
Analysis and Internals

APC Series KiUserApcDispatcher and Wow64
APC Series User APC API
APC Series User APC Internals
An Introduction to Standard and Isolation Minifilters
Antimalware Scan Interface AMSI
Deep dive into user-mode Asynchronous Procedure Calls in Windows
Demystifying the SVCHOST.EXE Process and Its Command Line Options
Dissecting Windows Section Objects
Exploring Token Members Part 1
Exploring Token Members Part 2
Exploring the Windows Search Application Cache
Finding Interactive User COM Objects using PowerShell
From a C project through assembly to shellcode
Fs Minifilter Hooking Part 1
Hooking COM Objects - Intercepting Calls to COM Interfaces
How the Antimalware Scan Interface AMSI helps you defend against malware
Inside Get-AuthenticodeSignature
Inside Windows Defender System Guard Runtime Monitor
Inside the Windows Cache Manager
NTFS Alternate Streams What, When, and How To
Notes on Windows MS-CXH and MS-CXH-FULL handlers
Red Canary - Antimalware Scan Interface (AMSI)
Reversing Common Obfuscation Techniques
Studying Next Generation Malware - NightHawk's Attempt At Obfuscate and Sleep
Superfetch - Unknown Spy
Understanding DISM - Servicing Stack Interaction
Understanding Windows Structured Exception Handling Part 1 – The Basics
Understanding Windows Structured Exception Handling Part 2 – Digging Deeper
Understanding Windows Structured Exception Handling Part 3 – Under The Hood
Understanding Windows Structured Exception Handling Part 4 – Pseudo __try and __except
Understanding a New Mitigation Module Tampering Protection
Updating the Undocumented ESTROBJ and STROBJ Structures for Windows 10 x64
WMI Internals Part 1 - Understanding the Basics
WOW64Hooks WOW64 Subsystem Internals and Hooking Techniques
Windows 10 Parallel Loading Breakdown
Windows Internals - Thread and Process State Change

