{"id":13809040,"url":"https://github.com/rootkit-io/awesome-malware-development","last_synced_at":"2025-04-09T05:08:04.527Z","repository":{"id":37388901,"uuid":"481810301","full_name":"rootkit-io/awesome-malware-development","owner":"rootkit-io","description":"Organized list of my malware development resources","archived":false,"fork":false,"pushed_at":"2022-05-16T08:16:28.000Z","size":118,"stargazers_count":1261,"open_issues_count":1,"forks_count":150,"subscribers_count":25,"default_branch":"main","last_synced_at":"2024-04-10T05:19:42.860Z","etag":null,"topics":["malware","malware-development","malware-research"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rootkit-io.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-04-15T02:20:38.000Z","updated_at":"2024-04-08T07:48:18.000Z","dependencies_parsed_at":"2022-07-07T23:09:16.765Z","dependency_job_id":null,"html_url":"https://github.com/rootkit-io/awesome-malware-development","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootkit-io%2Fawesome-malware-development","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootkit-io%2Fawesome-malware-development/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootkit-io%2Fawesome-malware-development/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootkit-io%2Fawesome-malware-development/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/roo
tkit-io","download_url":"https://codeload.github.com/rootkit-io/awesome-malware-development/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247749963,"owners_count":20989714,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["malware","malware-development","malware-research"],"created_at":"2024-08-04T01:01:58.972Z","updated_at":"2025-04-09T05:08:04.509Z","avatar_url":"https://github.com/rootkit-io.png","language":null,"funding_links":[],"categories":["其他_安全与渗透","Other Lists"],"sub_categories":["网络服务_其他","TeX Lists"],"readme":"# Introduction\n\nThis repo serves as a list of resources for malware development.\nNote: I am just a learner; what I have, I'm sharing. Some resources can be stupid; you can help me by adding things.\n\n# Essentials\n\nI would say having some experience with C and assembly is going to be good.\nSome resources for C and assembly.\n\n- [C for Everyone: Programming Fundamentals](https://www.coursera.org/learn/c-for-everyone)\n- [learn-c](https://www.learn-c.org/)\n- [C cheatsheet](https://learnxinyminutes.com/docs/c/)\n- [Architecture 1001: x86-64 Assembly](https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Arch1001_x86-64_Asm+2021_v1/about)\n- [x86 Assembly](https://opensecuritytraining.info/IntroX86.html)\n\n# Blogs\n\n[Vitali Kremez blog](https://www.vkremez.com/)\n\u003e Lots of malware-related content.\n\n[0xPat blog](https://0xpat.github.io/)\n\u003e Has an amazing malware development series; I would recommend taking a look.\n\n[zerosum0x0 blog](https://zerosum0x0.blogspot.com/)\n\u003e 
Some good posts.\n\n[Guitmz blog](https://www.guitmz.com/)\n\u003e Dope maldev content.\n\n[TheXcellerator](https://xcellerator.github.io/)\n\u003e Amazing LKM rootkit series and maldev posts.\n\n---\n\n# Talks\n\n[Horse Pill: A New Type of Linux Rootkit](https://www.youtube.com/watch?v=wyRRbow4-bc)\\\n[Not a talk but good LKM rootkit series](https://www.youtube.com/playlist?list=PLrdeBRwgL0TrjHL0iHqRJD8Pz9t9FECHy)\\\n[Good talk on Creating and Countering the Next Generation of Linux Rootkits](https://www.youtube.com/watch?v=g6SKWT7sROQ)\\\n[Kernel Mode Threats and Practical Defenses](https://www.youtube.com/watch?v=BBJgKuXzfwc)\\\n[Alex Ionescu - Advancing the State of UEFI Bootkits](https://www.youtube.com/watch?v=dpG97TBR3Ys)\\\n[BlueHat v18 || Return of the kernel rootkit malware (on Windows 10)](https://youtu.be/qVIxFfXpyNc)\n\n---\n\n# YouTube channels\n\n[AGDC Services](https://m.youtube.com/channel/UCnpn999NpDMMPxZXW8sgZLA)\n\u003e HQ malware content.\n\n[TheSphinx](https://www.youtube.com/c/TheSphinx/)\n\u003e Has an amazing series on writing your RAT from scratch.\n\n[Joey Abrams](https://www.youtube.com/channel/UCIjKM-9G9r2Og2E080Wfbvw)\n\u003e Amazing malware stuff; has a good code injection series and Linux stuff.\n\n[w3w3w3](https://www.youtube.com/c/w3w3w3)\n\u003e Has a good LKM rootkit series.\n\n# Courses\n\nThere are some courses I would love to recommend.\n\n[RED TEAM Operator: Malware Development Essentials course | Sektor7](https://www.sektor7.net/institute/RTO-MalDev)\n\u003e This course will teach you how to become a better ethical hacker, pentester and red teamer by learning malware development. It covers developing droppers, trojans and payload/DLL injectors using some basic C and Intel assembly skills.
