# Introduction

This repo serves as a list of resources for malware development.
Note: I am just a learner; I'm sharing what I have, some resources can be stupid, you can help me by adding things.

# Essentials

I would say having some experience with C and assembly is going to be good.
Some resources for C and assembly:

- [C for Everyone: Programming Fundamentals](https://www.coursera.org/learn/c-for-everyone)
- [learn-c](https://www.learn-c.org/)
- [C cheatsheet](https://learnxinyminutes.com/docs/c/)
- [Architecture 1001: x86-64 Assembly](https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Arch1001_x86-64_Asm+2021_v1/about)
- [x86 Assembly](https://opensecuritytraining.info/IntroX86.html)

# Blogs

[Vitali Kremez blog](https://www.vkremez.com/)
> Lots of malware-related content.

[0xPat blog](https://0xpat.github.io/)
> Has an amazing malware development series; I would recommend taking a look.

[zerosum0x0 blog](https://zerosum0x0.blogspot.com/)
> Some good posts.

[Guitmz blog](https://www.guitmz.com/)
> Dope maldev content.

[TheXcellerator](https://xcellerator.github.io/)
> Amazing LKM rootkit series and maldev posts.

---

# Talks

[Horse Pill: A New Type of Linux Rootkit](https://www.youtube.com/watch?v=wyRRbow4-bc)\
[Not a talk, but a good LKM rootkit series](https://www.youtube.com/playlist?list=PLrdeBRwgL0TrjHL0iHqRJD8Pz9t9FECHy)\
[Good talk on Creating and Countering the Next Generation of Linux Rootkits](https://www.youtube.com/watch?v=g6SKWT7sROQ)\
[Kernel Mode Threats and Practical Defenses](https://www.youtube.com/watch?v=BBJgKuXzfwc)\
[Alex Ionescu - Advancing the State of UEFI Bootkits](https://www.youtube.com/watch?v=dpG97TBR3Ys)\
[BlueHat v18 || Return of the kernel rootkit malware (on Windows 10)](https://youtu.be/qVIxFfXpyNc)

---

# YouTube channels

[AGDC Services](https://m.youtube.com/channel/UCnpn999NpDMMPxZXW8sgZLA)
> HQ malware content.

[TheSphinx](https://www.youtube.com/c/TheSphinx/)
> Has an amazing series on writing your RAT from scratch.

[Joey Abrams](https://www.youtube.com/channel/UCIjKM-9G9r2Og2E080Wfbvw)
> Amazing malware stuff; has a good code injection series and Linux content.

[w3w3w3](https://www.youtube.com/c/w3w3w3)
> Has a good LKM rootkit series.

# Courses

There are some courses I would love to recommend.

[RED TEAM Operator: Malware Development Essentials course | Sektor7](https://www.sektor7.net/institute/RTO-MalDev)
> This course will teach you how to become a better ethical hacker, pentester and red teamer by learning malware development. It covers developing droppers, trojans and payload/DLL injectors using some basic C and Intel assembly skills.

[RED TEAM Operator: Malware Development Intermediate course](https://www.sektor7.net/institute/RTO-MalDev2)
> Advanced malware development techniques in Windows, including: API hooking, 32-/64-bit migrations, reflective binaries and more.

[RingZerø: Windows Kernel Rootkits: Techniques and Analysis](https://ringzer0.training/2019/windows-kernel-rootkits.html)
> Key learnings:
> - Machine architecture for kernel programmers
> - Virtual memory management
> - Interrupts and exceptions
> - CPU security features
> - Windows kernel architecture
> - Kernel components (Ps, Io, Mm, Ob, Se, Cm, etc.)
> - System mechanisms
> - Debugging with WinDbg
> - Rootkit techniques
> - Driver development

[CodeMachine: Windows Kernel Rootkits](https://www.codemachine.com/trainings/kerrkt.html)
> Topics:
> - Kernel Attacks
> - Kernel Shellcoding
> - Kernel Hooking and Injection
> - Kernel Callbacks
> - Kernel Filtering
> - Kernel Networking
> - Virtualization Based Security

---

# Books

- The Art of Computer Virus Research and Defense
- The Giant Black Book of Computer Viruses
- Designing BSD Rootkits: An Introduction to Kernel Hacking
- Rootkits and Bootkits
- The Antivirus Hackers' Handbook

