# Getting Started With Malware Development
Table of Contents
* [Foreword](#foreword)
* [Homework](#homework)
* [Starting Malware Development](#starting-malware-development)
* [Resources](#resources)
* [Repository](#repository)
## Foreword
*I'm creating a series for malware development on my YouTube channel.* You can find the first video in the series embedded below. The series will contain all the subjects covered in the malware development section of my blog and more. In the first video, we take a look at the fundamentals of malware development, including things like processes, threads, and handles; before using some basic Win32 API functions.
{% embed url="" %}
Malware Development: Processes, Threads, and Handles
{% endembed %}
### Homework
Now, in the video, if you stayed until the end, you'll have heard that I assigned you some homework. ***I wasn't kidding***. Here's your homework. I want you to, using some of the Win32 API functions covered in the video, develop a program that will do the following:
Startup a process of your choosing, and print out some values like the `PID, TID` and `Handles` for the subsequent processes/threads. Then, have it wait for the process or thread to finish using an API like [`WaitForSingleObject()`](https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject) before closing the handles to your thread and process, using an API like [`CloseHandle()`](https://learn.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-closehandle).
Expected Output
{% hint style="warning" %}
For those struggling, or if you've created your implementation and would like to see how I approached this, you can find the source code of the above program attached below. However, I'd highly recommend **not** resorting to this without genuinely trying to implement it by yourself first!
{% endhint %}
{% file src="/files/aE98ytPndO3lC2r8vnth" %}
Source code for program above
{% endfile %}
## Starting Malware Development
Recently, I’ve been attempting to get into Malware Development. As someone who’s spent a considerable amount of time (\~2 years) "hacking", I’m sort of *ashamed* of myself for not really trying to understand how to develop the one thing all of us hackers use - perhaps even on a daily basis; malware. I mean obviously, I’ve gotten shells with shellcode generated by `msfvenom`, I’ve even dabbled with obfuscation a couple of times, sprinkling in an AMSI bypass here and there, but that's about the current *extent* of "maldev" "knowledge." I plan on remedying that here in this series. There’s something… *different* and *refreshing* about the art of *creating* malware and not just *generating* it.
{% hint style="danger" %}
Obviously, as we're going to be developing malware, you should take extra precautions with the programs we end up building and the techniques we end up learning. Although I'll try to use simple `calc.exe` proof-of-concept shellcode, it's still extremely important to exercise extreme caution and to NEVER run any of these programs, techniques, tools, etc. against someone or something to which you do not have explicit permission to do so.
{% endhint %}
Now, by malware development, what do I mean? Honestly, *I don’t really know*. I’m a *complete beginner* at this. However, I do know that the most common techniques in malware development - more specifically, process injections, are something like the ones below:
* [x] [Shellcode Injection](/nest/mal/dev/inject/shellcode-injection.md)
* [x] [DLL Injection](/nest/mal/dev/inject/dll-injection.md)
* [x] [Using NTDLL/NTAPI](/nest/mal/dev/inject/ntapi-injection.md)
* [x] [Full NTDLL/NTAPI Implementation](/nest/mal/dev/inject/ntapi-injection/complete-ntapi-implementation.md)
* [x] [Using Direct System Calls](/nest/mal/dev/inject/syscalls/direct-syscalls.md)
* [x] [Using Indirect System Calls](https://www.crow.rip/crows-nest/mal/dev/inject/syscalls/indirect-syscalls)
* [ ] Reflective DLL Injection
* [ ] Process Hollowing
* [ ] Phantom Hollowing
* [ ] Hook Injection
* [ ] APC Injection, etc.
