Balyan Blog

MD MZ: Malware Development Book

Introducing the book "MD MZ: Malware Development Book", written by Zhassulan Zhussupov (Cocomelonc) and published by Independently published in 2024. The book is offered in 1000 pages, in pdf format, in English. "MD MZ: Malware Development Book" is in the uncategorized category.

Why is the book called that? MD means Malware Development. The MZ signature is a signature used by the MS-DOS relocatable 16-bit EXE format, and it's still present in today's PE files for backwards compatibility. MD MZ also means My Daughter Munira Zhassulankyzy. I will be very happy if this book helps at least one person to gain knowledge and learn the science of cybersecurity. The book is mostly practice oriented. I wanted to supplement the book with new articles from my blog. As a result, this new edition of this book now contains almost 1000 pages.

The new version of this book is divided into five (4 + 1 bonus) chapters:
- Malware development tricks and techniques.
- AV evasion tricks.
- Persistence techniques.
- Malware, Cryptography, Research.
- Intro to linux malware development.

Table of contents:

1. intro
2. what is malware development?
3. reverse shells. what is reverse shell? listener; run reverse shell (examples); create reverse shell in C; mitigation
4. classic code injection into the process. Simple C++ malware.
5. classic DLL injection into the process. Simple C++ malware.
6. DLL hijacking in Windows. Simple C example. Step 1. Find process with missing DLLs; Step 2. Check folder permissions; Step 3. DLL hijacking; Remediation; Privilege escalation; Conclusion
7. find process ID by name and inject to it. Simple C++ example.
8. linux shellcoding. Examples. shellcode; testing shellcode; disable ASLR; some assembly; nullbytes; example 1. normal exit; example 2. spawning a linux shell.
9. linux shellcoding. Reverse TCP shellcode. testing shellcode; reverse TCP shell assembly; preparation; create socket; connect to a specified IP and port; redirect stdin, stdout and stderr via dup2; launch the shell with execve; final complete shellcode; testing; configurable IP and port
10. windows shellcoding - part 1. Simple example. testing shellcode; first example. run calc.exe; finding function's addresses; assembly time
11. windows shellcoding - part 2. Find kernel32 address. TEB and PEB structures
12. windows shellcoding - part 3. PE file format. PE file; DOS header; DOS stub; PE header; Section Table; Sections; Import Address Table; Conclusion
13. APC injection technique. Simple C++ malware.
14. APC injection via NtTestAlert. Simple C++ malware. NtTestAlert; example
APC injection via alertable threads. Simple C++ malware. example
16. code injection via thread hijacking. Simple C++ malware. what does it mean?; example
17. classic DLL injection via SetWindowsHookEx. Simple C++ malware. SetWindowsHookEx; malicious DLL example; simple malware; Conclusion
18. code injection via windows Fibers. Simple C++ malware. example
19. windows API hooking. Simple C++ example. what is API hooking?; example 1; example 2
20. run shellcode via inline ASM. Simple C++ example.
21. DLL injection via undocumented NtCreateThreadEx. Simple C++ example.
22. code injection via undocumented NtAllocateVirtualMemory. Simple C++ example.
23. code injection via undocumented Native API functions. Simple C++ example.
24. code injection via memory sections. Simple C++ example. what is section?; practical example; demo
25. code injection via ZwCreateSection. Simple C++ malware example. Zw prefix?; practical example. C++ malware; demo
26. code injection via memory sections and ZwQueueApcThread. Simple C++ malware example. ZwQueueApcThread; ZwSetInformationThread; practical example; demo
27. process injection via KernelCallbackTable. Simple C++ malware example. KernelCallbackTable; practical example; demo
28. process injection via RWX-memory hunting. Simple C++ example. RWX-memory hunting; practical example; demo
29. windows API hooking part 2. Simple C++ example. what is API hooking?; example 1
30. process injection via FindWindow. Simple C++ example. practical example; Demo; anti-VM
31. malware development tricks. Find kernel32.dll base: asm style. C++ example. assembly way :); practical example; demo
32. malware development tricks. Download and inject logic. C++ example. download and execute; practical example; demo
33. malware development tricks. Run shellcode via EnumDesktopsA. C++ example. EnumDesktopsA; practical example; demo
34. malware development tricks. Run shellcode via EnumChildWindows. C++ example. EnumChildWindows; practical example; demo