\n\n[RED TEAM Operator: Malware Development Intermediate course](https://www.sektor7.net/institute/RTO-MalDev2)\n\u003e Advanced malware development techniques in Windows, including: API hooking, 32-/64-bit migrations, reflective binaries and more.\n\n[RingZerø: Windows Kernel Rootkits: Techniques and Analysis](https://ringzer0.training/2019/windows-kernel-rootkits.html)\n\u003e Key Learnings:\n- Machine architecture for kernel programmers\n- Virtual memory management\n- Interrupts and exceptions\n- CPU security features\n- Windows kernel architecture\n- Kernel components (Ps, Io, Mm, Ob, Se, Cm, etc.)\n- System mechanisms\n- Debugging with WinDbg\n- Rootkit techniques\n- Driver development\n\n[CodeMachine: Windows Kernel Rootkits](https://www.codemachine.com/trainings/kerrkt.html)\n\u003e Topics:\n- Kernel Attacks\n- Kernel Shellcoding\n- Kernel Hooking and Injection\n- Kernel Callbacks\n- Kernel Filtering\n- Kernel Networking\n- Virtualization Based Security\n\n---\n\n# Books\n\n- The Art of Computer Virus Research and Defense\n- The Giant Black Book of Computer Viruses\n- Designing BSD Rootkits: An Introduction to Kernel Hacking\n- Rootkits and Bootkits\n- The Antivirus Hackers' Handbook\n\n## Free books\n\n[Make your own first FUD crypter](https://www.docdroid.net/GrvkCtu/make-your-fud-crypter-pdf)\n\n---\n\n# Articles/posts\n\n[Malware Development – Welcome to the Dark Side: Part 1](https://niiconsulting.com/checkmate/2018/02/malware-development-welcome-dark-side-part-1/)\\\n[Art of Malware](https://danusminimus.github.io/2020/03/04/The-Art-of-Malware.html)\\\n[Malware Development Part 1](https://0xpat.github.io/Malware_development_part_1/)\\\n[Basic Ransomware guide](https://0x00sec.org/t/basic-ransomware-guide/28345)\\\n[Understanding TRITON and the Missing Final Stage of the Attack (good read)](https://threatpost.com/understanding-triton-and-the-missing-final-stage-of-the-attack/134895/)\\\n[Master of RATs - How to create your own 
Tracker](https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848)\\\n[Amazing article to read with some good resources (Personal Tale and the Road to Malware Development, Resources)](https://0x00sec.org/t/personal-tale-and-the-road-to-malware-development-resources/20369)\\\n[PT_NOTE -\u003e PT_LOAD x64 ELF virus written in Assembly](https://www.guitmz.com/linux-midrashim-elf-virus/)\\\n[The magic of LD_PRELOAD for Userland Rootkits (good read if you wanna get into rootkits; this blog is for userland rootkits)](https://fluxius.handgrep.se/2011/10/31/the-magic-of-ld_preload-for-userland-rootkits/)\\\n[(Recommended Read) if you want to create your first userland rootkit and you just know C, you can go for this blog if you wanna start into rootkit development](https://h0mbre.github.io/Learn-C-By-Creating-A-Rootkit/#)\\\n[Function Hooking Part I: Hooking Shared Library Function Calls in Linux](https://www.netspi.com/blog/technical/network-penetration-testing/function-hooking-part-i-hooking-shared-library-function-calls-in-linux/)\\\n[Inline Hooking for Programmers (Part 1: Introduction)](https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-1.html)\\\n[Inline Hooking for Programmers (Part 2: Writing a Hooking Engine)](https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-2.html)\\\n[PE injection for beginners](https://www.malwaretech.com/2013/11/portable-executable-injection-for.html)\\\n[Becoming-rat-your-system](https://devilinside.me/blogs/becoming-rat-your-system)\\\n[Complete guide on LKM hacking](http://www.ouah.org/LKM_HACKING.html)\\\n[Best series, I will say, if you wanna get into programming/malware dev: a recommended series to follow; it starts with learning the programming that's needed, asm and stuff, and after that gets into maldev](https://0x00sec.org/t/programming-for-wannabes-part-i/1143)\\\n[Fileless malware](https://0x00sec.org/t/fileless-malware/26973)\\\n[Examining the Morris Worm Source 