## Free books

[Make your own first FUD crypter](https://www.docdroid.net/GrvkCtu/make-your-fud-crypter-pdf)

---

# Articles/posts

[Malware Development – Welcome to the Dark Side: Part 1](https://niiconsulting.com/checkmate/2018/02/malware-development-welcome-dark-side-part-1/)\
[Art of Malware](https://danusminimus.github.io/2020/03/04/The-Art-of-Malware.html)\
[Malware Development Part 1](https://0xpat.github.io/Malware_development_part_1/)\
[Basic Ransomware guide](https://0x00sec.org/t/basic-ransomware-guide/28345)\
[Understanding TRITON and the Missing Final Stage of the Attack (good read)](https://threatpost.com/understanding-triton-and-the-missing-final-stage-of-the-attack/134895/)\
[Master of RATs - How to create your own Tracker](https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848)\
[Amazing article to read with some good resources (Personal Tale and the Road to Malware Development, Resources)](https://0x00sec.org/t/personal-tale-and-the-road-to-malware-development-resources/20369)\
[PT_NOTE -> PT_LOAD x64 ELF virus written in Assembly](https://www.guitmz.com/linux-midrashim-elf-virus/)\
[The magic of LD_PRELOAD for Userland Rootkits (good read if you want to get into rootkits; this blog covers userland rootkits)](https://fluxius.handgrep.se/2011/10/31/the-magic-of-ld_preload-for-userland-rootkits/)\
[(Recommended read) If you want to create your first userland rootkit and you only know C, this blog is a good place to start with rootkit development](https://h0mbre.github.io/Learn-C-By-Creating-A-Rootkit/#)\
[Function Hooking Part I: Hooking Shared Library Function Calls in Linux](https://www.netspi.com/blog/technical/network-penetration-testing/function-hooking-part-i-hooking-shared-library-function-calls-in-linux/)\
[Inline Hooking for Programmers (Part 1: Introduction)](https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-1.html)\
[Inline Hooking for Programmers (Part 2: Writing a Hooking Engine)](https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-2.html)\
[PE injection for beginners](https://www.malwaretech.com/2013/11/portable-executable-injection-for.html)\
[Becoming-rat-your-system](https://devilinside.me/blogs/becoming-rat-your-system)\
[Complete guide on LKM hacking](http://www.ouah.org/LKM_HACKING.html)\
[Best series, I would say, if you want to get into programming/malware dev: a recommended series that starts with the programming you need to learn, then asm and related topics, and after that gets into maldev](https://0x00sec.org/t/programming-for-wannabes-part-i/1143)\
[Fileless malware](https://0x00sec.org/t/fileless-malware/26973)\
[Examining the Morris Worm Source Code](https://0x00sec.org/t/examining-the-morris-worm-source-code-malware-series-0x02/685)\
[IoT Malware](https://0x00sec.org/t/iot-malware-droppers-mirai-and-hajime/1966)\
[DoublePulsar SMB backdoor analysis](https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html)\
[ESET Turla Outlook backdoor report](https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf)\
[Writing a custom encoder](https://smarinovic.github.io/posts/Custom-Encoder/)\
[Engineering antivirus evasion](https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion/)\
[Analysis of Project Sauron APT](https://securelist.com/faq-the-projectsauron-apt/75533/)\
[WastedLocker analysis](https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/)\
[Lazarus shellcode execution](https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method)\
[Detailed analysis of Zloader](https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf)\
[BendyBear shellcode malware](https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/)\
[A Basic Windows DKOM Rootkit](https://blog.landhb.dev/posts/v9eRa/a-basic-windows-dkom-rootkit-pt-1/)\
[Loading Kernel Shellcode](https://www.fireeye.com/blog/threat-research/2018/04/loading-kernel-shellcode.html)\
[Windows Kernel Shellcode on Windows 10 – Part 1](https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-1)\
[Windows Kernel Shellcode on Windows 10 – Part 2](https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-2)\
[Windows Kernel Shellcode on Windows 10 – Part 3](https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-3)\
[Introduction to Shellcode Development](https://owasp.org/www-pdf-archive/Introduction_to_shellcode_development.pdf)\
[Autochk Rootkit Analysis](https://repnz.github.io/posts/autochk-rootkit-analysis/)\
[Pierogi backdoor](https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor?utm_content=116986912&utm_medium=social&utm_source=twitter&hss_channel=tw-835463838)\
[Pay2Kitten](https://samples.vx-underground.org/APTs/2020/2020.12.17(1)/Paper/Pay2Kitten.pdf)\
[STEELCORGI](https://samples.vx-underground.org/APTs/2021/2021.01.12(2)/Paper/STEEL%20CORGI.pdf)\
[Lebanese Cedar APT](https://samples.vx-underground.org/APTs/2021/2021.01.28/Paper/Lebanese%20Cedar%20APT.pdf)\
[LazyScripter](https://samples.vx-underground.org/APTs/2021/2021.02.24(1)/Paper/LazyScripter.pdf)\
[Maze deobfuscation](https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/)\
[Darkside overview](https://unit42.paloaltonetworks.com/darkside-ransomware/)\
[SunBurst backdoor - FireEye analysis](https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html)\
[Code obfuscation techniques](https://chris124567.github.io/2021-06-23-survey-obfuscation/)\
[SideCopy APT tooling](https://talosintelligence.com/resources/257)\
[Hiding in PEB sight: Custom loader](https://blog.christophetd.fr/hiding-windows-api-imports-with-a-customer-loader/)\
[Zloader: New infection technique](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/)\
[FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines](https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/)\
[A tale of EDR bypass methods](https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/)\
[In-depth dive into the security features of the Intel/Windows platform secure boot process](https://igor-blue.github.io/2021/02/04/secure-boot.html)\
[Process Injection Techniques](https://www.cynet.com/attack-techniques-hands-on/process-injection-techniques/)\
[Adventures with KernelCallbackTable Injection](https://captmeelo.com/redteam/maldev/2022/04/21/kernelcallbacktable-injection.html)\
[Useful Libraries for Malware Development](https://captmeelo.com//redteam/maldev/2022/02/16/libraries-for-maldev.html)\
[Parent Process ID (PPID) Spoofing](https://captmeelo.com/redteam/maldev/2021/11/22/picky-ppid-spoofing.html)\
[Mutants Sessions Self Deletion](https://github.com/Octoberfest7/Mutants_Sessions_Self-Deletion)\
[OffensiVe Security with V - Process Hollowing](https://alexfrancow.github.io/app-development/OffensiVe-Security-with-V-Hollowing/)\
[Looking for Remote Code Execution bugs in the Linux kernel](https://xairy.io/articles/syzkaller-external-network)\
[memory-analysis-evasion](https://lospi.net/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html)\
[100% evasion - Write a crypter in any language to bypass AV](https://netsec.expert/posts/write-a-crypter-in-any-language/)

