vx-underground - Windows

Analysis and Internals

2005-05-30 - Making WMI Queries In C
2011-01-25 - No Loitering - Exploiting Lingering Vulnerabilities in Default COM Objects
2014-12-03 - Hooking COM Objects - Intercepting Calls to COM Interfaces
2015-08-10 - Windows 10HH Symbolic Link Mitigations
2016-02-10 - The Definitive Guide on Win32 to NT Path Conversion
2017-10-03 - Windows 10 Parallel Loading Breakdown
2017-10-06 - An Introduction to Standard and Isolation Minifilters
2017-10-15 - Understanding API Set Resolution
2018-08-07 - Windows Exploitation Tricks Exploiting Arbitrary Object Directory Creation for Local Elevation of Pri
2018-08-19 - NTFS Alternate Streams What, When, and How To
2018-09-09 - Finding Interactive User COM Objects using PowerShell
2019-08-23 - How the Antimalware Scan Interface AMSI helps you defend against malware
2019-11-11 - Antimalware Scan Interface AMSI
2020-02-23 - A stealthier approach to spoofing process command line
2020-04-01 - Updating the Undocumented ESTROBJ and STROBJ Structures for Windows 10 x64
2020-04-24 - Windows DLL Hijacking Hopefully Clarified
2020-05-17 - APC Series User APC API
2020-06-03 - APC Series User APC Internals
2020-06-28 - APC Series KiUserApcDispatcher and Wow64
2020-07-10 - Fs Minifilter Hooking Part 1
2020-07-11 - Superfetch - Unknown Spy
2020-09-26 - Deep dive into user-mode Asynchronous Procedure Calls in Windows
2020-09-26 - Demystifying the SVCHOSTEXE Process and Its Command Line Options
2020-10-11 - From a C project through assembly to shellcode
2020-11-09 - WOW64Hooks WOW64 Subsystem Internals and Hooking Techniques
2021-01-12 - tagSOleTlsData and the COM concurrency model for the current thread
2022-01-04 - Exploring Token Members Part 1
2022-01-09 - Understanding Windows Structured Exception Handling Part 1 – The Basics
2022-01-12 - Red Canary - Antimalware Scan Interface (AMSI)
2022-01-16 - Notes on Windows MS-CXH and MS-CXH-FULL handlers
2022-01-16 - Understanding Windows Structured Exception Handling Part 2 – Digging Deeper
2022-01-22 - Understanding Windows Structured Exception Handling Part 3 – Under The Hood
2022-01-23 - Understanding Windows Structured Exception Handling Part 4 – Pseudo __try and __except
2022-02-16 - Exploring Token Members Part 2
2022-03-14 - Reversing Common Obfuscation Techniques
2022-05-05 - Studying Next Generation Malware - NightHawks Attempt At Obfuscate and Sleep
2022-06-08 - Inside Get-AuthenticodeSignature
2022-07-05 - WMI Internals Part 1 - Understanding the Basics
2022-07-26 - Understanding DISM - Servicing Stack Interaction
2022-08-02 - Inside Windows Defender System Guard Runtime Monitor
2022-08-05 - Exploring the Windows Search Application Cache
2022-09-05 - Inside the Windows Cache Manager
2022-09-16 - Dissecting Windows Section Objects
2022-09-28 - MS Help 2 Primer
2022-10-13 - Random Number Generation using IOCTL
2022-12-18 - Diving into Intel Killer bloatware part 1
2023-02-01 - Weird things I learned while writing an x86 emulator
2023-02-06 - Diving Deeper Into Pre-created Computer Accounts
2023-03-16 - Minimal Executables
2023-04-18 - Diving into Intel Killer bloatware part 2

Data Theft

2011-06-29 - Implementing keyloggers in Windows
2021-03-10 - Exfiltrating Data from Outlook Demonstration
2021-03-25 - Demonstrating Keylogging Using NtUserGetRawInputDataKeylogger
2021-06-20 - Demonstrating How to Dump Chrome Passwords
2022-04-19 - Dumping passwords using KRShowKeyMgr
2022-05-01 - GetRawInputData Keylogger Demonstration
2022-06-21 - WebView2 Cookie Stealer Demonstration
2022-10-22 - WAM BAM - Recovering Web Tokens From Office

