Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/rootkit-io/awesome-malware-development

Organized list of my malware development resources
https://github.com/rootkit-io/awesome-malware-development

List: awesome-malware-development

malware malware-development malware-research

Last synced: 18 days ago
JSON representation

Organized list of my malware development resources

Awesome Lists containing this project

README 

        
# Introduction 



This Repo serves as a list of resources for malware development.

Note: I am just a learner what i have im sharing some reources can be stupid, you can help me adding things.



# Essentials



I would say having some experience with C and assembly going to be good.

some resources for C and assmebly.



- [C for Everyone: Programming Fundamentals](https://www.coursera.org/learn/c-for-everyone)

- [learn-c](https://www.learn-c.org/)

- [C cheatsheet](https://learnxinyminutes.com/docs/c/)

- [Architecture 1001: x86-64 Assembly](https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Arch1001_x86-64_Asm+2021_v1/about)

- [x86 Assembly](https://opensecuritytraining.info/IntroX86.html)



# Blogs 



[Vitali Kremez blog](https://www.vkremez.com/)

> Lot's of Malware related content.



[0xPat blog](https://0xpat.github.io/)

> Have an amazing malware development series i would recommend to take a look.



[zerosum0x0 blog](https://zerosum0x0.blogspot.com/)

> Some good posts.



[Guitmz blog](https://www.guitmz.com/)

> Dope Maldev Content.



[TheXcellerator](https://xcellerator.github.io/)

> Amazing LKM rookit series and maldev posts.



---



# Talks



[Horse Pill: A New Type of Linux Rootkit](https://www.youtube.com/watch?v=wyRRbow4-bc)\

[Not a talk but good LKM rootkit series](https://www.youtube.com/playlist?list=PLrdeBRwgL0TrjHL0iHqRJD8Pz9t9FECHy)\

[Good talk on Creating and Countering the Next Generation of Linux Rootkits](https://www.youtube.com/watch?v=g6SKWT7sROQ)\

[Kernel Mode Threats and Practical Defenses](https://www.youtube.com/watch?v=BBJgKuXzfwc)\

[Alex Ionescu - Advancing the State of UEFI Bootkits](https://www.youtube.com/watch?v=dpG97TBR3Ys)\

[BlueHat v18 || Return of the kernel rootkit malware (on windows 10)](https://youtu.be/qVIxFfXpyNc)



---



# Youtube channels



[AGDC Services](https://m.youtube.com/channel/UCnpn999NpDMMPxZXW8sgZLA)

> HQ Malware Content.



[TheSphinx](https://www.youtube.com/c/TheSphinx/)

> Have an amazing series on Writing your Rat from Scratch.



[Joey Abrams](https://www.youtube.com/channel/UCIjKM-9G9r2Og2E080Wfbvw)

> Amazing Malware stuff, have a good code injection series, Linux stuff.



[w3w3w3](https://www.youtube.com/c/w3w3w3)

> Have a good LKM rootkit series.



# Courses



There are some courses I would love to recommend.



[RED TEAM Operator: Malware Development Essentials course | Sektor7](https://www.sektor7.net/institute/RTO-MalDev)

>This course will teach you how to become a better ethical hacker, pentester and red teamer by learning malware development. It covers developing droppers, trojans and payload/DLL injectors using some basic C and Intel assembly skills. 



[RED TEAM Operator: Malware Development Intermediate course](https://www.sektor7.net/institute/RTO-MalDev2)

> Advanced malware development techniques in Windows, including: API hooking, 32-/64-bit migrations, reflective binaries and more. 



[RingZerø: Windows Kernel Rootkits: Techniques and Analysis](https://ringzer0.training/2019/windows-kernel-rootkits.html)

> Key Learnings:

- Machine architecture for kernel programmers

- Virtual memory management

- Interrupts and exceptions

- CPU security features

- Windows kernel architecture

- Kernel components (Ps, Io, Mm, Ob, Se, Cm, etc.)

