VXadventure-amethystbasilisk2024


Broodsac: A VX Adventure in Build Systems and Oldschool Techniques

by Amethyst Basilisk

Phrack Magazine Issue 71 article 9

https://phrack.org/issues/71/9.html

This article explores the use of modular build systems (CMake, GNU make, MSVC projects) in malware development, using Broodsac, a PE executable infector, as the worked project, and revisits oldschool techniques such as code caves, PE entry redirection and TLS directory injection alongside Windows Defender signature evasion.

Remark
Broodsac
virus
payload
compiler
code maintainability
dopamine addiction
shellcode
NASM
one-liner
binary blob
C
C23 - large binary blobs
concatenation
encrypted shellcode
encryption
dynamic obfuscation
dark arts
project management
payload factory
matryoshka obfuscation
code portability
build system
GNU make
Windows
Visual Studio Projects
IDE
MSVC build system
autotools suite
black box
black magic
SmokeLoader
C++
CMake
PE files
executable infector
Rust
binary signing
infector, infection
shellcoding
C-then-asm shellcoding approach
compiler optimizer
demons lurk in your code
high ground
bugs
pain points
PE entry redirection
stealth malware
29a technique (reference: 29A #2: PE infection under Win32)
code cave
size considerations for Windows vs Linux shellcode
TLS directory injection
TLS directory
Thread Local Storage
initialization callback
TLS takes precedence over main()
attack surface
Program Files directory
AppData
Documents folder
home directory
unzip
recursion
Desktop pet project/eSheep
Volatility
Assembly language
static library
ASM file
hexadecimal
add_subdirectory()
add_executable()
target_link_libraries()
string encryption
virtual address
ASLR / /DYNAMICBASE
relocation directory
debugging
testing
threat actor
GetFileAttributes
URLDownloadToFileA
ShellExecuteA
CreateProcessA
NtCreateProcess
ntdll.dll
PowerShell
Zen garden
antivirus
Windows Defender
wacatac
AV signature
false positive
hard code
add_custom_command()
cmd.exe
random key
xor encryption
NASM include file
DefenderCheck
ThreatCheck
Network Realtime Inspection Service (NIS)
Hell’s Gate
EDR evasion
reverse engineering
NisSrv.exe
cross-platform
dc949
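The TLS directory, initialization callback and "TLS takes precedence over main()" items above refer to the fact that the Windows loader invokes every callback listed in the PE TLS directory's AddressOfCallBacks with DLL_PROCESS_ATTACH before control reaches the image entry point, so a callback injected into a host binary runs before the host's own main(). The program below is an added example, not code from the article (which injects the directory into an already-built PE rather than compiling one in): it shows the compiler-side version of the same mechanism on MSVC, where a pointer placed in the .CRT$XLB section ends up in the TLS directory the linker emits. The symbol names, the global flag and the #else branch are this example's own; the #else branch exists only so the file builds on non-MSVC toolchains and is a constructor, not a TLS callback.

```c
/* tls_first.c: a TLS callback that runs before main(). Added example; not the
 * article's infector code, which patches the TLS directory into an existing PE. */
#include <stdio.h>

static int g_tls_fired = 0;   /* set by the callback, read by main() */

/* Lets main() (and a test) confirm the callback ran before them. */
int tls_callback_fired(void) { return g_tls_fired; }

#ifdef _MSC_VER
#include <windows.h>
/* Keep the TLS directory (_tls_used) and our callback pointer alive even
 * though nothing references them; x86 symbols carry an extra underscore. */
#ifdef _WIN64
#pragma comment(linker, "/INCLUDE:_tls_used")
#pragma comment(linker, "/INCLUDE:tls_callback_entry")
#else
#pragma comment(linker, "/INCLUDE:__tls_used")
#pragma comment(linker, "/INCLUDE:_tls_callback_entry")
#endif

static void NTAPI tls_callback(PVOID module, DWORD reason, PVOID reserved)
{
    (void)module; (void)reserved;
    /* DLL_PROCESS_ATTACH fires once at process start, before the entry point;
     * DLL_THREAD_ATTACH fires again for every thread created later. */
    if (reason == DLL_PROCESS_ATTACH)
        g_tls_fired = 1;
}

/* .CRT$XLB sorts between the CRT's .CRT$XLA and .CRT$XLZ markers; every
 * pointer stored here becomes an AddressOfCallBacks entry. */
#pragma const_seg(".CRT$XLB")
EXTERN_C const PIMAGE_TLS_CALLBACK tls_callback_entry = tls_callback;
#pragma const_seg()
#else
/* Not a TLS callback: a constructor so the example also builds on gcc/clang. */
__attribute__((constructor)) static void not_a_tls_callback(void)
{
    g_tls_fired = 1;
}
#endif

int main(void)
{
    printf("main() entered; TLS callback already ran: %s\n",
           tls_callback_fired() ? "yes" : "no");
    return tls_callback_fired() ? 0 : 1;
}
```

On an MSVC build, confirm the result the way an infector would have to: the optional header's TLS data directory is non-zero and AddressOfCallBacks points at a non-empty, NULL-terminated list containing tls_callback. That is exactly the structure Broodsac-style injection has to create in a host that has no TLS directory yet, and the reason a debugger that breaks on the entry point never sees the callback run.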
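The add_custom_command(), random key, xor encryption and NASM include file items above describe the "payload factory" idea: instead of hard-coding an encrypted blob, a build step encrypts the shellcode with a key generated at build time and writes the result as an assembler include, so every rebuild produces different bytes for signature scanners to look at. The program below is an added example, not the article's own tooling; the NASM label names, the %define names and the CMake wiring in the header comment are assumptions, and the blob it encrypts is a constructed placeholder rather than a real payload.

```c
/* payload_factory.c: build-time payload factory. XOR-encrypts a shellcode blob
 * with a per-build random key and emits a NASM include that the decrypt stub
 * can %include. Added example; not the article's code. Assumed CMake wiring:
 *   add_custom_command(OUTPUT ${CMAKE_BINARY_DIR}/payload.inc
 *                      COMMAND payload_factory ${CMAKE_BINARY_DIR}/payload.inc
 *                      DEPENDS payload_factory) */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Constructed placeholder blob (x86-64 NOP sled + ret), not a real payload. */
static const uint8_t SAMPLE_SHELLCODE[] = { 0x90, 0x90, 0x90, 0x90, 0xC3 };

/* XOR in place with a repeating key. The same call decrypts. */
void xor_buffer(uint8_t *buf, size_t len, const uint8_t *key, size_t keylen)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % keylen];
}

/* Obfuscation key, not a cryptographic one: rand() seeded per build is enough
 * to change the bytes a scanner sees on every rebuild. Zero bytes are rejected
 * so every payload byte is actually transformed. */
void make_random_key(uint8_t *key, size_t keylen, unsigned seed)
{
    srand(seed);
    for (size_t i = 0; i < keylen; i++) {
        do { key[i] = (uint8_t)(rand() & 0xFF); } while (key[i] == 0);
    }
}

/* Append "label:" and db lines of 16 bytes at *pos. Returns 0, or -1 when dst
 * (cap bytes) cannot hold the text. */
static int emit_db(char *dst, size_t cap, size_t *pos, const char *label,
                   const uint8_t *data, size_t len)
{
    int n = snprintf(dst + *pos, cap - *pos, "%s:", label);
    if (n < 0 || (size_t)n >= cap - *pos) return -1;
    *pos += (size_t)n;
    for (size_t i = 0; i < len; i++) {
        const char *sep = (i % 16 == 0) ? "\n    db " : ", ";
        n = snprintf(dst + *pos, cap - *pos, "%s0x%02X", sep, data[i]);
        if (n < 0 || (size_t)n >= cap - *pos) return -1;
        *pos += (size_t)n;
    }
    n = snprintf(dst + *pos, cap - *pos, "\n");
    if (n < 0 || (size_t)n >= cap - *pos) return -1;
    *pos += (size_t)n;
    return 0;
}

/* Encrypt sc with a fresh key and render the NASM include into dst.
 * Returns the text length, or -1 on bad sizes or an undersized dst. */
int build_payload_include(const uint8_t *sc, size_t sclen, size_t keylen,
                          unsigned seed, char *dst, size_t cap)
{
    uint8_t key[64], enc[4096];
    if (keylen == 0 || keylen > sizeof key || sclen > sizeof enc) return -1;
    make_random_key(key, keylen, seed);
    memcpy(enc, sc, sclen);
    xor_buffer(enc, sclen, key, keylen);

    int n = snprintf(dst, cap,
                     "; generated by payload_factory, do not edit\n"
                     "%%define PAYLOAD_KEY_LEN %zu\n%%define PAYLOAD_LEN %zu\n",
                     keylen, sclen);
    if (n < 0 || (size_t)n >= cap) return -1;
    size_t pos = (size_t)n;
    if (emit_db(dst, cap, &pos, "payload_key", key, keylen) < 0) return -1;
    if (emit_db(dst, cap, &pos, "payload_enc", enc, sclen) < 0) return -1;
    return (int)pos;
}

/* Usage: payload_factory [out.inc] [seed]. Defaults: stdout, time-based seed. */
int main(int argc, char **argv)
{
    unsigned seed = argc > 2 ? (unsigned)strtoul(argv[2], NULL, 0)
                             : (unsigned)time(NULL);
    char out[8192];
    int n = build_payload_include(SAMPLE_SHELLCODE, sizeof SAMPLE_SHELLCODE,
                                  8, seed, out, sizeof out);
    if (n < 0) { fputs("output buffer too small\n", stderr); return 1; }
    FILE *f = argc > 1 ? fopen(argv[1], "w") : stdout;
    if (!f) { perror(argv[1]); return 1; }
    fputs(out, f);
    if (f != stdout) fclose(f);
    return 0;
}
```

Two practical caveats. add_custom_command() only re-runs when one of its DEPENDS changes, so "random per build" really means random per rebuild of the output; touch or delete the generated include if a fresh key is wanted without other changes. And a repeating-XOR key hides a blob from static signatures only until the scanner emulates the decrypt stub, which is why the article pairs it with tools like DefenderCheck and ThreatCheck to find out which bytes are actually being flagged.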
References
40Hex #8: An Introduction to Nonoverwriting Virii, Part II: EXE Infectors https://amethyst.systems/zines/40hex8/40HEX-8.007.txt
29A #6: W32.Shrug, by roy g biv https://amethyst.systems/zines/29a6/29A-6.615.txt
29A #2: PE infection under Win32 https://amethyst.systems/zines/29a2/29A-2.3_1.txt
Adrianotiger/desktopPet (GitHub) https://github.com/Adrianotiger/desktopPet
commial/experiments, windows-defender/VDM (GitHub) https://github.com/commial/experiments/tree/master/windows-defender/VDM
matterpreter/DefenderCheck (GitHub) https://github.com/matterpreter/DefenderCheck
rasta-mouse/ThreatCheck (GitHub) https://github.com/rasta-mouse/ThreatCheck
Microsoft Tech Community: Enhancements to behavior monitoring and network inspection https://techcommunity.microsoft.com/t5/security-compliance-and-identity/enhancements-to-behavior-monitoring-and-network-inspection/ba-p/247706
Wikipedia: Leucochloridium paradoxum https://en.wikipedia.org/wiki/Leucochloridium_paradoxum
SentinelOne: Going Deep, A Guide to Reversing Smoke Loader Malware https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/
