Analysis and Internals

APC Series KiUserApcDispatcher and Wow64
APC Series User APC API
APC Series User APC Internals
An Introduction to Standard and Isolation Minifilters
Antimalware Scan Interface AMSI
Deep dive into user-mode Asynchronous Procedure Calls in Windows
Demystifying the SVCHOSTEXE Process and Its Command Line Options
Dissecting Windows Section Objects
Exploring Token Members Part 1
Exploring Token Members Part 2
Exploring the Windows Search Application Cache
Finding Interactive User COM Objects using PowerShell
From a C project through assembly to shellcode
Fs Minifilter Hooking Part 1
Hooking COM Objects - Intercepting Calls to COM Interfaces
How the Antimalware Scan Interface AMSI helps you defend against malware
Inside Get-AuthenticodeSignature
Inside Windows Defender System Guard Runtime Monitor
Inside the Windows Cache Manager
Making WMI Queries In C
NTFS Alternate Streams What, When, and How To
Notes on Windows MS-CXH and MS-CXH-FULL handlers
Random Number Generation using IOCTL
Red Canary - Antimalware Scan Interface (AMSI)
Reversing Common Obfuscation Techniques
Studying Next Generation Malware - NightHawks Attempt At Obfuscate and Sleep
Superfetch - Unknown Spy
Understanding API Set Resolution
Understanding DISM - Servicing Stack Interaction
Understanding Windows Structured Exception Handling Part 1 – The Basics
Understanding Windows Structured Exception Handling Part 2 – Digging Deeper
Understanding Windows Structured Exception Handling Part 3 – Under The Hood
Understanding Windows Structured Exception Handling Part 4 – Pseudo __try and __except
Updating the Undocumented ESTROBJ and STROBJ Structures for Windows 10 x64
WMI Internals Part 1 - Understanding the Basics
WOW64Hooks WOW64 Subsystem Internals and Hooking Techniques
Windows 10 Parallel Loading Breakdown
Windows DLL Hijacking Hopefully Clarified
tagSOleTlsData and the COM concurrency model for the current thread

