Source Byte

Injecting code into PPL processes without vulnerable drivers on Windows 11 https://blog.slowerzs.net/posts/pplsystem/

Maldev academy [+] Maldev guide [+] Maldev modules with update modules [+] Maldev update 9 [+] Pdf [+] Vm #malware_dev (____Channel____)

🔥List of best security channels on telegram: https://t.me/addlist/RPL2r4B8flEyOTI0

obfuscating c2 during a red-team engagement(harden your C2 server) Jumpsec #c2

Here is some code that was written about a year for a project for vx-underground. However, due to various reasons, the code is being publicly released. tl;dr recursive loader, painful to reverse engineer Explanation of code: The following code is inspired by APT Linux/Kobalos. Kobalos was malware, suspected to be tied to the Chinese government, which was fully recursive. It was novel malware. Following this inspiration, an x64 recursive loader was developed for Windows 10 and Windows 11. When compiled the binary has no entries in the IAT. The binary resolves all APIs via NTDLL. Additional libraries are loaded via LdrLoadDll. The code recursively calls itself to execute functions. It determines which portion of code to execute using a flag (an enum). Each 'function' is encapsulated in a switch statement. All variables are recursively passed using the 'VARIABLE_TABLE' structure. The VARIABLE_TABLE also contains further nested structures for handling API function resolving, initializing COM objects and associated classes, and data structures for some 'switch functions' which may require additional variables for tasks. To avoid the compiler optimizing code and introducing functions into the IAT, some STDIO functionality such as ZeroMemory have been re-written in more unorthodox methods. HTTPS requests are handled by COM via the WinHttpRequest Object. The code basically downloads a binary from vx-underground and executes it. Currently the code will not work because the executable hosted on vx-underground for the proof-of-concept is no longer there – although it was just a copy cmd.exe. Code may have some bugs. It can be improved upon by introducing pseudo-polymorphism by 'scrambling' the order of switch statements and enum values on each build. Code written by smelly You can checkout Win32.RecursiveLoader.b here: https://pastebin.com/HSTS2zwL

🟣 ساخت KeyLogger ویندوزی با استفاده از GetAsyncKeyState یکی از روش های مرسوم و اولیه برای پیاده سازی کیلاگر ها در ویندوز استفاده از تابع GetAsyncKeyState در Windows API است . به وسیله این تابع میتوان چک کرد آیا یک کلید مدنظر روی صفحه کلید در حال حاضر فشرده شده است یا نه . در این ویدیو میبینیم چطور میتونیم به وسیله این تابع یک کیلاگر ویندوزی پیاده سازی کنیم که به صورت مخفی در پس زمینه اجرا شده و کلید های ضبط شده را در یک فایل ذخیره کند . Aparat : https://www.aparat.com/v/h29Cp #توسعه_بدافزار 🆔 : @mrpythonblog

#Course #DWORD 🔥 بروز رسانی ویدیو های ""دوره آموزش مهندسی معکوس نرم افزار | سطح مقدماتی - متوسط"" در این بروز رسانی قفل های نرم افزاری و DRM های مطرح به صورت کامل تحلیل و بررسی خواهند شد. 🔸 تاندر سافت | ThunderSoft DRM 🔸 جیلی سافت | GiliSoft 🔸 پسورد پروتکت ویدیو مستر | PPVM 🔸 دی آر ام سافت | DRMSoft 🔸 آپین سافت | ApinSoft 🔸 وی سافت | VaySoft 🔸 کپی سیف | CopySafe 🔸 سایر DRM ها و قفل های نرم افزاری به صورت موضوعی این بروزرسانی در اختیار تمامی دانشجویان دوره اول تا پنجم مهندسی معکوس نرم افزار قرار خواهد گرفت. 🦅 کانال بایت امن | گروه بایت امن _