- System mechanisms

- Debugging with WinDbg

- Rootkit techniques

- Driver development



[CodeMachine: Windows Kernel Rootkits](https://www.codemachine.com/trainings/kerrkt.html)

> Topics:

- Kernel Attacks

- Kernel Shellcoding

- Kernel Hooking and Injection

- Kernel Callbacks

- Kernel Filtering

- Kernel Networking

- Virtualization Based Security



---



# Books



- The Art of Computer Virus Research and Defense

- The Giant Black Book of Computer Viruses 

- Designing BSD Rootkits: An Introduction to Kernel Hacking

- Rootkits and Bootkits

- The Antivirus Hackers' Handbook



## Free books



[Make your own first fud crypter](https://www.docdroid.net/GrvkCtu/make-your-fud-crypter-pdf)



---



# Articles/posts



[Malware Development – Welcome to the Dark Side: Part 1](https://niiconsulting.com/checkmate/2018/02/malware-development-welcome-dark-side-part-1/)\

[Art of Malware](https://danusminimus.github.io/2020/03/04/The-Art-of-Malware.html)\

[Malware Development Part 1](https://0xpat.github.io/Malware_development_part_1/)\

[Basic Ransomware guide](https://0x00sec.org/t/basic-ransomware-guide/28345)\

[Understanding TRITON and the Missing Final Stage of the Attack good read.](https://threatpost.com/understanding-triton-and-the-missing-final-stage-of-the-attack/134895/)\

[Master of RATs - How to create your own Tracker](https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848)\

[Amazing article to read with some good resources (Personal Tale and the Road to Malware Development, Resources)](https://0x00sec.org/t/personal-tale-and-the-road-to-malware-development-resources/20369)\

[PT_NOTE -> PT_LOAD x64 ELF virus written in Assembly](https://www.guitmz.com/linux-midrashim-elf-virus/)\

[The magic of LD_PRELOAD for Userland Rootkits(good read if you wanna get into rootkits this blog is for userland rootkits)](https://fluxius.handgrep.se/2011/10/31/the-magic-of-ld_preload-for-userland-rootkits/)\

[(Recommended Read) if you want to creat your first userland rootkit and you just know C you can go for this blog if you wanna start into rootkit development](https://h0mbre.github.io/Learn-C-By-Creating-A-Rootkit/#)\

[Function Hooking Part I: Hooking Shared Library Function Calls in Linux](https://www.netspi.com/blog/technical/network-penetration-testing/function-hooking-part-i-hooking-shared-library-function-calls-in-linux/)\

[Inline Hooking for Programmers (Part 1: Introduction)](https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-1.html)\

[Inline Hooking for Programmers (Part 2: Writing a Hooking Engine)](https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-2.html)\

[PE injection for beginners](https://www.malwaretech.com/2013/11/portable-executable-injection-for.html)\

[Becoming-rat-your-system](https://devilinside.me/blogs/becoming-rat-your-system)\

[Complete guide on LKM hacking](http://www.ouah.org/LKM_HACKING.html)\

[Best series i will say if you wanna get into programming/malware dev recommended series to follow it will start with learn programming thats needed asm and stuff after that getting into maldev](https://0x00sec.org/t/programming-for-wannabes-part-i/1143)\

[Filess malware](https://0x00sec.org/t/fileless-malware/26973)\

[Examining the Morris Worm Source Code](https://0x00sec.org/t/examining-the-morris-worm-source-code-malware-series-0x02/685)\

[IOT Malware](https://0x00sec.org/t/iot-malware-droppers-mirai-and-hajime/1966)\

[DoublePulsar SMB backdoor analysis](https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html)\

[Eset Turla Outlook backdoor report](https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf)\

[Writing a custom encoder](https://smarinovic.github.io/posts/Custom-Encoder/)\

[Engineering antivirus evasion](https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion/)\

[Analysis of Project Sauron APT](https://securelist.com/faq-the-projectsauron-apt/75533/)\

[WastedLocker analysis](https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/)\

[Lazarus shellcode execution](https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method)\

[Detailed analysis of Zloader](https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf)\

[BendyBear shellcode malware](https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/)\

[A Basic Windows DKOM Rootkit](https://blog.landhb.dev/posts/v9eRa/a-basic-windows-dkom-rootkit-pt-1/)\

[Loading Kernel Shellcode](https://www.fireeye.com/blog/threat-research/2018/04/loading-kernel-shellcode.html)\

[Windows Kernel Shellcode on Windows 10 – Part 1](https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-1)\

[Windows Kernel Shellcode on Windows 10 – Part 2](https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-2)\

[Windows Kernel Shellcode on Windows 10 – Part 3](https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-3)\

[Introduction to Shellcode Development](https://owasp.org/www-pdf-archive/Introduction_to_shellcode_development.pdf)\

[Autochk Rootkit Analysis](https://repnz.github.io/posts/autochk-rootkit-analysis/)\

