- https://www.vx-underground.org/archive.html
- https://www.vx-underground.org/windows.html
- https://doxygen.reactos.org/index.html
- https://modexp.wordpress.com/
- https://klezvirus.github.io/
- https://zerosum0x0.blogspot.com/
- https://www.binarly.io/posts/index.html
- https://0xdarkvortex.dev/blogs/
- https://cocomelonc.github.io/
- https://pre.empt.blog/
- https://www.x86matthew.com/
- https://github.com/rapid7/metasploit-payloads/tree/master/c/meterpreter
- https://www.youtube.com/@OALABS
-
Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection: Obfuscation, Watermarking, and Tamperproofing for Software Protection
-
Windows Native API Programming
https://leanpub.com/windowsnativeapiprogramming
-
AV/EDR Evasion | Malware Development Part 1 - 4
https://medium.com/@0xHossam/av-edr-evasion-malware-development-933e50f47af5 -
Malware development part 1 - N
https://0xpat.github.io/Malware_development_part_1/
-
Bypassing Image Load Kernel Callbacks
https://www.mdsec.co.uk/2021/06/bypassing-image-load-kernel-callbacks/ -
Shhmon — Silencing Sysmon via Driver Unload (Sysmon Evasion, MiniFilter Driver Loading/Unloading, Sysmon Events)
https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650 -
FireWalker: A New Approach to Generically Bypass User-Space EDR Hooking
https://www.mdsec.co.uk/2020/08/firewalker-a-new-approach-to-generically-bypass-user-space-edr-hooking/ -
Silencing Cylance: A Case Study in Modern EDRs (Various in-Memory techaniques to bypass Cylance, IMAGE_DEBUG_DIRECTORY powershell pdb info, office macro)
https://www.mdsec.co.uk/2019/03/silencing-cylance-a-case-study-in-modern-edrs/ -
The dying knight in the shiny armour (Bypass Windows Defender with redirecting NT symbolic link and driver sideloading)
https://aptw.tf/2021/08/21/killing-defender.html -
Bypass EDR’s memory protection, introduction to hooking
https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 -
Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs
https://www.ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis -
Adventures in Dynamic Evasion
https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa -
Bypassing Cortex XDR
https://mrd0x.com/cortex-xdr-analysis-and-bypass/ -
Lets Create An EDR… And Bypass It! Part 1
https://ethicalchaos.dev/2020/05/27/lets-create-an-edr-and-bypass-it-part-1/ -
Lets Create An EDR… And Bypass It! Part 2
https://ethicalchaos.dev/2020/06/14/lets-create-an-edr-and-bypass-it-part-2/ -
Bypassing VirtualBox Process Hardening on Windows
https://googleprojectzero.blogspot.com/2017/08/bypassing-virtualbox-process-hardening.html -
AVOIDING GET-INJECTEDTHREAD FOR INTERNAL THREAD CREATION (_beginthread, _beginthreadex)
https://www.trustedsec.com/blog/avoiding-get-injectedthread-for-internal-thread-creation/ -
Understanding and Evading Get-InjectedThread
https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/ -
In-Memory Disassembly for EDR/AV Unhooking
https://signal-labs.com/analysis-of-edr-hooks-bypasses-amp-our-rust-sample/ -
Bypass AMSI in local process hooking NtCreateSection
https://waawaa.github.io/es/amsi_bypass-hooking-NtCreateSection/ -
Your BOFs Are gross, Put on a Mask: How to Hide Beacon During BOF Execution
https://securityintelligence.com/posts/how-to-hide-beacon-during-bof-execution/ -
Evading WinDefender ATP credential-theft: kernel version
https://b4rtik.github.io/posts/evading-windefender-atp-credential-theft-kernel-version/ -
Bypassing Windows Defender Runtime Scanning
https://labs.withsecure.com/publications/bypassing-windows-defender-runtime-scanning -
Abusing SharedUserData For Defense Evasion and Exploitation
https://www.legacyy.xyz/defenseevasion/windows/2022/07/04/abusing-shareduserdata-for-defense-evasion-and-exploitation.html -
Detecting and Evading Sandboxing through Time based evasion
https://shubakki.github.io/posts/2022/12/detecting-and-evading-sandboxing-through-time-based-evasion/ -
Evasion techniques
https://evasions.checkpoint.com/ -
What you need to know about Process Ghosting, a new executable image tampering attack
