# About
This document is a list of resources and other material that aid in malware analysis, malware development and exploit development; it will be updated frequently\
Feel free to contribute resources

# Courses

## Paid courses/certificates
- OSED
- eCXD
- SLAE x86
- OSEE
- eCMAP
- Sektor 7 Red Team Operator
- Zero2Automated: Ultimate Malware Reverse Engineering
- CREST Certified Malware Reverse Engineer
- SANS FOR610
- SANS FOR500
- FireEye Malware Analysis Master Course
- RingZerø: Windows Kernel Rootkits: Techniques and Analysis
- RingZerø: Windows Internals for Reverse Engineers
- CodeMachine: Windows Kernel Rootkits

## Free courses
[Offensive Software Exploitation by Ali Hadi](https://exploitation.ashemery.com/)
> Course taught at Champlain College by Ali Hadi\
> Topics:
- PE format
- Bug hunting and fuzzing
- Vanilla BoF
- ROP
- Egghunters
- x64 and x86 assembly
- Reverse engineering

[Malwareunicorn RE101 and 102](https://m.youtube.com/channel/UCnpn999NpDMMPxZXW8sgZLA)
> Great introduction to malware analysis and RE\
> Covers setting up your environment, and basic static / dynamic analysis

[hasherezade Windows malware analysis vol 1](https://github.com/hasherezade/malware_training_vol1)
> Focus on Windows malware and internals specifically.\
> Includes intermediate topics, such as hooking, UAC bypass, persistence, and much more\
> Requires some knowledge beforehand\
> Includes exercises and slides

[dostackbufferoverflowgood](https://github.com/justinsteven/dostackbufferoverflowgood)
> This course is my go-to for anyone new to exploit dev; it is dead simple, and will teach anyone basic buffer overflows in a couple of hours\
> It goes from teaching basic assembly, to finding a vulnerable function, fuzzing it, and performing a basic buffer overflow to obtain remote RCE

[RPI modern binary exploitation](http://security.cs.rpi.edu/courses/binexp-spring2015/)
> Modern binary exploitation\
> Topics:
- ASLR
- DEP
- ROP
- Heap exploitation
- Stack cookies
- Basic kernel exploitation
- Reverse engineering
- Shellcoding

[CS6038/CS5138 introduction to malware analysis and reverse engineering](https://class.malware.re/)
> Introduction to malware analysis and reverse engineering\
> Topics cover a wide range of malware analysis subjects; a few samples:
- Android static analysis
- Java malware
- Ghidra reverse engineering
- Debugging
- Building malware
- YARA
- Malicious PDF analysis
- Assembly language crash course
- VirtualBox setup

[Intro to x86 32 bit Assembly](http://opensecuritytraining.info/IntroX86.html)
> Introduction to x86 32 bit Assembly; covers everything needed to get started with x86 Assembly
- Includes exercises
- Includes YouTube videos and PowerPoint slides

[Intro to x86 64 bit Assembly](http://opensecuritytraining.info/IntroX86-64.html)
> Same as the 32 bit course; assumes 32 bit knowledge

[Intro to Linux binary exploitation](https://github.com/r0hi7/BinExp)
> Covers Linux binary exploitation from basic assembly to heap exploitation

[Nightmare: Binary exploitation and reverse engineering course](https://guyinatuxedo.github.io/index.html)
> Binary exploitation course using CTFs as examples

[Max Kersten Zero to hero binary analysis course](https://maxkersten.nl/binary-analysis-course/)
> Assumes little to no low level knowledge\
> Requires basic understanding of programming\
> Content:
> - Assembly basics
> - Malware analysis
> - Script analysis
> - Sample collection

[Buffer overflow practice](https://github.com/freddiebarrsmith/Buffer-Overflow-Exploit-Development-Practice)
> Various applications to practice buffer overflows on.\
> Includes exploit code.