[pierogi backdoor](https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor?utm_content=116986912&utm_medium=social&utm_source=twitter&hss_channel=tw-835463838)\

[Pay2Kitten](https://samples.vx-underground.org/APTs/2020/2020.12.17(1)/Paper/Pay2Kitten.pdf)\

[STEELCORGI](https://samples.vx-underground.org/APTs/2021/2021.01.12(2)/Paper/STEEL%20CORGI.pdf)\

[Lebanese Cedar APT](https://samples.vx-underground.org/APTs/2021/2021.01.28/Paper/Lebanese%20Cedar%20APT.pdf)\

[LazyScripter](https://samples.vx-underground.org/APTs/2021/2021.02.24(1)/Paper/LazyScripter.pdf)\

[Maze deobfuscation](https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/)\

[Darkside overview](https://unit42.paloaltonetworks.com/darkside-ransomware/)\

[SunBurst backdoor - FireEye analysis](https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html)\

[Code obfuscation techniques](https://chris124567.github.io/2021-06-23-survey-obfuscation/)\

[SideCopy APT tooling](https://talosintelligence.com/resources/257)\

[Hiding in PEB sight: Custom loader](https://blog.christophetd.fr/hiding-windows-api-imports-with-a-customer-loader/)\

[Zloader: New infection technique](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/)\

[FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines](https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/)\

[A tale of EDR bypass methods](https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/)\

[In-depth dive into the security features of the Intel/Windows platform secure boot process](https://igor-blue.github.io/2021/02/04/secure-boot.html)\

[Process Injection Techniques](https://www.cynet.com/attack-techniques-hands-on/process-injection-techniques/)\

[Adventures with KernelCallbackTable Injection](https://captmeelo.com/redteam/maldev/2022/04/21/kernelcallbacktable-injection.html)\

[Useful Libraries for Malware Development](https://captmeelo.com//redteam/maldev/2022/02/16/libraries-for-maldev.html)\

[Parent Process ID (PPID) Spoofing](https://captmeelo.com/redteam/maldev/2021/11/22/picky-ppid-spoofing.html)\

[Mutants Sessions Self Deletion](https://github.com/Octoberfest7/Mutants_Sessions_Self-Deletion)\

[OffensiVe Security with V - Process Hollowing](https://alexfrancow.github.io/app-development/OffensiVe-Security-with-V-Hollowing/)\

[Looking for Remote Code Execution bugs in the Linux kernel](https://xairy.io/articles/syzkaller-external-network)\

[memory-analysis-evasion](https://lospi.net/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html)\

[100% evasion - Write a crypter in any language to bypass AV](https://netsec.expert/posts/write-a-crypter-in-any-language/)



---



# Forums

- https://0x00sec.org/

> One of the best Malware Development fourms that helped me a lot.



--- 



# Sample Sharing



- [Underground](https://vx-underground.org/samples.html)

- [MalShare](https://www.malshare.com/)

- [Malware Bazaar](https://bazaar.abuse.ch/browse/)



--- 



# Some interesting Github Repos(miscellaneous)



[TL-TROJAN](https://github.com/threatland/TL-TROJAN)

> A collection of source code for various RATs, Stealers, and other Trojans. 



[Linker_preloading_virus](https://github.com/elfmaster/linker_preloading_virus)

> An example of hijacking the dynamic linker with a custom interpreter who loads and executes modular viruses.



[Awesome-linux-rootkits](https://github.com/tkmru/awesome-linux-rootkits)

> A summary of linux rootkits published on GitHub.



[Virii](https://github.com/guitmz/virii)

> Collection of ancient computer virus source codes.



[Flare-floss](https://github.com/mandiant/flare-floss)

> FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.



[Ebpfkit](https://github.com/Gui774ume/ebpfkit)

> Ebpfkit is a rootkit powered by eBPF.



[Al-Khaser](https://github.com/LordNoteworthy/al-khaser#al-khaser-v081)

> Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.



[Evasions](https://github.com/CheckPointSW/Evasions)

> Evasions encyclopedia gathers methods used by malware to evade detection when run in virtualized environment.



[loonix_syscall_hook](https://github.com/null0333/loonix_syscall_hook)

> System call hooking on arm64 linux via a variety of methods.



[awesome-executable-packing](https://github.com/dhondta/awesome-executable-packing)

> A curated list of awesome resources related to executable packing.