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack -
Repo for Various Sandbox Bypassing Techniques
https://github.com/Arvanaghi/CheckPlease/tree/master/C
https://github.com/LordNoteworthy/al-khaser
https://github.com/a0rtega/pafish
https://github.com/CheckPointSW/InviZzzible
https://github.com/hfiref0x/VBoxHardenedLoader -
Protecting Your Malware with blockdlls and ACG
https://blog.xpnsec.com/protecting-your-malware/ -
Abusing Delay Load DLLs for Remote Code Injection
https://samples.vx-underground.org/root/Papers/Windows/Process%20Injection/2017-09-19%20-%20Abusing%20Delay%20Load%20DLLs%20for%20Remote%20Code%20Injection.pdf -
BYPASSING MICROSOFT DEFENDER FOR ENDPOINT IN RED TEAMING ASSESSMENTS
https://www.securify.nl/en/blog/bypassing-microsoft-defender-for-endpoint-in-red-teaming-assessments/
- Mixed Assemblies - Crafting Flexible C++ Reflective Stagers for .NET Assemblies
https://thewover.github.io/Mixed-Assemblies/ - Writing a Native C++ Application to Consume a .NET Assembly
https://www.codeproject.com/Articles/35010/Writing-a-Native-C-Application-to-Consume-a-NET-As - Double Thunking (C++)
https://learn.microsoft.com/en-us/cpp/dotnet/double-thunking-cpp?view=msvc-170&viewFallbackFrom=vs-2019 - Don’t Be Rude, Stay: Avoiding Fork&Run .NET Execution With InlineExecute-Assembly
https://securityintelligence.com/x-force/net-execution-inlineexecute-assembly/
-
Back To The Epilogue: Evading Control Flow Guard via Unaligned Targets [-]
https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_05A-3_Biondo_paper.pdf -
BYPASS CONTROL FLOW GUARD COMPREHENSIVELY [-]
https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf -
Control Flow Guard Improvements in Windows 10 Anniversary Update [-]
https://web.archive.org/web/20161031134827/http://blog.trendmicro.com/trendlabs-security-intelligence/control-flow-guard-improvements-windows-10-anniversary-update/ -
CFG Showcase
https://github.com/trailofbits/cfg-showcase -
Let’s talk about CFI: Microsoft Edition [-]
https://blog.trailofbits.com/2016/12/27/lets-talk-about-cfi-microsoft-edition/ -
Let’s talk about CFI: clang edition [-]
https://blog.trailofbits.com/2016/10/17/lets-talk-about-cfi-clang-edition/ -
Documenting the Undocumented - Adding CFG Exceptions [-]
https://www.fortinet.com/blog/threat-research/documenting-the-undocumented-adding-cfg-exceptions
-
Masking Malicious Memory Artifacts – Part I: Phantom DLL Hollowing
https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing -
Ten process injection techniques: A technical survey of common and trending process injection techniques
https://www.elastic.co/cn/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process -
Malicious Application Compatibility Shims
https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf -
Plata o plomo code injections/execution tricks
https://www.hexacorn.com/blog/2019/05/26/plata-o-plomo-code-injections-execution-tricks/ -
Weaponizing Mapping Injection with Instrumentation Callback for stealthier process injection
https://splintercod3.blogspot.com/p/weaponizing-mapping-injection-with.html -
sRDI – Shellcode Reflective DLL Injection
https://www.netspi.com/blog/technical/adversary-simulation/srdi-shellcode-reflective-dll-injection/ -
An Improved Reflective DLL Injection Technique (Passing arguments to injected dlls, Shadow Space)
https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html -
Windows DLL Injection Basics
http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html -
A More Complete DLL Injection Solution Using CreateRemoteThread (Inject a DLL implemented with Microsoft standard)
https://www.codeproject.com/Articles/20084/A-More-Complete-DLL-Injection-Solution-Using-Creat -
Injecting Code into Windows Protected Processes using COM - Part 1 (COM, PPL)
https://googleprojectzero.blogspot.com/2018/10/injecting-code-into-windows-protected.html -
Reflective DLL Injection In C++
https://depthsecurity.com/blog/reflective-dll-injection-in-c -
SeasideBishop: A C port of the UrbanBishop shellcode injector
