malware-development.md

opensource-malware-development

A collection of open source malware development tools

Collections

3rd-party lists

• ExpLife0011/awesome-windows-kernel-security-development

Virtualization

• Gbps/gbhv - Simple x86-64 VT-x Hypervisor with EPT Hooking

Windows libraries

• DarthTon/Blackbone - Windows memory hacking library - 文档少，直接看例子
• hakril/PythonForWindows - A codebase aimed to make interaction with Windows and native execution easier - Python 库，获取一些底层信息
• arbiter34/GetProcAddress - Recreation of GetProcAddress without external dependencies on Windows Libraries
• cobbr/SharpSploit - a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers
• woanware/win-catalog-dotnet - Managed library for accessing the Windows security catalog files
• Memory loading
  • zeroSteiner/reflective-polymorphism - provides various utilities for the self-modification of PE images
  • stephenfewer/ReflectiveDLLInjection - a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process
• UWP
  • zodiacon/RunAppContainer - Run executables in an AppContainer - 通过白名单权限方式，在UWP下面执行命令

Windows kernel

• nsacyber/Driver-Collider - Blocks drivers from loading by using a name collision technique

Linux libraries

• finixbit/elf-parser - ELF 解析库
• Kernel module
  • perceptionpoint/suprotect - Changing memory protection in an arbitrary process

Scripting libraries

• squirrel-lang.org - 一个类似LUA的脚本语言

Dotnet

• ZenLulz/MemorySharp - A C# based memory editing library targeting Windows applications, offering various functions to extract and inject data and codes into remote processes to allow interoperability
• DLL Export
  • 3F/DllExport - .NET DllExport
• Link tool
  • dgiagio/warp - Create self-contained single binary applications
  • dotnet/ILMerge - a static linker for .NET Assemblies - 作者说无法处理WPF程序
  • Fody/Costura - Embeds dependencies as resources - 会增加一些PDB特征，不建议使用

Python

• operatorequals/httpimport - Module for remote in-memory Python package/module loading through HTTP/S

IOT

• landley/aboriginal - IOT 跨平台开发环境，最后更新2017年

Browser

• wekillpeople/browser-dumpwd - Dump browser passwords(chrome, firefox) with sqlite3 lib

Process injection / DLL injection

• UNIX
  • SoldierX/libhijack - FreeBSD Code Injection Swiss Army Knife
• Windows C++
  • rootm0s/Injectors - DLL/Shellcode injection techniques
  • theevilbit/injection - Injection techniques
  • odzhan/injection - Windows process injection methods (modexp 新研究的各种注入方式)
  • wbenny/injdrv - proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC
  • vallejocc/PoC-Inject-Data-WM_COPYDATA - A tiny PoC to inject and execute code into explorer.exe with WM_SETTEXT+WM_COPYDATA+SetThreadContext
  • countercept/doublepulsar-usermode-injector - A utility to use the usermode shellcode from the DOUBLEPULSAR payload to reflectively load an arbitrary DLL into another process,
  • DarthTon/Xenos - Windows dll injector
• Windows dotnet
  • pwndizzle/c-sharp-memory-injection - A set of scripts that demonstrate how to perform memory injection in C#
  • jonatan1024/clrinject - Injects C# EXE or DLL Assembly into every CLR runtime and AppDomain of another process
  • CameronAavik/ILject - Provides a way which you can load a .NET dll/exe from disk, modify/inject IL, and then run the assembly all in memory without modifying the file
  • djhohnstein/.NET-Profiler-DLL-Hijack - Implementation of the .NET Profiler DLL hijack in C#

Application hooks

• tandasat/DdiMon - a hypervisor performing inline hooking that is invisible to a guest (ie, any code other than DdiMon) by using extended page table (EPT)
• tinysec/iathook - windows kernelmode and usermode IAT hook
• gdabah/distormx - The ultimate hooking library
• stevemk14ebr/PolyHook - x86/x64 C++ Hooking Library
• tandasat/DotNetHooking - Sample use cases of the .NET native code hooking technique
• secrary/Hooking-via-InstrumentationCallback
• EasyHook - The reinvention of Windows API Hooking
• int0/ProcessIsolator - Utility to hook SSDT of specific process and transfer control to a service (usermode app) for handling to determine action allow/deny API call etc
• Sentinel-One/minhook - The Minimalistic x86/x64 API Hooking Library for Windows
• Kernel
  • ilammy/ftrace-hook - Using ftrace for function hooking in Linux kernel

Examples

• LloydLabs/Windows-API-Hashing - This is a simple example and explanation of obfuscating API resolution via hashing
• 0xbadjuju/TellMeYourSecrets - A C# DLL to Dump LSA Secrets

Uncategorized

• processhacker/phnt - Native API header files for the Process Hacker project
• 93aef0ce4dd141ece6f5/Packer - PoC executable packer using resources
• marpie/signed-loaders - signed-loaders documents Windows executables that can be used for side-loading DLLs

Source codes

Agent

• mwsrc - Malware source code database
• maestron/botnets - This is a collection of #botnet source codes, unorganized
• hzeroo/Carberp
• ytisf/theZoo - A repository of LIVE malwares for your own joy and pleasure

Panel

• runvirus/LokiPWS - Loki PWS - Control Panel New Version leaked
• prsecurity/Neutrino - Neutrino C2 Source Code

Uncategorized

• guitmz/virii - Collection of ancient computer virus source codes

APT reports

• 腾讯安全2018年高级持续性威胁（APT）研究报告