# DEPRECATED
Going forward, this repo won't be updated.\
The list is instead being maintained on my blog (https://reversing.blog)

# About
This document serves as a list of resources and other things that aid in malware analysis / dev and exploit dev, and will be updated frequently.\
Feel free to contribute resources.

# Courses

## Paid courses/certificates
- OSED
- eCXD
- SLAE x86
- OSEE
- eCMAP
- Sektor 7 Red Team Operator
- Zero2Automated: Ultimate Malware Reverse Engineering
- CREST Certified Malware Reverse Engineer
- SANS FOR610
- SANS FOR500
- FireEye Malware Analysis Master Course
- RingZerø: Windows Kernel Rootkits: Techniques and Analysis
- RingZerø: Windows Internals for Reverse Engineers
- CodeMachine: Windows Kernel Rootkits

## Free courses
[Offensive Software Exploitation by Ali Hadi](https://exploitation.ashemery.com/)
> Course taught at Champlain College by Ali Hadi\
> Topics:
- PE format
- Bug hunting and fuzzing
- Vanilla BoF
- ROP
- Egghunters
- x64 and x86 assembly
- Reverse engineering

[Malwareunicorn RE101 and 102](https://m.youtube.com/channel/UCnpn999NpDMMPxZXW8sgZLA)
> Great introduction to malware analysis and RE\
> Covers setting up your environment, and basic static / dynamic analysis

[hasherezade Windows malware analysis vol 1](https://github.com/hasherezade/malware_training_vol1)
> Focus on Windows malware and internals specifically.\
> Includes intermediate topics, such as hooking, UAC bypass, persistence, and much more\
> Requires some knowledge beforehand\
> Includes exercises and slides

[dostackbufferoverflowgood](https://github.com/justinsteven/dostackbufferoverflowgood)
> This course is my go-to for anyone new to exploit dev; it is dead simple, and will teach anyone basic buffer overflows in a couple of hours\
> It goes from teaching basic assembly, to finding a vulnerable function, fuzzing it, and performing a basic buffer overflow to obtain remote code execution

[RPI modern binary exploitation](http://security.cs.rpi.edu/courses/binexp-spring2015/)
> Modern binary exploitation\
> Topics:
- ASLR
- DEP
- ROP
- Heap exploitation
- Stack cookies
- Basic kernel exploitation
- Reverse engineering
- Shellcoding

[CS6038/CS5138 introduction to malware analysis and reverse engineering](https://class.malware.re/)
> Introduction to malware analysis and reverse engineering\
> Topics cover a wide range of malware analysis subjects; a few samples:
- Android static analysis
- Java malware
- Ghidra reverse engineering
- Debugging
- Building malware
- Yara
- Malicious PDF analysis
- Assembly language crash course
- VirtualBox setup

[Intro to x86 32 bit Assembly](http://opensecuritytraining.info/IntroX86.html)
> Introduction to x86 32 bit Assembly, covers everything needed to get started with x86 Assembly
- Includes exercises
- Includes YouTube videos and PowerPoint slides

[Intro to x86 64 bit Assembly](http://opensecuritytraining.info/IntroX86-64.html)
> Same as the 32 bit course, assumes 32 bit knowledge

[Intro to Linux binary exploitation](https://github.com/r0hi7/BinExp)
> Covers Linux bin exp from basic assembly to heap exploitation

[Nightmare: Binary exploitation and reverse engineering course](https://guyinatuxedo.github.io/index.html)
> Binary exploitation course using CTFs as examples

[Max Kersten Zero to hero binary analysis course](https://maxkersten.nl/binary-analysis-course/)
> Assumes little to no low level knowledge\
> Requires basic understanding of programming\
> Content:
> - Assembly basics
> - Malware analysis
> - Script analysis
> - Sample collection

[Buffer overflow practice](https://github.com/freddiebarrsmith/Buffer-Overflow-Exploit-Development-Practice)
> Various applications to practice buffer overflows on.\
> Includes exploit code.