Code](https://0x00sec.org/t/examining-the-morris-worm-source-code-malware-series-0x02/685)\\\n[IOT Malware](https://0x00sec.org/t/iot-malware-droppers-mirai-and-hajime/1966)\\\n[DoublePulsar SMB backdoor analysis](https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html)\\\n[Eset Turla Outlook backdoor report](https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf)\\\n[Writing a custom encoder](https://smarinovic.github.io/posts/Custom-Encoder/)\\\n[Engineering antivirus evasion](https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion/)\\\n[Analysis of Project Sauron APT](https://securelist.com/faq-the-projectsauron-apt/75533/)\\\n[WastedLocker analysis](https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/)\\\n[Lazarus shellcode execution](https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method)\\\n[Detailed analysis of Zloader](https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf)\\\n[BendyBear shellcode malware](https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/)\\\n[A Basic Windows DKOM Rootkit](https://blog.landhb.dev/posts/v9eRa/a-basic-windows-dkom-rootkit-pt-1/)\\\n[Loading Kernel Shellcode](https://www.fireeye.com/blog/threat-research/2018/04/loading-kernel-shellcode.html)\\\n[Windows Kernel Shellcode on Windows 10 – Part 1](https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-1)\\\n[Windows Kernel Shellcode on Windows 10 – Part 2](https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-2)\\\n[Windows Kernel Shellcode on Windows 10 – Part 3](https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-3)\\\n[Introduction to Shellcode Development](https://owasp.org/www-pdf-archive/Introduction_to_shellcode_development.pdf)\\\n[Autochk Rootkit 
Analysis](https://repnz.github.io/posts/autochk-rootkit-analysis/)\\\n[pierogi backdoor](https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor?utm_content=116986912\u0026utm_medium=social\u0026utm_source=twitter\u0026hss_channel=tw-835463838)\\\n[Pay2Kitten](https://samples.vx-underground.org/APTs/2020/2020.12.17(1)/Paper/Pay2Kitten.pdf)\\\n[STEELCORGI](https://samples.vx-underground.org/APTs/2021/2021.01.12(2)/Paper/STEEL%20CORGI.pdf)\\\n[Lebanese Cedar APT](https://samples.vx-underground.org/APTs/2021/2021.01.28/Paper/Lebanese%20Cedar%20APT.pdf)\\\n[LazyScripter](https://samples.vx-underground.org/APTs/2021/2021.02.24(1)/Paper/LazyScripter.pdf)\\\n[Maze deobfuscation](https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/)\\\n[Darkside overview](https://unit42.paloaltonetworks.com/darkside-ransomware/)\\\n[SunBurst backdoor - FireEye analysis](https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html)\\\n[Code obfuscation techniques](https://chris124567.github.io/2021-06-23-survey-obfuscation/)\\\n[SideCopy APT tooling](https://talosintelligence.com/resources/257)\\\n[Hiding in PEB sight: Custom loader](https://blog.christophetd.fr/hiding-windows-api-imports-with-a-customer-loader/)\\\n[Zloader: New infection technique](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/)\\\n[FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines](https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/)\\\n[A tale of EDR bypass methods](https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/)\\\n[In-depth dive into the security features of the Intel/Windows platform secure boot 
