Maldev-For-Dummies is a Workshop About Malware Development.
With antivirus (AV) and Endpoint Detection and Response (EDR) tooling becoming more mature by the minute, the red team is being forced to stay ahead of the curve. Gone are the times of execute-assembly and dropping unmodified payloads on disk: if you want your engagements to last longer than a week you will have to step up your payload creation and malware development game. Starting out in this field can be daunting, however, and finding the right resources is not always easy.
This workshop is aimed at beginners in the space and will guide you through your first steps as a malware developer. It is aimed primarily at offensive practitioners, but defensive practitioners are also very welcome to attend and broaden their skillset.
During the workshop we will go over some theory, after which we will set you up with a lab environment. There will be various exercises that you can complete depending on your current skillset and level of comfort with the subject. However, the aim of the workshop is to learn, and explicitly not to complete all the exercises. You are free to choose your preferred programming language for malware development, but support during the workshop is provided primarily for the C# and Nim programming languages.
During the workshop, we will discuss the key topics required to get started with building your own malware. This includes (but is not limited to):
To get started with malware development, you will need a dev machine so that you are not bothered by any defensive tooling that may run on your host machine. I prefer Windows for development, but Linux or macOS will do just fine. Install your IDE of choice (I use VS Code for almost everything except C#, for which I use Visual Studio), and then install the toolchains required for your MalDev language of choice:
Don’t forget to disable Windows Defender on the dev machine, or add the appropriate exclusions for your project and output folders, so your hard work doesn’t get quarantined!
ℹ Note: Oftentimes, package managers such as apt or software management tools such as Chocolatey can be used to automate the installation and management of dependencies in a convenient and repeatable way. Be conscious, however, that the versions in package managers often lag behind the upstream releases. Below is an example Chocolatey command to install the mentioned tooling all at once.
choco install -y nim choosenim go rust vscode visualstudio2019community dotnetfx
C#, Nim and Go are all compiled languages, meaning that a compiler is used to translate your source code into binary executables of your chosen format. The process of compilation differs per language.
C# code (.cs files) can either be compiled directly (with the csc utility) or via Visual Studio itself. Most source code in this repo (except the solution to bonus exercise 3) can be compiled as follows.
ℹ Note: Make sure you run the below command in a “Visual Studio Developer Command Prompt” so it knows where to find csc; the “x64 Native Tools Command Prompt” for your version of Visual Studio is recommended.
csc filename.cs /unsafe
The /unsafe flag is only needed when the code uses pointers or unsafe blocks. You can enable compile-time optimizations with the /optimize flag. You can hide the console window by adding /target:winexe as well, or compile as a DLL with /target:library (but make sure your code structure is suitable for this: a class library is loaded by a host process rather than started from a Main method).
Nim code (.nim files) is compiled with the nim c command. The source code in this repo can be compiled as follows.
nim c filename.nim
If you want to optimize your build for size and strip debug information (much better for opsec!), add the following flags.
nim c -d:release -d:strip --opt:size filename.nim
Optionally you can hide the console window by adding --app:gui as well.
Golang code (.go files) is compiled with the go build command. The source code in this repo can be compiled as follows (GOOS=windows cross-compiles a Windows binary from any host; add GOARCH=amd64 if your host is not 64-bit x86).
GOOS=windows go build
If you want to optimize your build for size and strip debug information (much better for opsec!), add the following linker flags (-s drops the symbol table, -w drops the DWARF debug data).
GOOS=windows go build -ldflags "-s -w"
The Go counterpart of hiding the console window is the -H windowsgui linker flag, for example -ldflags "-s -w -H windowsgui".
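Whichever language you pick, it pays to verify that the flags above did what you asked before a payload leaves the dev box. The script below is an added example for this README, not the workshop's own code: it reads only the PE headers of a compiled binary and reports whether it was linked as a console or GUI application (the /target:winexe, --app:gui and -H windowsgui question) and whether COFF symbols or .symtab/.debug* sections survived (the -d:strip and -s -w question). The parsing follows the PE/COFF layout and uses only the standard library; make_pe builds a header-only image purely as a constructed sample for offline testing, it is not a real compiled program.

```python
"""Inspect a compiled Windows payload's PE headers for two opsec properties:
does it get a console window (subsystem), and did the strip/optimise flags
actually remove COFF symbols and .symtab/.debug* sections?

Added example for this README; not the workshop's own code. Stdlib only."""
import struct
import sys

IMAGE_SUBSYSTEM_WINDOWS_GUI = 2   # no console window (/target:winexe, --app:gui, -H windowsgui)
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3   # console application
IMAGE_FILE_DEBUG_STRIPPED = 0x0200
COFF_SYMBOL_SIZE = 18
COFF_HEADER = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp,
                                  # PointerToSymbolTable, NumberOfSymbols,
                                  # SizeOfOptionalHeader, Characteristics


def _section_name(data, raw, ptr_symtab, nsyms):
    """Resolve a section name; names longer than 8 bytes are stored as '/offset'
    into the COFF string table, which sits right after the symbol table."""
    name = raw.rstrip(b"\0")
    if name.startswith(b"/") and ptr_symtab:
        off = ptr_symtab + COFF_SYMBOL_SIZE * nsyms + int(name[1:])
        name = data[off:data.index(b"\0", off)]
    return name.decode("ascii", "replace")


def inspect_pe(data):
    """Parse only the DOS stub, COFF header, optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, _ts, ptr_symtab, nsyms,
     opt_size, characteristics) = struct.unpack_from(COFF_HEADER, data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10b PE32, 0x20b PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    sec_table = opt + opt_size
    names = []
    for i in range(nsections):
        raw = struct.unpack_from("8s", data, sec_table + 40 * i)[0]
        names.append(_section_name(data, raw, ptr_symtab, nsyms))
    debug_sections = [n for n in names if n == ".symtab" or n.startswith(".debug")]
    return {
        "pe32plus": magic == 0x20B,
        "console": subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI,
        "subsystem": subsystem,
        "sections": names,
        "coff_symbols": nsyms,
        "debug_sections": debug_sections,
        "debug_stripped_flag": bool(characteristics & IMAGE_FILE_DEBUG_STRIPPED),
        "stripped": nsyms == 0 and not debug_sections,
    }


def make_pe(subsystem, section_names, nsyms=0, pe32plus=True):
    """Constructed header-only PE image for offline testing (no code, no real sections).
    Long section names go through a COFF string table, as real linkers emit them."""
    opt_size = 240 if pe32plus else 224
    hdr_end = 64 + 4 + 20 + opt_size + 40 * len(section_names)
    strtab, raw_names = b"", []
    for n in section_names:
        if len(n) > 8:
            raw_names.append(b"/%d" % (4 + len(strtab)))   # offset counts the 4-byte length
            strtab += n.encode() + b"\0"
        else:
            raw_names.append(n.encode())
    ptr_symtab = hdr_end if (nsyms or strtab) else 0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew at 0x3C -> 64
    coff = struct.pack(COFF_HEADER, 0x8664 if pe32plus else 0x14C, len(section_names),
                       0, ptr_symtab, nsyms, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    secs = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in raw_names)
    tail = b"\0" * (COFF_SYMBOL_SIZE * nsyms)                 # empty symbol records
    if ptr_symtab:
        tail += struct.pack("<I", 4 + len(strtab)) + strtab   # string table, length first
    return dos + b"PE\0\0" + coff + bytes(opt) + secs + tail


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        report = inspect_pe(f.read())
    for key, value in report.items():
        print(f"{key:20} {value}")
```

Run it as python inspect_pe.py payload.exe. A "stripped" verdict here only means the symbol table and debug sections are gone; toolchain strings such as source paths and build IDs can still survive in the image, so a pass over the binary with strings is still worth doing.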
Most Nim programs depend on a library called “Winim” to interface with the Windows API. You can install it with the Nimble package manager as follows (after installing Nim):
nimble install winim
Some dependencies are used in the Go source code of this repo. You can install them as follows (after installing Go), from the directory that contains the go.mod file:
go mod tidy
The workshop slides reference some resources that you can use to get started. Additional resources are listed in the README.md files for every exercise!