https://www.solomonsklash.io/seaside-bishop.html -
Process Injection Part 1: The Theory
https://secarma.com/process-injection-part-1-the-theory/ -
Process Injection Part 2: Modern Process Injection
https://secarma.com/process-injection-part-2-modern-process-injection/ -
NO ALLOC, NO PROBLEM: LEVERAGING PROGRAM ENTRY POINTS FOR PROCESS INJECTION
https://bohops.com/2023/06/09/no-alloc-no-problem-leveraging-program-entry-points-for-process-injection/ -
From Process Injection to Function Hijacking [-]
https://klezvirus.github.io/RedTeaming/AV_Evasion/FromInjectionToHijacking/ -
Code injection via return-oriented programming [-]
https://www.virusbulletin.com/virusbulletin/2012/10/code-injection-return-oriented-programming -
Three Ways to Inject Your Code into Another Process [-]
https://www.codeproject.com/Articles/4610/Three-Ways-to-Inject-Your-Code-into-Another-Proces -
Process Injection Techniques - Gotta Catch Them All [-]
https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Itzik-Kotler-Amit-Klein-Gotta-Catch-Them-All.pdf -
What Malware Authors Don't Want You to Know - Evasive Hollow Process Injection
https://www.blackhat.com/docs/asia-17/materials/asia-17-KA-What-Malware-Authors-Don't-Want-You-To-Know-Evasive-Hollow-Process-Injection-wp.pdf -
Needles Without The Thread: Threadless Process Injection - Ceri Coburn
https://www.youtube.com/watch?v=z8GIjk0rfbI -
Using SetWindowsHookEx for DLL injection on windows
https://resources.infosecinstitute.com/topic/using-setwindowshookex-for-dll-injection-on-windows/ -
Sharing is Caring: Abusing Shared Sections for Code Injection
https://billdemirkapi.me/sharing-is-caring-abusing-shared-sections-for-code-injection/ -
Abusing Exceptions for Code Execution, Part 1
https://billdemirkapi.me/exception-oriented-programming-abusing-exceptions-for-code-execution-part-1/ -
Abusing Windows’ Implementation of Fork() for Stealthy Memory Operations
https://billdemirkapi.me/abusing-windows-implementation-of-fork-for-stealthy-memory-operations/ -
Talking to, and handling (edit) boxes
https://www.hexacorn.com/blog/2019/06/28/talking-to-and-handling-edit-boxes/ -
Process Doppelgänging meets Process Hollowing in Osiris dropper
https://www.malwarebytes.com/blog/news/2018/08/process-doppelganging-meets-process-hollowing_osiris -
Process Herpaderping Technical Deep Dive
https://github.com/jxy-s/herpaderping/blob/main/res/DivingDeeper.md
-
Thread Stack Spoofing [-]
https://guidedhacking.com/threads/in-memory-evasion-technique-thread-stack-spoofing.18500/ -
Hardware Callstack [-]
https://www.coresecurity.com/blog/hardware-call-stack -
Stack Spoofing: A New Threat to Security Products [-]
https://akbu.medium.com/stack-spoofing-a-new-threat-to-security-products-1eb1ccf0e2ae -
Behind the Mask: Spoofing Call Stacks Dynamically with Timers [-]
https://www.cobaltstrike.com/blog/behind-the-mask-spoofing-call-stacks-dynamically-with-timers/ -
Spoofing Call Stacks To Confuse EDRs [-]
https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs -
ThreadStackSpoofer v0.2 releases: advanced in-memory evasion technique [-]
https://securityonline.info/thread-stack-spoofing-advanced-in-memory-evasion-technique/
-
The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1
https://www.alex-ionescu.com/the-evolution-of-protected-processes-pass-the-hash-mitigations-in-windows-8-1/ -
The Evolution of Protected Processes Part 2: Exploit/Jailbreak Mitigations, Unkillable Processes and Protected Services
https://www.alex-ionescu.com/wip-draft-the-evolution-of-protected-processes-part-2-exploitjailbreak-mitigations-unkillable-processes-and-protected-services/ -
Protected Processes Part 3 : Windows PKI Internals (Signing Levels, Scenarios, Root Keys, EKUs & Runtime Signers)
https://www.alex-ionescu.com/146/ -
LSASS dumping in 2021/2022 - from memory - without C2
https://s3cur3th1ssh1t.github.io/Reflective-Dump-Tools/ -
Bypassing LSA Protection in Userland
https://blog.scrt.ch/2021/04/22/bypassing-lsa-protection-in-userland/ -
Do You Really Know About LSA Protection (RunAsPPL)?
