/vxunderground/VXUG-Papers/blob/main/Hells%20Gate/HellsGate.pdf
- https://github.com/trustedsec/CS-Situational-Awareness-BOF/tree/master/src/SA
- https://github.com/0xthirteen/StayKit
- https://www.youtube.com/watch?v=mZyMs2PP38w
- https://sevrosecurity.com/2020/04/08/process-injection-part-1-createremotethread/
- https://connormcgarr.github.io/thread-hijacking/
- https://github.com/connormcgarr/cThreadHijack
- https://github.com/ajpc500/BOFs/blob/main/SyscallsInject/entry.c
- https://github.com/Microwave89/createuserprocess/
- https://movaxbx.ru/2018/10/31/interesting-technique-to-inject-malicious-code-into-svchost-exe/
- https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
- https://www.netspi.com/blog/technical/adversary-simulation/srdi-shellcode-reflective-dll-injection/
- https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
- https://modexp.wordpress.com/2020/04/08/red-teams-etw/
- https://public.cnotools.studio/bring-your-own-vulnerable-kernel-driver-byovkd/exploits/data-only-attack-neutralizing-etwti-provider
- https://www.youtube.com/watch?v=Cch8dvp836w
- https://github.com/fozavci/WeaponisingCSharp-Fundamentals
- https://github.com/med0x2e/ExecuteAssembly
- https://github.com/outflanknl/TamperETW
- https://github.com/hasherezade/process_doppelganging/blob/master/main.cpp
- https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/Sections%20Shellcode%20Process%20Injector/Program.cs
- https://www.thehive-kb.xyz/rem-essentials-windows-malware-evasion-part1
- https://gist.github.com/apsun/1adb6557a44ea8372e7cc27c3ad827ad
- https://github.com/am0nsec/wspe/blob/master/AMSI/amsi_module_patch.c#L220
- https://www.ired.team/offensive-security/code-injection-process-injection/addressofentrypoint-code-injection-without-virtualallocex-rwx
- https://github.com/hasherezade/libpeconv/tree/master/run_pe
- https://www.cyberark.com/resources/threat-research-blog/masking-malicious-memory-artifacts-part-i-phantom-dll-hollowing-2
- https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-iii-bypassing-defensive-scanners
- https://github.com/forrest-orr/phantom-dll-hollower-poc/blob/master/PhantomDllHollower/PhantomDllHollower.cpp
- https://github.com/BreakingMalwareResearch/atom-bombing/blob/master/AtomBombing/main.cpp
- https://www.arashparsa.com/hook-heaps-and-live-free/
- https://www.first.org/resources/papers/telaviv2019/Ensilo-Omri-Misgav-Udi-Yavo-Analyzing-Malware-Evasion-Trend-Bypassing-User-Mode-Hooks.pdf
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
- https://medium.com/falconforce/bof2shellcode-a-tutorial-converting-a-stand-alone-bof-loader-into-shellcode-6369aa518548
- https://medium.com/@omribaso/this-is-how-i-bypassed-almost-every-edr-6e9792cf6c44
- https://www.blackhat.com/docs/eu-14/materials/eu-14-Andrivet-C-plus-plus11-Metaprogramming-Applied-To-software-Obfuscation-wp.pdf
- https://rp.os3.nl/2020-2021/p68/report.pdf
- https://lospi.net/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html
## Exploit Dev
- https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
- https://github.com/ChoiSG/UuidShellcodeExec
## Kernel Dev
- https://www.matteomalvica.com/blog/2020/07/15/silencing-the-edr/
- https://synzack.github.io/Blinding-EDR-On-Windows/
- https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/
- https://posts.bluraven.io/detecting-edr-bypass-malicious-drivers-kernel-callbacks-f5e6bf8f7481
- http://blog.deniable.org/posts/windows-callbacks/
- https://codemachine.com/articles/kernel_callback_functions.html
