├── LICENSE
├── Labs
    ├── extra
    │   ├── binaries
    │   │   ├── KernelBase.dll
    │   │   ├── kernel32.dll
    │   │   └── ntdll.dll
    │   ├── extra.md
    │   └── images
    │   │   ├── APISets.PNG
    │   │   ├── FunctionGraph.png
    │   │   ├── NtObjectManager.PNG
    │   │   ├── OpenProcess.PNG
    │   │   ├── imports_OpenProcess.PNG
    │   │   ├── kernel32_OpenProcess.PNG
    │   │   ├── kernelbase_OpenProcess.PNG
    │   │   ├── kernelbase_analyze_openprocess.PNG
    │   │   ├── kernelbase_ntopenprocess.PNG
    │   │   ├── ntdll_NtOpenProcess.PNG
    │   │   └── ntdll_NtOpenProcessSyscall.PNG
    ├── lab1
    │   ├── README.md
    │   └── images
    │   │   ├── CloseHandle.png
    │   │   ├── GetUserNameW.png
    │   │   ├── ImpersonateLoggedOnUser-FunctionFlow.png
    │   │   ├── ImpersonateLoggedOnUser.png
    │   │   ├── OpenProcess.png
    │   │   └── OpenProcessToken.png
    ├── lab2
    │   ├── README.md
    │   ├── binaries
    │   │   ├── KernelBase.dll
    │   │   ├── kernel32.dll
    │   │   └── ntdll.dll
    │   └── images
    │   │   ├── APISets.PNG
    │   │   ├── NtObjectManager.PNG
    │   │   ├── SetThreadToken.png
    │   │   ├── SetThreadTokenCallStack.png
    │   │   ├── SetThreadTokenFunctionView.png
    │   │   ├── SetThreadTokenStub.png
    │   │   ├── kernelbase_NtSetInformationThread.png
    │   │   ├── kernelbase_SetThreadToken.png
    │   │   ├── kernelbase_analyze_setthreadtoken.png
    │   │   ├── ntdll_NtSetInformationThread.png
    │   │   └── ntdll_NtSetInformationThreadSyscall.png
    ├── lab3
    │   ├── README.md
    │   ├── binaries
    │   │   ├── KernelBase.dll
    │   │   ├── advapi32.dll
    │   │   └── ntdll.dll
    │   └── images
    │   │   ├── FunctionGraph.png
    │   │   ├── ImpersonateLoggedOnUserStub.png
    │   │   ├── NtDuplicateToken.png
    │   │   ├── NtQueryInformationToken.png
    │   │   ├── NtSetInformationThread.png
    │   │   ├── advapi32-apiset.PNG
    │   │   ├── advapi32-imports.png
    │   │   ├── advapi32.png
    │   │   ├── kernelbase_ImpersonateLoggedOnUser.PNG
    │   │   └── kernelbase_ImpersonateLoggedOnUser_decompliation.PNG
    ├── lab4
    │   ├── README.md
    │   └── images
    │   │   └── ImpersonateLoggedOnUser-Operations.png
    └── lab5
    │   └── README.md
├── Presentation.pdf
├── README.md
├── Sample 1
    ├── Sample 1.json
    └── src
    │   └── Source.cpp
├── Sample 2
    ├── Sample 2.json
    └── src
    │   └── Set-ThreadToken.ps1
├── Sample 3
    ├── Sample 3.json
    └── src
    │   └── Source.cpp
├── Sample 4
    ├── Sample 4.json
    └── src
    │   └── Source.cpp
├── Sample 5
    ├── Sample 5.json
    └── src
    │   └── Source.cpp
├── Sample 6
    ├── Sample 6.json
    └── src
    │   └── Source.cpp
└── arrows
    ├── functionchains.json
    └── operationchains.json


/LICENSE:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/LICENSE


--------------------------------------------------------------------------------
/Labs/extra/binaries/KernelBase.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/extra/binaries/KernelBase.dll


--------------------------------------------------------------------------------
/Labs/extra/binaries/kernel32.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/extra/binaries/kernel32.dll


--------------------------------------------------------------------------------
/Labs/extra/binaries/ntdll.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/extra/binaries/ntdll.dll


--------------------------------------------------------------------------------
/Labs/extra/extra.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/extra/extra.md


--------------------------------------------------------------------------------
/Labs/extra/images/APISets.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/extra/images/APISets.PNG