https://itm4n.github.io/lsass-runasppl/ -
Duping AV with handles
https://skelsec.medium.com/duping-av-with-handles-537ef985eb03
https://github.com/ufrisk/MemProcFS -
Windows Exploitation Tricks: Exploiting Arbitrary Object Directory Creation for Local Elevation of Privilege
https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html -
The End of PPLdump
https://itm4n.github.io/the-end-of-ppldump/ -
BYPASSING WINDOWS DEFENDER AND PPL PROTECTION WITH PPLBLADE TO DUMP LSASS WITHOUT DETECTION
https://tacticaladversary.io/adversary-tactics/bypass-defender-and-ppl-protection-to-dump-lsass/
-
Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams (Look into the Reference part at the end)
https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/ -
Hell’s Gate
https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf -
Halo's Gate
https://blog.sektor7.net/#!res/2021/halosgate.md -
Tartarus Gate
https://github.com/trickster0/TartarusGate -
Direct Syscalls: A journey from high to low
https://redops.at/en/blog/direct-syscalls-a-journey-from-high-to-low -
SysWhispers is dead, long live SysWhispers! (Egg-Hunter, Problematic syscall from not within ntdll.dll - Nirvana to the rescue, syscall-detect.dll, syscall called within another syscall, Kernel Tracing)
https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/ -
Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ -
Tools that make syscalls from NTDLL.DLL
https://github.com/crummie5/FreshyCalls -
Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs
https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs
-
Hiding In PlainSight - Indirect Syscall is Dead! Long Live Custom Call Stacks
https://0xdarkvortex.dev/hiding-in-plainsight/ -
Hiding In PlainSight - Proxying DLL Loads To Hide From ETWTI Stack Tracing
https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/
- Exploiting a “Simple” Vulnerability – In 35 Easy Steps or Less! [-]
https://windows-internals.com/exploiting-a-simple-vulnerability-in-35-easy-steps-or-less/
-
Implementing SysCall Detection into Fennec
https://pre.empt.blog/2022/implementing-syscall-detection-into-fennec -
Detecting Manual Syscalls from User Mode
https://winternl.com/detecting-manual-syscalls-from-user-mode/
https://github.com/jackullrich/syscall-detect -
A catalog of NTDLL kernel mode to user mode callbacks, part 1: Overview
http://www.nynaeve.net/?p=200 -
Understanding Telemetry: Kernel Callbacks
https://posts.specterops.io/understanding-telemetry-kernel-callbacks-1a97cfcb8fb3 -
Subscribing to Process Creation, Thread Creation and Image Load Notifications from a Kernel Driver
https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/subscribing-to-process-creation-thread-creation-and-image-load-notifications-from-a-kernel-driver
-
Uncovering Windows Events
https://posts.specterops.io/uncovering-windows-events-b4b9db7eac54 -
Tampering with Windows Event Tracing: Background, Offense, and Defense
https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 -
Data Source Analysis and Dynamic Windows RE using WPP and TraceLogging
https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7 -
Introduction to Threat Intelligence ETW
https://undev.ninja/introduction-to-threat-intelligence-etw/ -
ETW: Event Tracing for Windows 101
https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101 -
Uncovering Windows Events
https://jsecurity101.medium.com/uncovering-windows-events-b4b9db7eac54 -
Hiding Your .NET – ETW
https://www.mdsec.co.uk/2020/03/hiding-your-net-etw/ -
Design issues of modern EDRs: bypassing ETW-based solutions
https://www.binarly.io/posts/Design_issues_of_modern_EDRs_bypassing_ETW-based_solutions/index.html
- Memory Obfuscation and Hiding
https://lospi.net/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html
https://www.arashparsa.com/bypassing-pesieve-and-moneta-the-easiest-way-i-could-find/#mone
https://github.com/JLospinoso/gargoyle
https://github.com/waldo-irc/YouMayPasser
https://github.com/SecIdiot/FOLIAGE
https://github.com/janoglezcampos/DeathSleep
https://github.com/Cracked5pider/Ekko - GuLoader’s Anti-Analysis Techniques (#1 — VM Detection 1 — Memory Scan)