[OpenSecurityTraining introduction to Reverse Engineering](https://opensecuritytraining.info/IntroductionToReverseEngineering.html)
> Covers the basics and use cases of RE\
> Goes over IDA and debugger usage\
> Helps you identify control flows and Win32 API code\
> Older course, but worth the time

[Intermediate Linux Exploitation](https://github.com/nnamon/linux-exploitation-course)
> Assumes prior knowledge of x86-64 assembly and familiarity with C and Python.\
> Assumes you are comfortable with basic binary exploits, like a vanilla buffer overflow.

# Books
- Windows Internals 7th edition, part 1 and 2
- Practical Malware Analysis
- Windows Kernel Programming by Pavel Yosifovich
- Malware Analyst's Cookbook
- The Shellcoder's Handbook
- Rootkits: Subverting the Windows Kernel
- Rootkits and Bootkits
- A Guide to Kernel Exploitation
- Windows 10 System Programming, Part 1 (Pavel Yosifovich)
- Windows 10 System Programming, Part 2 (Pavel Yosifovich)
- The IDA Pro Book
- The Ghidra Book
- Sandworm by Andy Greenberg
- C++ Primer 5th edition
- The Art of Assembly Language 2nd edition
- The Antivirus Hacker's Handbook
- The Art of Memory Forensics
- Inside Windows Debugging
- Practical Reverse Engineering

## Free books
- [x86-64 deep dive with Ed Jorgensen](http://www.egr.unlv.edu/~ed/assembly64.pdf)

# Blogs
[Corelan exploit dev](https://www.corelan.be/index.php/articles/)
> Must read!!

[Fuzzysecurity exploit dev](https://www.fuzzysecurity.com/tutorials.html)
> Their Windows exploitation series is gold

[Vitali Kremez blog](https://www.vkremez.com/)
> Lots of awesome malware related content

[repnz](https://repnz.github.io/)
> Content on Windows internals and malware reversing

[Connor McGarr](https://connormcgarr.github.io/)
> Lots of content about exploit development

[Google Project Zero](https://googleprojectzero.blogspot.com/)

[Shameless self plug - Logicbug](https://logicbug-io.github.io/)
> My own blog, mainly content about malware dev

[Redbluepurple.io](https://blog.redbluepurple.io/)
> Blog with a couple of posts about EDR, Windows internals and malware analysis

[Malware Traffic Analysis](https://malware-traffic-analysis.net/2021/index.html)

# Talks
[Kernel Mode Threats and Practical Defenses](https://www.youtube.com/watch?v=BBJgKuXzfwc)\
[Morten Schenk - Taking Windows 10 Kernel Exploitation to the next level](https://youtu.be/33Jr1wkaCmQ)\
[The Life & Death of Kernel Object Abuse](https://youtu.be/_u7d9kLdi0c)\
[Alex Ionescu - Advancing the State of UEFI Bootkits](https://www.youtube.com/watch?v=dpG97TBR3Ys)\
[BlueHat v18 || Return of the kernel rootkit malware (on Windows 10)](https://youtu.be/qVIxFfXpyNc)\
[Black Hat Windows 2004 - DKOM (Direct Kernel Object Manipulation)](https://www.youtube.com/watch?v=1Ie20b5IGgY)\
[Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator](https://www.youtube.com/watch?v=LvW68czaEGs)\
[Hackingz Ze Komputerz - Exploiting CAPCOM.SYS - Part 1](https://www.youtube.com/watch?v=pJZjWXxUEl4)\
[Hackingz Ze Komputerz - Exploiting CAPCOM.SYS - Part 2](https://www.youtube.com/watch?v=UGWqq5kTiso)\
[W32.Duqu: The Precursor to the Next Stuxnet](https://www.youtube.com/watch?v=SbkXffokmPE)

# YouTube channels

[KindredSec](https://www.youtube.com/channel/UCwTH3RkRCIE35RJ16Nh8V8Q)
> Malware and reverse engineering

[OALabs](https://www.youtube.com/channel/UC--DwaiMV-jtO-6EvmKOnqg)
> Great reverse engineering content

[Josh Stroschein intro to Assembly](https://www.youtube.com/playlist?list=PLHJns8WZXCdvESvdr1BRjo4RHiR1Ylhw9)
> Intro to Assembly