Evasion - Process Creation and Shellcode Execution

Abusing Windows’ Implementation of Fork() for Stealthy Memory Operations
An alternate way to execute a binary - NtQueryInformationProcess and the AeDebugProtected key
Bluffy the AV Slayer
Callback Injection in CSharp via CertFindChainInStore
Callback Injection in CSharp via CopyFileTransacted
Callback Injection in CSharp via DSA_EnumCallback
Callback Injection in CSharp via EncryptedFileRaw
Callback Injection in CSharp via EvtSubscribe_CVEEventWrite
Callback Injection in CSharp via MFAddPeriodicCallback
Callback Injection in CSharp via MessageBoxIndirect
Callback Injection in CSharp via NotifyIpInterfaceChange
Callback Injection in CSharp via NotifyRouteChange2
Callback Injection in CSharp via NotifyTeredoPortChange
Callback Injection in CSharp via NotifyUnicastIpAddressChange
Callback Injection in CSharp via PerfStartProviderEx
Callback Injection in CSharp via RegisterWaitForSingleObject
Callback Injection in CSharp via SetWaitableTimer
Callback Injection in CSharp via StackWalk
Callback Injection in CSharp via SymRegisterCallback
Callback Injection in CSharp via WinHttpSetStatusCallback
Callback Injection via CDefFolderMenu_Create2
Callback Injection via CertEnumSystemStore
Callback Injection via CertEnumSystemStoreLocation
Callback Injection via CertFindChainInStore
Callback Injection via CopyFile2
Callback Injection via CopyFileEx
Callback Injection via CopyFileTransacted
Callback Injection via CreateThreadPoolWait
Callback Injection via CreateTimerQueueTimer
Callback Injection via CreateTimerQueueTimer_Tech
Callback Injection via CryptEnumOIDInfo
Callback Injection via DSA_EnumCallback
Callback Injection via EncryptedFileRaw
Callback Injection via EnumChildWindows
Callback Injection via EnumDateFormatsA
Callback Injection via EnumDesktopW
Callback Injection via EnumDesktopWindows
Callback Injection via EnumDirTreeW
Callback Injection via EnumDisplayMonitors
Callback Injection via EnumFontFamiliesExW
Callback Injection via EnumFontFamiliesW
Callback Injection via EnumFontsW
Callback Injection via EnumICMProfiles
Callback Injection via EnumLanguageGroupLocalesW
Callback Injection via EnumObjects
Callback Injection via EnumPageFilesW
Callback Injection via EnumPropsEx
Callback Injection via EnumPropsW
Callback Injection via EnumPwrSchemes
Callback Injection via EnumResourceTypesExW
Callback Injection via EnumResourceTypesW
Callback Injection via EnumSystemCodePagesA
Callback Injection via EnumSystemCodePagesW
Callback Injection via EnumSystemGeoID
Callback Injection via EnumSystemLanguageGroupsA
Callback Injection via EnumSystemLocales
Callback Injection via EnumSystemLocalesA
Callback Injection via EnumThreadWindows
Callback Injection via EnumTimeFormatsEx
Callback Injection via EnumUILanguagesA
Callback Injection via EnumUILanguagesW
Callback Injection via EnumWindowStationsW
Callback Injection via EnumWindows
Callback Injection via EnumerateLoadedModules
Callback Injection via EvtSubscribe_CVEEventWrite
Callback Injection via FiberContextEdit
Callback Injection via FlsAlloc
Callback Injection via ImageGetDigestStream
Callback Injection via ImmEnumInputContext
Callback Injection via InitOnceExecuteOnce
Callback Injection via LdrEnumerateLoadedModules
Callback Injection via LdrpCallInitRoutine
Callback Injection via MFAddPeriodicCallback
Callback Injection via MessageBoxIndirect
Callback Injection via MiniDumpWriteDump
Callback Injection via NotifyIpInterfaceChange
Callback Injection via NotifyRouteChange2
Callback Injection via NotifyTeredoPortChange
Callback Injection via NotifyUnicastIpAddressChange
Callback Injection via PerfStartProviderEx
Callback Injection via RegisterWaitForSingleObject
Callback Injection via RtlUserFiberStart
Callback Injection via SHCreateThreadWithHandle
Callback Injection via SetTimer
Callback Injection via SetWaitableTimer
Callback Injection via SetupCommitFileQueueW
Callback Injection via StackWalk
Callback Injection via SymEnumProcesses
Callback Injection via SymFindFileInPath
Callback Injection via SymRegisterCallback
Callback Injection via SysEnumSourceFiles
Callback Injection via TaskDialogIndirect
Callback Injection via VerifierEnumerateResource
Callback Injection via WinHttpSetStatus
Creating Processes By Using Undocumented COM APIs
Creating Processes Using System Calls
Making NtCreateUserProcess Work
Playing Around COM Objects Part 1 - DllGetClassObject and ShellExecute IDispatch for Process creation
Shellcode - Recycling Compression Algorithms for the Z80, 8088, 6502, 8086 and 68K Architectures
Weird Ways to Run Unmanaged Code in NET

Evasion - System Call and Memory Evasion

A very simple and alternative PID finder
API Resolving Obfuscation via Veh
An Alternative Method To Enumerate Processes
AppLocker bypass by hash caching misuse
Bypassing LSA Protection in Userland
Bypassing PESieve and Moneta The easy way
Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams
CallStack Spoofer Demonstration
Changing memory protection using APC
Demonstrating API Hooking in Rust
Demonstrating Copying Data To A GPU - GpuMemoryAbuse
Demonstrating Thread Stack Spoofing
Demonstrating inline function importing in Cplusplus
Demonstrating inline syscalls in Cplusplus
Dynamically Retrieving SYSCALLs - Hells Gate
Executing a PE File in Memory
Fourteen Ways to Read the PID for the Local Security Authority Subsystem Service LSASS
Gargoyle x64 - DeepSleep
Heavens Gate in CSharp
Heresys Gate Kernel ZwNTDLL Scraping + Work Out Ring 0 to Ring 3 via Worker Factories
Identifying Antivirus Software by enumerating Minifilter String Names
Manual Implementation of BlockDLLs and ACG
NtdllPipe - Using cmd.exe to retrieve a clean version of ntdll.dll
Offensive Windows IPC Internals 1 Named Pipes
Offensive Windows IPC Internals 2 RPC
Protecting the Heap - Encryption and Hooks
Resolving System Service Numbers using the Exception Directory
Resolving syscalls in CSharp
Spoofing Call Stacks To Confuse EDRs
Tampering With Windows Syscalls
The Fake Entry Point Trick
Vulpes - Obfuscating Memory Regions with Timers
x64 return address spoofing

