This document is a list of resources and other material that aid in malware analysis, malware development and exploit development; it will be updated frequently.
Feel free to contribute resources.
- OSED
- eCXD
- SLAE x86
- OSEE
- eCMAP
- Sektor 7 Red Team Operator
- Zero2Automated: Ultimate Malware Reverse Engineering
- CREST Certified Malware Reverse Engineer
- SANS FOR610
- SANS FOR500
- FireEye Malware Analysis Master Course
- RingZerø: Windows Kernel Rootkits: Techniques and Analysis
- RingZerø: Windows Internals for Reverse Engineers
- CodeMachine: Windows Kernel Rootkits
Offensive Software Exploitation by Ali Hadi
Course taught at Champlain College by Ali Hadi
Topics:
- PE format
- Bug hunting and fuzzing
- Vanilla BoF
- ROP
- Egghunters
- x64 and x86 assembly
- Reverse engineering
Great introduction to malware analysis and RE. Covers setting up your environment and basic static / dynamic analysis.
hasherezade Windows malware analysis vol 1
Focus on Windows malware and internals specifically.
Includes intermediate topics, such as hooking, UAC bypass, persistence, and much more
Requires some knowledge beforehand
Includes exercises and slides
This course is my go-to for anyone new to exploit dev: it is dead simple and will teach anyone basic buffer overflows in a couple of hours.
It goes from teaching basic assembly to finding a vulnerable function, fuzzing it, and performing a basic buffer overflow to obtain RCE.
RPI modern binary exploitation
Modern binary exploitation
Topics:
- ASLR
- DEP
- ROP
- Heap exploitation
- Stack cookies
- Basic kernel exploitation
- Reverse engineering
- Shellcoding
CS6038/CS5138 introduction to malware analysis and reverse engineering
Introduction to malware analysis and reverse engineering
Covers a wide range of malware analysis topics; a few examples:
- Android static analysis
- Java malware
- Ghidra reverse engineering
- Debugging
- Building malware
- Yara
- Malicious PDF analysis
- Assembly language crash course
- Virtualbox setup
Introduction to x86 32-bit assembly; covers everything needed to get started with x86 assembly
- Includes exercises
- Includes YouTube videos and PowerPoint slides
Same as the 32-bit course; assumes 32-bit knowledge
Intro to Linux binary exploitation
Covers Linux binary exploitation from basic assembly to heap exploitation
Nightmare: Binary exploitation and reverse engineering course
Binary exploitation course using CTFs as examples
Max Kersten Zero to hero binary analysis course
Assumes little to no low level knowledge
Requires basic understanding of programming
Content:
- Assembly basics
- Malware analysis
- Script analysis
- Sample collection
Various applications to practice buffer overflows on.
Includes exploit code.
OpenSecurityTraining introduction to Reverse Engineering
Covers the basics and use cases of RE
Goes over IDA and debugger usage
Helps you identify control flows and Win32 API code
Older course, but worth the time
Intermediate Linux Exploitation
Assumes prior knowledge of x86-64 assembly and familiarity with C and Python.
Assumes you are comfortable with basic binary exploits, like a vanilla buffer overflow.
- Windows Internals, 7th edition, parts 1 and 2
- Practical malware analysis
- Windows Kernel Programming by Pavel Yosifovich
- Malware Analyst's Cookbook
- The Shellcoder's Handbook
- Rootkits: Subverting the Windows Kernel
- Rootkits and Bootkits
- A Guide to Kernel Exploitation
- Windows 10 System Programming, Part 1 (Pavel Yosifovich)
- Windows 10 System Programming, Part 2 (Pavel Yosifovich)
- The IDA Pro book
- The Ghidra book
- Sandworm by Andy Greenberg
- C++ Primer, 5th edition
- The Art of Assembly Language 2nd edition
- The Antivirus Hackers' Handbook
- The Art of Memory Forensics
- Inside Windows Debugging
- Practical Reverse Engineering
Must read!!