- https://gitlab.com/deniable/windows-ps-callbacks-experiments
- https://blog.tetrane.com/downloads/Tetrane_PatchGuard_Analysis_RS4_v1.01.pdf
- https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7338165/
- https://br-sn.github.io/Removing-Kernel-Callbacks-Using-Signed-Drivers/
- https://aviadshamriz.medium.com/part-1-fs-minifilter-hooking-7e743b042a9d
- https://av.tib.eu/media/49774
- https://www.codeproject.com/Articles/13677/Hooking-the-kernel-directly
- https://www.adlice.com/kernelmode-rootkits-part-2-irp-hooks/
- https://secret.club/2019/11/06/kernel-code-alignment.html
- http://www.rohitab.com/discuss/topic/41522-hiding-loaded-driver-with-dkom/
- https://reverseengineering.stackexchange.com/questions/22245/possible-to-get-address-of-driver-object-programmatically
- https://windows-internals.com/dkom-now-with-symbolic-links/
- https://windows-internals.com/symhooks-part-two/
- https://www.rohitab.com/discuss/topic/40696-list-loaded-drivers-with-ntquerysysteminformation/
- https://github.com/vmcall/owned_alignment
- https://github.com/namazso/hdd_serial_spoofer/blob/master/hwid.cpp
- https://github.com/repnz/autochk-rootkit/blob/master/AutochkRootkit/FileSystem.c
- https://github.com/zodiacon/DriverMon/blob/master/DriverMonitor/DriverMon.cpp
- CrikeyCon 2019 - Christopher Vella - Reversing & bypassing EDRs
- https://posts.specterops.io/mimidrv-in-depth-4d273d19e148
- https://redcursor.com.au/bypassing-lsa-protection-aka-protected-process-light-without-mimikatz-on-windows-10/
- https://github.com/lawiet47/STFUEDR/blob/main/StfuEdr/StfuEdr.cpp
- https://github.com/gentilkiwi/mimikatz/blob/master/mimidrv/mimidrv.c
- https://www.infosec.tirol/master-of-puppets-part-ii-how-to-tamper-the-edr/
- https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md
- https://www.n4r1b.com/posts/2019/11/understanding-wdboot-windows-defender-elam/
- https://github.com/Shhoya/Examples/tree/master/0x00_AntiKernelDebugging/ObRegisterCallbacks
- https://douggemhax.wordpress.com/2015/05/27/obregistercallbacks-and-countermeasures/
- https://shhoya.github.io/antikernel_bypassob2.html
- https://gist.github.com/OlivierLaflamme/2e0670718a904f21b03cb753df02cf67
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
## Malware Analysis
- https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/
- https://pnx9.github.io/thehive/Unpacking-Osiris.html
## GitHub Tools
- https://github.com/JustasMasiulis/inline_syscall
- https://github.com/jthuraisamy/SysWhispers
- https://github.com/jthuraisamy/SysWhispers2
- https://github.com/outflanknl/InlineWhispers
- https://github.com/Sh0ckFR/InlineWhispers2
- https://github.com/everdox/InfinityHook
- https://github.com/hfiref0x/KDU
- https://github.com/Shhoya/kdmapper
- https://github.com/br-sn/CheekyBlinder
- https://github.com/SHA-MRIZ/FsMinfilterHooking
- https://github.com/repnz/windows-inspector
- https://github.com/D4stiny/spectre
- https://github.com/RedCursorSecurityConsulting/PPLKiller
- https://github.com/N4kedTurtle/LocalDllParse
- https://github.com/klezVirus/inceptor
- https://github.com/revsic/cpp-obfuscator
## StackOverflow
## Misc
- https://github.com/3lp4tr0n/BeaconHunter
- https://github.com/Flangvik/SharpCollection
- https://www.mdsec.co.uk/2021/02/farming-for-red-teams-harvesting-netntlm/
- https://www.trustedsec.com/blog/adexplorer-on-engagements/
- https://github.com/NotMedic/NetNTLMtoSilverTicket
- https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4