88 88
88 88
88 88
8b d8 8b, ,d8 88 88 8b,dPPYba, ,adPPYb,88 ,adPPYba, 8b,dPPYba, ,adPPYb,d8 8b,dPPYba, ,adPPYba, 88 88 8b,dPPYba, ,adPPYb,88
`8b d8' `Y8, ,8P' aaaaaaaa 88 88 88P' `"8a a8" `Y88 a8P_____88 88P' "Y8 a8" `Y88 88P' "Y8 a8" "8a 88 88 88P' `"8a a8" `Y88
`8b d8' )888( """""""" 88 88 88 88 8b 88 8PP""""""" 88 8b 88 88 8b d8 88 88 88 88 8b 88
`8b,d8' ,d8" "8b, "8a, ,a88 88 88 "8a, ,d88 "8b, ,aa 88 "8a, ,d88 88 "8a, ,a8" "8a, ,a88 88 88 "8a, ,d88
"8" 8P' `Y8 `"YbbdP'Y8 88 88 `"8bbdP"Y8 `"Ybbd8"' 88 `"YbbdP"Y8 88 `"YbbdP"' `"YbbdP'Y8 88 88 `"8bbdP"Y8
aa, ,88
"Y8bbdP"
As time goes on we see more and more legitimate questions - how can I get into malware development? Ethics aside, as I'm sure some people will question
whether these individuals are Red Teamers, the mildly curious, or wanna-be Threat Actors, I suppose we should go down the rabbit hole and explain the
path required to learn malware development. Before we begin that, I will explain how I personally got into malware development. I will make it brief.
-------------------------------------------------------------------------------------------------------------------------------
PART ONE
MY STORY: I SUCK AT PROGRAMMING. I'M A SLOW LEARNER. EXPECT FAILURE.
-------------------------------------------------------------------------------------------------------------------------------
Sometime in the early 2000s I was a big fan of video games. I played a video game called Halo 2. In Halo 2 it was common to encounter individuals who
cheated in game by performing DDoS attacks. When I encountered this, I was amazed. I had never considered this a possibility - that someone could
abuse computers for profit or self-gain. I immediately was enticed and began my journey into malware. Unfortunately, being a younger person at the
time I was subjected to frauds or trivial script kiddies. Initially I had no idea what I was doing, and I probably hurt myself more than anything else.
But, I perceived these as growing pains. At this period of time StackOverflow did not exist - I relied on weird forums and IRC to learn information
from strangers on the internet. As I explored more, malware seemed like black magic - something not documented or discussed. This fueled my curiosity.
I eventually got some solid advice from someone on EFNET - I had to learn to code. I ended up getting C Primer Plus (an excellent book) and reading
it cover-to-cover. After reading the book, was I good at coding? No. Did I understand malware? Again, no. I learned the basics of C programming but
my understanding of the language was not sufficient. Individuals informed me I needed to complete some programming projects before I was skilled enough
to traverse into malware development. My first C programs were very boring - calculating various mathematic problems. I eventually expanded into
trying to connect to Dictionary.com and tried to use the C programming language to get definitions on words. I tried other various projects, I
failed miserably, a lot. In fact, I did not learn C programming at a sufficient level for 4 years. I spent a lot of time being distracted by school,
girls, video games. I was a teenager. I was not focused. Malware, and C programming, requires the focus I unfortunately was unable to gather. What
people often do not tell you is that at first programming hurts - it is profoundly boring to learn. But, once you get the hand of things you can
code for hours on end, without noticing time has passed. After 4 years of failing I eventually was good enough to understand malware. I discovered
a website called VxHeaven and Rohitab. These websites accelerated my malware development capabilities and it was a wonderful time in my youth.
Now, lets fast forward a few years... In my early 20s I got a job as a software engineer (despite not having a degree). I was software engineer 1.
