
MalwareAdventurez

My adventures in learning about different userland malware techniques, such as syscalls, injection, unhooking or sandbox evasion.

Install / Use

/learn @eversinc33/MalwareAdventurez
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

Malware Adventurez

Me writing crappy malware and archiving it for future reference.

DISCLAIMER: A lot of this stuff doesn't work, is copied or badly written. This is my archive so I can refer to this when I need code snippets.

|Name|Description|Language|
|---|---|---|
|Keylogger|Basic Keylogger|C++|
|ClipboardStealer|Basic Clipboard Stealer|C++|
|Nimject|My stupid first syscall packer|Nim|
|Dynamic Resolving Shellcode Runner|Shellcode Runner that resolves functions dynamically, resulting in a PE with an empty IAT|C++|
|Process Hollowing XOR|ProcessHollowing injector with XOR encrypted Payload|C#|
|Process Hollowing AES|ProcessHollowing injector with AES encrypted Payload|C++|
|ProcHollowDinvoke|ProcessHollowing injector using DInvoke|C#|
|InvokeAsAdmin|Kindly Ask for Admin Permissions before invoking Shellcode|C#|
|APC-Q_Unhooking|Overwrite hooked ntdll with a fresh copy to avoid EDR hooks and invoke Shellcode via APC-Queuing.|C++|
|Parallel Syscalls Technique|Read syscall numbers from ntdll for selected syscalls from LdrpThunkSignature and use these syscalls to read a fresh unhooked ntdll from disk.|C++|
|PPID Spoofing|Spoof Parent Process ID by using NtCreateUserProcess|C++|
|Reflective PE Injection|Reflective PE Injection|C++|
|Shellcode String Encoder|Use strings from a binary to encode shellcode in order to reduce entropy|C++|
|AmsiPatch|Start a powershell and patch AmsiScanBuffer|C++|
|ThreadContextInject|Inject shellcode using SetThreadContext|C++|
|MapViewInjection|Inject code in a remote process using a mapped section view|C++|
|Hardware Breakpoint Remote Process AMSI Bypass|Hardware Breakpoint AMSI Bypass for Remote Process. Doesn't work|C++|
|Reflective DLL Injection|Reimplementing Reflective DLL Injection (WIP)|C++|
|SyscallSorting|Syscall Sorting|C++|
|RdpCredThief|Hook CredUnPackAuthenticationBufferW to yoink creds from mstsc.exe (or other applications)|C++|
|AmsiProviderEnum|Enumerate AMSI providers and the respective DLLs|C#|

GitHub Stars: 79
Category: Education
Updated: 24d ago
Forks: 12

Languages

C++

Security Score

80/100

Audited on Mar 14, 2026

No findings