35. malware development tricks. run shellcode like a Lazarus Group. C++ example. UuidFromStringA; practical example; demo
36. malware development tricks: parent PID spoofing. Simple C++ example. parent PID spoofing; practical example; demo
37. malware development tricks. Listplanting. C++ example. practical example; demo
38. malware development tricks. EnumerateLoadedModules. C++ example. listing the loaded modules; practical example 1. print modules; demo 1; practical example 2. inject dll; demo 2; practical example 3. shellcode running via callback function; demo 3
39. malware development tricks. Mutex. C++ example. mutex; practical example; demo
40. malware development trick. WinAPI LoadLibrary implementation. Simple C++ example. LoadLibrary; practical example; demo
41. malware development trick. Dump lsass.exe. Simple C++ example. practical example; demo
42. malware development trick. Store binary data in registry. Simple C++ example. practical example 1; demo 1; practical example 2; demo 2
43. malware development trick. Find PID via NtGetNextProcess. Simple C++ example. what's the trick?; practical example; demo; practical example 2. find and inject; demo 2
44. malware development trick. Run shellcode via SetTimer. Simple C++ example. SetTimer; practical example; demo
45. malware development trick. Find PID via WTSEnumerateProcesses. Simple C++ example. WTSEnumerateProcessesA win api; practical example; demo; practical example 2. find and inject "malware"; demo
46. malware development trick. Store payload in alternate data streams. Simple C++ example. alternate data streams; practical example; demo
47. malware development trick. Enumerate process modules. Simple C++ example. practical example; demo
48. malware development trick. Enumerate process modules via VirtualQueryEx. Simple C++ example. practical example; demo
49. malware development trick. Hunting RWX - part 2. Target process investigation tricks. Simple C/C++ example. practical example; demo; practical example 2; demo 2; practical example 3; demo 3
50. malware development trick. Run payload via EnumDesktopsA. Simple Nim example. practical example; demo
51. malware development trick. Stealing data via legit Telegram API. Simple C example. practical example; demo
52. Malware development trick. Stealing data via legit VirusTotal API. Simple C example. practical example; demo
53. malware development trick. Stealing data via legit Discord Bot API. Simple C example. practical example; demo
54. AV engines evasion for C++ simple malware.
AV engines evasion for C++ simple malware - part 2
56. AV engines evasion techniques - part 3. Simple C++ example.
57. AV engines evasion techniques - part 4. Simple C++ example. what are ordinals?; practical example; demo
58. AV engines evasion techniques - part 5. Simple C++ example. hashing function names; standard calling; hashing; practical example; demo
59. AV/VM engines evasion techniques - part 6. Simple C++ example. registry keys: 1. check if specified registry paths exist; 2. check if specified registry key contains value; practical example; demo
60. malware AV evasion: part 7. Disable Windows Defender. Simple C++ example. windows defender; practical example; demo
61. Malware AV evasion - part 8. Encode payload via Z85 algorithm. C++ example. Z85; practical example; demo
62. malware av evasion - part 9. Encrypt base64 encoded payload via RC4. C++ example. RC4; practical example; demo
63. Malware AV/VM evasion - part 10: anti-debugging. NtGlobalFlag. Simple C++ example. NtGlobalFlag; practical example; demo
64. malware AV/VM evasion - part 11 (part 15 on blog): WinAPI GetModuleHandle implementation. Simple C++ example. GetModuleHandle; practical example. custom implementation of GetModuleHandle; AV evasion example; demo
65. malware AV/VM evasion - part 12 (part 16 on blog): WinAPI GetProcAddress implementation. Simple C++ example. GetProcAddress; practical example. custom implementation of GetProcAddress; AV evasion "malware"; demo
66. malware AV/VM evasion - part 13 (part 17 on blog): bypass UAC via fodhelper.exe. Simple C++ example. registry modification; fodhelper.exe; practical example; demo
67. malware development: persistence - part 1. Registry run keys. C++ example. run keys; practical example; demo; windows 11; conclusion
68. malware development: persistence - part 2. Screensaver hijack. C++ example. screensavers; practical example; demo; conclusion
69. malware development: persistence - part 3. COM DLL hijack. Simple C++ example. Component Object Model; how to discover COM keys for hijacking; attack process; demo; update: programmer way; conclusion