After 2 years, or so, I moved to Software Engineer 2 and, once again, after more years, I moved to Senior Software Engineer. I worked at a mid to large
sized company. My experience and expertise lead development, I consulted with the scrum master on sprint topics, I assisted the less experienced
engineers, and many other responsibilities. I got these jobs from learning how to develop malware. Today, as of this writing, I know C, C++, C#, VB.NET,
Microsoft T-SQL, Javascript, Python, AutoIT, x86 ASM. Although I can code in all of these languages, my strengths are C/C++, T-SQL, and C#.NET.
In summary, the entire point of this little autobiography, is everyone has a different malware development journey. Some people learn very quickly,
they excel, and others (such as myself) fail a lot - but persistence is required. If you fail at malware development, if you struggle to learn,
if things do not make sense to you, do not take this to heart. This is a serious subject, an entire career field, and overlaps with software engineering,
reverse engineering, and in some cases network engineering (***depending on what you're trying to do, e.g. FastFLUX and DGAs).
-------------------------------------------------------------------------------------------------------------------------------
PART TWO
LEARN TO CODE. EXPECT FAILURE.
-------------------------------------------------------------------------------------------------------------------------------
First and foremost, it needs to be explicitly stated, programming is an absolute requirement. We see people asking if programming is a requirement. This
question is absurd - it is malicious software (malware...) so programming is a fundamental requirement. Secondly, you must be good, or at least semi-good,
at programming. Indeed, we see a lot of really bad malware, and really bad leaked malware source code, at the end of the day malware development can best
be described as a sort-of alternate form of legitimate low-level Windows software engineering - (***or Linux, or MacOS, or whatever OS of your choosing)
If your goal is to write malware, but you cannot code, it is advised you scrap the entire idea of malware development and go and learn to code. It is advised
you do not waste time choosing between the x1000 different platforms to learn coding, just pick one and jump into it. We see a lot of people asking
"where can I best learn?", but ultimately this reflects cold feet, or procrastination, and this shouldn't even be a real question. Find a book
on the programming language you want to learn, read it cover-to-cover, and get to coding. There is no shortcut, there is no easy path, it is an absolute requirement.
Malware development, as it becomes increasingly more advanced, is software engineering. Large scale Threat Actors will have sprints, known-issues, and
engineering challenges any other software suite may encounter. Hence, in summary, learn to code. Other individuals who claim to code, which we very much doubt,
will ask about malware techniques. Before we go down this sub-rabbit hole, it is important to note that any individual with a sufficient understanding of
low-level programming already understands fundamental malware ideas - the same way a sufficiently talented low-level programmer understands the fundamentals
of exploit development. Of course this does not mean they understand the niches, the nitty gritty internals, but they have a solid introduction.
Why do we say legitimately talented programmers already understand fundaments of malware development? We say this because malware in its simplest form, is
abusing legitimate APIs for malicious purposes. To illustrate this point, we will give a basic example. On the Windows OS there exists a function called
"GetAsyncKeyState". GetAsyncKeyState determines whether a key (on the keyboard) is up or down the time the function is called, and whether the key
was pressed after a previous call to GetAsyncKeyState. This function is used by keyloggers. It has been used for keyloggers for an incredibly long time.
This function allows an individual to determine when a key on the keyboard has been pressed. Why does this function exist if it can be used for keyloggers?
The answer is simple - it can be used for legitimate purposes. Applications may exist that choose to monitor specific shortcut keys. Applications may monitor
for CTRL+C and CTRL+V (copy-paste), or maybe an application may make an internal-specific shortcut (such as Chrome web browser CTRL+T, to make a new tab).