https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195 - Analysis, Anti-Analysis, Anti-Anti-Analysis: An Overview of the Evasive Malware Scenario
https://www.lasca.ic.unicamp.br/paulo/papers/2017-SBSeg-marcus.botacin-anti.anti.analysis.evasive.malware.pdf - Anti-Analysis Techniques
https://www.oic-cert.org/en/download/Anti-Analysis%20techniques%20(OIC%20Talk).pdf - Bypassing Qakbot Anti-Analysis
https://lab52.io/blog/bypassing-qakbot-anti-analysis-tactics/ - PEB-Process-Environment-Block/NtGlobalFlag
https://www.aldeid.com/wiki/PEB-Process-Environment-Block/NtGlobalFlag - Github Repose Related to Anti-analysis Topic
https://github.com/topics/anti-analysis - Obfuscation Resources:
https://github.com/HikariObfuscator/Hikari/
https://medium.com/@polarply/build-your-first-llvm-obfuscator-80d16583392b
http://www.babush.me/dumbo-llvm-based-dumb-obfuscator.html
https://github.com/emc2314/YANSOllvm
https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion/
https://blog.scrt.ch/2020/07/15/engineering-antivirus-evasion-part-ii/
- Windows x64 System Service Hooks and Advanced Debugging (Hook system services in a less invasive way - manual system call, anti-debugging, function table, EPROCESS, KPROCESS, InstrumentationCallback, NtSetInformationProcess, r10, Dr7)
https://www.codeproject.com/Articles/543542/Windows-x64-system-service-hooks-and-advanced-debu
- Threat Hunting with File Entropy
https://practicalsecurityanalytics.com/file-entropy/
-
Dancing with COM - Deep dive into understanding Component Object Model
https://www.youtube.com/watch?v=8tjrFm2K30Q -
The Component Object Model
https://learn.microsoft.com/en-us/windows/win32/com/the-component-object-model -
Intercepting and Instrumenting COM Applications [-]
https://www.usenix.org/legacy/events/coots99/full_papers/hunt/hunt.pdf -
Abusing COM & DCOM objects [-]
https://iotsecuritynews.com/abusing-com-dcom-objects/ -
COM in plain C [-]
https://www.codeproject.com/Articles/13601/COM-in-plain-C -
Playing around COM objects - PART 1
https://mohamed-fakroud.gitbook.io/red-teamings-dojo/windows-internals/playing-around-com-objects-part-1 -
Lateral Movement using DCOM Objects - How to do it the right way? [-]
https://www.scorpiones.io/articles/lateral-movement-using-dcom-objects -
Abusing COM objects [-]
https://0xpat.github.io/Abusing_COM_Objects/ -
New lateral movement techniques abuse DCOM technology [-]
https://www.cybereason.com/blog/dcom-lateral-movement-techniques -
LATERAL MOVEMENT VIA DCOM: ROUND 2 [-]
https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/ -
ABUSING EXPORTED FUNCTIONS AND EXPOSED DCOM INTERFACES FOR PASS-THRU COMMAND EXECUTION AND LATERAL MOVEMENT [-]
https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ -
https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/main/NtApiDotNet/Ndr
-
Abusing COM & DCOM objects [-]
https://dl.packetstormsecurity.net/papers/general/abusing-objects.pdf -
Process Injection via Component Object Model (COM) IRundown::DoCallback()
https://samples.vx-underground.org/root/Papers/Windows/Process%20Injection/2022-05-05%20-%20Process%20Injection%20via%20Component%20Object%20Model%20(COM)%20IRundown-DoCallback().pdf -
Part I: The Fundamentals of Windows Named Pipes
https://versprite.com/vs-labs/microsoft-windows-pipes-intro/ -
Part II: Analysis of a Vulnerable Microsoft Windows Named Pipe Application
https://versprite.com/vs-labs/vulnerable-named-pipe-application/ -
Hosting the CLR the Right Way
https://www.mode19.net/posts/clrhostingright/ -
Call a C# Method from C/C++ (native process)
https://codingvision.net/calling-a-c-method-from-c-c-native-process -
clr_via_native.c
https://gist.github.com/xpn/e95a62c6afcf06ede52568fcd8187cc2
-
Linked lists
https://www.learn-c.org/en/Linked_lists -
Merge Sort Algorithm
https://github.com/Leyxargon/c-linked-list -
Stack alignment when mixing assembly and C code
https://www.isabekov.pro/stack-alignment-when-mixing-asm-and-c-code/ -
Windows x64 Shellcode Development
https://www.bordergate.co.uk/windows-x64-shellcode-development/ -
A noinline inline function? What sorcery is this?