[AGDC Services](https://m.youtube.com/channel/UCnpn999NpDMMPxZXW8sgZLA)
> High quality content with a lot of potential

# Whitepapers/articles/posts
[Reverse engineering Cisco ASA for EXTRABACON offsets](https://zerosum0x0.blogspot.com/2016/09/reverse-engineering-cisco-asa-for.html)\
[DoublePulsar SMB backdoor analysis](https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html)\
[Kaspersky Shamoon and StoneDrill Report](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf)\
[ESET Turla Outlook backdoor report](https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf)\
[Introduction to Format String exploits](https://codearcana.com/posts/2013/05/02/introduction-to-format-string-exploits.html)\
[Writing a custom encoder](https://smarinovic.github.io/posts/Custom-Encoder/)\
[MinaliC 2.0.0 buffer overflow](https://smarinovic.github.io/posts/MinaliC-webserver-BoF/)\
[BigAnt server 2.52 buffer overflow](https://smarinovic.github.io/posts/BigAnt-server-BoF/)\
[Anatomy of an exploit – inside CVE-2013-3893](https://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/)\
[Understanding type confusion vulnerabilities](https://www.microsoft.com/security/blog/2015/06/17/understanding-type-confusion-vulnerabilities-cve-2015-0336/)\
[Engineering antivirus evasion](https://blog.scrt.ch/2020/06/19/engineering-antivirus-evasion/)\
[Deep dive into iOS exploit chain](https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html?m=1)\
[Writing iOS kernel exploits](https://secfault-security.com/blog/chain3.html)\
[Analysis of cyber attack on Ukrainian power grid](https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf)\
[Analysis of ProjectSauron APT](https://securelist.com/faq-the-projectsauron-apt/75533/)\
[SWEED: Exposing years of Agent Tesla campaigns](https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html?m=1)\
[WastedLocker analysis](https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/)\
[OilRig novel steganography C2](https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/)\
[FritzFrog analysis](https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/)\
[Rotten Apples: Apple-like domains phishing](https://www.fireeye.com/blog/threat-research/2016/06/rotten_apples_apple.html)\
[Will it blend? This is the Question, new Macro based Evasions spotted](https://www.joesecurity.org/blog/4978232240698722172)\
[Lazarus shellcode execution](https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method)\
[In-depth analysis of Raccoon stealer](https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html)\
[Detailed analysis of Zloader](https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf)\
[Interview with LockBit ransomware operator](https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf)\
[BendyBear shellcode malware](https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/)\
[Emotet C2 case study](https://unit42.paloaltonetworks.com/emotet-command-and-control/)\
[WeSteal analysis](https://unit42.paloaltonetworks.com/westeal/)\
[A Basic Windows DKOM Rootkit](https://blog.landhb.dev/posts/v9eRa/a-basic-windows-dkom-rootkit-pt-1/)\
[Loading Kernel Shellcode](https://www.fireeye.com/blog/threat-research/2018/04/loading-kernel-shellcode.html)\
[Windows Kernel Shellcode on Windows 10 – Part 1](https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-1)\
[Windows Kernel Shellcode on Windows 10 – Part 2](https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-2)\
[Windows Kernel Shellcode on Windows 10 – Part 3](https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-3)\
[Panic! At The Kernel - Token Stealing Payloads Revisited on Windows 10 x64 and Bypassing SMEP](https://connormcgarr.github.io/x64-Kernel-Shellcode-Revisited-and-SMEP-Bypass/)\
[Introduction to Shellcode Development](https://owasp.org/www-pdf-archive/Introduction_to_shellcode_development.pdf)\
[Autochk Rootkit Analysis](https://repnz.github.io/posts/autochk-rootkit-analysis/)\
[Pierogi backdoor](https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor?utm_content=116986912&utm_medium=social&utm_source=twitter&hss_channel=tw-835463838)\
[New Cyber Espionage Campaigns Targeting Palestinians - Part 1: The Spark Campaign](https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one)\
[Pay2Kitten](https://vx-underground.org/archive/APTs/2020/2020.12.17(1)/Pay2Kitten.pdf)\
[STEELCORGI](https://vx-underground.org/archive/APTs/2021/2021.01.12(2)/STEEL%20CORGI.pdf)\
[Lebanese Cedar APT](https://vx-underground.org/archive/APTs/2021/2021.01.28/Lebanese%20Cedar%20APT.pdf)\
[LazyScripter](https://vx-underground.org/archive/APTs/2021/2021.02.24(1)/LazyScripter.pdf)\
[Maze deobfuscation](https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/)\
[DarkSide overview](https://unit42.paloaltonetworks.com/darkside-ransomware/)\
[SUNBURST backdoor - FireEye analysis](https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html)\
[Code obfuscation techniques](https://chris124567.github.io/2021-06-23-survey-obfuscation/)\
[SideCopy APT tooling](https://talosintelligence.com/resources/257)\
[Hiding in PEB sight: Custom loader](https://blog.christophetd.fr/hiding-windows-api-imports-with-a-customer-loader/)\
[Zloader: New infection technique](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/)\
[This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html)\
[FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines](https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/)\
[Rolf Rolles: Statically unpacking / analyzing FinFisher VM part 1](https://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation)\
[Rolf Rolles: Statically unpacking / analyzing FinFisher VM part 2](https://www.msreverseengineering.com/blog/2018/1/31/finspy-vm-part-2-vm-analysis-and-bytecode-disassembly)\
[Rolf Rolles: Statically unpacking / analyzing FinFisher VM part 3](https://www.msreverseengineering.com/blog/2018/2/21/finspy-vm-unpacking-tutorial-part-3-devirtualization)\
[Operation SpoofedScholars: A Conversation with TA453](https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453)\
[Hooking Candiru - Another spyware vendor comes into focus](https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/)\
[A tale of EDR bypass methods](https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/)