[OpenSecurityTraining introduction to Reverse Engineering](https://opensecuritytraining.info/IntroductionToReverseEngineering.html)
> Covers the basics and use cases of RE\
> Goes over IDA and debugger usage\
> Helps you identify control flows and Win32 API code\
> Older course, but worth the time

[Intermediate Linux Exploitation](https://github.com/nnamon/linux-exploitation-course)
> Assumes prior knowledge of x86-64 assembly and familiarity with C and Python.\
> Assumes you are comfortable with basic binary exploits, such as a vanilla buffer overflow.

# Books
- Windows Internals 7th edition, part 1 and 2
- Practical Malware Analysis
- Windows Kernel Programming by Pavel Yosifovich
- Malware Analyst's Cookbook
- The Shellcoder's Handbook
- Rootkits: Subverting the Windows Kernel
- Rootkits and Bootkits
- A Guide to Kernel Exploitation
- Windows 10 System Programming, Part 1 (Pavel Yosifovich)
- Windows 10 System Programming, Part 2 (Pavel Yosifovich)
- The IDA Pro Book
- The Ghidra Book
- Sandworm by Andy Greenberg
- C++ Primer 5th edition
- The Art of Assembly Language 2nd edition
- The Antivirus Hacker's Handbook
- The Art of Memory Forensics
- Inside Windows Debugging
- Practical Reverse Engineering

## Free books
- [x86-64 deep dive with Ed Jorgensen](http://www.egr.unlv.edu/~ed/assembly64.pdf)

# Blogs
[Corelan exploit dev](https://www.corelan.be/index.php/articles/)
> Must read!!

[Fuzzysecurity exploit dev](https://www.fuzzysecurity.com/tutorials.html)
> Their Windows exploitation series is gold

[Vitali Kremez blog](https://www.vkremez.com/)
> Lots of awesome malware related content

[repnz](https://repnz.github.io/)
> Content on Windows internals and malware reversing

[Connor McGarr](https://connormcgarr.github.io/)
> Lots of content about exploit development

[Google Project Zero](https://googleprojectzero.blogspot.com/)

[Shameless self plug - Logicbug](https://logicbug-io.github.io/)
> My own blog, mainly content about malware dev

[Redbluepurple.io](https://blog.redbluepurple.io/)
> Blog with a couple of posts about EDR, Windows internals and malware analysis

[Malware Traffic Analysis](https://malware-traffic-analysis.net/2021/index.html)

# Talks
[Kernel Mode Threats and Practical Defenses](https://www.youtube.com/watch?v=BBJgKuXzfwc)\
[Morten Schenk - Taking Windows 10 Kernel Exploitation to the next level](https://youtu.be/33Jr1wkaCmQ)\
[The Life & Death of Kernel Object Abuse](https://youtu.be/_u7d9kLdi0c)\
[Alex Ionescu - Advancing the State of UEFI Bootkits](https://www.youtube.com/watch?v=dpG97TBR3Ys)\
[BlueHat v18 || Return of the kernel rootkit malware (on Windows 10)](https://youtu.be/qVIxFfXpyNc)\
[Black Hat Windows 2004 - DKOM (Direct Kernel Object Manipulation)](https://www.youtube.com/watch?v=1Ie20b5IGgY)\
[Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator](https://www.youtube.com/watch?v=LvW68czaEGs)\
[Hackingz Ze Komputerz - Exploiting CAPCOM.SYS - Part 1](https://www.youtube.com/watch?v=pJZjWXxUEl4)\
[Hackingz Ze Komputerz - Exploiting CAPCOM.SYS - Part 2](https://www.youtube.com/watch?v=UGWqq5kTiso)\
[W32.Duqu: The Precursor to the Next Stuxnet](https://www.youtube.com/watch?v=SbkXffokmPE)

# YouTube channels

[KindredSec](https://www.youtube.com/channel/UCwTH3RkRCIE35RJ16Nh8V8Q)
> Malware and reverse engineering

[OAlabs](https://www.youtube.com/channel/UC--DwaiMV-jtO-6EvmKOnqg)
> Great reverse engineering content