Evasion - Anti-debugging

Evasion - EDR and AV specific

2010-01-12 - Exercising the Firewall using Cplusplus
2018-06-18 - Exploring PowerShell AMSI and Logging Evasion
2019-06-03 - How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code
2020-02-03 - Bypass EDRs memory protection - an introduction to hooking
2020-02-10 - WDExtract - Extracting data from Windows Defender
2021-06-19 - Backstab - Demonstrating how to kill EDR protected processes
2021-08-23 - Another AMSI-Bypass paper
2021-10-23 - From AMSI to Reflection 0x0
2021-11-15 - Design issues of modern EDRs bypassing ETW-based solutions
2022-04-18 - A blueprint for evading industry leading endpoint protection in 2022
2022-06-22 - Extracting Whitelisted Paths from Windows Defender ASR Rules
2022-09-27 - Constrained Language Mode Bypass When __PSLockDownPolicy Is Used

Evasion - Other

2012-03-21 - Using UPX as a Security Packer
2018-12-12 - VBA RunPE - Breaking Out of Highly Constrained Desktop Environments
2019-12-02 - Evading WinDefender ATP credential-theft a hit after a hit-and-miss start
2020-05-18 - How to use Trend Micro's Rootkit Remover to Install a Rootkit
2020-12-31 - Antivirus Artifacts III
2021-04-22 - Binary Data Hiding in VB6 Executables
2021-05-01 - Symantec Endpoint Protection Meets COM - Using Symantec.SSHelper As A LOLBIN
2021-05-12 - Breaking the WDAPT Rules with COM
2021-08-05 - Evil Model - Hiding Malware
2021-10-09 - Trololololobin and other lolololocoasters
2022-01-15 - Stealing Process Tokens POC
2022-01-23 - Reload Executable Files to Achieve Efficient Inline-Hook
2022-02-07 - Invisible Sandbox Evasion - Check Point Research
2022-02-16 - wlrmdr.exe LOLBIN
2022-03-24 - Manipulating LastWriteTime without leaving traces in the NTFS USN Journal
2022-04-02 - Unmanaged Code Execution with .NET Dynamic PInvoke
2022-04-18 - Token Manipulation in Rust Demonation
2022-04-18 - UACMe
2022-06-17 - Sleep Obfuscation - Ekko
2022-08-01 - DLL Hijacking Windows Defender NisSrv
2022-08-01 - DeathSleep - Demonstrating sleep obfuscation
2023-03-21 - EkkoEx Sleep obfuscation
2023-05-03 - Exploring Impersonation through the Named Pipe Filesystem Driver

Evasion - Process Creation and Shellcode Execution

Evasion - Systems Call and Memory Evasion

2020-05-10 - The Fake Entry Point Trick
2020-12-31 - Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams
2021-01-09 - Heresys Gate Kernel ZwNTDLL Scraping and Work Out Ring 0 to Ring 3 via Worker Factories
2021-01-10 - Offensive Windows IPC Internals 1 Named Pipes
2021-02-12 - Offensive Windows IPC Internals 2 RPC
2021-03-28 - Executing a PE File in Memory
2021-12-07 - Dynamically Retrieving SYSCALLs - Hells Gate
2021-12-07 - Identifying Antivirus Software by enumerating Minifilter String Names
2022-02-04 - AppLocker bypass by hash caching misuse
2022-02-04 - JmpNoCall
2022-04-03 - NtdllPipe - Using cmd.exe to retrieve a clean version of ntdll.dll
2022-04-09 - Demonstrating API Hooking in Rust
2022-04-11 - Demonstrating Copying Data To A GPU - GpuMemoryAbuse
2022-04-19 - Resolving System Service Numbers using the Exception Directory
2022-04-22 - Bypassing LSA Protection in Userland
2022-04-23 - Bypassing PESieve and Moneta The easy way
2022-05-05 - A very simple and alternative PID finder
2022-05-24 - Gargoyle x64 - DeepSleep
2022-06-14 - Demonstrating inline syscalls in Cplusplus
2022-06-17 - Demonstrating Thread Stack Spoofing
2022-06-26 - Protecting the Heap - Encryption and Hooks
2022-06-30 - CallStack Spoofer Demonstration
2022-06-30 - Spoofing Call Stacks To Confuse EDRs
2022-07-05 - Vulpes - Obfuscating Memory Regions with Timers
2022-08-02 - Fourteen Ways to Read the PID for the Local Security Authority Subsystem Service LSASS
2022-08-04 - API Resolving Obfuscation via Veh
2022-08-07 - Tampering With Windows Syscalls
2022-08-08 - Manual Implementation of BlockDLLs and ACG
2022-08-16 - Demonstrating inline function importing in Cplusplus
2022-09-26 - Sacrificing Suspended Processes
2022-10-18 - Changing memory protection using APC
2022-10-31 - Heavens Gate in CSharp
2022-10-31 - Resolving syscalls in CSharp
2022-11-22 - x64 return address spoofing
2022-12-08 - Hooking System Calls in Windows 11 22H2 like Avast Antivirus. Research, analysis and bypass
2023-02-07 - Demonstrating Unhooking NTDLL from Disk
2023-02-07 - Demonstrating Unhooking NTDLL from KnownDlls
2023-02-07 - Demonstrating Unhooking NTDLL from Remote Server
2023-02-07 - Demonstrating Unhooking NTDLL from Suspended Process
2023-04-17 - An in-depth look at the Golang Windows calls

