# Notes

Collection of resources and articles I need to look at. Mostly regarding malware/exploit development or analysis.

## Malware Dev
* [https://0xpat.github.io/](https://0xpat.github.io/)
* [https://github.com/m0n0ph1/Process-Hollowing](https://github.com/m0n0ph1/Process-Hollowing)
* [https://github.com/NVISOsecurity/brown-bags/tree/main/DInvoke%20to%20defeat%20EDRs](https://github.com/NVISOsecurity/brown-bags/tree/main/DInvoke%20to%20defeat%20EDRs)
* [https://iwantmore.pizza/posts/PEzor.html](https://iwantmore.pizza/posts/PEzor.html)
* [https://github.com/asaurusrex/Probatorum-EDR-Userland-Hook-Checker](https://github.com/asaurusrex/Probatorum-EDR-Userland-Hook-Checker)
* [https://github.com/RedLectroid/APIunhooker](https://github.com/RedLectroid/APIunhooker)
* [https://blog.xpnsec.com/protecting-your-malware/](https://blog.xpnsec.com/protecting-your-malware/)
* [https://blog.scrt.ch/2020/07/15/engineering-antivirus-evasion-part-ii/](https://blog.scrt.ch/2020/07/15/engineering-antivirus-evasion-part-ii/)
* [https://www.ired.team/offensive-security/code-injection-process-injection](https://www.ired.team/offensive-security/code-injection-process-injection)
* [https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf](https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf)
* [https://github.com/vxunderground/VXUG-Papers/tree/main/Hells%20Gate](https://github.com/vxunderground/VXUG-Papers/tree/main/Hells%20Gate)
* [https://greysec.net/](https://greysec.net/)
* [https://github.com/vxunderground/VXUG-Papers/blob/main/Hells%20Gate/HellsGate.pdf](https://github.com/vxunderground/VXUG-Papers/blob/main/Hells%20Gate/HellsGate.pdf)
* [https://github.com/trustedsec/CS-Situational-Awareness-BOF/tree/master/src/SA](https://github.com/trustedsec/CS-Situational-Awareness-BOF/tree/master/src/SA)
* [https://github.com/0xthirteen/StayKit](https://github.com/0xthirteen/StayKit)
* [https://www.youtube.com/watch?v=mZyMs2PP38w](https://www.youtube.com/watch?v=mZyMs2PP38w)
* [https://sevrosecurity.com/2020/04/08/process-injection-part-1-createremotethread/](https://sevrosecurity.com/2020/04/08/process-injection-part-1-createremotethread/)
* [https://connormcgarr.github.io/thread-hijacking/](https://connormcgarr.github.io/thread-hijacking/)
* [https://github.com/connormcgarr/cThreadHijack](https://github.com/connormcgarr/cThreadHijack)
* [https://github.com/ajpc500/BOFs/blob/main/SyscallsInject/entry.c](https://github.com/ajpc500/BOFs/blob/main/SyscallsInject/entry.c)
* [https://github.com/Microwave89/createuserprocess/](https://github.com/Microwave89/createuserprocess/)
* [https://movaxbx.ru/2018/10/31/interesting-technique-to-inject-malicious-code-into-svchost-exe/](https://movaxbx.ru/2018/10/31/interesting-technique-to-inject-malicious-code-into-svchost-exe/)
* [https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection](https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection)
* [https://www.netspi.com/blog/technical/adversary-simulation/srdi-shellcode-reflective-dll-injection/](https://www.netspi.com/blog/technical/adversary-simulation/srdi-shellcode-reflective-dll-injection/)
* [https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/](https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/)
* [https://modexp.wordpress.com/2020/04/08/red-teams-etw/](https://modexp.wordpress.com/2020/04/08/red-teams-etw/)
* [https://public.cnotools.studio/bring-your-own-vulnerable-kernel-driver-byovkd/exploits/data-only-attack-neutralizing-etwti-provider](https://public.cnotools.studio/bring-your-own-vulnerable-kernel-driver-byovkd/exploits/data-only-attack-neutralizing-etwti-provider)
* [https://www.youtube.com/watch?v=Cch8dvp836w](https://www.youtube.com/watch?v=Cch8dvp836w)
