https://r0tbyt3.dev/tags/malware-development/Recent content in Malware-Development on Jesus OsegueraHugoen-ushttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/abusing-wmi-for-persistence/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/abusing-wmi-for-persistence/Abusing WMI for Persistence Abusing WMI for Persistence - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Introduction to Windows Persistence Persistence via COM Object Hijacking Persistence via Electron Applications Persistence via File System Persistence via Startup Folder Persistence via Windows Registry Persistence via Windows Services Persistence via Windows Taskshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/add-binary-icon/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/add-binary-icon/Add Binary Icon Add Binary Icon - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/ai-generated-malware/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/ai-generated-malware/AI-Generated Malware AI-Generated Malware - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/alertable-functions/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/alertable-functions/Alertable Functions Alertable Functions - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/apc-injection-via-write-to-process-memory/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/apc-injection-via-write-to-process-memory/APC Injection via Write to Process Memory APC Injection via Write to Process Memory - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/apc-queues/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/apc-queues/APC Queues APC Queues - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/api-hooking/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/api-hooking/API Hooking API Hooking - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/api-set-resolution/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/api-set-resolution/API Set Resolution API Set Resolution - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/assembly/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/assembly/Assembly Assembly - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/automated-botnet-development/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/automated-botnet-development/Automated Botnet Development Automated Botnet Development - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/automated-c2-infrastructure-setup/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/automated-c2-infrastructure-setup/Automated C2 Infrastructure Setup Automated C2 Infrastructure Setup - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/automated-cryptojacking-malware-development/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/automated-cryptojacking-malware-development/Automated Cryptojacking Malware Development Automated Cryptojacking Malware Development - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/automated-fileless-malware-development/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/automated-fileless-malware-development/Automated Fileless Malware Development Automated Fileless Malware Development - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/automated-malware-delivery-techniques/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/automated-malware-delivery-techniques/Automated Malware Delivery Techniques Automated Malware Delivery Techniques - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/automated-malware-distribution-techniques/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/automated-malware-distribution-techniques/Automated Malware Distribution Techniques Automated Malware Distribution Techniques - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/automated-payload-generation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/automated-payload-generation/Automated Payload Generation Automated Payload Generation - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/automated-payload-generation-techniques/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/automated-payload-generation-techniques/Automated Payload Generation Techniques Automated Payload Generation Techniques - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/automated-polymorphic-and-metamorphic-malware-development/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/automated-polymorphic-and-metamorphic-malware-development/Automated Polymorphic and Metamorphic Malware Development Automated Polymorphic and Metamorphic Malware Development - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/av-detection-mechanisms/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/av-detection-mechanisms/AV Detection Mechanisms AV Detection Mechanisms - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/beacon-object-files-bof/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/beacon-object-files-bof/Beacon Object Files (BOF) Beacon Object Files (BOF) - position-independent code objects executed in-process by C2 frameworks such as Cobalt Strike for post-exploitation. BOF Execution Introduction to BOF LSASS Dump BOF Object File Loader with Module Stomping Threadless Shellcode Injection via HWBPs BOF Writing BOF Files Related Links: C2 and Networking Credential Dumping Malware Concepts Payload and PE Persistence Process Injection Sleep Obfuscation Windows Internalshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/binary-metadata-modification/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/binary-metadata-modification/Binary Metadata Modification Binary Metadata Modification - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/binary-properties-icon-metadata/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/binary-properties-icon-metadata/Binary Properties Icon Metadata Binary Properties Icon Metadata - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/block-dll-policy/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/block-dll-policy/Block DLL Policy Block DLL Policy - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/blocking-driver-loading-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/blocking-driver-loading-kernel/Blocking Driver Loading Kernel Blocking Driver Loading Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/beacon-object-files-bof/bof-execution/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/beacon-object-files-bof/bof-execution/BOF Execution BOF Execution - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Introduction to BOF LSASS Dump BOF Object File Loader with Module Stomping Threadless Shellcode Injection via HWBPs BOF Writing BOF Fileshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/bring-your-own-file-extension/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/bring-your-own-file-extension/Bring Your Own File Extension Bring Your Own File Extension - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/bring-your-own-protocol-handler/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/bring-your-own-protocol-handler/Bring Your Own Protocol Handler Bring Your Own Protocol Handler - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/bring-your-own-vulnerable-driver-byovd/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/bring-your-own-vulnerable-driver-byovd/Bring Your Own Vulnerable Driver (BYOVD) Bring Your Own Vulnerable Driver (BYOVD) - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/building-a-drm-equipped-malware/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/building-a-drm-equipped-malware/Building a DRM-Equipped Malware Building a DRM-Equipped Malware - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/building-a-loader/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/building-a-loader/Building a Loader Building a Loader - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/building-a-pe-packer/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/building-a-pe-packer/Building a PE Packer Building a PE Packer - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/building-an-evasive-dll-payload-loader/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/building-an-evasive-dll-payload-loader/Building an Evasive DLL Payload Loader Building an Evasive DLL Payload Loader - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/c-programming/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/c-programming/C Programming C Programming - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/C2 and Networking C2 and Networking - command-and-control communication patterns, protocol abuse, and network-based techniques used in post-exploitation operations. Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/c2-communication-techniques/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/c2-communication-techniques/C2 Communication Techniques C2 Communication Techniques - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/capturing-and-saving-screenshots-into-memory/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/capturing-and-saving-screenshots-into-memory/Capturing and Saving Screenshots into Memory Capturing and Saving Screenshots into Memory - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/check-if-process-is-wow64/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/check-if-process-is-wow64/Check If Process Is WOW64 Check If Process Is WOW64 - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/cleaning-driver-artifacts-from-memory-dumps-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/cleaning-driver-artifacts-from-memory-dumps-kernel/Cleaning Driver Artifacts from Memory Dumps Kernel Cleaning Driver Artifacts from Memory Dumps Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/clipboard-data-theft/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/clipboard-data-theft/Clipboard Data Theft Clipboard Data Theft - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/command-and-control-patterns/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/command-and-control-patterns/Command and Control Patterns Command and Control Patterns - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/command-line-argument-spoofing/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/command-line-argument-spoofing/Command Line Argument Spoofing Command Line Argument Spoofing - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/compile-time-hash-obfuscation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/compile-time-hash-obfuscation/Compile-Time Hash Obfuscation Compile-Time Hash Obfuscation - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/compile-time-string-encryption/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/compile-time-string-encryption/Compile-Time String Encryption Compile-Time String Encryption - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/controlling-payload-execution/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/controlling-payload-execution/Controlling Payload Execution Controlling Payload Execution - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/create-a-dll-template/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/create-a-dll-template/Create a DLL Template Create a DLL Template - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/Credential Dumping Credential Dumping - techniques for extracting authentication credentials from memory, registry, disk, and browser storage on compromised systems. Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumping Related Links: Beacon Object Files (BOF) C2 and Networking Malware Concepts Payload and PE Persistence Process Injection Sleep Obfuscation Windows Internalshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/cross-architecture-injection-x86-to-x64/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/cross-architecture-injection-x86-to-x64/Cross-Architecture Injection x86 to x64 Cross-Architecture Injection x86 to x64 - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/crt-library-removal/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/crt-library-removal/CRT Library Removal CRT Library Removal - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/crt-removal/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/crt-removal/CRT Removal CRT Removal - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/cryptojacking-exploits/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/cryptojacking-exploits/Cryptojacking Exploits Cryptojacking Exploits - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/custom-built-tools-demonstration/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/custom-built-tools-demonstration/Custom Built Tools Demonstration Custom Built Tools Demonstration - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/custom-smb-client/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/custom-smb-client/Custom SMB Client Custom SMB Client - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/custom-winapi-functions/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/custom-winapi-functions/Custom WinAPI Functions Custom WinAPI Functions - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/data-exfiltration-techniques/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/data-exfiltration-techniques/Data Exfiltration Techniques Data Exfiltration Techniques - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/developing-a-keylogger/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/developing-a-keylogger/Developing a Keylogger Developing a Keylogger - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/disabling-the-debugger-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/disabling-the-debugger-kernel/Disabling the Debugger Kernel Disabling the Debugger Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/dll-injection-via-zwcreatethreadex-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/dll-injection-via-zwcreatethreadex-kernel/DLL Injection via ZwCreateThreadEx Kernel DLL Injection via ZwCreateThreadEx Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/dll-injection-via-zwcreatethreadex-kernel-internals/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/dll-injection-via-zwcreatethreadex-kernel-internals/DLL Injection via ZwCreateThreadEx Kernel Internals DLL Injection via ZwCreateThreadEx Kernel Internals - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/dll-sideloading-for-edr-evasion/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/dll-sideloading-for-edr-evasion/DLL Sideloading for EDR Evasion DLL Sideloading for EDR Evasion - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/dll-sideloading-overview/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/dll-sideloading-overview/DLL Sideloading Overview DLL Sideloading Overview - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/dll-sideloading-practical-example/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/dll-sideloading-practical-example/DLL Sideloading Practical Example DLL Sideloading Practical Example - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/dll-sideloading-via-at.exe/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/dll-sideloading-via-at.exe/DLL Sideloading via at.exe DLL Sideloading via at.exe - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/domain-generation-algorithms-dga/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/domain-generation-algorithms-dga/Domain Generation Algorithms (DGA) Domain Generation Algorithms (DGA) - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/domain-registration-kill-switch/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/domain-registration-kill-switch/Domain Registration Kill Switch Domain Registration Kill Switch - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/download-and-upload-via-smb/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/download-and-upload-via-smb/Download and Upload via SMB Download and Upload via SMB - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/download-file-via-bits/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/download-file-via-bits/Download File via BITS Download File via BITS - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/drm-equipped-malware/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/drm-equipped-malware/DRM-Equipped Malware DRM-Equipped Malware - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/dumping-browser-cookies-chrome/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/dumping-browser-cookies-chrome/Dumping Browser Cookies Chrome Dumping Browser Cookies Chrome - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/dumping-browser-cookies-firefox/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/dumping-browser-cookies-firefox/Dumping Browser Cookies Firefox Dumping Browser Cookies Firefox - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/dumping-saved-logins-chrome/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/dumping-saved-logins-chrome/Dumping Saved Logins Chrome Dumping Saved Logins Chrome - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/dumping-saved-logins-firefox/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/dumping-saved-logins-firefox/Dumping Saved Logins Firefox Dumping Saved Logins Firefox - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/dumping-the-sam-database/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/dumping-the-sam-database/Dumping the SAM Database Dumping the SAM Database - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/dumping-the-sam-from-disk/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/dumping-the-sam-from-disk/Dumping the SAM from Disk Dumping the SAM from Disk - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/dumping-the-sam-remotely/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/dumping-the-sam-remotely/Dumping the SAM Remotely Dumping the SAM Remotely - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/ekko-sleep-obfuscation-with-control-flow-guard/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/ekko-sleep-obfuscation-with-control-flow-guard/Ekko Sleep Obfuscation with Control Flow Guard Ekko Sleep Obfuscation with Control Flow Guard - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Ekko Sleep Obfuscation with Restored File Section Protections Ekko Sleep Obfuscation with RtlEncryptMemory and RtlDecryptMemory Ekko Sleep Obfuscation with Stack Spoofing Heap Encryption with Ekko Sleep Obfuscation Introduction to Ekko Sleep Obfuscation Introduction to Foliage Sleep Obfuscation Introduction to Sleep Obfuscation PEfluctuation Zilean Sleep Obfuscation with Stack Duplicationhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/ekko-sleep-obfuscation-with-restored-file-section-protections/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/ekko-sleep-obfuscation-with-restored-file-section-protections/Ekko Sleep Obfuscation with Restored File Section Protections Ekko Sleep Obfuscation with Restored File Section Protections - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Ekko Sleep Obfuscation with Control Flow Guard Ekko Sleep Obfuscation with RtlEncryptMemory and RtlDecryptMemory Ekko Sleep Obfuscation with Stack Spoofing Heap Encryption with Ekko Sleep Obfuscation Introduction to Ekko Sleep Obfuscation Introduction to Foliage Sleep Obfuscation Introduction to Sleep Obfuscation PEfluctuation Zilean Sleep Obfuscation with Stack Duplicationhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/ekko-sleep-obfuscation-with-rtlencryptmemory-and-rtldecryptmemory/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/ekko-sleep-obfuscation-with-rtlencryptmemory-and-rtldecryptmemory/Ekko Sleep Obfuscation with RtlEncryptMemory and RtlDecryptMemory Ekko Sleep Obfuscation with RtlEncryptMemory and RtlDecryptMemory - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Ekko Sleep Obfuscation with Control Flow Guard Ekko Sleep Obfuscation with Restored File Section Protections Ekko Sleep Obfuscation with Stack Spoofing Heap Encryption with Ekko Sleep Obfuscation Introduction to Ekko Sleep Obfuscation Introduction to Foliage Sleep Obfuscation Introduction to Sleep Obfuscation PEfluctuation Zilean Sleep Obfuscation with Stack Duplicationhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/ekko-sleep-obfuscation-with-stack-spoofing/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/ekko-sleep-obfuscation-with-stack-spoofing/Ekko Sleep Obfuscation with Stack Spoofing Ekko Sleep Obfuscation with Stack Spoofing - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Ekko Sleep Obfuscation with Control Flow Guard Ekko Sleep Obfuscation with Restored File Section Protections Ekko Sleep Obfuscation with RtlEncryptMemory and RtlDecryptMemory Heap Encryption with Ekko Sleep Obfuscation Introduction to Ekko Sleep Obfuscation Introduction to Foliage Sleep Obfuscation Introduction to Sleep Obfuscation PEfluctuation Zilean Sleep Obfuscation with Stack Duplicationhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/elevate-process-to-system-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/elevate-process-to-system-kernel/Elevate Process to SYSTEM Kernel Elevate Process to SYSTEM Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/enable-sedebugprivilege/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/enable-sedebugprivilege/Enable SeDebugPrivilege Enable SeDebugPrivilege - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/enable-wdigest/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/enable-wdigest/Enable WDigest Enable WDigest - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/encryption-and-packing/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/encryption-and-packing/Encryption and Packing Encryption and Packing - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/encryption-and-packing-techniques/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/encryption-and-packing-techniques/Encryption and Packing Techniques Encryption and Packing Techniques - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/execute-shell-command/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/execute-shell-command/Execute Shell Command Execute Shell Command - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/executing-commands-via-ishelldispatch2-com-interface/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/executing-commands-via-ishelldispatch2-com-interface/Executing Commands via IShellDispatch2 COM Interface Executing Commands via IShellDispatch2 COM Interface - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/executing-files-via-ihxhelppaneserver-com-interface/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/executing-files-via-ihxhelppaneserver-com-interface/Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxHelpPaneServer COM Interface - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/executing-files-via-ihxinteractiveuser-com-interface/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/executing-files-via-ihxinteractiveuser-com-interface/Executing Files via IHxInteractiveUser COM Interface Executing Files via IHxInteractiveUser COM Interface - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/exploiting-edr-for-evasion/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/exploiting-edr-for-evasion/Exploiting EDR for Evasion Exploiting EDR for Evasion - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/extract-wifi-passwords/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/extract-wifi-passwords/Extract WiFi Passwords Extract WiFi Passwords - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/fetch-a-pointer-to-peb/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/fetch-a-pointer-to-peb/Fetch a Pointer to PEB Fetch a Pointer to PEB - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/fetch-a-pointer-to-peb-arm/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/fetch-a-pointer-to-peb-arm/Fetch a Pointer to PEB ARM Fetch a Pointer to PEB ARM - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/fetch-a-pointer-to-teb/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/fetch-a-pointer-to-teb/Fetch a Pointer to TEB Fetch a Pointer to TEB - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/fetch-image-dos-header/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/fetch-image-dos-header/Fetch Image DOS Header Fetch Image DOS Header - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/fetch-image-headers/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/fetch-image-headers/Fetch Image Headers Fetch Image Headers - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/fetch-image-nt-headers/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/fetch-image-nt-headers/Fetch Image NT Headers Fetch Image NT Headers - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/fetch-payload-via-url/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/fetch-payload-via-url/Fetch Payload via URL Fetch Payload via URL - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/fetch-payload-via-url-using-iwinhttprequest-com-interface/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/fetch-payload-via-url-using-iwinhttprequest-com-interface/Fetch Payload via URL using IWinHttpRequest COM Interface Fetch Payload via URL using IWinHttpRequest COM Interface - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/fetching-lsass-handle-and-bypassing-ppl/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/fetching-lsass-handle-and-bypassing-ppl/Fetching LSASS Handle and Bypassing PPL Fetching LSASS Handle and Bypassing PPL - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/file-entropy-reduction/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/file-entropy-reduction/File Entropy Reduction File Entropy Reduction - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/file-upload-via-smb/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/file-upload-via-smb/File Upload via SMB File Upload via SMB - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/fileless-malware/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/fileless-malware/Fileless Malware Fileless Malware - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/forwarded-functions/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/forwarded-functions/Forwarded Functions Forwarded Functions - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/function-stomping/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/function-stomping/Function Stomping Function Stomping - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/get-current-token/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/get-current-token/Get Current Token Get Current Token - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/get-ntdll-base-address-from-stack-frame-walk/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/get-ntdll-base-address-from-stack-frame-walk/Get NTDLL Base Address from Stack Frame Walk Get NTDLL Base Address from Stack Frame Walk - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/get-payload-from-url/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/get-payload-from-url/Get Payload from URL Get Payload from URL - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/getmodulehandle-replacement/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/getmodulehandle-replacement/GetModuleHandle Replacement GetModuleHandle Replacement - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/getprocaddress-replacement/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/getprocaddress-replacement/GetProcAddress Replacement GetProcAddress Replacement - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/ghost-process-injection/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/ghost-process-injection/Ghost Process Injection Ghost Process Injection - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/ghostly-hollowing/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/ghostly-hollowing/Ghostly Hollowing Ghostly Hollowing - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/hardware-breakpoint-hooking-library/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/hardware-breakpoint-hooking-library/Hardware Breakpoint Hooking Library Hardware Breakpoint Hooking Library - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/hardware-breakpoint-threadless-injection/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/hardware-breakpoint-threadless-injection/Hardware Breakpoint Threadless Injection Hardware Breakpoint Threadless Injection - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/heap-encryption-with-ekko-sleep-obfuscation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/heap-encryption-with-ekko-sleep-obfuscation/Heap Encryption with Ekko Sleep Obfuscation Heap Encryption with Ekko Sleep Obfuscation - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Ekko Sleep Obfuscation with Control Flow Guard Ekko Sleep Obfuscation with Restored File Section Protections Ekko Sleep Obfuscation with RtlEncryptMemory and RtlDecryptMemory Ekko Sleep Obfuscation with Stack Spoofing Introduction to Ekko Sleep Obfuscation Introduction to Foliage Sleep Obfuscation Introduction to Sleep Obfuscation PEfluctuation Zilean Sleep Obfuscation with Stack Duplicationhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/hellshall/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/hellshall/Hellshall Hellshall - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/herpaderping-hollowing/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/herpaderping-hollowing/Herpaderping Hollowing Herpaderping Hollowing - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/herpaderping-process-injection/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/herpaderping-process-injection/Herpaderping Process Injection Herpaderping Process Injection - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/hide-console-window/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/hide-console-window/Hide Console Window Hide Console Window - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/hide-process-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/hide-process-kernel/Hide Process Kernel Hide Process Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/hide-process-kernel-internals/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/hide-process-kernel-internals/Hide Process Kernel Internals Hide Process Kernel Internals - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/hide-thread-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/hide-thread-kernel/Hide Thread Kernel Hide Thread Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/hide-thread-kernel-internals/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/hide-thread-kernel-internals/Hide Thread Kernel Internals Hide Thread Kernel Internals - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/iat-api-set-resolution/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/iat-api-set-resolution/IAT API Set Resolution IAT API Set Resolution - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/impersonate-process-user/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/impersonate-process-user/Impersonate Process User Impersonate Process User - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/indirect-syscalls/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/indirect-syscalls/Indirect Syscalls Indirect Syscalls - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/inserting-a-custom-section-into-a-pe/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/inserting-a-custom-section-into-a-pe/Inserting a Custom Section into a PE Inserting a Custom Section into a PE - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/beacon-object-files-bof/introduction-to-bof/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/beacon-object-files-bof/introduction-to-bof/Introduction to BOF Introduction to BOF - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: BOF Execution LSASS Dump BOF Object File Loader with Module Stomping Threadless Shellcode Injection via HWBPs BOF Writing BOF Fileshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/introduction-to-dll-sideloading/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/introduction-to-dll-sideloading/Introduction to DLL Sideloading Introduction to DLL Sideloading - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/introduction-to-edrs/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/introduction-to-edrs/Introduction to EDRs Introduction to EDRs - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/introduction-to-ekko-sleep-obfuscation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/introduction-to-ekko-sleep-obfuscation/Introduction to Ekko Sleep Obfuscation Introduction to Ekko Sleep Obfuscation - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Ekko Sleep Obfuscation with Control Flow Guard Ekko Sleep Obfuscation with Restored File Section Protections Ekko Sleep Obfuscation with RtlEncryptMemory and RtlDecryptMemory Ekko Sleep Obfuscation with Stack Spoofing Heap Encryption with Ekko Sleep Obfuscation Introduction to Foliage Sleep Obfuscation Introduction to Sleep Obfuscation PEfluctuation Zilean Sleep Obfuscation with Stack Duplicationhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/introduction-to-foliage-sleep-obfuscation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/introduction-to-foliage-sleep-obfuscation/Introduction to Foliage Sleep Obfuscation Introduction to Foliage Sleep Obfuscation - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Ekko Sleep Obfuscation with Control Flow Guard Ekko Sleep Obfuscation with Restored File Section Protections Ekko Sleep Obfuscation with RtlEncryptMemory and RtlDecryptMemory Ekko Sleep Obfuscation with Stack Spoofing Heap Encryption with Ekko Sleep Obfuscation Introduction to Ekko Sleep Obfuscation Introduction to Sleep Obfuscation PEfluctuation Zilean Sleep Obfuscation with Stack Duplicationhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/introduction-to-havoc-c2/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/introduction-to-havoc-c2/Introduction to Havoc C2 Introduction to Havoc C2 - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/introduction-to-keylogging/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/introduction-to-keylogging/Introduction to Keylogging Introduction to Keylogging - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/introduction-to-lsass-dumping/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/introduction-to-lsass-dumping/Introduction to LSASS Dumping Introduction to LSASS Dumping - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/introduction-to-masm-assembly/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/introduction-to-masm-assembly/Introduction to MASM Assembly Introduction to MASM Assembly - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/introduction-to-sleep-obfuscation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/introduction-to-sleep-obfuscation/Introduction to Sleep Obfuscation Introduction to Sleep Obfuscation - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Ekko Sleep Obfuscation with Control Flow Guard Ekko Sleep Obfuscation with Restored File Section Protections Ekko Sleep Obfuscation with RtlEncryptMemory and RtlDecryptMemory Ekko Sleep Obfuscation with Stack Spoofing Heap Encryption with Ekko Sleep Obfuscation Introduction to Ekko Sleep Obfuscation Introduction to Foliage Sleep Obfuscation PEfluctuation Zilean Sleep Obfuscation with Stack Duplicationhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/introduction-to-the-windows-os/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/introduction-to-the-windows-os/Introduction to the Windows OS Introduction to the Windows OS - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/introduction-to-windows-persistence/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/introduction-to-windows-persistence/Introduction to Windows Persistence Introduction to Windows Persistence - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Abusing WMI for Persistence Persistence via COM Object Hijacking Persistence via Electron Applications Persistence via File System Persistence via Startup Folder Persistence via Windows