RED TEAM Operator: Malware Development Essentials Course
Sektor7 Institute https://institute.sektor7.net/
Here are some of my notes from this course.
| Notes |
|---|
| PE file |
| PE Bear |
| loader |
| DOS header |
| DOS stub |
| PE header |
| DLL |
| Microsoft Windows |
| PE signature |
| Optional Header |
| Data Directories |
| Section Headers |
| .text section |
| .data section |
| .rsrc section |
| resources: icons, manifests, … |
| dumpbin.exe |
| hasherezade |
| IMAGE_DOS_HEADER structure |
| IMAGE_NT_HEADERS structure |
| winnt.h |
| IMAGE_FILE_HEADER structure |
| IMAGE_OPTIONAL_HEADER structure |
| IMAGE_DATA_DIRECTORY structure |
| imported DLL |
| imported function |
| digital certificate |
| compiler |
| main(), DllMain() |
| C |
| object file |
| lexical analysis |
| syntax analysis |
| semantic analysis |
| intermediate code generation |
| intermediate representation |
| optimization |
| code generation |
| linking |
| exe vs dll |
| MSVC compiler |
| dropper |
| storing payloads in .text, .data, .rsrc, … |
| reflective DLL |
| initialized local variable (.text) |
| shellcode |
| VirtualAlloc |
| RtlMoveMemory |
| VirtualProtect |
| CreateThread |
| NOP |
| INT3 |
| RET |
| WinAPI |
| return value |
| memcpy |
| VirtualProtect |
| global variable (.data) |
| C++ |
| rc.exe |
| cvtres.exe |
| storing payload in resources (.rsrc) |
| FindResource |
| LoadResource |
| LockResource |
| SizeofResource |
| .res file |
| .coff file/format |
| Common Object File |
| .rc extension |
| .res extension |
| Visual Studio |
| kernel32.dll |
| Obfuscation |
| why obfuscate? |
| difference between obfuscation, encoding, encryption |
| base64 |
| XOR |
| AES |
| certutil.exe |
| RFC 4648 |
| ASCII |
| URL |
| CryptBinaryToString, CryptStringToBinary |
| Cryptography API |
| symmetric key |
| Rijndael |
| CryptAcquireContextW, CryptHashData, CryptEncrypt, CryptDecrypt |
| Cryptography API: Next Generation (CNG) |
| BCryptOpenAlgorithmProvider, BCryptGenerateSymmetricKey, BCryptEncrypt |
| CryptCreateHash |
| CryptDeriveKey |
| Cryptographic Service Provider (CSP) |
| advapi32.dll |
| function call obfuscation |
| GetModuleHandle |
| GetProcAddress |
| Import Table (PE file) |
| strings.exe |
| backdooring PE files |
| trojan |
| malware |
| code cave |
| adding new sections to PE files |
| extending existing PE file sections |
| PUSHAD/POPAD |
| register |
| general-purpose register |
| stack |
| PUSHFD/POPFD |
| stack pointer |
| DWORD |
| EFLAGS |
| x64dbg |
| code injection |
| TOON rule: two is one, one is none |
| remote code injection: VirtualAllocEx, WriteProcessMemory, CreateRemoteThread |
| OpenProcess |
| PROCESSENTRY32 structure |
| tlhelp32.h |
| Tool Help library |
| tool help snapshot |
| SECURITY_ATTRIBUTES structure |
| SECURITY_DESCRIPTOR structure |
| SECURITY_DESCRIPTOR_CONTROL structure |
| CreateToolhelp32Snapshot |
| Process32First |
| Process32Next |
| DLL injection |
| DLL injection: locate LoadLibrary address in local process, open remote process, allocate remote process buffer for DLL path, write path to remote buffer, execute with CreateRemoteThread |
| thread |
| LoadLibrary/LoadLibraryA |
| console window problem w/ malware |
| FreeConsole |
| WinMain() |
| Windows Defender |
| Python |
| debugger |
| explorer.exe |
| CreateFile, ReadFile |
| file concatenation |