* [https://github.com/fozavci/WeaponisingCSharp-Fundamentals](https://github.com/fozavci/WeaponisingCSharp-Fundamentals)
* [https://github.com/med0x2e/ExecuteAssembly](https://github.com/med0x2e/ExecuteAssembly)
* [https://github.com/outflanknl/TamperETW](https://github.com/outflanknl/TamperETW)
* [https://github.com/hasherezade/process_doppelganging/blob/master/main.cpp](https://github.com/hasherezade/process_doppelganging/blob/master/main.cpp)
* [https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/Sections%20Shellcode%20Process%20Injector/Program.cs](https://github.com/chvancooten/OSEP-Code-Snippets/blob/main/Sections%20Shellcode%20Process%20Injector/Program.cs)
* [https://www.thehive-kb.xyz/rem-essentials-windows-malware-evasion-part1](https://www.thehive-kb.xyz/rem-essentials-windows-malware-evasion-part1)
* [https://gist.github.com/apsun/1adb6557a44ea8372e7cc27c3ad827ad](https://gist.github.com/apsun/1adb6557a44ea8372e7cc27c3ad827ad)
* [https://github.com/am0nsec/wspe/blob/master/AMSI/amsi_module_patch.c#L220](https://github.com/am0nsec/wspe/blob/master/AMSI/amsi_module_patch.c#L220)
* [https://www.ired.team/offensive-security/code-injection-process-injection/addressofentrypoint-code-injection-without-virtualallocex-rwx](https://www.ired.team/offensive-security/code-injection-process-injection/addressofentrypoint-code-injection-without-virtualallocex-rwx)
* [https://github.com/hasherezade/libpeconv/tree/master/run_pe](https://github.com/hasherezade/libpeconv/tree/master/run_pe)
* [https://www.cyberark.com/resources/threat-research-blog/masking-malicious-memory-artifacts-part-i-phantom-dll-hollowing-2](https://www.cyberark.com/resources/threat-research-blog/masking-malicious-memory-artifacts-part-i-phantom-dll-hollowing-2)
* [https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-iii-bypassing-defensive-scanners](https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-iii-bypassing-defensive-scanners)
* [https://github.com/forrest-orr/phantom-dll-hollower-poc/blob/master/PhantomDllHollower/PhantomDllHollower.cpp](https://github.com/forrest-orr/phantom-dll-hollower-poc/blob/master/PhantomDllHollower/PhantomDllHollower.cpp)
* [https://github.com/BreakingMalwareResearch/atom-bombing/blob/master/AtomBombing/main.cpp](https://github.com/BreakingMalwareResearch/atom-bombing/blob/master/AtomBombing/main.cpp)
* [https://www.arashparsa.com/hook-heaps-and-live-free/](https://www.arashparsa.com/hook-heaps-and-live-free/)
* [https://www.first.org/resources/papers/telaviv2019/Ensilo-Omri-Misgav-Udi-Yavo-Analyzing-Malware-Evasion-Trend-Bypassing-User-Mode-Hooks.pdf](https://www.first.org/resources/papers/telaviv2019/Ensilo-Omri-Misgav-Udi-Yavo-Analyzing-Malware-Evasion-Trend-Bypassing-User-Mode-Hooks.pdf)
* [https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6](https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6)
* [https://medium.com/falconforce/bof2shellcode-a-tutorial-converting-a-stand-alone-bof-loader-into-shellcode-6369aa518548](https://medium.com/falconforce/bof2shellcode-a-tutorial-converting-a-stand-alone-bof-loader-into-shellcode-6369aa518548)
* [https://medium.com/@omribaso/this-is-how-i-bypassed-almost-every-edr-6e9792cf6c44](https://medium.com/@omribaso/this-is-how-i-bypassed-almost-every-edr-6e9792cf6c44)
* [https://www.blackhat.com/docs/eu-14/materials/eu-14-Andrivet-C-plus-plus11-Metaprogramming-Applied-To-software-Obfuscation-wp.pdf](https://www.blackhat.com/docs/eu-14/materials/eu-14-Andrivet-C-plus-plus11-Metaprogramming-Applied-To-software-Obfuscation-wp.pdf)
* [https://rp.os3.nl/2020-2021/p68/report.pdf](https://rp.os3.nl/2020-2021/p68/report.pdf)
* [https://lospi.net/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html](https://lospi.net/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html)