Registry Persistence via Windows Services Persistence via Windows Taskshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/kernel-modules-enumeration-via-auxklibquerymoduleinformation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/kernel-modules-enumeration-via-auxklibquerymoduleinformation/Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via AuxKlibQueryModuleInformation - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/kernel-modules-enumeration-via-psloadedmodulelist/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/kernel-modules-enumeration-via-psloadedmodulelist/Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via PsLoadedModuleList - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/kernel-modules-enumeration-via-zwquerysysteminformation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/kernel-modules-enumeration-via-zwquerysysteminformation/Kernel Modules Enumeration via ZwQuerySystemInformation Kernel Modules Enumeration via ZwQuerySystemInformation - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/knowndll-cache-poisoning-injection/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/knowndll-cache-poisoning-injection/KnownDLL Cache Poisoning Injection KnownDLL Cache Poisoning Injection - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/library-proxy-loading/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/library-proxy-loading/Library Proxy Loading Library Proxy Loading - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/list-smb-files/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/list-smb-files/List SMB Files List SMB Files - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/local-apc-injection/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/local-apc-injection/Local APC Injection Local APC Injection - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/local-dll-injection/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/local-dll-injection/Local DLL Injection Local DLL Injection - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/local-function-stomping/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/local-function-stomping/Local Function Stomping Local Function Stomping - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/local-mapping-injection/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/local-mapping-injection/Local Mapping Injection Local Mapping Injection - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/local-payload-execution/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/local-payload-execution/Local Payload Execution Local Payload Execution - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/local-pe-execution/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/local-pe-execution/Local PE Execution Local PE Execution - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/local-shellcode-execution/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/local-shellcode-execution/Local Shellcode Execution Local Shellcode Execution - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/beacon-object-files-bof/lsass-dump-bof/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/beacon-object-files-bof/lsass-dump-bof/LSASS Dump BOF LSASS Dump BOF - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: BOF Execution Introduction to BOF Object File Loader with Module Stomping Threadless Shellcode Injection via HWBPs BOF Writing BOF Fileshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/lsass-dump-via-handle-duplication/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/lsass-dump-via-handle-duplication/LSASS Dump via Handle Duplication LSASS Dump via Handle Duplication - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/lsass-dump-via-minidumpwritedump/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/lsass-dump-via-minidumpwritedump/LSASS Dump via MiniDumpWriteDump LSASS Dump via MiniDumpWriteDump - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/lsass-dump-via-rtlreportsilentprocessexit/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/lsass-dump-via-rtlreportsilentprocessexit/LSASS Dump via RtlReportSilentProcessExit LSASS Dump via RtlReportSilentProcessExit - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/lsass-dump-via-seclogon-race-condition/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/lsass-dump-via-seclogon-race-condition/LSASS Dump via SecLogon Race Condition LSASS Dump via SecLogon Race Condition - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/malware-binary-signing/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/malware-binary-signing/Malware Binary Signing Malware Binary Signing - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/malware-compiling/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/malware-compiling/Malware Compiling Malware Compiling - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/Malware Concepts Malware Concepts - foundational knowledge about malware types, behaviors, and development techniques used in offensive security research. Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templates Related Links: Beacon Object Files (BOF) C2 and Networking Credential Dumping Payload and PE Persistence Process Injection Sleep Obfuscation Windows Internalshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/Malware Development Malware Development - the study of techniques used to create, deploy, and operate malicious software including loaders, implants, and post-exploitation tools. Beacon Object Files (BOF) C2 and Networking Credential Dumping Malware Concepts Payload and PE Persistence Process Injection Sleep Obfuscation Windows Internals Related Links: Application Security Bash Burp Suite Cryptography Cybersecurity Encryption Firewalls Ghidra Hashing Incident Response and Forensics Information Security Models Linux Operating System Malware Analysis Network Security Nginx Nmap Obfuscation and Detection Evasion Offensive Phishing Operations Ransomware SOC and Detection Engineering Social Engineering Threat Modeling Windows Security and Administration Wiresharkhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/malware-development-techniques/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/malware-development-techniques/Malware Development Techniques Malware Development Techniques - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/malware-directory-placement/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/malware-directory-placement/Malware Directory Placement Malware Directory Placement - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/malware-kill-date/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/malware-kill-date/Malware Kill Date Malware Kill Date - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/malware-working-hours/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/malware-working-hours/Malware Working Hours Malware Working Hours - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/manually-mapping-api-set-names/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/manually-mapping-api-set-names/Manually Mapping API Set Names Manually Mapping API Set Names - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/metamorphic-malware/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/metamorphic-malware/Metamorphic Malware Metamorphic Malware - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/mmgetsystemroutineaddress-replacement-with-string-hashing-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/mmgetsystemroutineaddress-replacement-with-string-hashing-kernel/Mmgetsystemroutineaddress Replacement with String Hashing Kernel Mmgetsystemroutineaddress Replacement with String Hashing Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/module-overloading/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/module-overloading/Module Overloading Module Overloading - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/module-stomping/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/module-stomping/Module Stomping Module Stomping - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/monitoring-display-state-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/monitoring-display-state-kernel/Monitoring Display State Kernel Monitoring Display State Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/monitoring-user-presence-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/monitoring-user-presence-kernel/Monitoring User Presence Kernel Monitoring User Presence Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/more-c-fundamentals/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/more-c-fundamentals/More C Fundamentals More C Fundamentals - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/msgwaitformultipleobjectsex-alertable-function/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/msgwaitformultipleobjectsex-alertable-function/MsgWaitForMultipleObjectsEx Alertable Function MsgWaitForMultipleObjectsEx Alertable Function - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/multiple-alertable-functions/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/multiple-alertable-functions/Multiple Alertable Functions Multiple Alertable Functions - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/multiple-anti-debugging-techniques/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/multiple-anti-debugging-techniques/Multiple Anti-Debugging Techniques Multiple Anti-Debugging Techniques - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/multiple-payload-execution-control-methods/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/multiple-payload-execution-control-methods/Multiple Payload Execution Control Methods Multiple Payload Execution Control Methods - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/named-pipes/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/named-pipes/Named Pipes Named Pipes - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/net-assemblies-patching-systemenvironment.exit/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/net-assemblies-patching-systemenvironment.exit/NET Assemblies Patching SystemEnvironment.Exit NET Assemblies Patching SystemEnvironment.Exit - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/beacon-object-files-bof/object-file-loader-with-module-stomping/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/beacon-object-files-bof/object-file-loader-with-module-stomping/Object File Loader with Module Stomping Object File Loader with Module Stomping - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: BOF Execution Introduction to BOF LSASS Dump BOF Threadless Shellcode Injection via HWBPs BOF Writing BOF Fileshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/patching-the-.net-exit-routine/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/patching-the-.net-exit-routine/Patching the .NET Exit Routine Patching the .NET Exit Routine - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/patchless-threadless-injection-via-hardware-breakpoints/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/patchless-threadless-injection-via-hardware-breakpoints/Patchless Threadless Injection via Hardware Breakpoints Patchless Threadless Injection via Hardware Breakpoints - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/Payload and PE Payload and PE - techniques for building, loading, and executing shellcode and PE-format payloads in offensive security implants. APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/payload-encryption-variants/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/payload-encryption-variants/Payload Encryption Variants Payload Encryption Variants - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-control/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-control/Payload Execution Control Payload Execution Control - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-control-via-events/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-control-via-events/Payload Execution Control via Events Payload Execution Control via Events - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-control-via-mutexes/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-control-via-mutexes/Payload Execution Control via Mutexes Payload Execution Control via Mutexes - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-control-via-semaphores/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-control-via-semaphores/Payload Execution Control via Semaphores Payload Execution Control via Semaphores - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-callbacks/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-callbacks/Payload Execution via Callbacks Payload Execution via Callbacks - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-certenumsystemstore-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-certenumsystemstore-callback/Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStore Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-certenumsystemstorelocation-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-certenumsystemstorelocation-callback/Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CertEnumSystemStoreLocation Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-copyfileexw-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-copyfileexw-callback/Payload Execution via CopyFileExW Callback Payload Execution via CopyFileExW Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-cryptenumoidinfo-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-cryptenumoidinfo-callback/Payload Execution via CryptEnumOIDInfo Callback Payload Execution via CryptEnumOIDInfo Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumcalendarinfow-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumcalendarinfow-callback/Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumCalendarInfoW Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumdesktopsw-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumdesktopsw-callback/Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopsW Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumdesktopwindows-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumdesktopwindows-callback/Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDesktopWindows Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumdirtreew-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumdirtreew-callback/Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDirTreeW Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumdisplaymonitors-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumdisplaymonitors-callback/Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumDisplayMonitors Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumerateloadedmodules-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumerateloadedmodules-callback/Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumerateLoadedModules Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumfontfamiliesw-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumfontfamiliesw-callback/Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontFamiliesW Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumfontsw-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumfontsw-callback/Payload Execution via EnumFontsW Callback Payload Execution via EnumFontsW Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumlanguagegrouplocalesw-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumlanguagegrouplocalesw-callback/Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumLanguageGroupLocalesW Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumobjects-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumobjects-callback/Payload Execution via EnumObjects Callback Payload Execution via EnumObjects Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumpagefilesw-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumpagefilesw-callback/Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPageFilesW Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumpropsw-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumpropsw-callback/Payload Execution via EnumPropsW Callback Payload Execution via EnumPropsW Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumpwrschemes-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumpwrschemes-callback/Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumPwrSchemes Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumresourcetypesw-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumresourcetypesw-callback/Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumResourceTypesW Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumsystemlocalesex-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumsystemlocalesex-callback/Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumSystemLocalesEx Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumthreadwindows-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumthreadwindows-callback/Payload Execution via EnumThreadWindows Callback Payload Execution via EnumThreadWindows Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumtimeformatsex-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumtimeformatsex-callback/Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumTimeFormatsEx Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumwindows-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumwindows-callback/Payload Execution via EnumWindows Callback Payload Execution via EnumWindows Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumwindowstationsw-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-enumwindowstationsw-callback/Payload Execution via EnumWindowStationsW Callback Payload Execution via EnumWindowStationsW Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-fibers/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-fibers/Payload Execution via Fibers Payload Execution via Fibers - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-flsalloc-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-flsalloc-callback/Payload Execution via FlsAlloc Callback Payload Execution via FlsAlloc Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-imagegetdigeststream-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-imagegetdigeststream-callback/Payload Execution via ImageGetDigestStream Callback Payload Execution via ImageGetDigestStream Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-immenuminputcontext-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-immenuminputcontext-callback/Payload Execution via ImmEnumInputContext Callback Payload Execution via ImmEnumInputContext Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-initonceexecuteonce-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-initonceexecuteonce-callback/Payload Execution via InitOnceExecuteOnce Callback Payload Execution via InitOnceExecuteOnce Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-symenumprocesses-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-symenumprocesses-callback/Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumProcesses Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-symenumsourcefiles-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-symenumsourcefiles-callback/Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymEnumSourceFiles Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-symfindfileinpath-callback/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/payload-execution-via-symfindfileinpath-callback/Payload Execution via SymFindFileInPath Callback Payload Execution via SymFindFileInPath Callback - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/payload-injection/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/payload-injection/Payload Injection Payload Injection - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/payload-obfuscation-and-deobfuscation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/payload-obfuscation-and-deobfuscation/Payload Obfuscation and Deobfuscation Payload Obfuscation and Deobfuscation - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/payload-obfuscation-variants/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/payload-obfuscation-variants/Payload Obfuscation Variants Payload Obfuscation Variants - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/payload-placement/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/payload-placement/Payload Placement Payload Placement - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/payload-placement-variants/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/payload-placement-variants/Payload Placement Variants Payload Placement Variants - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/payload-staging/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/payload-staging/Payload Staging Payload Staging - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/payload-staging-via-registry-and-web/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/payload-staging-via-registry-and-web/Payload Staging via Registry and Web Payload Staging via Registry and Web - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/peb-ldr-data-iterator/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/peb-ldr-data-iterator/PEB LDR Data Iterator PEB LDR Data Iterator - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/pefluctuation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/pefluctuation/PEfluctuation PEfluctuation - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Ekko Sleep Obfuscation with Control Flow Guard Ekko Sleep Obfuscation with Restored File Section Protections Ekko Sleep Obfuscation with RtlEncryptMemory and RtlDecryptMemory Ekko Sleep Obfuscation with Stack Spoofing Heap Encryption with Ekko Sleep Obfuscation Introduction to Ekko Sleep Obfuscation Introduction to Foliage Sleep Obfuscation Introduction to Sleep Obfuscation Zilean Sleep Obfuscation with Stack Duplicationhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/Persistence Persistence - techniques used by malware to maintain access to a compromised system across reboots, logoffs, and security tool detections. Abusing WMI for Persistence Introduction to Windows Persistence Persistence via COM Object Hijacking Persistence via Electron Applications Persistence via File System Persistence via Startup Folder Persistence via Windows Registry Persistence via Windows Services Persistence via Windows Tasks Related Links: Beacon Object Files (BOF) C2 and Networking Credential Dumping Malware Concepts Payload and PE Process Injection Sleep Obfuscation Windows Internalshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/persistence-techniques-overview/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/persistence-techniques-overview/Persistence Techniques Overview Persistence Techniques Overview - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/persistence-via-com-object-hijacking/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/persistence-via-com-object-hijacking/Persistence via COM Object Hijacking Persistence via COM Object Hijacking - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Abusing WMI for Persistence Introduction to Windows Persistence Persistence via Electron Applications Persistence via File System Persistence via Startup Folder Persistence via Windows Registry Persistence via Windows Services Persistence via Windows Taskshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/persistence-via-electron-applications/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/persistence-via-electron-applications/Persistence via Electron Applications Persistence via Electron Applications - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Abusing WMI for Persistence Introduction to Windows Persistence Persistence via COM Object Hijacking Persistence via File System Persistence via Startup Folder Persistence via Windows Registry Persistence via Windows Services Persistence via Windows Taskshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/persistence-via-file-system/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/persistence-via-file-system/Persistence