Evasion - Process Creation and Shellcode Execution

Abusing Windows’ Implementation of Fork() for Stealthy Memory Operations
An alternate way to execute a binary - NtQueryInformationProcess and the AeDebugProtected key
Bluffy the AV Slayer
Callback Injection in CSharp via CertFindChainInStore
Callback Injection in CSharp via CopyFileTransacted
Callback Injection in CSharp via DSA_EnumCallback
Callback Injection in CSharp via EncryptedFileRaw
Callback Injection in CSharp via EvtSubscribe_CVEEventWrite
Callback Injection in CSharp via MFAddPeriodicCallback
Callback Injection in CSharp via MessageBoxIndirect
Callback Injection in CSharp via NotifyIpInterfaceChange
Callback Injection in CSharp via NotifyRouteChange2
Callback Injection in CSharp via NotifyTeredoPortChange
Callback Injection in CSharp via NotifyUnicastIpAddressChange
Callback Injection in CSharp via PerfStartProviderEx
Callback Injection in CSharp via RegisterWaitForSingleObject
Callback Injection in CSharp via SetWaitableTimer
Callback Injection in CSharp via StackWalk
Callback Injection in CSharp via SymRegisterCallback
Callback Injection in CSharp via WinHttpSetStatusCallback
Callback Injection via CDefFolderMenu_Create2
Callback Injection via CertEnumSystemStore
Callback Injection via CertEnumSystemStoreLocation
Callback Injection via CertFindChainInStore
Callback Injection via CopyFile2
Callback Injection via CopyFileEx
Callback Injection via CopyFileTransacted
Callback Injection via CreateThreadPoolWait
Callback Injection via CreateTimerQueueTimer
Callback Injection via CreateTimerQueueTimer_Tech
Callback Injection via CryptEnumOIDInfo
Callback Injection via DSA_EnumCallback
Callback Injection via EncryptedFileRaw
Callback Injection via EnumChildWindows
Callback Injection via EnumDateFormatsA
Callback Injection via EnumDesktopW
Callback Injection via EnumDesktopWindows
Callback Injection via EnumDirTreeW
Callback Injection via EnumDisplayMonitors
Callback Injection via EnumFontFamiliesExW
Callback Injection via EnumFontFamiliesW
Callback Injection via EnumFontsW
Callback Injection via EnumICMProfiles
Callback Injection via EnumLanguageGroupLocalesW
Callback Injection via EnumObjects
Callback Injection via EnumPageFilesW
Callback Injection via EnumPropsEx
Callback Injection via EnumPropsW
Callback Injection via EnumPwrSchemes
Callback Injection via EnumResourceTypesExW
Callback Injection via EnumResourceTypesW
Callback Injection via EnumSystemCodePagesA
Callback Injection via EnumSystemCodePagesW
Callback Injection via EnumSystemGeoID
Callback Injection via EnumSystemLanguageGroupsA
Callback Injection via EnumSystemLocales
Callback Injection via EnumSystemLocalesA
Callback Injection via EnumThreadWindows
Callback Injection via EnumTimeFormatsEx
Callback Injection via EnumUILanguagesA
Callback Injection via EnumUILanguagesW
Callback Injection via EnumWindowStationsW
Callback Injection via EnumWindows
Callback Injection via EnumerateLoadedModules
Callback Injection via EvtSubscribe_CVEEventWrite
Callback Injection via FiberContextEdit
Callback Injection via FlsAlloc
Callback Injection via ImageGetDigestStream
Callback Injection via ImmEnumInputContext
Callback Injection via InitOnceExecuteOnce
Callback Injection via LdrEnumerateLoadedModules
Callback Injection via LdrpCallInitRoutine
Callback Injection via MFAddPeriodicCallback
Callback Injection via MessageBoxIndirect
Callback Injection via MiniDumpWriteDump
Callback Injection via NotifyIpInterfaceChange
Callback Injection via NotifyRouteChange2
Callback Injection via NotifyTeredoPortChange
Callback Injection via NotifyUnicastIpAddressChange
Callback Injection via PerfStartProviderEx
Callback Injection via RegisterWaitForSingleObject
Callback Injection via RtlUserFiberStart
Callback Injection via SHCreateThreadWithHandle
Callback Injection via SetTimer
Callback Injection via SetWaitableTimer
Callback Injection via SetupCommitFileQueueW
Callback Injection via StackWalk
Callback Injection via SymEnumProcesses
Callback Injection via SymFindFileInPath
Callback Injection via SymRegisterCallback
Callback Injection via SysEnumSourceFiles
Callback Injection via TaskDialogIndirect
Callback Injection via VerifierEnumerateResource
Callback Injection via WinHttpSetStatus
Creating Processes By Using Undocumented COM APIs
Creating Processes Using System Calls
Making NtCreateUserProcess Work
Playing Around COM Objects Part 1 - DllGetClassObject and ShellExecute IDispatch for Process creation
Shellcode - Recycling Compression Algorithms for the Z80, 8088, 6502, 8086 and 68K Architectures
Weird Ways to Run Unmanaged Code in .NET

Process Injection

CreateRemoteThread Process Injection
Ctrl-Inject Demonstration 1
Ctrl-Inject Demonstration 2
Ctrl-Inject
Demonstrating Various Process Injection Techniques - Pinjecta
Demonstrating ATOM Bombing
Demonstrating Process Injection in Rust - Rusty Memory LoadLibrary
Demonstrating Reflective DLL Loading - KaynLdr
From Process Injection to Function Hijacking
GetEnvironmentVariable As Alternative to WriteProcessMemory in Process Injections
Ghostwrite Demonstration
Hunting for Ghosts in Fileless Attacks
Implementing Global Injection and Hooking in Windows
KCTHIJACK - KernelCallbackTable Hijack
Masking Malicious Memory Artifacts Part 1 – Phantom DLL Hollowing
NINA - x64 Process Injection
Nls Code Injection Through The Registry
Notes on RtlCloneUserProcess
NtCreateSection and NtMapViewOfSection for Code Injection
PE Injection Demonstration 1
PE Injection Demonstration 2
PE Injection Explained Advanced memory code injection technique
PE Injection - Executing PEs inside Remote Processes
PE Resource section for Process Injection
Process Doppelgänging POC
Process HerpaDerping
Process Injection Techniques - Gotta Catch Them All
Process Injection Techniques and Detection using the Volatility Framework
Process Injection Techniques used by Malware
Process Injection Techniques
Process Injection via Component Object Model (COM) IRundown::DoCallback()
Process Overwriting - yet another variant
Process-Hollowing Example
ReflectiveDLLInjection Example
Remote Library Injection
SetThreadContextInjection Example
SetWindowsHookExInjection Example
The ExtraWindowInject Process Injection Technique
The state of advanced code injections
UserApcInject Example
Weaponize GhostWriting Injection Code Injection Series Part 5
Weaponizing Mapping Injection With instrumentation Callback