--------------------------------------------------------------------------------
/Labs/extra/images/FunctionGraph.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/extra/images/FunctionGraph.png


--------------------------------------------------------------------------------
/Labs/extra/images/NtObjectManager.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/extra/images/NtObjectManager.PNG


--------------------------------------------------------------------------------
/Labs/extra/images/OpenProcess.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/extra/images/OpenProcess.PNG


--------------------------------------------------------------------------------
/Labs/extra/images/imports_OpenProcess.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/extra/images/imports_OpenProcess.PNG


--------------------------------------------------------------------------------
/Labs/extra/images/kernel32_OpenProcess.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/extra/images/kernel32_OpenProcess.PNG


--------------------------------------------------------------------------------
/Labs/extra/images/kernelbase_OpenProcess.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/extra/images/kernelbase_OpenProcess.PNG


--------------------------------------------------------------------------------
/Labs/extra/images/kernelbase_analyze_openprocess.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/extra/images/kernelbase_analyze_openprocess.PNG


--------------------------------------------------------------------------------
/Labs/extra/images/kernelbase_ntopenprocess.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/extra/images/kernelbase_ntopenprocess.PNG


--------------------------------------------------------------------------------
/Labs/extra/images/ntdll_NtOpenProcess.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/extra/images/ntdll_NtOpenProcess.PNG


--------------------------------------------------------------------------------
/Labs/extra/images/ntdll_NtOpenProcessSyscall.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/extra/images/ntdll_NtOpenProcessSyscall.PNG


--------------------------------------------------------------------------------
/Labs/lab1/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab1/README.md


--------------------------------------------------------------------------------
/Labs/lab1/images/CloseHandle.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab1/images/CloseHandle.png


--------------------------------------------------------------------------------
/Labs/lab1/images/GetUserNameW.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab1/images/GetUserNameW.png


--------------------------------------------------------------------------------
/Labs/lab1/images/ImpersonateLoggedOnUser-FunctionFlow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab1/images/ImpersonateLoggedOnUser-FunctionFlow.png


--------------------------------------------------------------------------------
/Labs/lab1/images/ImpersonateLoggedOnUser.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab1/images/ImpersonateLoggedOnUser.png


--------------------------------------------------------------------------------
/Labs/lab1/images/OpenProcess.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab1/images/OpenProcess.png


--------------------------------------------------------------------------------
/Labs/lab1/images/OpenProcessToken.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab1/images/OpenProcessToken.png


--------------------------------------------------------------------------------
/Labs/lab2/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab2/README.md


--------------------------------------------------------------------------------
/Labs/lab2/binaries/KernelBase.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab2/binaries/KernelBase.dll


--------------------------------------------------------------------------------
/Labs/lab2/binaries/kernel32.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab2/binaries/kernel32.dll


--------------------------------------------------------------------------------
/Labs/lab2/binaries/ntdll.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab2/binaries/ntdll.dll


--------------------------------------------------------------------------------
/Labs/lab2/images/APISets.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab2/images/APISets.PNG


--------------------------------------------------------------------------------
/Labs/lab2/images/NtObjectManager.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab2/images/NtObjectManager.PNG


--------------------------------------------------------------------------------
/Labs/lab2/images/SetThreadToken.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab2/images/SetThreadToken.png


--------------------------------------------------------------------------------
/Labs/lab2/images/SetThreadTokenCallStack.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab2/images/SetThreadTokenCallStack.png


--------------------------------------------------------------------------------
/Labs/lab2/images/SetThreadTokenFunctionView.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab2/images/SetThreadTokenFunctionView.png


--------------------------------------------------------------------------------
/Labs/lab2/images/SetThreadTokenStub.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab2/images/SetThreadTokenStub.png


--------------------------------------------------------------------------------
/Labs/lab2/images/kernelbase_NtSetInformationThread.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab2/images/kernelbase_NtSetInformationThread.png


--------------------------------------------------------------------------------
/Labs/lab2/images/kernelbase_SetThreadToken.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab2/images/kernelbase_SetThreadToken.png


--------------------------------------------------------------------------------
/Labs/lab2/images/kernelbase_analyze_setthreadtoken.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab2/images/kernelbase_analyze_setthreadtoken.png