via File System Persistence via File System - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Abusing WMI for Persistence Introduction to Windows Persistence Persistence via COM Object Hijacking Persistence via Electron Applications Persistence via Startup Folder Persistence via Windows Registry Persistence via Windows Services Persistence via Windows Taskshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/persistence-via-startup-folder/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/persistence-via-startup-folder/Persistence via Startup Folder Persistence via Startup Folder - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Abusing WMI for Persistence Introduction to Windows Persistence Persistence via COM Object Hijacking Persistence via Electron Applications Persistence via File System Persistence via Windows Registry Persistence via Windows Services Persistence via Windows Taskshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/persistence-via-windows-registry/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/persistence-via-windows-registry/Persistence via Windows Registry Persistence via Windows Registry - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Abusing WMI for Persistence Introduction to Windows Persistence Persistence via COM Object Hijacking Persistence via Electron Applications Persistence via File System Persistence via Startup Folder Persistence via Windows Services Persistence via Windows Taskshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/persistence-via-windows-services/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/persistence-via-windows-services/Persistence via Windows Services Persistence via Windows Services - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Abusing WMI for Persistence Introduction to Windows Persistence Persistence via COM Object Hijacking Persistence via Electron Applications Persistence via File System Persistence via Startup Folder Persistence via Windows Registry Persistence via Windows Taskshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/persistence-via-windows-tasks/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/persistence/persistence-via-windows-tasks/Persistence via Windows Tasks Persistence via Windows Tasks - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Abusing WMI for Persistence Introduction to Windows Persistence Persistence via COM Object Hijacking Persistence via Electron Applications Persistence via File System Persistence via Startup Folder Persistence via Windows Registry Persistence via Windows Serviceshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/polymorphic-and-metamorphic-techniques/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/polymorphic-and-metamorphic-techniques/Polymorphic and Metamorphic Techniques Polymorphic and Metamorphic Techniques - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/polymorphic-malware/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/polymorphic-malware/Polymorphic Malware Polymorphic Malware - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/portable-pe-headers-retrieval/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/portable-pe-headers-retrieval/Portable PE Headers Retrieval Portable PE Headers Retrieval - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/powershell-execution-via-.net-hosting-api/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/powershell-execution-via-.net-hosting-api/PowerShell Execution via .NET Hosting API PowerShell Execution via .NET Hosting API - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes Proxy Execute NtAllocateVirtualMemory with Timer APIs Proxy Execute NtAllocateVirtualMemory with Work Item APIs Proxy Execute NtCreateThreadEx with Work Item APIs Reverse Shell Reverse Shells Overview Running JScript Code in Memory Send Keystrokes to Remote Server Shell Execution SignalObjectAndWait Alertable Function SleepEx Alertable Function Upload File via SMB User Shared Data Delay WaitForMultipleObjectsEx Alertable Function WaitForSingleObjectEx Alertable Function WMI Queryhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/ppid-spoofing/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/ppid-spoofing/PPID Spoofing PPID Spoofing - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/print-a-hexadecimal-array/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/print-a-hexadecimal-array/Print a Hexadecimal Array Print a Hexadecimal Array - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/print-os-version/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/print-os-version/Print OS Version Print OS Version - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/privilege-query/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/privilege-query/Privilege Query Privilege Query - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/process-creation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/process-creation/Process Creation Process Creation - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/process-enumeration-via-zwquerysysteminformation-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/process-enumeration-via-zwquerysysteminformation-kernel/Process Enumeration via ZwQuerySystemInformation Kernel Process Enumeration via ZwQuerySystemInformation Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/process-hollowing/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/process-hollowing/Process Hollowing Process Hollowing - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/process-hypnosis/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/process-hypnosis/Process Hypnosis Process Hypnosis - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/Process Injection Process Injection - techniques for executing arbitrary code inside the address space of a legitimate process to evade detection and gain privileges. API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Execution Related Links: Beacon Object Files (BOF) C2 and Networking Credential Dumping Malware Concepts Payload and PE Persistence Sleep Obfuscation Windows Internalshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/proxy-execute-ntallocatevirtualmemory-with-timer-apis/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/proxy-execute-ntallocatevirtualmemory-with-timer-apis/Proxy Execute NtAllocateVirtualMemory with Timer APIs Proxy Execute NtAllocateVirtualMemory with Timer APIs - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/proxy-execute-ntallocatevirtualmemory-with-timer-apis-c/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/proxy-execute-ntallocatevirtualmemory-with-timer-apis-c/Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Timer APIs C - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/proxy-execute-ntallocatevirtualmemory-with-work-item-apis/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/proxy-execute-ntallocatevirtualmemory-with-work-item-apis/Proxy Execute NtAllocateVirtualMemory with Work Item APIs Proxy Execute NtAllocateVirtualMemory with Work Item APIs - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/proxy-execute-ntallocatevirtualmemory-with-work-item-apis-c/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/proxy-execute-ntallocatevirtualmemory-with-work-item-apis-c/Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/proxy-execute-ntcreatethreadex-with-work-item-apis/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/proxy-execute-ntcreatethreadex-with-work-item-apis/Proxy Execute NtCreateThreadEx with Work Item APIs Proxy Execute NtCreateThreadEx with Work Item APIs - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/proxy-execute-ntcreatethreadex-with-work-item-apis-c/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/proxy-execute-ntcreatethreadex-with-work-item-apis-c/Proxy Execute NtCreateThreadEx with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/python-for-malware-development/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/python-for-malware-development/Python for Malware Development Python for Malware Development - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/read-clipboard-data/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/read-clipboard-data/Read Clipboard Data Read Clipboard Data - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/reading-a-file-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/reading-a-file-kernel/Reading a File Kernel Reading a File Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/reflective-dll-injection/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/reflective-dll-injection/Reflective DLL Injection Reflective DLL Injection - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/reimplementing-injection-via-syscalls/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/reimplementing-injection-via-syscalls/Reimplementing Injection via Syscalls Reimplementing Injection via Syscalls - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/remote-apc-injection/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/remote-apc-injection/Remote APC Injection Remote APC Injection - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/remote-dll-injection/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/remote-dll-injection/Remote DLL Injection Remote DLL Injection - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/remote-function-stomping/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/remote-function-stomping/Remote Function Stomping Remote Function Stomping - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/remote-mapping-injection/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/remote-mapping-injection/Remote Mapping Injection Remote Mapping Injection - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/remote-module-stomping/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/remote-module-stomping/Remote Module Stomping Remote Module Stomping - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/remote-payload-execution/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/remote-payload-execution/Remote Payload Execution Remote Payload Execution - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/remote-payload-execution-via-injection/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/remote-payload-execution-via-injection/Remote Payload Execution via Injection Remote Payload Execution via Injection - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-kernel-version/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-kernel-version/Retrieving Kernel Version Retrieving Kernel Version - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-identifier-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-identifier-kernel/Retrieving Process Identifier Kernel Retrieving Process Identifier Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-image-base-address-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-image-base-address-kernel/Retrieving Process Image Base Address Kernel Retrieving Process Image Base Address Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-name-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-name-kernel/Retrieving Process Name Kernel Retrieving Process Name Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-parent-id-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-parent-id-kernel/Retrieving Process Parent ID Kernel Retrieving Process Parent ID Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-session-id-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-session-id-kernel/Retrieving Process Session ID Kernel Retrieving Process Session ID Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-the-address-of-an-unexported-zw-api-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-the-address-of-an-unexported-zw-api-kernel/Retrieving the Address of an Unexported ZW API Kernel Retrieving the Address of an Unexported ZW API Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/reverse-shell/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/reverse-shell/Reverse