---

# Forums

- https://0x00sec.org/
> One of the best malware development forums; it helped me a lot.

---

# Sample Sharing

- [vx-underground](https://vx-underground.org/samples.html)
- [MalShare](https://www.malshare.com/)
- [Malware Bazaar](https://bazaar.abuse.ch/browse/)

---

# Some interesting GitHub repos (miscellaneous)

[TL-TROJAN](https://github.com/threatland/TL-TROJAN)
> A collection of source code for various RATs, stealers, and other trojans.

[Linker_preloading_virus](https://github.com/elfmaster/linker_preloading_virus)
> An example of hijacking the dynamic linker with a custom interpreter that loads and executes modular viruses.

[Awesome-linux-rootkits](https://github.com/tkmru/awesome-linux-rootkits)
> A summary of Linux rootkits published on GitHub.

[Virii](https://github.com/guitmz/virii)
> Collection of ancient computer virus source codes.

[Flare-floss](https://github.com/mandiant/flare-floss)
> FLARE Obfuscated String Solver - automatically extract obfuscated strings from malware.

[Ebpfkit](https://github.com/Gui774ume/ebpfkit)
> Ebpfkit is a rootkit powered by eBPF.

[Al-Khaser](https://github.com/LordNoteworthy/al-khaser#al-khaser-v081)
> Public malware techniques used in the wild: virtual machine, emulation, debugger and sandbox detection.

[Evasions](https://github.com/CheckPointSW/Evasions)
> The Evasions encyclopedia gathers methods used by malware to evade detection when run in virtualized environments.

[loonix_syscall_hook](https://github.com/null0333/loonix_syscall_hook)
> System call hooking on arm64 Linux via a variety of methods.

[awesome-executable-packing](https://github.com/dhondta/awesome-executable-packing)
> A curated list of awesome resources related to executable packing.