## Exploit Dev
* [https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/)
* [https://github.com/ChoiSG/UuidShellcodeExec](https://github.com/ChoiSG/UuidShellcodeExec)

## Kernel Dev
* [https://www.matteomalvica.com/blog/2020/07/15/silencing-the-edr/](https://www.matteomalvica.com/blog/2020/07/15/silencing-the-edr/)
* [https://synzack.github.io/Blinding-EDR-On-Windows/](https://synzack.github.io/Blinding-EDR-On-Windows/)
* [https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/](https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/)
* [https://posts.bluraven.io/detecting-edr-bypass-malicious-drivers-kernel-callbacks-f5e6bf8f7481](https://posts.bluraven.io/detecting-edr-bypass-malicious-drivers-kernel-callbacks-f5e6bf8f7481)
* [http://blog.deniable.org/posts/windows-callbacks/](http://blog.deniable.org/posts/windows-callbacks/)
* [https://codemachine.com/articles/kernel_callback_functions.html](https://codemachine.com/articles/kernel_callback_functions.html)
* [https://gitlab.com/deniable/windows-ps-callbacks-experiments](https://gitlab.com/deniable/windows-ps-callbacks-experiments)
* [https://blog.tetrane.com/downloads/Tetrane_PatchGuard_Analysis_RS4_v1.01.pdf](https://blog.tetrane.com/downloads/Tetrane_PatchGuard_Analysis_RS4_v1.01.pdf)
* [https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7338165/](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7338165/)
* [https://br-sn.github.io/Removing-Kernel-Callbacks-Using-Signed-Drivers/](https://br-sn.github.io/Removing-Kernel-Callbacks-Using-Signed-Drivers/)
* [https://aviadshamriz.medium.com/part-1-fs-minifilter-hooking-7e743b042a9d](https://aviadshamriz.medium.com/part-1-fs-minifilter-hooking-7e743b042a9d)
* [https://av.tib.eu/media/49774](https://av.tib.eu/media/49774)
* [https://www.codeproject.com/Articles/13677/Hooking-the-kernel-directly](https://www.codeproject.com/Articles/13677/Hooking-the-kernel-directly)
* [https://www.adlice.com/kernelmode-rootkits-part-2-irp-hooks/](https://www.adlice.com/kernelmode-rootkits-part-2-irp-hooks/)
* [https://secret.club/2019/11/06/kernel-code-alignment.html](https://secret.club/2019/11/06/kernel-code-alignment.html)
* [http://www.rohitab.com/discuss/topic/41522-hiding-loaded-driver-with-dkom/](http://www.rohitab.com/discuss/topic/41522-hiding-loaded-driver-with-dkom/)
* [https://reverseengineering.stackexchange.com/questions/22245/possible-to-get-address-of-driver-object-programmatically](https://reverseengineering.stackexchange.com/questions/22245/possible-to-get-address-of-driver-object-programmatically)
* [https://windows-internals.com/dkom-now-with-symbolic-links/](https://windows-internals.com/dkom-now-with-symbolic-links/)
* [https://windows-internals.com/symhooks-part-two/](https://windows-internals.com/symhooks-part-two/)
* [https://www.rohitab.com/discuss/topic/40696-list-loaded-drivers-with-ntquerysysteminformation/](https://www.rohitab.com/discuss/topic/40696-list-loaded-drivers-with-ntquerysysteminformation/)
* [https://github.com/vmcall/owned_alignment](https://github.com/vmcall/owned_alignment)
* [https://github.com/namazso/hdd_serial_spoofer/blob/master/hwid.cpp](https://github.com/namazso/hdd_serial_spoofer/blob/master/hwid.cpp)
* [https://github.com/repnz/autochk-rootkit/blob/master/AutochkRootkit/FileSystem.c](https://github.com/repnz/autochk-rootkit/blob/master/AutochkRootkit/FileSystem.c)
* [https://github.com/zodiacon/DriverMon/blob/master/DriverMonitor/DriverMon.cpp](https://github.com/zodiacon/DriverMon/blob/master/DriverMonitor/DriverMon.cpp)
* [CrikeyCon 2019 - Christopher Vella - Reversing & bypassing EDRs](https://www.youtube.com/watch?v=85H4RvPGIX4)
* [https://posts.specterops.io/mimidrv-in-depth-4d273d19e148](https://posts.specterops.io/mimidrv-in-depth-4d273d19e148)
* [https://redcursor.com.au/bypassing-lsa-protection-aka-protected-process-light-without-mimikatz-on-windows-10/](https://redcursor.com.au/bypassing-lsa-protection-aka-protected-process-light-without-mimikatz-on-windows-10/)
* [https://github.com/lawiet47/STFUEDR/blob/main/StfuEdr/StfuEdr.cpp](https://github.com/lawiet47/STFUEDR/blob/main/StfuEdr/StfuEdr.cpp)
* [https://github.com/gentilkiwi/mimikatz/blob/master/mimidrv/mimidrv.c](https://github.com/gentilkiwi/mimikatz/blob/master/mimidrv/mimidrv.c)
* [https://www.infosec.tirol/master-of-puppets-part-ii-how-to-tamper-the-edr/](https://www.infosec.tirol/master-of-puppets-part-ii-how-to-tamper-the-edr/)
* [https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md](https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md)
* [https://www.n4r1b.com/posts/2019/11/understanding-wdboot-windows-defender-elam/](https://www.n4r1b.com/posts/2019/11/understanding-wdboot-windows-defender-elam/)
* [https://github.com/Shhoya/Examples/tree/master/0x00_AntiKernelDebugging/ObRegisterCallbacks](https://github.com/Shhoya/Examples/tree/master/0x00_AntiKernelDebugging/ObRegisterCallbacks)
* [https://douggemhax.wordpress.com/2015/05/27/obregistercallbacks-and-countermeasures/](https://douggemhax.wordpress.com/2015/05/27/obregistercallbacks-and-countermeasures/)
* [https://shhoya.github.io/antikernel_bypassob2.html](https://shhoya.github.io/antikernel_bypassob2.html)
* [https://gist.github.com/OlivierLaflamme/2e0670718a904f21b03cb753df02cf67](https://gist.github.com/OlivierLaflamme/2e0670718a904f21b03cb753df02cf67)
* [https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/](https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/)