Infection

2008-12-27 - Detailed Guide to PE Infection
2015-03-06 - PE Infection - Add a PE section - with code
2015-03-30 - Another detailed guide to PE infection

Initial Access Malcode

2017-07-31 - Malicious XLL Demonstration
2020-12-24 - The worst of the two worlds - Excel meets Outlook
2021-10-28 - Malicious ZIP Demonstration
2021-12-09 - Create Microsoft-Signed Phishing Documents
2022-04-15 - Make phishing great again VSTO office files are the new macro nightmare
2022-05-14 - About XLL Phishing
2022-06-28 - Weaponizing and Abusing Hidden Functionalities Contained in Office Document Properties
2022-08-05 - Backdooring Office Structures Part 1 The Oldschool
2022-08-08 - Backdooring Office Structures Part 2 Payload Crumbs In Custom Parts
2023-02-07 - Home Grown Red Team - Lets Make Some OneNote Phishing Attachments

Kernel Mode

2014-02-06 - Hide process with DKOM without hard coded offsets
2015-04-06 - Hiding loaded driver with DKOM
2019-11-06 - Bypassing Kernel Function Pointer Integrity Checks
2020-02-29 - Windows Kernel Ps Callbacks Experiments
2020-08-02 - Removing Kernel Callbacks Using Signed Drivers
2021-02-13 - x64 Deep Dive
2021-03-30 - KeDll Injector
2022-01-11 - Signed Kernal Drivers - Unguarded Gateway to Windows Core
2022-01-15 - Demonstrating EAT hooking from Kernel space
2022-01-15 - Modifying the EPROCESS structure
2022-05-02 - g_CiOptions in a Virtualized World
2022-07-14 - Lord Of The Ring0 - Part 1 Introduction
2022-08-04 - Lord Of The Ring0 - Part 2 A tale of routines IOCTLs and IRPs
2022-08-19 - Warbird Hook - Demonstrating shellcode injection and application hijacking
2022-10-18 - Fantastic Rootkits And Where to Find Them Part 1
2022-10-30 - Lord Of The Ring0 - Part 3 Sailing to the land of the user and debugging the ship
2022-12-29 - Bootkitting Windows Sandbox
2023-02-09 - Transitioning from User Mode to Kernel mode - Extravagant Prick
2023-02-24 - Lord Of The Ring0 - Part 4 The call back home
2023-04-11 - Stepping Insyde System Management Mode
2023-05-04 - Fantastic Rootkits and Where to Find Them Part 2

Network Communications

2006-05-22 - Windows Network Services Internals
2017-12-07 - Ares - Demonstrating A Python C2
2018-10-20 - Using DropBox As A C2
2021-06-18 - Knock Knock The postman is here (abusing Mailslots and PortKnocking for connectionless shells)
2021-09-30 - Azure Outlook C2
2021-10-25 - C3 - Demonstrating C2s from MatterMost - GitHub - OneDrive and more
2022-01-03 - NTSockets - Downloading a file via HTTP using the NtCreateFile
2022-04-04 - AtlasC2 - Demonstrating A C2 in CSharp
2022-04-27 - Alternate Method Of Contacting IPV4
2022-05-01 - Ipv4Fuscation Demonstration
2022-05-09 - Spawning IE on Windows 11
2022-09-14 - Myths About External C2
2022-09-28 - Demonstrating the VirusTotal C2
2022-10-01 - Manual ICMP implementation using NtDeviceIoControlFile
2022-10-09 - Windows Server LDIF File Abuse for Silently Downloading Files
2023-01-23 - Exfiltrating data using Powershell and WAV files
2023-05-20 - Demonstrating using SMS as a C2