# Not really courses, not really articles
[Heap exploitation free "book"](https://heap-exploitation.dhavalkapil.com/)

# Practice
[Phoenix, successor to Protostar](https://exploit.education/phoenix/)
> Covers various topics, including:
> - Network programming
> - Stack overflows
> - Heap overflows
> - Format string exploits

[ROP practice](https://ropemporium.com/)

[HEVD vulnerable driver](https://github.com/hacksysteam/HackSysExtremeVulnerableDriver)
> A deliberately vulnerable driver with various exploits to practice on

[Network traffic of malware to analyze](https://malware-traffic-analysis.net/training-exercises.html)

# Resources/tools
[NTAPI undocumented functions](https://undocumented.ntinternals.net)\
[x86/x64 Windows syscall table](https://j00ru.vexillium.org/syscalls/nt/64/)\
[Malware Windows API cheatsheet](https://cerbersec.com/malware-cheatsheet.html)\
[Malware evasion / protection techniques](http://unprotect.tdgt.org/index.php/Unprotect_Project)\
[Malware analysis awesome list](https://project-awesome.org/rshipp/awesome-malware-analysis)\
[Linux rootkits awesome list](https://github.com/milabs/awesome-linux-rootkits)\
[Common evasion techniques used by malware](https://evasions.checkpoint.com/)\
[Common anti-debugging techniques used by malware](https://anti-debug.checkpoint.com/)\
[Win32 Programming C++ notes](https://caiorss.github.io/C-Cpp-Notes/WindowsAPI-cpp.html)\
[APT mindmap](https://embed.kumu.io/0b023bf1a971ba32510e86e8f1a38c38#apt-index)

# Forums
- https://vx-underground.org/
- https://greysec.net/
- https://0x00sec.org/

# Sample sharing
- [MWDB CERT PL](https://mwdb.cert.pl)
- [Malware Bazaar](https://bazaar.abuse.ch/browse/)
- [VX Underground](https://vx-underground.org/samples.html)
- [URLhaus](https://urlhaus.abuse.ch/browse/)
- [VirusBay](https://www.virusbay.io/)
- [MalShare](https://www.malshare.com/)