Their Windows exploitation series is gold
Lots of awesome malware related content
Content on Windows internals, malware reversing
Lots of content about exploit development
Shameless self-plug - Logicbug
My own blog, mainly content about malware dev
Blog with a couple of posts about EDR, Windows internals and malware analysis
Kernel Mode Threats and Practical Defenses
Morten Schenk - Taking Windows 10 Kernel Exploitation to the next level
The Life & Death of Kernel Object Abuse
Alex Ionescu - Advancing the State of UEFI Bootkits
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
Black Hat Windows 2004 - DKOM (Direct Kernel Object Manipulation)
Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
Hackingz Ze Komputerz - Exploiting CAPCOM.SYS - Part 1
Hackingz Ze Komputerz - Exploiting CAPCOM.SYS - Part 2
W32.Duqu: The Precursor to the Next Stuxnet
Malware and reverse engineering
Great reverse engineering content
Josh Stroschein intro to Assembly
Intro to Assembly
High quality content with a lot of potential
Reverse engineering Cisco ASA for EXTRABACON offsets
DoublePulsar SMB backdoor analysis
Kaspersky Shamoon and StoneDrill Report
Eset Turla Outlook backdoor report
Introduction to Format String exploits
Writing a custom encoder
MinaliC 2.0.0 buffer overflow
BigAnt server 2.52 buffer overflow
Anatomy of an exploit – inside CVE-2013-3893
Understanding type confusion vulnerabilities
Engineering antivirus evasion
Deep dive into iOS exploit chain
Writing iOS kernel exploits
Analysis of Cyber attack on Ukrainian power grid
Analysis of Project Sauron APT
SWEED: Exposing years of Agent Tesla campaigns
WastedLocker analysis
OilRig novel steganography C2
FritzFrog analysis
Rotten Apples: Apple-like domains phishing
Will it blend? This is the Question, new Macro based Evasions spotted
Lazarus shellcode execution
In-Depth analysis of Raccoon stealer
Detailed analysis of Zloader
Interview with LockBit Ransomware operator
BendyBear shellcode malware
Emotet C2 case study
WeSteal Analysis
A Basic Windows DKOM Rootkit
Loading Kernel Shellcode
Windows Kernel Shellcode on Windows 10 – Part 1
Windows Kernel Shellcode on Windows 10 – Part 2
Windows Kernel Shellcode on Windows 10 – Part 3
Panic! At The Kernel - Token Stealing Payloads Revisited on Windows 10 x64 and Bypassing SMEP
Introduction to Shellcode Development
Autochk Rootkit Analysis
pierogi backdoor
New Cyber Espionage Campaigns Targeting Palestinians - Part 1: The Spark Campaign
Pay2Kitten
STEELCORGI
Lebanese Cedar APT
LazyScripter
Maze deobfuscation
Darkside overview
SunBurst backdoor - FireEye analysis
Code obfuscation techniques
SideCopy APT tooling
Hiding in PEB sight: Custom loader
Zloader: New infection technique
This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines
Rolf Rolles: Statically unpacking / analyzing FinFisher VM part 1
Rolf Rolles: Statically unpacking / analyzing FinFisher VM part 2
Rolf Rolles: Statically unpacking / analyzing FinFisher VM part 3
Operation SpoofedScholars: A Conversation with TA453
Hooking Candiru - Another spyware vendor comes into focus
A tale of EDR bypass methods
Phoenix, successor to Protostar
Covers various topics, including:
- Network programming
- Stack overflows
- Heap overflows
- Format string exploits
Various exploits to practice on a driver
Network traffic of malware to analyze
NTAPI undocumented functions
x86/x64 Windows syscall table
Malware Windows API Cheatsheet
Malware evasion / protection techniques
Malware analysis awesome list
Linux rootkits awesome list
Common evasion techniques used by malware
Common anti-debugging techniques used by malware
Win32 Programming C++ notes
APT mindmap