Persistence

2019-06-29 - Persistence with Windows Services
2019-08-16 - IBM Java Control Panel for persistence
2019-08-22 - Common Language Runtime Hook for Persistence
2019-09-07 - AutoPlay Handlers for persistence
2019-09-20 - Exotic persistence - Windows Error Reporting Debugger key
2019-10-23 - SPReview Phantom DLLs
2019-10-24 - SPReview Permanent Persistence
2019-11-18 - Abusing Intel VTune Amplifier for Persistence
2020-03-18 - ShimBad the Sailor
2020-06-09 - Abusing Windows Telemetry for Persistence
2020-07-30 - Terminal Server Utilities LOLBIN and Persistence
2020-08-16 - QT Framework QT_DEBUG_PLUGINS Persistence
2020-09-16 - Silent Runners - Exploring Persistence Methods
2020-09-18 - Covert Data Persistence with Windows Registry Keys
2020-09-18 - More Windows 10 Phantom DLLs
2020-10-08 - Cryogenically Frozen Malware
2020-10-11 - Masquerading the HKCU Run Key
2020-10-17 - DllBidEntryPoint Abuse
2020-10-18 - Commandeering Context Menu Entries
2020-10-19 - SERVICE_FAILURE_ACTIONSW Exception for Persistence
2020-11-23 - A Fresh Outlook on Mail Based Persistence
2021-02-06 - Microsoft Office HTML Editor for Persistence
2021-03-05 - Persistence via Java Environment Variables
2021-10-21 - Life is Pane - Persistence via Preview Handlers
2021-11-18 - Persistence via Recycle Bin
2021-12-14 - COM Hijacking for Persistence
2022-01-16 - Oobe Setup ErrorHandle.cmd Hijack
2022-01-18 - O365 HKCU WwlibDll Sideloading
2022-01-22 - WinINET InternetErrorDlgEx Registry Lookup persistence
2022-01-23 - Persistence via P2P_PEER_DIST_API LoadPeerDist
2022-07-17 - 30 second execution persistence with Winlogon
2022-09-14 - Abusing Notepad Plugins for Evasion and Persistence
2022-10-11 - Custom Keyboard Layout Persistence
2023-01-24 - Persistence via VSCode Profile Abuse

Process Injection

2004-04-06 - Remote Library Injection
2014-02-03 - PE Injection Demonstration 1
2014-04-13 - PE Injection Explained Advanced memory code injection technique
2017-09-19 - Abusing Delay Load DLLs for Remote Code Injection
2018-03-26 - Ghostwrite Demonstration
2018-06-14 - PE Injection Demonstration 2
2018-10-16 - Injecting Code into Windows Protected Processes using COM - Part 1
2018-11-01 - Process Injection Techniques and Detection using the Volatility Framework
2018-11-30 - Injecting Code into Windows Protected Processes using COM - Part 2
2019-02-25 - Notes on RtlCloneUserProcess
2019-04-08 - Early Bird Injection - APC Abuse
2019-04-26 - Hunting for Ghosts in Fileless Attacks
2019-08-08 - Demonstating Various Process Injection Techniques - Pinjecta
2019-08-08 - Process Injection Techniques - Gotta Catch Them All
2019-08-13 - The state of advanced code injections
2020-01-06 - NtCreateSection and NtMapViewOfSection for Code Injection
2020-02-10 - From Process Injection to Function Hijacking
2020-05-28 - GetEnvironmentVariable As Alternative to WriteProccessMemory in Process Injections
2020-06-06 - NINA - x64 Process Injection
2020-06-14 - Process Injection Techniques
2020-06-24 - Process Injection Techniques used by Malware
2020-07-10 - Masking Malicious Memory Artifacts Part 1 – Phantom DLL Hollowing
2020-07-16 - Weaponizing Mapping Injection With instrumentation Callback
2020-11-29 - Weaponize GhostWriting Injection Code Injection Series Part 5
2021-02-28 - PE Injection_ Executing PEs inside Remote Processes
2022-01-15 - CreateRemoteThread Process Injection
2022-01-15 - Demonstrating ATOM Bombing
2022-01-15 - Process Doppelgänging POC
2022-01-15 - Process HerpaDerping
2022-01-15 - ReflectiveDLLInjection Example
2022-01-15 - SetThreadContextInjection Example
2022-01-15 - SetWindowsHookExInjection Example
2022-01-15 - The ExtraWindowInject Process Injection Technique
2022-01-15 - UserApcInject Example
2022-02-04 - KCTHIJACK - KernelCallbackTable Hijack
2022-03-17 - Process Overwriting - yet another variant
2022-03-17 - Process-Hollowing Example
2022-04-18 - Implementing Global Injection and Hooking in Windows
2022-05-05 - Process Injection via Component Object Model (COM) IRundown-DoCallback()
2022-05-08 - Demonstrating Process Injection in Rust - Rusty Memory LoadLibrary
2022-05-16 - Demonstrating Reflective DLL Loading - KaynLdr
2022-05-27 - Nls Code Injection Through The Registry
2022-06-25 - PE Resource section for Process Injection
2022-12-23 - Ctrl Injection Collection