https://devblogs.microsoft.com/oldnewthing/20200521-00/?p=103777 -
Enumerating opened handles from a process
https://blez.wordpress.com/2012/09/17/enumerating-opened-handles-from-a-process/
-
Closing "Heaven’s Gate" Brief Overview of WoW64
https://www.alex-ionescu.com/closing-heavens-gate/ -
Last branch records and branch tracing
https://www.codeproject.com/Articles/517466/Last-branch-records-and-branch-tracing -
Hooking Heaven’s Gate — a WOW64 hooking technique
https://medium.com/@fsx30/hooking-heavens-gate-a-wow64-hooking-technique-5235e1aeed73 -
Knockin’ on Heaven’s Gate – Dynamic Processor Mode Switching
http://rce.co/knockin-on-heavens-gate-dynamic-processor-mode-switching/ -
WoW64 and So Can You - Bypassing EMET With a Single Instruction
https://duo.com/assets/pdf/wow-64-and-so-can-you.pdf -
Code obFU(N)scation mixing 32 and 64 bit mode instructions
http://scrammed.blogspot.com/2014/10/code-obfunscation-mixing-32-and-64-bit.html -
Red Team Tactics: Active Directory Recon using ADSI and Reflective DLLs
https://outflank.nl/blog/2019/10/20/red-team-tactics-active-directory-recon-using-adsi-and-reflective-dlls/ -
Experimenting with Protected Processes and Threat-Intelligence (ELAM, PPL, Kernel Driver Programming, Driver Singing, ETW Event Logs)
https://blog.tofile.dev/2020/12/16/elam.html -
Protected Processes Part 3: Windows PKI Internals (Signing Levels, Scenarios, Signers, Root Keys, EKUs & Runtime Signers)
https://www.crowdstrike.com/blog/protected-processes-part-3-windows-pki-internals-signing-levels-scenarios-signers-root-keys/ -
Hooking via InstrumentationCallback
https://secrary.com/Random/InstrumentationCallback/ -
'Hooking Nirvana" by Alex Ionescu at REcon 2015
https://www.youtube.com/watch?v=bqU0y4FzvT0 -
KUSER_SHARED_DATA
https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/ntexapi_x/kuser_shared_data/index.htm -
Challenges of Debugging Optimized x64 Code
https://learn.microsoft.com/en-us/archive/blogs/ntdebugging/challenges-of-debugging-optimized-x64-code -
The path to code execution in the era of EDR, Next-Gen AVs, and AMSI
https://klezvirus.github.io/RedTeaming/AV_Evasion/CodeExeNewDotNet/ -
Shadow Space
https://stackoverflow.com/questions/30190132/what-is-the-shadow-space-in-x64-assembly -
Pin a Binary
https://www.intel.com/content/www/us/en/developer/articles/tool/pin-a-binary-instrumentation-tool-downloads.html -
Vectored Exception Handling, Hooking Via Forced Exception
https://medium.com/@fsx30/vectored-exception-handling-hooking-via-forced-exception-f888754549c6 -
Writing Optimized Windows Shellcode in C
https://phasetw0.com/malware/writing-optimized-windows-shellcode-in-c/ -
The original version of the previous article (save it!!!)
