Wrote “C” code within Windows 10+ OS to leverage techniques used by threat actors within the Windows Ecosystem to compromise an endpoint. I attempted the following:
Windows Hooking: API hooking is a technique used to intercept and modify the behavior of an API function. API hooking involves replacing the original implementation of an API function with a custom version that performs some additional actions before or after calling the original function. This allows one to modify the behavior of a program without modifying its source code.
Via Windows API: Performing API hooking using WinAPIs. [62]
Via Detours Library: Performing API hooking using the Detours library. [59]
IAT Hiding & Obfuscation (GetProcAddress): The Import Address Table (IAT) contains information about a PE file, such as the functions it uses and the DLLs exporting them. Most EDRs and NGAVs use this information to signature and detect the binary. The test obfuscates the GetProcAddress WinAPI, which retrieves the address of an exported function from a specified module handle, so that its use can be hidden from the IAT if done correctly. [52]
Local DLL Injection: Loading a malicious DLL file in the local process. [26]
Local Thread Hijacking (Enum): Thread Execution Hijacking is a technique that can execute a payload without creating a new thread. This technique works by suspending the thread and updating the register that points to the next instruction in memory to point to the start of the payload. When the thread resumes execution, the payload is executed. [37]
PPID Spoofing: Parent Process ID (PPID) Spoofing is a technique used to alter the PPID of a process, effectively disguising the relationship between the child process and its true parent process. This can be accomplished by changing the PPID of the child process to a different value, making it appear that the process was spawned by a different legitimate Windows process rather than the true parent process. [47]
Function Stomping: Function stomping is a technique where the original function's bytes are replaced with new code, resulting in the function being replaced or no longer working as intended. Instead, the function executes different logic. To implement this, the address of a sacrificial function to be stomped is required, in either a local or a remote process. [45]
Suspended Process Unhooking: An alternative method to unhook ntdll.dll involves reading it from a suspended process. This works because EDRs require a running process to install their hooks. Therefore, a process created in a suspended state will contain a clean ntdll.dll image, allowing for the text section of the current process to be substituted with that of the suspended one. [86]