70. malware development: persistence - part 4. Windows services. Simple C++ example. windows services; practical example; demo; conclusion
AppInit DLLs; practical example; demo; second example:
72. malware development: persistence - part 6. Windows netsh helper DLL. Simple C++ example. netsh; practical example
73. malware development: persistence - part 7. Winlogon. Simple C++ example. winlogon; practical example; demo
74. malware development: persistence - part 8. Port monitors. Simple C++ example. port monitors; adding monitor; demo for add "monitor"; registry persistence
75. malware development: persistence - part 9. Default file extension hijacking. Simple C++ example. default file association; practical example; demo
76. malware development: persistence - part 10. Using Image File Execution Options. Simple C++ example. Image File Execution Options; practical example; demo; IFEO debugger type
77. malware development: persistence - part 11. Powershell profile. Simple C++ example. powershell profile; practical example; demo; mitigations
78. malware development: persistence - part 12. Accessibility Features. Simple C++ example. practical example. sethc.exe; demo; conclusion
79. malware development: persistence - part 13. Hijacking uninstall logic for application. Simple C++ example. uninstallation process; practical example; demo; conclusion
80. malware development: persistence - part 14. Event Viewer help link. Simple C++ example. event viewer help link; practical example; demo
81. malware development: persistence - part 15. Internet Explorer. Simple C++ example. internet explorer; practical example; demo; conclusion
82. malware development: persistence - part 16. Cryptography Registry Keys. Simple C++ example. practical example; demo
83. malware development: persistence - part 17 - APT techniques: Token theft via UpdateProcThreadAttribute. Simple C++ example. UpdateProcThreadAttribute technique; practical example; demo
84. malware development: persistence - part 18. Windows Error Reporting. Simple C++ example. WerFault.exe; practical example; demo
85. malware development: persistence - part 19. Disk Cleanup Utility. Simple C++ example. disk cleanup; practical example; demo
86. malware development: persistence - part 20. UserInitMprLogonScript (Logon Script). Simple C++ example. UserInitMprLogonScript; practical example; demo
87. malware development: persistence - part 21. Recycle Bin, My Documents COM extension handler. Simple C++ example. CLSID list; practical example; demo; what about another CLSID from the list?
88. malware development: persistence - part 22. Windows Setup. Simple C++ example. setup script; practical example; demo; practical example 2. persistence script; demo 2; conclusion
89. malware development: persistence - part 23. LNK files. Simple Powershell example. LNK; practical example; demo
90. malware development: persistence - part 24. StartupApproved. Simple C example. StartupApproved; practical example; demo
91. malware development: persistence - part 25. Create symlink from legit to evil. Simple C example. create symbolic link; accessibility features; practical example; demo
92. malware and cryptography research - part 1 (29): LOKI payload encryption. Simple C example. LOKI; practical example; demo
93. Malware and cryptography research - part 2 (30): Khufu payload encryption. Simple C example. Khufu; practical example; demo
94. malware and cryptography research - part 3 (31): CAST-128 payload encryption. Simple C example. CAST-128; practical example; demo; practical example 2; demo 2; practical example 3; demo 3
95. malware and cryptography research - part 4 (32): encrypt payload via FEAL-8 algorithm. Simple C example. FEAL; practical example; demo; cryptanalysis
96. malware and cryptography research - part 5 (33): encrypt payload via Lucifer algorithm. Simple C example. Feistel networks; Lucifer; practical example 1; demo 1; practical example 2; demo 2; cryptanalysis
97. malware and cryptography research - part 6 (34): encrypt payload via DFC algorithm. Simple C example. DFC; practical example; demo; cryptanalysis
98. linux malware development 1: Intro to kernel hacking. Simple C example. practical example; demo
99. linux malware development 2: find process ID by name. Simple C example. practical example; demo; practical example 2; demo 2
100. linux malware development 3: linux process injection with ptrace. Simple C example. ptrace; practical example; demo; final words
101. final
Download the book MD MZ: Malware Development Book