Shell Reverse Shell - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/reverse-shells-overview/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/reverse-shells-overview/Reverse Shells Overview Reverse Shells Overview - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/rootkits/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/rootkits/Rootkits Rootkits - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/rootkits-and-bootkits/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/rootkits-and-bootkits/Rootkits and Bootkits Rootkits and Bootkits - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/rop-hellshall/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/rop-hellshall/ROP Hellshall ROP Hellshall - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/running-jscript-code-in-memory/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/running-jscript-code-in-memory/Running JScript Code in Memory Running JScript Code in Memory - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/runpe/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/runpe/RunPE RunPE - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/screen-capture-to-bmp/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/screen-capture-to-bmp/Screen Capture to BMP Screen Capture to BMP - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Windows DLL Template Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/send-keystrokes-to-remote-server/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/send-keystrokes-to-remote-server/Send Keystrokes to Remote Server Send Keystrokes to Remote Server - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/set-privilege-via-adjusttokenprivileges/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/set-privilege-via-adjusttokenprivileges/Set Privilege via AdjustTokenPrivileges Set Privilege via AdjustTokenPrivileges - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/set-privilege-via-rtladjustprivilege/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/set-privilege-via-rtladjustprivilege/Set Privilege via RtlAdjustPrivilege Set Privilege via RtlAdjustPrivilege - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges SMB Pass the Hash Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/shell-execution/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/shell-execution/Shell Execution Shell Execution - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/shellcode-injection/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/shellcode-injection/Shellcode Injection Shellcode Injection - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/shellcode-injection-via-zwcreatethreadex-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/shellcode-injection-via-zwcreatethreadex-kernel/Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Injection via ZwCreateThreadEx Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/shellcode-injection-via-zwcreatethreadex-kernel-internals/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/shellcode-injection-via-zwcreatethreadex-kernel-internals/Shellcode Injection via ZwCreateThreadEx Kernel Internals Shellcode Injection via ZwCreateThreadEx Kernel Internals - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/shellcode-reflective-dll-injection-srdi/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/shellcode-reflective-dll-injection-srdi/Shellcode Reflective DLL Injection (sRDI) Shellcode Reflective DLL Injection (sRDI) - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/shellcode-reflective-dll-injection-srdi-technique/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/shellcode-reflective-dll-injection-srdi-technique/Shellcode Reflective DLL Injection (sRDI) Technique Shellcode Reflective DLL Injection (sRDI) Technique - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Thread Hijacking Kernel Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/shellcoding-a-reverse-shell/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/shellcoding-a-reverse-shell/Shellcoding a Reverse Shell Shellcoding a Reverse Shell - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/shellcoding-stager-local-inject/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/shellcoding-stager-local-inject/Shellcoding Stager Local Inject Shellcoding Stager Local Inject - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/shellcoding-stager-remote-inject/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/shellcoding-stager-remote-inject/Shellcoding Stager Remote Inject Shellcoding Stager Remote Inject - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/signalobjectandwait-alertable-function/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/signalobjectandwait-alertable-function/SignalObjectAndWait Alertable Function SignalObjectAndWait Alertable Function - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/Sleep Obfuscation Sleep Obfuscation - techniques that encrypt or hide implant code in memory during beacon sleep intervals to evade memory scanning. Ekko Sleep Obfuscation with Control Flow Guard Ekko Sleep Obfuscation with Restored File Section Protections Ekko Sleep Obfuscation with RtlEncryptMemory and RtlDecryptMemory Ekko Sleep Obfuscation with Stack Spoofing Heap Encryption with Ekko Sleep Obfuscation Introduction to Ekko Sleep Obfuscation Introduction to Foliage Sleep Obfuscation Introduction to Sleep Obfuscation PEfluctuation Zilean Sleep Obfuscation with Stack Duplication Related Links: Beacon Object Files (BOF) C2 and Networking Credential Dumping Malware Concepts Payload and PE Persistence Process Injection Windows Internalshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/sleepex-alertable-function/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/sleepex-alertable-function/SleepEx Alertable Function SleepEx Alertable Function - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/smb-pass-the-hash/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/smb-pass-the-hash/SMB Pass the Hash SMB Pass the Hash - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege Token Impersonation Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/stage-early-bird-injection/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/stage-early-bird-injection/Stage Early Bird Injection Stage Early Bird Injection - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/steganography-shellcode-loader/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/steganography-shellcode-loader/Steganography Shellcode Loader Steganography Shellcode Loader - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/string-hashing-obfuscation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/string-hashing-obfuscation/String Hashing Obfuscation String Hashing Obfuscation - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/syscall-gadget-pattern-scan/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/syscall-gadget-pattern-scan/Syscall Gadget Pattern Scan Syscall Gadget Pattern Scan - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/syscall-number-retrieval-from-ntdll-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/syscall-number-retrieval-from-ntdll-kernel/Syscall Number Retrieval from NTDLL Kernel Syscall Number Retrieval from NTDLL Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/syscalls/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/syscalls/Syscalls Syscalls - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/syscalls-tampering/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/syscalls-tampering/Syscalls Tampering Syscalls Tampering - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/tampered-syscalls-via-hardware-breakpoints/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/tampered-syscalls-via-hardware-breakpoints/Tampered Syscalls via Hardware Breakpoints Tampered Syscalls via Hardware Breakpoints - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/terminating-a-process-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/terminating-a-process-kernel/Terminating a Process Kernel Terminating a Process Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/thread-enumeration-techniques/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/thread-enumeration-techniques/Thread Enumeration Techniques Thread Enumeration Techniques - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/thread-enumeration-via-procfs/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/thread-enumeration-via-procfs/Thread Enumeration via ProcFS Thread Enumeration via ProcFS - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/thread-enumeration-via-syscall/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/thread-enumeration-via-syscall/Thread Enumeration via Syscall Thread Enumeration via Syscall - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/thread-hijacking-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/thread-hijacking-kernel/Thread Hijacking Kernel Thread Hijacking Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Threadless Injection VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/thread-hijacking-kernel-internals/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/thread-hijacking-kernel-internals/Thread Hijacking Kernel Internals Thread Hijacking Kernel Internals - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/threadless-injection/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/threadless-injection/Threadless Injection Threadless Injection - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel VEH Manipulation for Local Code Executionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/beacon-object-files-bof/threadless-shellcode-injection-via-hwbps-bof/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/beacon-object-files-bof/threadless-shellcode-injection-via-hwbps-bof/Threadless Shellcode Injection via HWBPs BOF Threadless Shellcode Injection via HWBPs BOF - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: BOF Execution Introduction to BOF LSASS Dump BOF Object File Loader with Module Stomping Writing BOF Fileshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/token-impersonation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/token-impersonation/Token Impersonation Token Impersonation - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Manipulation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/token-manipulation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/token-manipulation/Token Manipulation Token Manipulation - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Querying Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/token-querying/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/token-querying/Token Querying Token Querying - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Utilizing Hardware Breakpoints for Credential Dumpinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/upload-file-via-smb/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/upload-file-via-smb/Upload File via SMB Upload File via SMB - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/user-mode-function-lookup-in-process-modules-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/user-mode-function-lookup-in-process-modules-kernel/User Mode Function Lookup in Process Modules Kernel User Mode Function Lookup in Process Modules Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/user-mode-process-modules-enumeration-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/user-mode-process-modules-enumeration-kernel/User Mode Process Modules Enumeration Kernel User Mode Process Modules Enumeration Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel Using Class in C Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/user-shared-data-delay/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/user-shared-data-delay/User Shared Data Delay User Shared Data Delay - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/using-class-in-c-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/using-class-in-c-kernel/Using Class in C Kernel Using Class in C Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel WinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/utilizing-hardware-breakpoints-for-credential-dumping/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/credential-dumping/utilizing-hardware-breakpoints-for-credential-dumping/Utilizing Hardware Breakpoints for Credential Dumping Utilizing Hardware Breakpoints for Credential Dumping - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Clipboard Data Theft Dumping Browser Cookies Chrome Dumping Browser Cookies Firefox Dumping Saved Logins Chrome Dumping Saved Logins Firefox Dumping the SAM Database Dumping the SAM from Disk Dumping the SAM Remotely Enable WDigest Extract WiFi Passwords Fetching LSASS Handle and Bypassing PPL Get Current Token Impersonate Process User Introduction to LSASS Dumping LSASS Dump via Handle Duplication LSASS Dump via MiniDumpWriteDump LSASS Dump via RtlReportSilentProcessExit LSASS Dump via SecLogon Race Condition Privilege Query Read Clipboard Data Set Privilege via AdjustTokenPrivileges Set Privilege via RtlAdjustPrivilege SMB Pass the Hash Token Impersonation Token Manipulation Token Queryinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/utilizing-ntcreateuserprocess/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/utilizing-ntcreateuserprocess/Utilizing NtCreateUserProcess Utilizing NtCreateUserProcess - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.exe Executing Commands via IShellDispatch2 COM Interface Executing Files via IHxHelpPaneServer COM Interface Executing Files via IHxInteractiveUser COM Interface Fetch a Pointer to PEB Fetch a Pointer to PEB ARM Fetch a Pointer to TEB Fetch Image DOS Header Fetch Image Headers Fetch Image NT Headers File Entropy Reduction Forwarded Functions Get NTDLL Base Address from Stack Frame Walk GetModuleHandle Replacement GetProcAddress Replacement IAT API Set Resolution Inserting a Custom Section into a PE Local Payload Execution Local PE Execution Local Shellcode Execution Manually Mapping API Set Names NET Assemblies Patching SystemEnvironment.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/veh-manipulation-for-local-code-execution/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/process-injection/veh-manipulation-for-local-code-execution/VEH Manipulation for Local Code Execution VEH Manipulation for Local Code Execution - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Hooking Cross-Architecture Injection x86 to x64 DLL Injection via ZwCreateThreadEx Kernel Function Stomping Ghost Process Injection Ghostly Hollowing Hardware Breakpoint Hooking Library Hardware Breakpoint Threadless Injection Hellshall Herpaderping Hollowing Herpaderping Process Injection KnownDLL Cache Poisoning Injection Library Proxy Loading Local APC Injection Local DLL Injection Local Function Stomping Local Mapping Injection Module Overloading Module Stomping Multiple Anti-Debugging Techniques Multiple Payload Execution Control Methods Patchless Threadless Injection via Hardware Breakpoints Payload Execution Control Payload Execution Control via Events Payload Execution Control via Mutexes Payload Execution Control via Semaphores Payload Execution via Callbacks Payload Execution via CertEnumSystemStore Callback Payload Execution via CertEnumSystemStoreLocation Callback Payload Execution via CopyFileExW Callback Payload Execution via CryptEnumOIDInfo Callback Payload Execution via EnumCalendarInfoW Callback Payload Execution via EnumDesktopsW Callback Payload Execution via EnumDesktopWindows Callback Payload Execution via EnumDirTreeW Callback Payload Execution via EnumDisplayMonitors Callback Payload Execution via EnumerateLoadedModules Callback Payload Execution via EnumFontFamiliesW Callback Payload Execution via EnumFontsW Callback Payload Execution via EnumLanguageGroupLocalesW Callback Payload Execution via EnumObjects Callback Payload Execution via EnumPageFilesW Callback Payload Execution via EnumPropsW Callback Payload Execution via EnumPwrSchemes Callback Payload Execution via EnumResourceTypesW Callback Payload Execution via EnumSystemLocalesEx Callback Payload Execution via EnumThreadWindows Callback Payload Execution via EnumTimeFormatsEx Callback Payload Execution via EnumWindows Callback Payload Execution via EnumWindowStationsW Callback Payload Execution via Fibers Payload Execution via FlsAlloc Callback Payload Execution via ImageGetDigestStream Callback Payload Execution via ImmEnumInputContext Callback Payload Execution via InitOnceExecuteOnce Callback Payload Execution via SymEnumProcesses Callback Payload Execution via SymEnumSourceFiles Callback Payload Execution via SymFindFileInPath Callback Process Hollowing Process Hypnosis Proxy Execute NtAllocateVirtualMemory with Timer APIs C Proxy Execute NtAllocateVirtualMemory with Work Item APIs C Proxy Execute NtCreateThreadEx with Work Item APIs C Reflective DLL Injection Reimplementing Injection via Syscalls Remote APC Injection Remote DLL Injection Remote Function Stomping Remote Mapping Injection Remote Module Stomping Remote Payload Execution via Injection ROP Hellshall RunPE Shellcode Injection Shellcode Injection via ZwCreateThreadEx Kernel Shellcode Reflective DLL Injection (sRDI) Technique Thread Hijacking Kernel Threadless Injectionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/waitformultipleobjectsex-alertable-function/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/waitformultipleobjectsex-alertable-function/WaitForMultipleObjectsEx Alertable Function WaitForMultipleObjectsEx Alertable Function - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/waitforsingleobjectex-alertable-function/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/waitforsingleobjectex-alertable-function/WaitForSingleObjectEx Alertable Function WaitForSingleObjectEx Alertable Function - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/winapis-and-pe-file-format/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/winapis-and-pe-file-format/WinAPIs and PE File Format WinAPIs and PE File Format - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/winapis-pe-file-format-overview/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/winapis-pe-file-format-overview/WinAPIs PE File Format Overview WinAPIs PE File Format Overview - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/windows-dll-template/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/windows-dll-template/Windows DLL Template Windows DLL Template - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Worm-Like Propagation XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/Windows Internals Windows Internals - foundational knowledge of Windows architecture, kernel structures, API resolution, and PE file format for malware development. API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overview Related Links: Beacon Object Files (BOF) C2 and Networking Credential Dumping Malware Concepts Payload and PE Persistence Process Injection Sleep Obfuscationhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/wmi-query/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/c2-and-networking/wmi-query/WMI Query WMI Query - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Alertable Functions APC Queues Automated C2 Infrastructure Setup C2 Communication Techniques Command and Control Patterns Custom SMB Client Data Exfiltration Techniques Domain Generation Algorithms (DGA) Domain Registration Kill Switch Download and Upload via SMB Download File via BITS Execute Shell Command Fetch Payload via URL Fetch Payload via URL using IWinHttpRequest COM Interface File Upload via SMB Get Payload from URL Introduction to Havoc C2 List SMB Files Malware Kill Date Malware Working Hours MsgWaitForMultipleObjectsEx Alertable Function Multiple Alertable Functions Named Pipes PowerShell Execution via .https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/worm-like-propagation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/worm-like-propagation/Worm-Like Propagation Worm-Like Propagation - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template XLL Templateshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/beacon-object-files-bof/writing-bof-files/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/beacon-object-files-bof/writing-bof-files/Writing BOF Files Writing BOF Files - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: BOF Execution Introduction to BOF LSASS Dump BOF Object File Loader with Module Stomping Threadless Shellcode Injection via HWBPs BOFhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/writing-custom-shellcode/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/writing-custom-shellcode/Writing Custom Shellcode Writing Custom Shellcode - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/writing-to-process-memory-via-apcs/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/payload-and-pe/writing-to-process-memory-via-apcs/Writing to Process Memory via APCs Writing to Process Memory via APCs - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: APC Injection via Write to Process Memory Automated Payload Generation Techniques Building a Loader Building a PE Packer Building an Evasive DLL Payload Loader Command Line Argument Spoofing Compile-Time Hash Obfuscation Compile-Time String Encryption Controlling Payload Execution CRT Library Removal CRT Removal Custom WinAPI Functions DLL Sideloading via at.https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/xll-templates/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/malware-concepts/xll-templates/XLL Templates XLL Templates - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Add Binary Icon AI-Generated Malware Assembly Automated Botnet Development Automated Cryptojacking Malware Development Automated Fileless Malware Development Automated Malware Delivery Techniques Automated Malware Distribution Techniques Automated Payload Generation Automated Polymorphic and Metamorphic Malware Development AV Detection Mechanisms Binary Metadata Modification Binary Properties Icon Metadata Block DLL Policy Bring Your Own File Extension Bring Your Own Protocol Handler Bring Your Own Vulnerable Driver (BYOVD) Building a DRM-Equipped Malware C Programming Capturing and Saving Screenshots into Memory Create a DLL Template Cryptojacking Exploits Custom Built Tools Demonstration Developing a Keylogger DLL Sideloading for EDR Evasion DLL Sideloading Overview DLL Sideloading Practical Example DRM-Equipped Malware Encryption and Packing Encryption and Packing Techniques Exploiting EDR for Evasion Fileless Malware Hide Console Window Hide Process Kernel Hide Thread Kernel Introduction to DLL Sideloading Introduction to EDRs Introduction to Keylogging Introduction to MASM Assembly Introduction to the Windows OS Malware Binary Signing Malware Compiling Malware Development Techniques Malware Directory Placement Metamorphic Malware Monitoring Display State Kernel Monitoring User Presence Kernel More C Fundamentals Persistence Techniques Overview Polymorphic and Metamorphic Techniques Polymorphic Malware Print a Hexadecimal Array Print OS Version Process Creation Python for Malware Development Rootkits Rootkits and Bootkits Screen Capture to BMP Windows DLL Template Worm-Like Propagationhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/zilean-sleep-obfuscation-with-stack-duplication/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/sleep-obfuscation/zilean-sleep-obfuscation-with-stack-duplication/Zilean Sleep Obfuscation with Stack Duplication Zilean Sleep Obfuscation with Stack Duplication - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Ekko Sleep Obfuscation with Control Flow Guard Ekko Sleep Obfuscation with Restored File Section Protections Ekko Sleep Obfuscation with RtlEncryptMemory and RtlDecryptMemory Ekko Sleep Obfuscation with Stack Spoofing Heap Encryption with Ekko Sleep Obfuscation Introduction to Ekko Sleep Obfuscation Introduction to Foliage Sleep Obfuscation Introduction to Sleep Obfuscation PEfluctuation