Below is an example of how you can use the Windows API in C++ to create a communication channel with http.sys. This example demonstrates how to set up a simple HTTP server using the HTTP Server API: #include <windows.h> #include <http.h> #pragma comment(lib, "httpapi.lib") int main() { ULONG retCode = NO_ERROR; HTTPAPI_VERSION HttpApiVersion = HTTPAPI_VERSION_2; HTTP_SERVER_SESSION_ID sessId = NULL; HTTP_URL_GROUP_ID groupId = NULL; HTTP_REQUEST_ID requestId = NULL; HTTP_SERVER_CONTEXT context = 0; // Initialize HTTP Server APIs retCode = HttpInitialize(HttpApiVersion, HTTP_INITIALIZE_SERVER, NULL); if (retCode != NO_ERROR) return retCode; // Create a server session retCode = HttpCreateServerSession(HttpApiVersion, &sessId, 0); if (retCode != NO_ERROR) goto cleanup; // Create a URL group retCode = HttpCreateUrlGroup(sessId, &groupId, 0); if (retCode != NO_ERROR) goto cleanup; // Add a URL to the URL group PCWSTR pFullyQualifiedUrl = L"http://localhost:8080/"; retCode = HttpAddUrlToUrlGroup(groupId, pFullyQualifiedUrl, context, 0); if (retCode != NO_ERROR) goto cleanup; // Your code to handle requests here // ... cleanup: // Clean up in case of failure or after serving requests if (groupId != NULL) { HttpRemoveUrlFromUrlGroup(groupId, pFullyQualifiedUrl, 0); HttpCloseUrlGroup(groupId); } if (sessId != NULL) { HttpCloseServerSession(sessId); } HttpTerminate(HTTP_INITIALIZE_SERVER, NULL); return retCode; } This code initializes the HTTP service, creates a server session, sets up a URL group, and adds a URL to the group. You would need to add your own code to handle the HTTP requests. Please note that this is a simplified example and does not include error handling or request processing logic. For a complete implementation, you would need to handle incoming HTTP requests and send appropriate responses. You can find more detailed information and examples in the [Microsoft documentation](^2^). Remember to run your application with administrative privileges, as setting up an HTTP server requires elevated permissions. Using the WinHTTP C/C++ API - Win32 apps | Microsoft Learn. c++ - HTTP client example on win32 - Stack Overflow. c++ - Communication between two windows created using TCP Sockets .... https://github.com/pedro-vicente/lib_netsockets.

VOID MANTICORE DESTRUCTIVE ACTIVITIES IN ISRAEL

Void Manticore is an Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS). They carry out destructive wiping attacks combined with influence operations.

(Checkpoint Report) Research @source_byte #apt #TI

VOID MANTICORE DESTRUCTIVE ACTIVITIES IN ISRAEL

Void Manticore is an Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS). They carry out destructive wiping attacks combined with influence operations.

(Checkpoint Report) Research

no-defender A slightly more fun way to disable windows defender. (through the WSC api)

🍏 macOS Red Teaming. • Gathering System Information Using IOPlatformExpertDevice; • Targeting Browser and Diagnostic Logs; • Manipulating the TCC Database Using PackageKit; • Leveraging Application Bundles and User-Specific Data; • Taking Over Electron App TCC Permissions with electroniz3r; • Exploiting Keychain Access; • Signing Your Payload; • Exploiting Installer Packages; • Exploiting DMG Files for Distribution; • Leveraging HealthInspector Utility; • Generating Shared Secrets and Accessing Computer$ Password; • Over-Pass-The-Hash; • Kerberoasting; • User Level Persistence with Launch Agents; • User Level Persistence with Login Items; • Folder Action Scripts; • Dylib Insertion/Hijack; • Evasion Techniques with XPC on macOS; • Process Injection on macOS; • In-Memory Loading on macOS.

We have many people asking us how to begin their journey into malware development. Here is a step by step guide to get started! 1. Stop asking how to get started 2. Learn to code (NOT PYTHON) 3. Do something 4. Expect failure Have a nice day.

Writing an Independent Malware There’s no greater feeling when the malware (or any project/tool) you’re developing works as expected. Until suddenly you realized it only works on your dev machine but not on any other machine.

🦀 | RustRedOps is a repository dedicated to gathering and sharing advanced techniques and offensive malware for Red Team, with a specific focus on the Rust programming language.

Malware for education Indirect Dynamic Syscall, SSN + Syscall address sorting via Modified TartarusGate approach + Remote Process Injection via APC Early Bird + Spawns a sacrificial Process as target process + (ACG+BlockDll) mitigation policy on spawned process + PPID spoofing + Api resolving from TIB + API hashing