[Josh Stroschein intro to Assembly](https://www.youtube.com/playlist?list=PLHJns8WZXCdvESvdr1BRjo4RHiR1Ylhw9)
> Intro to Assembly

[AGDC Services](https://m.youtube.com/channel/UCnpn999NpDMMPxZXW8sgZLA)
> High quality content with a lot of potential

# Whitepapers/articles/posts
[Reverse engineering Cisco ASA for EXTRABACON offsets](https://zerosum0x0.blogspot.com/2016/09/reverse-engineering-cisco-asa-for.html)\
[DoublePulsar SMB backdoor analysis](https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html)\
[Kaspersky Shamoon and StoneDrill Report](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf)\
[ESET Turla Outlook backdoor report](https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf)\
[Introduction to Format String exploits](https://codearcana.com/posts/2013/05/02/introduction-to-format-string-exploits.html)\
[Writing a custom encoder](https://smarinovic.github.io/posts/Custom-Encoder/)\
[MinaliC 2.0.0 buffer overflow](https://smarinovic.github.io/posts/MinaliC-webserver-BoF/)\
[BigAnt server 2.52 buffer overflow](https://smarinovic.github.io/posts/BigAnt-server-BoF/)\
[Anatomy of an exploit – inside CVE-2013-3893](https://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/)\
[Understanding type confusion vulnerabilities](https://www.microsoft.com/security/blog/2015/06/17/understanding-type-confusion-vulnerabilities-cve-2015-0336/)\
[Engineering antivirus evasion](https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion/)\
[Deep dive into iOS exploit chain](https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html?m=1)\
[Writing iOS kernel exploits](https://secfault-security.com/blog/chain3.html)\
[Analysis of cyber attack on Ukrainian power grid](https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf)\
[Analysis of ProjectSauron APT](https://securelist.com/faq-the-projectsauron-apt/75533/)\
[SWEED: Exposing years of Agent Tesla campaigns](https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html?m=1)\
[WastedLocker analysis](https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/)\
[OilRig novel steganography C2](https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/)\
[FritzFrog analysis](https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/)\
[Rotten Apples: Apple-like domains phishing](https://www.fireeye.com/blog/threat-research/2016/06/rotten_apples_apple.html)\
[Will it blend? This is the Question, new Macro based Evasions spotted](https://www.joesecurity.org/blog/4978232240698722172)\
[Lazarus shellcode execution](https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method)\
[In-depth analysis of Raccoon stealer](https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html)\
[Detailed analysis of Zloader](https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf)\
[Interview with LockBit ransomware operator](https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf)\
[BendyBear shellcode malware](https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/)\
[Emotet C2 case study](https://unit42.paloaltonetworks.com/emotet-command-and-control/)\
[WeSteal analysis](https://unit42.paloaltonetworks.com/westeal/)\
[A Basic Windows DKOM Rootkit](https://blog.landhb.dev/posts/v9eRa/a-basic-windows-dkom-rootkit-pt-1/)\
[Loading Kernel Shellcode](https://www.fireeye.com/blog/threat-research/2018/04/loading-kernel-shellcode.html)\
[Windows Kernel Shellcode on Windows 10 – Part 1](https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-1)\
[Windows Kernel Shellcode on Windows 10 – Part 2](https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-2)\
[Windows Kernel Shellcode on Windows 10 – Part 3](https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-3)\
[Panic! At The Kernel - Token Stealing Payloads Revisited on Windows 10 x64 and Bypassing SMEP](https://connormcgarr.github.io/x64-Kernel-Shellcode-Revisited-and-SMEP-Bypass/)\
[Introduction to Shellcode Development](https://owasp.org/www-pdf-archive/Introduction_to_shellcode_development.pdf)\
[Autochk Rootkit Analysis](https://repnz.github.io/posts/autochk-rootkit-analysis/)\
[Pierogi backdoor](https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor?utm_content=116986912&utm_medium=social&utm_source=twitter&hss_channel=tw-835463838)\
[New Cyber Espionage Campaigns Targeting Palestinians - Part 1: The Spark Campaign](https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one)\
[Pay2Kitten](https://vx-underground.org/archive/APTs/2020/2020.12.17(1)/Pay2Kitten.pdf)\
[STEELCORGI](https://vx-underground.org/archive/APTs/2021/2021.01.12(2)/STEEL%20CORGI.pdf)\
[Lebanese Cedar APT](https://vx-underground.org/archive/APTs/2021/2021.01.28/Lebanese%20Cedar%20APT.pdf)\
[LazyScripter](https://vx-underground.org/archive/APTs/2021/2021.02.24(1)/LazyScripter.pdf)\
[Maze deobfuscation](https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/)\
[DarkSide overview](https://unit42.paloaltonetworks.com/darkside-ransomware/)\
[SUNBURST backdoor - FireEye analysis](https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html)\
[Code obfuscation techniques](https://chris124567.github.io/2021-06-23-survey-obfuscation/)\
[SideCopy APT tooling](https://talosintelligence.com/resources/257)\
[Hiding in PEB sight: Custom loader](https://blog.christophetd.fr/hiding-windows-api-imports-with-a-customer-loader/)\
[Zloader: New infection technique](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/)\
[This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html)\
[FinFisher exposed: A researcher's tale of defeating traps, tricks, and complex virtual machines](https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/)\
[Rolf Rolles: Statically unpacking / analyzing FinFisher VM part 1](https://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation)\
[Rolf Rolles: Statically unpacking / analyzing FinFisher VM part 2](https://www.msreverseengineering.com/blog/2018/1/31/finspy-vm-part-2-vm-analysis-and-bytecode-disassembly)\
[Rolf Rolles: Statically unpacking / analyzing FinFisher VM part 3](https://www.msreverseengineering.com/blog/2018/2/21/finspy-vm-unpacking-tutorial-part-3-devirtualization)\
[Operation SpoofedScholars: A Conversation with TA453](https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453)\
[Hooking Candiru - Another spyware vendor comes into focus](https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/)\
[A tale of EDR bypass methods](https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/)