Process Injection

CreateRemoteThread Process Injection
Ctrl-Inject Demonstration 1
Ctrl-Inject Demonstration 2
Ctrl-Inject
Demonstrating Various Process Injection Techniques - Pinjecta
Demonstrating ATOM Bombing
Demonstrating Process Injection in Rust - Rusty Memory LoadLibrary
Demonstrating Reflective DLL Loading - KaynLdr
From Process Injection to Function Hijacking
GetEnvironmentVariable As Alternative to WriteProcessMemory in Process Injections
Ghostwrite Demonstration
Hunting for Ghosts in Fileless Attacks
Implementing Global Injection and Hooking in Windows
Injecting Code into Windows Protected Processes using COM - Part 1
Injecting Code into Windows Protected Processes using COM - Part 2
KCTHIJACK - KernelCallbackTable Hijack
Masking Malicious Memory Artifacts Part 1 – Phantom DLL Hollowing
NINA - x64 Process Injection
Nls Code Injection Through The Registry
Notes on RtlCloneUserProcess
NtCreateSection and NtMapViewOfSection for Code Injection
PE Injection Demonstration 1
PE Injection Demonstration 2
PE Injection Explained Advanced memory code injection technique
PE Injection_ Executing PEs inside Remote Processes
PE Resource section for Process Injection
Process Doppelgänging POC
Process HerpaDerping
Process Injection Techniques - Gotta Catch Them All
Process Injection Techniques and Detection using the Volatility Framework
Process Injection Techniques used by Malware
Process Injection Techniques
Process Injection via Component Object Model (COM) IRundown-DoCallback()
Process Overwriting - yet another variant
Process-Hollowing Example
ReflectiveDLLInjection Example
Remote Library Injection
SetThreadContextInjection Example
SetWindowsHookExInjection Example
The ExtraWindowInject Process Injection Technique
The state of advanced code injections
UserApcInject Example
Weaponize GhostWriting Injection Code Injection Series Part 5
Weaponizing Mapping Injection With instrumentation Callback

Windows Internals Video Series

Emulation, Emulation, Emulation
Engineering security into Windows Vista
Going deep inside Windows Vista's kernel architecture
Inside File System Filter, part I
Inside File System Filter, part II
Inside Windows 7 - Audio Stack
Inside Windows 7 - Diagnostics and Troubleshooting
Inside Windows 7 - Farewell to the Windows Kernel Dispatcher Lock
Inside Windows 7 - Fault Tolerant Heap
Inside Windows 7 - Service Controller and Background Processing
Inside Windows 7 - User Mode Scheduler (UMS)
Inside Windows 7 - Windows Automatic Memory Leak Detection
Inside Windows 7 Redux
Inside Windows 7
Inside Windows 8 - Boot Environment
Inside Windows 8 - Desktop Activity Moderator and Connected Standby
Inside Windows 8 - Heap Manager
Inside Windows 8 - Thread pools
Inside Windows 8 - Windows App Model
Kernel Mode Driver Framework
Kernel Transaction Manager and friends (TxF, TxR)
Mark Russinovich - From Winternals to Microsoft, On Windows Security, Windows CoreArch
Mark Russinovich - On Working at Microsoft, Windows Server 2008 Kernel, MinWin vs ServerCore, HyperV
Process Management in Windows Vista
Processes Gone Wild - Understanding Windows Vista Reliability Mechanics
The Advancement of Windows - Windows Vista SuperFetch
The Advancement of Windows -Windows Vista IO
UAC - What. How. Why
Virtualization
Vista - Diving into the Heap
Vista Audio Stack and API
Vista Transactional File System
Windows Memory Manager
Windows Plug and Play
Windows Presentation Foundation(WPF) Architecture
Windows Shell Architecture
Windows Vista - PreOS Environment, What happens before the OS loads
Windows, NT Cache Manager Part II
Windows, NT Cache Manager
Windows, NT Object Manager
Windows, Part I
Windows, Part II
Windows, Part III
Windows, Part IV
Windows, the IO Manager and Driver Model Part I
Windows, the IO Manager and Driver Model, Part II
XBox 360 Architecture