https://web.archive.org/web/20210305190309/http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html -
Writing Shellcode with a C Compiler
https://nickharbour.wordpress.com/2010/07/01/writing-shellcode-with-a-c-compiler/ -
Shellcode: In-Memory Execution of JavaScript, VBScript, JScript and XSL
https://modexp.wordpress.com/2019/07/21/inmem-exec-script/ -
Windows 10 1809 kernel sensors
http://redplait.blogspot.com/2019/03/windows-10-1809-kernel-sensors.html -
Hunting In Memory
https://www.elastic.co/security-labs/hunting-memory -
APC Series: User APC Internals
https://repnz.github.io/posts/apc/kernel-user-apc-api/ -
The Definitive Guide on Win32 to NT Path Conversion
https://googleprojectzero.blogspot.com/2016/02/the-definitive-guide-on-win32-to-nt.html -
Get-InjectedThreadEx – Detecting Thread Creation Trampolines
https://www.elastic.co/security-labs/get-injectedthreadex-detection-thread-creation-trampolines -
Detecting Cobalt Strike with memory signatures
https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures -
Defenders Think in Graphs Too! Part 1
https://posts.specterops.io/defenders-think-in-graphs-too-part-1-572524c71e91 -
Defenders Think in Graphs Too! Part 2
https://posts.specterops.io/defenders-think-in-graphs-too-part-2-b1fd751525d1 -
Detect (and possibly block) WriteProcessMemory calls
https://community.osr.com/discussion/280745/detect-and-possibly-block-writeprocessmemory-calls -
Old Things New
https://devblogs.microsoft.com/oldnewthing/author/oldnewthing -
EDR Observations
https://signal-labs.com/edr-observations/ -
Hooking the native API and controlling process creation on a system-wide basis [-]
https://www.codeproject.com/Articles/11985/Hooking-the-native-API-and-controlling-process-cre -
Exported functions that are really forwarders
https://devblogs.microsoft.com/oldnewthing/20060719-24/?p=30473 -
Rethinking the way DLL exports are resolved for 32-bit Windows
https://devblogs.microsoft.com/oldnewthing/20060720-20/?p=30453 -
Reverse Engineering 0x4 Fun
https://rce4fun.blogspot.com/2019/03/examining-user-mode-apc-injection.html -
Why .shared sections are a security hole
https://devblogs.microsoft.com/oldnewthing/20040804-00/?p=38253 -
Tracing C function "fopen" [Part1] - IDA Free User-Mode Walk-Through tracing to NTApi
https://www.youtube.com/watch?v=1HZCg1gVPpw -
Tracing C function fopen [Part2] - Windbg Kernel Debugging - Walk-Through User-Mode to Kernel ES
https://www.youtube.com/watch?v=8oaEAPC84gc -
Grabbing Kernel Thread Call Stacks the Process Explorer Way – Part 1
http://blog.airesoft.co.uk/2009/02/grabbing-kernel-thread-contexts-the-process-explorer-way/ -
Understanding the Function Call Stack
https://posts.specterops.io/understanding-the-function-call-stack-f08b5341efa4 -
The API Set Schema
https://www.geoffchappell.com/studies/windows/win32/apisetschema/index.htm -
Windows API sets
https://learn.microsoft.com/en-us/windows/win32/apiindex/windows-apisets?redirectedfrom=MSDN -
PART 1: How I Met Your Beacon – Overview
https://www.mdsec.co.uk/2022/07/part-1-how-i-met-your-beacon-overview/ -
PART 2: How I Met Your Beacon – Cobalt Strike
https://www.mdsec.co.uk/2022/07/part-2-how-i-met-your-beacon-cobalt-strike/
-
Inline Assembly
https://blog.malicious.group/inline-assembly/ -
Writing your own RDI /sRDI loader using C and ASM
https://blog.malicious.group/writing-your-own-rdi-srdi-loader-using-c-and-asm/ -
Instrinsics
https://learn.microsoft.com/en-us/cpp/intrinsics/compiler-intrinsics?view=msvc-170&ref=blog.malicious.group -
Learning Assembly (TASM)
http://www.petesqbsite.com/sections/tutorials/tuts/doorknob/asm_tutorial1.html -
Converting x86 assembly from masm to nasm
https://left404.com/2011/01/04/converting-x86-assembly-from-masm-to-nasm-3/#:~:text=Masm%2C%20the%20Microsoft%20assembler%2C%20is,Intel%20syntax%20that%20masm%20does.