--------------------------------------------------------------------------------
/Labs/lab2/images/ntdll_NtSetInformationThread.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab2/images/ntdll_NtSetInformationThread.png


--------------------------------------------------------------------------------
/Labs/lab2/images/ntdll_NtSetInformationThreadSyscall.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab2/images/ntdll_NtSetInformationThreadSyscall.png


--------------------------------------------------------------------------------
/Labs/lab3/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab3/README.md


--------------------------------------------------------------------------------
/Labs/lab3/binaries/KernelBase.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab3/binaries/KernelBase.dll


--------------------------------------------------------------------------------
/Labs/lab3/binaries/advapi32.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab3/binaries/advapi32.dll


--------------------------------------------------------------------------------
/Labs/lab3/binaries/ntdll.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab3/binaries/ntdll.dll


--------------------------------------------------------------------------------
/Labs/lab3/images/FunctionGraph.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab3/images/FunctionGraph.png


--------------------------------------------------------------------------------
/Labs/lab3/images/ImpersonateLoggedOnUserStub.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab3/images/ImpersonateLoggedOnUserStub.png


--------------------------------------------------------------------------------
/Labs/lab3/images/NtDuplicateToken.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab3/images/NtDuplicateToken.png


--------------------------------------------------------------------------------
/Labs/lab3/images/NtQueryInformationToken.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab3/images/NtQueryInformationToken.png


--------------------------------------------------------------------------------
/Labs/lab3/images/NtSetInformationThread.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab3/images/NtSetInformationThread.png


--------------------------------------------------------------------------------
/Labs/lab3/images/advapi32-apiset.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab3/images/advapi32-apiset.PNG


--------------------------------------------------------------------------------
/Labs/lab3/images/advapi32-imports.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab3/images/advapi32-imports.png


--------------------------------------------------------------------------------
/Labs/lab3/images/advapi32.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab3/images/advapi32.png


--------------------------------------------------------------------------------
/Labs/lab3/images/kernelbase_ImpersonateLoggedOnUser.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab3/images/kernelbase_ImpersonateLoggedOnUser.PNG


--------------------------------------------------------------------------------
/Labs/lab3/images/kernelbase_ImpersonateLoggedOnUser_decompliation.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab3/images/kernelbase_ImpersonateLoggedOnUser_decompliation.PNG


--------------------------------------------------------------------------------
/Labs/lab4/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab4/README.md


--------------------------------------------------------------------------------
/Labs/lab4/images/ImpersonateLoggedOnUser-Operations.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab4/images/ImpersonateLoggedOnUser-Operations.png


--------------------------------------------------------------------------------
/Labs/lab5/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Labs/lab5/README.md


--------------------------------------------------------------------------------
/Presentation.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Presentation.pdf


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/README.md


--------------------------------------------------------------------------------
/Sample 1/Sample 1.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Sample 1/Sample 1.json


--------------------------------------------------------------------------------
/Sample 1/src/Source.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Sample 1/src/Source.cpp


--------------------------------------------------------------------------------
/Sample 2/Sample 2.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Sample 2/Sample 2.json


--------------------------------------------------------------------------------
/Sample 2/src/Set-ThreadToken.ps1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Sample 2/src/Set-ThreadToken.ps1


--------------------------------------------------------------------------------
/Sample 3/Sample 3.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Sample 3/Sample 3.json


--------------------------------------------------------------------------------
/Sample 3/src/Source.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Sample 3/src/Source.cpp


--------------------------------------------------------------------------------
/Sample 4/Sample 4.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Sample 4/Sample 4.json


--------------------------------------------------------------------------------
/Sample 4/src/Source.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Sample 4/src/Source.cpp


--------------------------------------------------------------------------------
/Sample 5/Sample 5.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Sample 5/Sample 5.json


--------------------------------------------------------------------------------
/Sample 5/src/Source.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Sample 5/src/Source.cpp


--------------------------------------------------------------------------------
/Sample 6/Sample 6.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Sample 6/Sample 6.json


--------------------------------------------------------------------------------
/Sample 6/src/Source.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/Sample 6/src/Source.cpp


--------------------------------------------------------------------------------
/arrows/functionchains.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/arrows/functionchains.json


--------------------------------------------------------------------------------
/arrows/operationchains.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jaredcatkinson/MalwareMorphology/HEAD/arrows/operationchains.json


--------------------------------------------------------------------------------