One method to determine if the key combination has been used is using this API call (GetAsyncKeyState). Here are examples from StackOverflow
Person developing a basic video game: https://stackoverflow.com/questions/70164289/is-there-a-way-to-detect-when-a-key-is-pressed-only-once-not-held-down
Basic question on monitoring input: https://stackoverflow.com/questions/41600981/how-do-i-check-if-a-key-is-pressed-on-c
YouTuber using GetAsyncKeyState for video game development: https://www.youtube.com/watch?v=AwD5vmzDDKo
Of course, the examples given above, for determining if a hotkey has been pressed, can be solved in many other ways. This is a simple example on why
APIs exist which are typically used by malware. We could give hundreds... maybe even thousands... of examples where legitimate functionality is
used which also can be used for malware development. tl;dr this is an example on how malware development overlaps with legitimate software engineering.
-------------------------------------------------------------------------------------------------------------------------------
PART THREE
WRITE MALWARE. DO STUFF.
-------------------------------------------------------------------------------------------------------------------------------
Understandably, many new comers reading this may be seeking a solid path to learning malware development. The reality of the matter is everyone
has a different path and different niches. We encourage new comers to explore, and explore A LOT. If you like Python, learn how it works down to the
PVM. If you like C programming on Windows, explore the WINAPI and try doing basic tasks. Explore, learn, and fail. If you're stuck, or don't know
where to begin, EXPLORE MORE. Read malware reseach papers, read the news on malware, read on APTs or ransomware groups. Explore and follow your curiosity.
Do not be afraid to ask dumb questions, do not be afraid of failure.
Resources we like (emphasis on Windows malware):
1. vx-underground - https://vx-underground.org - It is ours. Bias, or something, I dont know.
2. BleepingComputer - https://www.bleepingcomputer.com/ - Stay up to date on news.
3. Mitre Attack for Windows - https://attack.mitre.org/matrices/enterprise/windows/ - Comprehensive list of attack methods. Good for exploring.
4. Vergilius Project - https://www.vergiliusproject.com/ - Good documentation on changes to Windows Internals
5. ReactOS - https://reactos.org/ - Excellent for understanding how Windows internals works
6. The Old New Thing - https://devblogs.microsoft.com/oldnewthing/author/oldnewthing - Unusual Windows Internals, notes, and documentation
7. Windows API Index - https://learn.microsoft.com/en-us/windows/win32/apiindex/windows-api-list - Explore what Windows lets you do.
8. Malpedia - https://malpedia.caad.fkie.fraunhofer.de/ - Resource for identifying malware
9. vx-underground Malware Source Code collection - https://github.com/vxunderground/MalwareSourceCode - Review other peoples malware code
10. UnknownCheats - https://www.unknowncheats.me - Video game cheater forum, excellent and unusual Windows Internals discussions
11. Geoff Chappell - https://www.geoffchappell.com/index.htm - Excellent source of Windows internal explanation
A lot more resources could be listed, but these are good overview websites and can easily lead you down the rabbit hole to learn and explore.
And finally, as I end this section, we have other Frequently Asked Questions we will address.
Q - "Should I read Windows Internals Volume 1 and 2?".
A - No, don't hurtself. Windows Internals is an amazing book, but it is incredibly technical and difficult to sit down and read. Windows Internals
is best consumed in small chunks or used as a reference guide. For example, if you've ever wondered how the registry works on Windows, reference
Windows Internals. But, if you're skilled in C and the C WINAPI, good portions of Windows Internals can be skipped. If you want to read Windows
Internals it is recommended you become semi-familiar with the Windows API. Otherwise, reading Windows Internals will be profoundly boring and
painful.
Q - "Is Malapi.io a good reference?"
A - No, it is not. While the website is interesting, the problem is that any function on Windows can be used for malicious behavior, and likewise,
most "seemingly malicious" functions can have legitimate usages. MalAPI might as well list every function in the Windows API, because the entire
point of malware is abusing valid functionality. This could be compared to someone assembling a list of items dangerous to human beings - what could
hurt a person? Literally anything if given enough time, effort, or force. You could be stabbed with a spoon, suffocated with a teddy bear, you can
be force fed toilet paper and choke and die.