# Not really courses, not really articles
[Heap exploitation free "book"](https://heap-exploitation.dhavalkapil.com/)

# Practice
[Phoenix, successor to Protostar](https://exploit.education/phoenix/)
> Covers various topics, including:
> - Network programming
> - Stack overflows
> - Heap overflows
> - Format string exploits

[ROP practice](https://ropemporium.com/)

[HEVD vulnerable driver](https://github.com/hacksysteam/HackSysExtremeVulnerableDriver)
> Various exploits to practice on a deliberately vulnerable driver

[Network traffic of malware to analyze](https://malware-traffic-analysis.net/training-exercises.html)

# Resources/tools
[NTAPI undocumented functions](https://undocumented.ntinternals.net)\
[x86/x64 Windows syscall table](https://j00ru.vexillium.org/syscalls/nt/64/)\
[Malware Windows API cheatsheet](https://cerbersec.com/malware-cheatsheet.html)\
[Malware evasion / protection techniques](http://unprotect.tdgt.org/index.php/Unprotect_Project)\
[Malware analysis awesome list](https://project-awesome.org/rshipp/awesome-malware-analysis)\
[Linux rootkits awesome list](https://github.com/milabs/awesome-linux-rootkits)\
[Common evasion techniques used by malware](https://evasions.checkpoint.com/)\
[Common anti-debugging techniques used by malware](https://anti-debug.checkpoint.com/)\
[Win32 Programming C++ notes](https://caiorss.github.io/C-Cpp-Notes/WindowsAPI-cpp.html)\
[APT mindmap](https://embed.kumu.io/0b023bf1a971ba32510e86e8f1a38c38#apt-index)

# Forums
- https://vx-underground.org/
- https://greysec.net/
- https://0x00sec.org/

# Sample sharing
- [MWDB CERT PL](https://mwdb.cert.pl)
- [Malware Bazaar](https://bazaar.abuse.ch/browse/)
- [VX Underground](https://vx-underground.org/samples.html)
- [URLhaus](https://urlhaus.abuse.ch/browse/)
- [VirusBay](https://www.virusbay.io/)
- [MalShare](https://www.malshare.com/)