## Malware Analysis
* [https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/](https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/)
* [https://pnx9.github.io/thehive/Unpacking-Osiris.html](https://pnx9.github.io/thehive/Unpacking-Osiris.html)

## GitHub Tools
* [https://github.com/JustasMasiulis/inline_syscall](https://github.com/JustasMasiulis/inline_syscall)
* [https://github.com/jthuraisamy/SysWhispers](https://github.com/jthuraisamy/SysWhispers)
* [https://github.com/jthuraisamy/SysWhispers2](https://github.com/jthuraisamy/SysWhispers2)
* [https://github.com/outflanknl/InlineWhispers](https://github.com/outflanknl/InlineWhispers)
* [https://github.com/Sh0ckFR/InlineWhispers2](https://github.com/Sh0ckFR/InlineWhispers2)
* [https://github.com/everdox/InfinityHook](https://github.com/everdox/InfinityHook)
* [https://github.com/hfiref0x/KDU](https://github.com/hfiref0x/KDU)
* [https://github.com/Shhoya/kdmapper](https://github.com/Shhoya/kdmapper)
* [https://github.com/br-sn/CheekyBlinder](https://github.com/br-sn/CheekyBlinder)
* [https://github.com/SHA-MRIZ/FsMinfilterHooking](https://github.com/SHA-MRIZ/FsMinfilterHooking)
* [https://github.com/repnz/windows-inspector](https://github.com/repnz/windows-inspector)
* [https://github.com/D4stiny/spectre](https://github.com/D4stiny/spectre)
* [https://github.com/RedCursorSecurityConsulting/PPLKiller](https://github.com/RedCursorSecurityConsulting/PPLKiller)
* [https://github.com/N4kedTurtle/LocalDllParse](https://github.com/N4kedTurtle/LocalDllParse)
* [https://github.com/klezVirus/inceptor](https://github.com/klezVirus/inceptor)
* [https://github.com/revsic/cpp-obfuscator](https://github.com/revsic/cpp-obfuscator)

## StackOverflow
* [https://stackoverflow.com/questions/45134220/how-to-convert-a-pointer-of-type-void-to-void](https://stackoverflow.com/questions/45134220/how-to-convert-a-pointer-of-type-void-to-void)

## Misc
* [https://github.com/3lp4tr0n/BeaconHunter](https://github.com/3lp4tr0n/BeaconHunter)
* [https://github.com/Flangvik/SharpCollection](https://github.com/Flangvik/SharpCollection)
* [https://www.mdsec.co.uk/2021/02/farming-for-red-teams-harvesting-netntlm/](https://www.mdsec.co.uk/2021/02/farming-for-red-teams-harvesting-netntlm/)
* [https://www.trustedsec.com/blog/adexplorer-on-engagements/](https://www.trustedsec.com/blog/adexplorer-on-engagements/)
* [https://github.com/NotMedic/NetNTLMtoSilverTicket](https://github.com/NotMedic/NetNTLMtoSilverTicket)
* [https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4](https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4)

## VXUG papers
* [Windows papers](https://www.vx-underground.org/windows.html)
* [AV tech papers](https://www.vx-underground.org/av.html)