{% embed url="" %}
Find the entire list here
{% endembed %}
There are so many more, and probably even more than what I think is out there, when it comes to the different techniques as it pertains to process injection. Attached below is an excellent resource describing the various common process injection techniques:
{% embed url="" %}
10 Process Injection Techniques - Elastic Blog
{% endembed %}
This is such a huge field and without the plethora of *incredible* free resources out there, the Twitter maldev community, and *these* people who I'm *insanely lucky* to call my friends: @[x0reaxeax](http://x0reaxe.ax/), @[lavender](https://github.com/Lavender-exe), @[5pider](https://twitter.com/C5pider), @[bakki](https://twitter.com/shubakki), @aqua, @[rektsu](https://twitter.com/rektsu1337), and many more that I'd love to mention, to draw inspiration from, I’d surely be way more lost than I already am. So, If any of them are reading this, thank you so much! 😄
{% hint style="danger" %}
I just need to make this abundantly clear. I'm **not** some sort of expert on malware development, C, C++, or whatever. Not even close. **I'd never ever claim to be either**. I'm simply making this blog, and the videos, to consolidate my own learning. The hope is that putting what I learn into a blog post or video, will further lock in that knowledge. Since the best way to learn something, is to teach it to someone else.
So, long story short, don't come into this expecting the world's most sleek code, a universal exploit that'll work for everyone on their respective machines or something along those lines.
{% endhint %}
Let’s continue. So, what do we need in order to start malware development? Patience, probably. People get too caught up in what languages to use for x, y, or z. Your programming language is just a tool. As long as you know the underlying idea of what it is that you're trying to accomplish, the tool you use is up to your discretion and shouldn't be too much of a factor. With that being said, the typical languages you may see in malware development are (*but are not limited to*): `C, C++, C#, Assembly, Golang, Rust, Nim, etc.`
What you need is something you have to consider on a *per-project* basis. I'm mainly going to be implementing all of these techniques in `C/C++`. However, there will probably come a time when we might have to explore some `ASM`, `C#`, or a plethora of others, who knows? *Remember, I have no idea what I’m doing. I'm learning, just like all of you are (or were at one point).*
{% hint style="info" %}
This blog is just to document my learning process so that the people who are starting out on their own journey, will have someone they can struggle with; and for your attendance here, I welcome and thank you.
{% endhint %}
Another thing I’m embarrassed to admit is that, at the time of writing this (*March 27th, 2023*), I don’t *really* know how to program `C` or `C++`. You give me some source code, I can generally *maybe sometimes* understand it; most of the time only enough to know the gist of the program’s purpose. I know the common vulnerabilities that lead to buffer overflows; stack-based, format strings, etc.
However, if you plop me in front of a computer with an IDE opened, PC fans humming, the light from the monitor(s) flickering, and tell me to program something in those two languages, I’d be shitting bricks bigger than some of the allocated buffer sizes I’ve seen on some stack-based buffer overflow challenges. So, instead of shitting bricks, I’m going to link some resources down below which I’m currently using to learn `C/C++` and once I’m comfortable, the `Win32 API`.
## Resources
{% tabs %}
{% tab title="C/C++" %}
* C++ Primer Fifth Edition
* [Code Academy C++](https://www.codecademy.com/learn/learn-c-plus-plus)
* [C++ Programming Exercises](https://research.ncl.ac.uk/game/mastersdegree/programmingforgames/cexercises/C++%20Programming%20Exercises.pdf)
* [Standard C++ Library Reference](https://cplusplus.com/reference/)
{% endtab %}
{% tab title="Win32 API" %}
* [MalAPI.io](https://malapi.io/)
* [Windows API MSDN](https://learn.microsoft.com/en-us/windows/win32/apiindex/windows-api-list)
* [theForger’s Win32 API Tutorial](http://slav0nic.org.ua/static/books/C_Cpp/theForger's_Win32APITutorial.pdf)
{% endtab %}
{% endtabs %}
These are what I’m going to use in order to get familiar with the arcane arts of process injection techniques. Once I’ve gotten a little bit comfortable with the languages and APIs, I’ll come back and we can do our first injection! Thank you so much for reading and I’ll catch you next time!
## Repository
{% hint style="success" %}
My GitHub used to be a blog/source code haven for all of these techniques that I was learning. Depending on when you're reading this, it might now just solely be a container for my code.
{% endhint %}
{% embed url="" %}
The repository that'll house all of my malware development growth.
{% endembed %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://www.crow.rip/nest/mal/dev/getting-started.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.