Getting Started With Malware Development
Last updated: March 27th, 2023
I'm creating a series for malware development on my YouTube channel. You can find the first video in the series embedded below. The series will contain all the subjects covered in the malware development section of my blog and more. In the first video, we take a look at the fundamentals of malware development, including things like processes, threads, and handles; before using some basic Win32 API functions.
Now, in the video, if you stayed until the end, you'll have heard that I assigned you some homework. I wasn't kidding. Here's your homework. I want you to, using some of the Win32 API functions covered in the video, develop a program that will do the following:
Start up a process of your choosing, and print out some values like the PID, TID and handles for the resulting process and thread. Then, have it wait for the process or thread to finish using an API like WaitForSingleObject() before closing the handles to your thread and process, using an API like CloseHandle().
For those struggling, or if you've created your implementation and would like to see how I approached this, you can find the source code of the above program attached below. However, I'd highly recommend not resorting to this without genuinely trying to implement it by yourself first!
Recently, I’ve been attempting to get into malware development. As someone who’s spent a considerable amount of time (~2 years) "hacking", I’m sort of ashamed of myself for not really trying to understand how to develop the one thing all of us hackers use, perhaps even on a daily basis: malware. I mean, obviously, I’ve gotten shells with shellcode generated by msfvenom, and I’ve even dabbled with obfuscation a couple of times, sprinkling in an AMSI bypass here and there, but that's about the current extent of my "maldev" "knowledge." I plan on remedying that here in this series. There’s something… different and refreshing about the art of creating malware and not just generating it.
Obviously, as we're going to be developing malware, you should take extra precautions with the programs we end up building and the techniques we end up learning. Although I'll try to use simple calc.exe proof-of-concept shellcode, it's still extremely important to exercise extreme caution and to NEVER run any of these programs, techniques, tools, etc. against someone or something for which you do not have explicit permission.
Now, by malware development, what do I mean? Honestly, I don’t really know. I’m a complete beginner at this. However, I do know that the most common techniques in malware development, more specifically process injection techniques, are something like the ones below:
There are many more process injection techniques than these, and probably even more than I think are out there. Attached below is an excellent resource describing the various common process injection techniques:
This is such a huge field, and without the plethora of incredible free resources out there, the Twitter maldev community, and the people I'm insanely lucky to call my friends to draw inspiration from: @x0reaxeax, @lavender, @5pider, @bakki, @aqua, @rektsu, and many more I'd love to mention, I’d surely be way more lost than I already am. So, if any of them are reading this, thank you so much! 😄
I just need to make this abundantly clear: I'm not some sort of expert on malware development, C, C++, or whatever. Not even close, and I'd never claim to be. I'm simply making this blog, and the videos, to consolidate my own learning. The hope is that putting what I learn into a blog post or video will further lock in that knowledge, since the best way to learn something is to teach it to someone else.
So, long story short, don't come into this expecting the world's most sleek code, a universal exploit that'll work for everyone on their respective machines or something along those lines.
Let’s continue. So, what do we need in order to start malware development? Patience, probably. People get too caught up in what languages to use for x, y, or z. Your programming language is just a tool. As long as you know the underlying idea of what it is that you're trying to accomplish, the tool you use is up to your discretion and shouldn't be too much of a factor. With that being said, the typical languages you may see in malware development are (but are not limited to): C, C++, C#, Assembly, Golang, Rust, Nim, etc.
What you need is something you have to consider on a per-project basis. I'm mainly going to be implementing all of these techniques in C/C++. However, there will probably come a time when we might have to explore some ASM, C#, or a plethora of others, who knows? Remember, I have no idea what I’m doing. I'm learning, just like all of you are (or were at one point).
This blog is just to document my learning process so that the people who are starting out on their own journey will have someone they can struggle with; and for your attendance here, I welcome and thank you.
Another thing I’m embarrassed to admit is that, at the time of writing this (March 27th, 2023), I don’t really know how to program C or C++. You give me some source code, I can generally, maybe, sometimes understand it; most of the time only enough to know the gist of the program’s purpose. I know the common vulnerabilities that lead to buffer overflows: stack-based, format strings, etc.
However, if you plop me in front of a computer with an IDE opened, PC fans humming, the light from the monitor(s) flickering, and tell me to program something in those two languages, I’d be shitting bricks bigger than some of the allocated buffer sizes I’ve seen on some stack-based buffer overflow challenges. So, instead of shitting bricks, I’m going to link some resources down below which I’m currently using to learn C/C++ and, once I’m comfortable, the Win32 API.
C++ Primer Fifth Edition
These are what I’m going to use in order to get familiar with the arcane arts of process injection techniques. Once I’ve gotten a little bit comfortable with the languages and APIs, I’ll come back and we can do our first injection! Thank you so much for reading and I’ll catch you next time!
My GitHub used to be a blog/source code haven for all of these techniques that I was learning. Depending on when you're reading this, it might now just solely be a container for my code.