Malware Development

This section contains articles that explore modern malware techniques. This includes concepts behind code injection strategies, evasion techniques, kernel‑level manipulation, persistence mechanisms, and command‑and‑control communication.

• Blocking EDR Traffic
  Using the Windows Filtering Platform to block EDR traffic.
• Driver Signature Enforcement
  Bypassing DSE using vulnerable drivers.
• Protected Process Light
  Examining the PPL Windows security feature.
• Killing Protected Processes
  Exploiting kernel mode drivers to terminate protected processes.
• Kernel Mode Drivers
  Creating a Windows kernel mode driver to hide and kill processes.
• Windows Kernel Debugging
  Modifying Kernel data structures to hide processes and elevate privileges.
• AppDomainManager Injection
  Executing arbitrary code inside a .NET process.
• Android Remote Access
  Creating an APK to gain remote access to an Android 14 device.
• DLL Proxying
  Using DLL’s as a persistence mechanism.
• LLVM Obfuscation
  Setting up Obfuscator LLVM with Visual Studio 2022.
• Encoding Shellcode as IP Addresses
  Converting shellcode to look like a series of IP addresses.
• Function Name Hashing
  Replacing existing ROR13 function hash names in shellcode to evade signature based detection.
• Module Stomping
  Executing Shellcode from the address space of known good DLL’s.
• Callback Shellcode Execution
  Executing Shellcode using function callbacks.
• Inline Function Hooking
  Creating a C++ DLL to modify a target applications behaviour.
• Disguising Client Side Payloads
  Ways of making payloads a little less suspicious.
• User Mode APC Queue Injection
  Using user-mode APC functions to execute code in remote processes.
• Sleep Masks
  Writing sleep masks in x64 assembly.
• Offensive PowerShell
  Using GetDelegateForFunctionPointer to execute Win32 API’s from memory in Powershell.
• Reflective DLL Injection
  Executing DLL’s from memory.
• DLL Injection
  Injecting DLL’s into remote processes.
• Interacting with Foreign Handlers
  Writing stagers to interact with foreign C2 frameworks.
• Persistence Mechanisms
  Maintaining access to a target system.
• Password Filters
  Using password filters to intercept logon credentials.
• Keystroke Logging
  Logging Keystrokes with SetWindowHookEx.
• Process Mitigation Policies & ACG
  Attempting to use binary signature policies and arbitrary code guard to bypass userland hooks.
• Parent Process ID Spoofing
  Supplying arbitrary PPID values to CreateProcess.
• Shellcode Obfuscation
  Encoding Shellcode for use within malware.
• Import Address Tables
  Hiding IAT entries to evade detection.
• Malicious Nim Code
  Using Nim to write some simple tools.
• System Call Execution
  Writing a process injection tool using direct system calls.
• ClickOnce Droppers
  Creating a ClickOnce installer for Phishing campaigns.
• NT API Shellcode Execution
  Process Injection using NtCreateSection and NtMapViewOfSection.
• Access Token Manipulation
  Assuming other users identities by copying access tokens.
• Shellcode Execution via Fibers
  Using fibers instead of threads to run shellcode.
• Process Argument Spoofing
  Modifying the Process Environment Block for process argument spoofing.
• Windows Defender Memory Scanning Evasion
  Evading Windows Defender memory scanning.
• Process Injection
  CreateRemoteThread Process Injection in C#
• Unhooking Event Tracing for Windows
  Bypassing ETW userland hooks.
• Assembly.Load & AMSI
  Bypassing AMSI when using Assembly.Load.
• DNS Tunneling
  Using the Domain Name System as a Command & Control mechanism.
• ICMP Tunneling
  Tunneling C2 messages in ICMP traffic.