Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/chr0n1k/AH2021Workshop

Malware development for red teaming workshop
https://github.com/chr0n1k/AH2021Workshop

Last synced: about 2 months ago
JSON representation

Malware development for red teaming workshop

Host: GitHub
URL: https://github.com/chr0n1k/AH2021Workshop
Owner: chr0n1k
Created: 2021-11-02T06:26:59.000Z (almost 3 years ago)
Default Branch: master
Last Pushed: 2021-11-15T13:31:00.000Z (almost 3 years ago)
Last Synced: 2024-06-11T04:31:29.074Z (3 months ago)
Language: C#
Size: 9.33 MB
Stars: 205
Watchers: 7
Forks: 46
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-edr-bypass - chr0n1k/AH2021Workshop: Malware development for red teaming workshop
awesome-hacking-lists - chr0n1k/AH2021Workshop - Malware development for red teaming workshop (C# #)

README

# Malware development workshop.

Welcome to the **Malware Development workshop** for **AfricaHackon 2021**. In this interactive workshop, we will take a look at the C# language and how to write malware focused on droppers/loaders that will run shellcode on Windows 10 targets that give a meterpreter session back.

The flow of this workshop is building out the code like how virus research looks at [Gain of Function](https://en.wikipedia.org/wiki/Gain-of-function_research). We start off with a simple shellcode runner and build out from there.

> In order to be able to follow the workshop properly, it is highly recommended to go through Lab 0 before the start of the workshop, as this is a setup lab to get you up and ready. You can get it here: [Lab0](https://github.com/chr0n1k/AH2021Workshop/blob/master/LabGuides/AH2021%20Workshop%20-%20Lab0.pdf)

* **Skill Level:** Intermediate

* **Prerequisites:** Basic to intermediate programming/scripting skills. Prior experience with C# helps but not required.

* **Materials:** Laptop/Desktop with virtualization software. A Windows 10 virtual machine and a Kali Linux Virtual Machine.

## Author:
Amarjit Labhuram - [@Amarjit_Labu](https://twitter.com/Amarjit_Labu)

## Labs:

Lab1: Introduction
------
The goal of this lab is to introduce basic C# coding and use of .NETs Platform Invoke (p/invoke) to access the Win32 API. We will also look at how to use System.Reflection.Assembly in powershell to run one of the programs without having to touch disk.

Lab2: Simple shellcode runner
------
The goal of this lab is to be able to create a simple shellcode runner that will execute shellcode generated from msfvenom in csharp format on a Windows 10 device. We will look at the various Win32 API calls needed and leverage p/invoke to achieve this.

Lab3: AV signature and heuristic evasion
------
The goal of this lab is to enhance the shellcode runner to be able to use some behavioural tactics to bypass sandbox and AV checks.

Lab4: Simple process injection
------
The goal of this lab is to understand process injection and enhance our shellcode runner to be able to spawn a notepad process and inject into it.

Lab5: RemoteThreadSuspended process injection
------
The goal of this lab is to enhance the Simple process injection code to create memory regions with lower malicious footprint.

Lab6: QueueUserAPC process injection
------
The goal of this lab is to leverage the Queue Asynchronus Procedure Call to do process injection.

Lab7: Let's bypass userland hooks [EDR]
------
The goal of this lab is to understand what hooking EDRs do on to ntdll.dll to detect use of malicious syscalls and block them. We will rewrite the QueueUserAPC process injection code to dynamically invoke the syscalls using d/invoke and effectively bypass any EDR that uses userland hooks only.

## Goals:
* AntiVirus bypass
* Defense evasion by Process Injection
* Defense evasion of EDR's that use Userland hooks.

## Acknowledgments

All the code snippets in this workshop started from a Github repository/gist, a Stack Overflow code snippet or a Google search. Special mention goes out to:

* Mauricio Velazco - [defcon27_csharp_workshop](https://github.com/mvelazc0/defcon27_csharp_workshop) | [Github](https://github.com/mvelazc0) | [Twitter](https://twitter.com/mvelazco)
* Jean Francois Maes - [Github](https://github.com/jfmaes) | [Twitter](https://twitter.com/Jean_Maes_1994)
* John Tear - [Github](https://github.com/plackyhacker)
* Cas Van Cooten - [Github](https://github.com/chvancooten) | [Twitter](https://twitter.com/chvancooten)
* Chirag Savla - [Github](https://github.com/3xpl01tc0d3r) | [Twitter](https://twitter.com/chiragsavla94)