Malware Development

for Dummies
Cas van Cooten

Hack in Paris
30-06-2022 | 01-07-2022
00 | About
[cas@maldev ~]$ whoami

• Offensive Security Enthusiast, Red Team Operator, and hobbyist Malware Developer
• Likes building malware in Nim
• Author of tools such as Nimplant (coming soon™), Nimpackt, and BugBountyScanner
• Semi-pro shitposter on Twitter @chvancooten

Cas van Cooten
casvancooten.com
Twitter: @chvancooten
GitHub: chvancooten
LinkedIn: /in/chvancooten
00 | About
About today’s workshop

• First we will go over some theory, then it’s hands-on time
• Exercises will be tough at first (sorry not sorry)
• We will not have enough time to complete all exercises today! You are encouraged to keep practicing afterwards
• We will be targeting Microsoft Windows
• Slides, guidance on setting up a dev VM, exercises and solutions are available on GitHub:

https://github.com/chvancooten/maldev-for-dummies
01 | Malware Development
Why would a good guy do it?

• “Malicious Software”
• To defend against the bad guys, we should think
like the bad guys (insert Sun Tzu quote here)
• Defenses are maturing, so we are forced to keep up
• In practice, malware can help us throughout
various stages of the kill chain
01 | Malware Development
Digital linguistics – choosing the right language for you

• Many programming languages can be used, each with benefits and drawbacks
• Considerations:
  • High or low level
  • Interpreted or compiled
  • Developer experience (including docs)
  • Prevalence
• Support is provided for C# or Nim, but feel free to choose whatever you are comfortable with
01 | Malware Development
The MalDev Mindset

• Humble beginnings can be daunting
• Luckily, there is a great community of malware developers
• There are many excellent resources available that you can use as inspiration, cheat sheet, or even “borrow” some code from!
• Note: Never blindly copy-paste! Open sources are likely fingerprinted by defensive tools

Some great resources:
• OffensiveNim
• OffensiveCSharp
• SharpSploit
• OSEP-Code-Snippets
• Dinjector
02 | Delivery
Getting your payload executed

• Payload delivery is critical for success
• For initial access, the payload type must be aligned with your pretext
• Every file type has opsec considerations
• Some examples:
  • Binary executables (.exe)
  • Dynamic link libraries (.dll)
  • Office files (.xlsm, .doc, ...)
  • Office add-ins (.xll, .wll, ...)
  • Shortcut files (.lnk)
02 | Delivery
Getting your payload executed

• Your choice of file type may impact your code (e.g. library versus binary versus script)
• Tools can be used to convert your malware to certain formats:
  • MacroPack
  • Donut
  • sRDI
  • ...
• To keep things straightforward, we will stick with basic binaries (.exe) today
02 | Delivery
We have execution! Now what?

• There are various execution techniques, each with their own behaviors:
  • Native functionality
  • Local shellcode execution
  • Remote shellcode injection
  • DLL sideloading
  • DLL injection
  • ...
• For the exercises, we will be focusing on shellcode execution and injection only
03 | Shellcode Execution
Virtual-what now? Meet the Windows API

• The Windows API is used to interface with lower-level aspects of the OS
• Many functions available, can be used for all offensive use cases (enumeration to execution and lateral movement)
• (Mostly) documented on MSDN
• We will use it to load our shellcode 👀
03 | Shellcode Execution
Windows API versus native API

• There are various “levels” of API calls that you will encounter
• They do the same thing!
• Windows API calls (such as VirtualAlloc()) are often just a wrapper for native API calls (such as NtAllocateVirtualMemory())
• The Windows API is easier to understand, but knowing the native API functions and their structure will help when looking at EDR evasion later on

[Diagram of the Windows API layers] Source: MSDN
03 | Shellcode Execution
Shellcode execution techniques

Allocate executable memory → Copy our shellcode into memory → Execute our shellcode

• Allocate memory:
  • VirtualAlloc()
  • NtAllocateVirtualMemory()
• Copy our shellcode into memory:
  • RtlMoveMemory()
  • Or use native functionality exposed by a language, such as Marshal.Copy (C#) or copyMem (Nim)
• EITHER allocate the memory as executable up front, OR make memory executable after copying:
  • VirtualProtect()
  • NtProtectVirtualMemory()
• Execute our shellcode:
  • CreateThread()
Exercise _
Build a basic shellcode runner
00 | Set up a dev VM with tools for your chosen language
01 | Use msfvenom to generate some shellcode, and write a
basic loader that executes it in the current process
B01 | Modify your loader so that it executes shellcode without
calling CreateThread()

Guidance on GitHub
04 | Shellcode Injection
Execution in a remote process, don’t mind if I do

• Shellcode execution in another process
• Injection is opsec-expensive, but malware running in the context of an existing process can have great benefits!
• We need a handle to operate in another process
• We can only get a handle on processes we have permissions for (typically current user context)
• If we’re not sure a process exists, why not spawn it?
04 | Shellcode Injection
New API calls for injection

• We can use a similar allocate-write-execute approach
• Getting a handle:
  • OpenProcess() or NtOpenProcess()
  • Afterwards, clean up with CloseHandle() or NtClose()
• Allocation:
  • VirtualAllocEx() or the same NtAllocateVirtualMemory()
• Copying:
  • We need to use the Windows API this time, since we’re dealing with handles
  • WriteProcessMemory() or NtWriteVirtualMemory()
• Execution:
  • CreateRemoteThread() or NtCreateThreadEx()
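The handle-allocate-write-execute chain on this slide is also what a defender watches for. As an added example (not from the workshop or its GitHub repository), the Python below correlates a handle opened with thread-create and memory-write rights against a later remote thread from the same source into the same target; the log lines are constructed, simplified renderings of Sysmon ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) events rather than real Sysmon output, and the allowlist is an assumed placeholder to be tuned per environment.

```python
"""Correlate process-access and remote-thread events into an injection alert."""
import re
from collections import defaultdict

# Win32 access rights that OpenProcess() must obtain for the
# allocate-write-execute chain (VirtualAllocEx / WriteProcessMemory /
# CreateRemoteThread) to work against the target process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Sources that legitimately hold such handles; assumption, tune per estate.
ALLOWLIST = {r"c:\windows\system32\csrss.exe"}

# Constructed, simplified key=value renderings of Sysmon ProcessAccess (10)
# and CreateRemoteThread (8) events; not real Sysmon output.
SAMPLE_LOG = """\
EventID=10 SourceImage=C:\\Users\\bob\\loader.exe TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1FFFFF
EventID=10 SourceImage=C:\\Windows\\System32\\taskmgr.exe TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1410
EventID=8 SourceImage=C:\\Users\\bob\\loader.exe TargetImage=C:\\Windows\\explorer.exe StartAddress=0x1F2A3C40000
EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\explorer.exe StartAddress=0x7FF812340000
"""


def parse_event(line):
    """Split one 'Key=Value Key=Value' line into a dict (empty for blank lines)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def find_injections(log_text, allowlist=ALLOWLIST):
    """Return (source, target) pairs where a handle carrying INJECT_MASK rights
    was followed by a remote thread from that source into that target."""
    granted = defaultdict(int)  # (source, target) -> OR of GrantedAccess masks
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        src, dst = ev["SourceImage"].lower(), ev["TargetImage"].lower()
        if src in allowlist:
            continue
        if ev["EventID"] == "10":
            # Accumulate rights actually granted; 0x1410 (query + read) is not enough
            granted[(src, dst)] |= int(ev["GrantedAccess"], 16)
        elif ev["EventID"] == "8" and (granted[(src, dst)] & INJECT_MASK) == INJECT_MASK:
            alerts.append((src, dst))
    return alerts
```

On the sample log only loader.exe is reported: taskmgr.exe never requested injection-capable rights, and csrss.exe is allowlisted.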
Exercise _
Build a basic shellcode injector
02 | Create a new project that injects your shellcode in a remote
process, such as explorer.exe
B02 | Make the target process configurable, and spawn the
process if it does not exist already

Guidance on GitHub
05 | Defense Evasion
Bypassing defenses like the big boys

In a real scenario, you are up against many layers of defenses

Antivirus (AV)
• The most basic defense, but not to be underestimated
• Mostly looks at files statically
• Sometimes uses a sandbox to inspect basic behavior
• Blocks shady stuff

Enterprise Detection and Response (EDR)
• AV on steroids
• Usually uses advanced behavioral detections
• ‘Hooks’ APIs and scans memory for indicators
• Does not always block, may ‘only’ alert!

The Blue Team
• One alert can be enough to ruin your operation
• May dissect your malware to find out more about you
• Will ruin your day

... many others
• Threat hunters
• Other endpoint-based controls
• Network-based controls
• Behavioral analytics
• ...
05 | Defense Evasion
AV evasion

• AV evasion is relatively simple, getting rid of “known bad” indicators is usually enough
• Obfuscation can help get rid of suspicious indicators
• Strings, shellcode, and function calls can all be obfuscated (automatically)
• Encryption or encoding (even just XOR or ROT) of shellcode is a bare minimum
• Too much obfuscation is an indicator in itself 👀

You can test your evasions using something like ThreatCheck. Be very careful with the submission of payloads to VirusTotal, as defenders automatically ingest and analyze these payloads. Antiscan promises to not do this, but there are no guarantees...
05 | Defense Evasion
More AV evasion

• Logic bypasses
  • AV takes shortcuts to minimize resource use, we can abuse these!
• Sandbox evasion
  • Perform benign calculations for 30-60s
  • Check for devices, resolution, user input, etc.
• Payload keying
  • Ensuring payload will only fire in target environment
  • Often by using target environment (e.g. domain name) as encryption key

Some inspiration:
• Evasions
• CheckPlease
• KeyRing
• DripLoader
• ConfuserEx
• Denim
05 | Defense Evasion
EDR evasion

• EDR uses a variety of telemetry sources (API hooks, kernel callbacks, ETW, ...)
• Focus on behavior first, blinding EDR second
• Some popular bypass methods:
  • “Refreshing” DLLs
  • API unhooking
  • Direct syscalls
  • In-memory masking
• EDR evasion is tough, don’t expect to nail it first try
• Remember: No block != no alert

Further reading:
• “Blinding EDR on Windows”
• “A tale of EDR bypass methods”
• “Let’s create an EDR... And bypass it!”
Exercise _
Make your malware evasive
03 | Implement one or more of the described evasion techniques in
your shellcode loader / injector and test it against AV
B03 | Implement one or more of the mentioned EDR evasion
techniques (test it against EDR if you are able)

Guidance on GitHub