Example Code - https://left404.com/2011/01/05/masm-to-nasm-assembly-conversion-example/
- Portable Executable File Format
https://blog.kowalczyk.info/articles/pefileformat.html - https://github.com/corkami/pics/blob/master/binary/pe101/README.md
- https://resources.infosecinstitute.com/topic/2-malware-researchers-handbook-demystifying-pe-file/
- http://www.sunshine2k.de/reversing/tuts/tut_rvait.htm
- https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/pe-file-header-parser-in-c++
-
Debug Windows drivers step-by-step lab (echo kernel mode)
https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/debug-universal-drivers---step-by-step-lab--echo-kernel-mode- -
Get started with WinDbg (kernel-mode)
https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg--kernel-mode- -
Activating the debugger as soon as the desired process launches its first thread
https://vimalshekar.github.io/walkthroughs/Activating-Windbg-on-process-launch
-
Genesis - The Birth Of A Windows Process Part 1 - 2 [-]
https://fourcore.io/blogs/how-a-windows-process-is-created-part-1 -
Activation Contexts — A Love Story [-]
https://medium.com/philip-tsukerman/activation-contexts-a-love-story-5f57f82bccd -
Running programs using RtlCreateUserProcess only works occasionally
https://stackoverflow.com/questions/69599435/running-programs-using-rtlcreateuserprocess-only-works-occasionally -
Using the Activation Context API
https://learn.microsoft.com/en-us/windows/win32/sbscs/using-the-activation-context-api -
Processes, Threads, and Jobs in the Windows Operating System [-]
https://www.microsoftpressstore.com/articles/article.aspx?p=2233328&seqNum=3
- 17JAN2017 - Abusing native Windows functions for shellcode execution
http://ropgadget.com/posts/abusing_win_functions.html
- https://malapi.io/
- https://filesec.io/
- https://lots-project.com/
- https://lolbas-project.github.io/
- https://github.com/aahmad097/AlternativeShellcodeExec
- https://github.com/stephenfewer/ReflectiveDLLInjection
- https://github.com/odzhan/shellcode/tree/master
- https://github.com/j00ru/windows-syscalls
- https://github.com/klezVirus/SysWhispers3
- https://github.com/monoxgas/sRDI
- https://virustotal.github.io/yara/
- https://github.com/mandiant/capa
- https://github.com/unicorn-engine/unicorn
- https://github.com/x64dbg/ScyllaHide
- https://github.com/ionescu007/winipt
- https://github.com/intelpt/WindowsIntelPT
- https://github.com/zerosum0x0/puppetstrings
- https://github.com/OpenSecurityResearch/dllinjector (beginner-friendly)
- https://github.com/rapid7/metasploit-framework/wiki/Using-ReflectiveDll-Injection
- https://github.com/SafeBreach-Labs/pinjectra
- https://github.com/matterpreter/SHAPESHIFTER
- https://github.com/mdsecactivebreach/firewalker
- https://github.com/trustedsec/inProc_Evade_Get-InjectedThread
- https://github.com/tandasat/DdiMon
- https://github.com/ionescu007/SimpleVisor
- https://github.com/Mattiwatti/EfiGuard
- https://github.com/tyranid/oleviewdotnet
- https://github.com/S3cur3Th1sSh1t/Ruy-Lopez
- https://code.google.com/archive/p/dll-shared-sections/downloads
- https://github.com/wbenny/pdbex (exporting undocumented structures and data types from PDBs)
- https://github.com/hfiref0x/WinObjEx64
- https://www.nirsoft.net/utils/dll_export_viewer.html
- https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/main/NtObjectManager
- https://github.com/jxy-s/herpaderping#comparison
- https://github.com/Yaxser/Backstab
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection-reference?view=o365-worldwide
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-isguithread
- https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-process_mitigation_policy
- https://learn.microsoft.com/en-us/cpp/build/x64-calling-convention?view=msvc-170
- https://learn.microsoft.com/en-us/archive/blogs/ntdebugging/challenges-of-debugging-optimized-x64-code
- https://learn.microsoft.com/en-us/windows/win32/api/winnt/nc-winnt-pvectored_exception_handler
- https://learn.microsoft.com/en-us/windows/win32/memory/creating-guard-pages
- https://docs.microsoft.com/en-us/windows/win32/adsi/active-directory-service-interfaces-adsi
- https://github.com/microsoft/Windows-classic-samples/tree/master/Samples/Win7Samples/netds/adsi/activedir
- https://learn.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/virtual-address-spaces
- https://learn.microsoft.com/en-us/windows/win32/secauthz/impersonation-levels
- https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-obregistercallbacks?redirectedfrom=MSDN
- https://learn.microsoft.com/en-us/windows/win32/procthread/fibers