Q - "Is Sektor7 Institute malware course good or worth it?"
A - It is okay. The last time this was reviewed we would rate this at a 7/10. This is probably good for people who are semi-familiar with malware, but
still lack a lot of base knowledge. The course also focused heavily on payload execution via things such as Process Injection - but they fail to discuss
the other parts of malware ... like... the actual payload itself. However, as stated previously, this course was reviewed over 1 year ago. tl;dr
for its price, it is OK.
-------------------------------------------------------------------------------------------------------------------------------
PART FOUR
THE SKILL LEVEL PYRAMID
-------------------------------------------------------------------------------------------------------------------------------
I like to classify different skill levels of malware development. Genuinely talented malware writers, probably in the top 5% are extremely rare. Hence,
top 5%. Above that, as I would classify as a VXer, is the best of the best.
.
/=\\
/VX \ \
/=====\' \
/TOP 5% \'' \
/=========\ ' '\
/ SKILLED \'' \
/ \ ' ' \
/===============\ '' \
/ SEMI SKILLED \' ' ' ' \
/ \' ' ' ' \
/=====================\' ' ' ' \
/ BEGINNERS \ ' ' /
/ \ ' /
/ \' /
/=============================\/
BEGINNERS - They can code, they're currently studying, or understanding, various malware TTPs. They will often write articles on known or well established
malware techniques. This makes up a large majority of malware developers. Many people here lose interest, or move onto another subject, or
do not require (or want) to extend this skillset.
SEMI-SKILLED - These individuals can code, and can probably code well. These people understand various malware TTPs but have yet to find their niche.
Malware development has many different topics and sub-topics. As briefly mentioned in part 2 of this paper, is that malware can be written
in many different languages, on different platforms. Some individuals become talented with Linux malware, with an emphasis on the ELF file
format. Some individuals focus on cross-plaform languages, such as Java, Ruby, or Perl, and use their unusual characters for abuse or polymorphism.
SKILLED - This is a person who is well versed in various malware TTPs on the niche of their choice. They spend more time reading documentation, than
actually coding. It is rare someone ascends to this skill-set. At this point it becomes increasingly difficult to find malware techniques they have
not heard of (on their sub-topic or niche of choice).
TOP 5% - These people are now performing novel research. They are hyper-aware of existing, and potentially existing malware techniques, and actively persue
new malware methods and ideas.
VXER - TOP 1%. These are people who have been around for a long, long, long time. They have published numerous novel-research papers under their belt.
They could best be described as a Subject Matters Expert. This is not achieved with skill, or intelligence, but with time. These individuals also are
extremely niche and their work may not be malware in the traditional sense. It may software engineering, reverse engineering, etc. Personally, the
very few to achieve this level would be people such as Grzegorz Tworek, Hexacorn, Alex Ionescu, qKumba, 29a/z0mbie, James Forshaw, gerhart_x, Jon Skeet,
and JonasLyk. Please know this is not a comprehensive list, and is an opinion only. This individuals have released amazing research and their work
continues to inspire people of all skill levels.
Grzegorz Tworek - Unusual system components reverse engineering and abuse
Hexacorn - Unusual system components reverse engineering and abuse
Alex Ionescu - Mastery of Windows Internals
qKumba - 30+ years of malware reverse engineering
29a/z0mbie - Powerful understanding on malware metamorphism and polymorphism
James Forshaw - Powerful understanding on exploit development and research
gerhart_x - Powerful understanding of Hyper-V and OS internals
Jon Skeet - Mastery of C# and .NET framework
JonasLyk - Powerful understanding of Windows Internals and unusual system components reverse engineering and abuse
-------------------------------------------------------------------------------------------------------------------------------
PART FIVE
SUMMARY
-------------------------------------------------------------------------------------------------------------------------------
Learn to code. Google a lot. Fail a lot. Read a bunch of stuff.
-smelly__vx, December 4th, 2022