process](https://igor-blue.github.io/2021/02/04/secure-boot.html)\\\n[Process Injection Techniques](https://www.cynet.com/attack-techniques-hands-on/process-injection-techniques/)\\\n[Adventures with KernelCallbackTable Injection](https://captmeelo.com/redteam/maldev/2022/04/21/kernelcallbacktable-injection.html)\\\n[Useful Libraries for Malware Development](https://captmeelo.com//redteam/maldev/2022/02/16/libraries-for-maldev.html)\\\n[Parent Process ID (PPID) Spoofing](https://captmeelo.com/redteam/maldev/2021/11/22/picky-ppid-spoofing.html)\\\n[Mutants Sessions Self Deletion](https://github.com/Octoberfest7/Mutants_Sessions_Self-Deletion)\\\n[OffensiVe Security with V - Process Hollowing](https://alexfrancow.github.io/app-development/OffensiVe-Security-with-V-Hollowing/)\\\n[Looking for Remote Code Execution bugs in the Linux kernel](https://xairy.io/articles/syzkaller-external-network)\\\n[memory-analysis-evasion](https://lospi.net/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html)\\\n[100% evasion - Write a crypter in any language to bypass AV](https://netsec.expert/posts/write-a-crypter-in-any-language/)\n\n---\n\n# Forums\n- https://0x00sec.org/\n\u003e One of the best malware development forums; it helped me a lot.\n\n---\n\n# Sample Sharing\n\n- [Underground](https://vx-underground.org/samples.html)\n- [MalShare](https://www.malshare.com/)\n- [Malware Bazaar](https://bazaar.abuse.ch/browse/)\n\n---\n\n# Some interesting GitHub repos (miscellaneous)\n\n[TL-TROJAN](https://github.com/threatland/TL-TROJAN)\n\u003e A collection of source code for various RATs, stealers, and other Trojans.
\n\n[Linker_preloading_virus](https://github.com/elfmaster/linker_preloading_virus)\n\u003e An example of hijacking the dynamic linker with a custom interpreter that loads and executes modular viruses.\n\n[Awesome-linux-rootkits](https://github.com/tkmru/awesome-linux-rootkits)\n\u003e A summary of Linux rootkits published on GitHub.\n\n[Virii](https://github.com/guitmz/virii)\n\u003e Collection of ancient computer virus source code.\n\n[Flare-floss](https://github.com/mandiant/flare-floss)\n\u003e FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.\n\n[Ebpfkit](https://github.com/Gui774ume/ebpfkit)\n\u003e Ebpfkit is a rootkit powered by eBPF.\n\n[Al-Khaser](https://github.com/LordNoteworthy/al-khaser#al-khaser-v081)\n\u003e Public malware techniques used in the wild: virtual machine, emulation, debugger and sandbox detection.\n\n[Evasions](https://github.com/CheckPointSW/Evasions)\n\u003e The Evasions encyclopedia gathers methods used by malware to evade detection when run in a virtualized environment.\n\n[loonix_syscall_hook](https://github.com/null0333/loonix_syscall_hook)\n\u003e System call hooking on arm64 Linux via a variety of methods.\n\n[awesome-executable-packing](https://github.com/dhondta/awesome-executable-packing)\n\u003e A curated list of awesome resources related to executable packing.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frootkit-io%2Fawesome-malware-development","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frootkit-io%2Fawesome-malware-development","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frootkit-io%2Fawesome-malware-development/lists"}