In the age of EDR, red team operators can't get away with using pre-compiled payloads anymore. As such, malware development is becoming a vital skill for any operator. Getting started with maldev may seem daunting, but it is actually very easy. This workshop will show you all you need to get started!
This repository contains the slides and accompanying exercises for the 'MalDev for Dummies' workshop that will be facilitated at Hack in Paris 2022 (additional conferences TBA). The exercises will remain available here to be completed at your own pace: the learning process should never be rushed! Issues and pull requests to this repo with questions and/or suggestions are welcome.
Disclaimer: Malware development is a skill that can -and should- be used for good, to further the field of (offensive) security and keep our defenses sharp. If you ever use this skillset to perform activities that you have no authorization for, you are a bigger dummy than this workshop is intended for and you should skedaddle on out of here.
Workshop Description
With antivirus (AV) and Endpoint Detection and Response (EDR) tooling becoming more mature by the minute, the red team is being forced to stay ahead of the curve. Gone are the times of execute-assembly and dropping unmodified payloads on disk: if you want your engagements to last longer than a week you will have to step up your payload creation and malware development game. Starting out in this field can be daunting, however, and finding the right resources is not always easy.
This workshop is aimed at beginners in the field and will guide you through your first steps as a malware developer. It is aimed primarily at offensive practitioners, but defensive practitioners are also very welcome to attend and broaden their skillset.
During the workshop we will go over some theory, after which we will set you up with a lab environment. There will be various exercises that you can complete depending on your current skillset and level of comfort with the subject. However, the aim of the workshop is to learn, and explicitly not to complete all the exercises. You are free to choose your preferred programming language for malware development, but support during the workshop is provided primarily for the C# and Nim programming languages.
During the workshop, we will discuss the key topics required to get started with building your own malware. This includes (but is not limited to):
- The Windows API
- Filetypes and execution methods
- Shellcode execution and injection
- AV and EDR evasion methods
Getting Began
To get started with malware development, you will need a dev machine so that you are not bothered by any defensive tooling that may run on your host machine. I prefer Windows for development, but Linux or MacOS will do just as fine. Install your IDE of choice (I use VS Code for almost everything except C#, for which I use Visual Studio), and then install the toolchains required for your MalDev language of choice:
- C#: Visual Studio will give you the option to include the .NET packages you will need to develop C#. If you want to develop without Visual Studio, you can download the .NET Framework separately.
- Nim lang: Follow the download instructions. Choosenim is a convenient utility that can be used to automate the installation process.
- Golang (not supported during workshop): Follow the download instructions.
- Rust (not supported during workshop): Rustup can be used to install Rust along with the required toolchains.
Don't forget to disable Windows Defender or add the appropriate exclusions, so your hard work doesn't get quarantined!
ℹ️ Note: Oftentimes, package managers such as apt or software management tools such as Chocolatey can be used to automate the installation and management of dependencies in a convenient and repeatable way. Be conscious, however, that versions in package managers are often behind the real thing! Below is an example Chocolatey command to install the mentioned tooling all at once.
choco install -y nim choosenim go rust vscode visualstudio2019community dotnetfx
Compiling programs
Both C# and Nim are compiled languages, meaning that a compiler is used to translate your source code into binary executables of your chosen format. The process of compilation differs per language.
C#
C# code (.cs files) can either be compiled directly (with the csc utility) or via Visual Studio itself. Most source code in this repo (except the solution to bonus exercise 3) can be compiled as follows.
ℹ️ Note: Make sure to run the below command in a "Visual Studio Developer Command Prompt" so it knows where to find csc; it is recommended to use the "x64 Native Tools Command Prompt" for your version of Visual Studio.
You can enable compile-time optimizations with the /optimize flag. You can hide the console window by adding /target:winexe as well, or compile as a DLL with /target:library (but make sure your code structure is suitable for this).
Nim
Nim code (.nim files) is compiled with the nim c command. The source code in this repo can be compiled as follows.
If you want to optimize your build for size and strip debug information (much better for opsec!), you can add the following flags.
nim c -d:release -d:strip --opt:size filename.nim
Optionally you can hide the console window by adding --app:gui as well.
Dependencies
Nim
Most Nim programs depend on a library called "Winim" to interface with the Windows API. You can install the library with the Nimble package manager as follows (after installing Nim):
Resources
The workshop slides reference some resources that you can use to get started. More resources are listed in the README.md files for every exercise!