System Components and Abuse

2017-08-12 - Finding handle leaks - user mode duplicate handle in C and CSharp
2018-03-17 - Abusing Exported Functions and Exposed DCOM Interfaces
2019-04-07 - Loading and calling VB from CPlusPlus
2019-07-03 - Dumping LSASS - MiniDumpWriteDump to Disk
2019-07-03 - MiniDumpWriteDump and PssCaptureSnapshot
2019-07-07 - Dumping LSASS - MiniDumpWriteDump to Memory using MiniDump Callbacks
2019-07-21 - In-memory execution of VBScript, JavaScript or JScript
2019-08-17 - Weaponizing Privileged File Writes with the USO Service
2020-06-10 - Cmd Hijack - A Command_Argument Confustion with Path Traversal
2020-10-10 - A Deep Dive Into RUNDLL32EXE
2021-01-24 - LSASS Memory Dumps are Stealthier than Ever Before - Part 1
2021-02-16 - LSASS Memory Dumps are Stealthier than Ever Before - Part 2
2021-05-13 - Reshaping Shadow Volumes with IOCTLs
2021-08-03 - Reading, Writing, and Executing A File WITHOUT A File Path - yarhLoader
2021-10-10 - SeManageVolumePrivilege Abuse with FSCTL_SD_GLOBAL_CHANGE
2021-12-07 - Demonstrating USB Propagation
2021-12-07 - Programmatically Modifying Boot Configurations - BCDEdit
2021-12-07 - The hidden side of Seclogon part 2 - Abusing leaked handles to dump LSASS memory
2021-12-07 - Weaponizing Windows Virtualization
2022-01-15 - Programmatically Stopping Windows Defender
2022-02-09 - Hooks-On Hoot-Off Vitaminizing MiniDump
2022-02-17 - The magic behind wlrmdrexe
2022-02-25 - LogNT32 - Part 2 - Return-address hijacking implemented to improve efficiency
2022-03-26 - Digging into PssCaptureSnapshot for LSASS Dumping
2022-04-03 - FveApiDLL Abuse Demonstration
2022-04-30 - Programmatically Hiding Windows Snapshots
2022-05-31 - Crashing Windows by Abusing NtRaiseHardError
2022-06-28 - The hidden side of Seclogon part 3 - Racing for LSASS dumps
2022-08-19 - Bypassing AppLocker by abusing HashInfo
2022-08-29 - DLL Sideloading ShellChromeAPI
2022-10-07 - Short term snapshot deletion via ExecuteScheduledSPPCreation
2022-10-11 - Abusing the Windows Power Management API
2022-10-28 - Using Windows IUIAutomation for spyware and other malicious purposes
2022-11-02 - IIS Pool Credential Dumping via undocumented command line arguments
2022-12-07 - Programmatically Deleting Shadow Volumes - Xaoc
2023-02-03 - Windows Domain Controller NTDSUTIL activate instance abuse
2023-03-19 - Different ways to create a process
2023-05-02 - Preventing application creation by IFEO keys

v x

Analysis and Internals

Data Theft

Evasion - Anti-debugging

Evasion - EDR and AV specific

Evasion - Other

Evasion - Process Creation and Shellcode Execution

Evasion - Systems Call and Memory Evasion

Infection

Initial Access Malcode

Kernel Mode

Network Communications

Persistence

Process Injection

System Components and Abuse

Other VXUG Links

Contents

Sponsor

Sponsor

Sponsor

Sponsor

Want to sponsor vx-underground?