Malware

General

Read: uncategorized.

awesome-malware-analysisopen in new window
awesome-malware-developmentopen in new window
vxunderground - Malware Source Codeopen in new window
vxunderground - Linux Papersopen in new window
vxunderground - Windows Papersopen in new window
Malware Hellopen in new window
- Malware analysis blog
hasherezade | GitHubopen in new window
- Malware dev/analysis
GEFopen in new window
- GDB with more modern/advanced features
al-khaseropen in new window
- Public malware techniques used in the wild
warpopen in new window
- Create self-contained binary applications
DTraceopen in new window
- Dynamic tracing framework
imphashopen in new window
- Hash over the imported functions by PE file
CS6038/CS5138 Malware Analysis, UCopen in new window
CTI-fundamentalsopen in new window
Windows System Programming Experimentsopen in new window
- Lots of useful snippets
TamperingSyscallsopen in new window
- TODO: Explanation
ofrakopen in new window
- Unpack, modify, then repack binaries
evopen in new window
- IDS evasion via packet manipulation
FunctionStompingopen in new window
- TODO: Link to resource
malapi.ioopen in new window
- Search syscalls for usage in malware
Windows System Calls for Huntersopen in new window
pe-bearopen in new window
- Platform for reversing PE files
LockBit-Black-Builderopen in new window
- Leaked builder for LockBit 3.0
massayoopen in new window
- Rust library for removing AV/EDR hooks in a given system DLL
LimeLighteropen in new window
- Spoof code signing certs, sign binaries + DLLs
Living-Off-the-Blindspot - Operating into EDRs' blindspotopen in new window
- Final product: Pyramidopen in new window
Invoke-DLLCloneopen in new window
SharpDPAPIopen in new window
- C# port of some Mimikatz DPAPI functionality
A TECHNICAL ANALYSIS OF PEGASUS FOR ANDROID - PART 1open in new window
New SHC-compiled Linux malware installs cryptominers, DDoS botsopen in new window
- Usage of compiled shell scripts in the wild with shcopen in new window
Hackers hijack Linux devices using PRoot isolated filesystemsopen in new window
- Original: Discovered new BYOF technique to cryptomining with PRootopen in new window
- Malware that uses prootopen in new window, a userland chroot + bind mount, in order to transport/deploy its toolset
A technique for ELF file infectionopen in new window
- Part 2open in new window
- Part 3open in new window
shellteropen in new window
- Dynamic shellcode injector/PE infector
- 32-bit only! (free version only?)
Bypass Antivirus Dynamic Analysisopen in new window
- Limitations of the AV model and how to exploit them
angropen in new window
- Python library for binary analysis
Injection into a Process Using KnownDllsopen in new window
- TODO: Update this link: https://papers.vx-underground.org/papers/Windows/Process%20Injection/2019-08-12%20-%20Windows%20Process%20Injection%20via%20KnownDlls%20Cache%20Poisoning.pdf
- Also see: How loader Maps DLL in to Process Address Spaceopen in new window
sandbox-attacksurface-analysis-toolsopen in new window
- Set of tools to analyze Windows sandboxes for exposed attack surface
- TODO: Can't remember how or why this is useful... It's from James Forshaw, so maybe I found it in a Google Zero blogpost? Idk.
Windows Code Injection: Bypassing CIG Through KnownDLLsopen in new window
- James Forshaw's take on KnownDLLs
- Reference in VXUG paper?

Development

VX-APIopen in new window
- Helpers to aid in malware dev
OffensiveNimopen in new window
OffensiveAutoItopen in new window
OffensiveRustopen in new window
OffensiveCSharpopen in new window
OffensiveVBAopen in new window
Black Hat Rustopen in new window
- His blog is pretty handy too: kerkour.comopen in new window