hasherezade/module_overloading

Stars
318
Rank 131,872 (Top 3 %)
Language
C
Created about 5 years ago
Updated over 1 year ago

hasherezade/module_overloading

hasherezade

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

A more stealthy variant of "DLL hollowing"

Module Overloading

A PoC based on the ideas of thewover (twitter @TheRealWover): https://twitter.com/TheRealWover/status/1193284444687392768?s=20 + my own experiments

Using: libpeconv.

Characteristics:

Payload mapped as MEM_IMAGE, impersonating a legitimate DLL (image linked to a file on the disk)
Sections mapped with original access rights (no RWX)
Not connected* to the list of modules (invisible for Module32First/Module32Next)
- may be connected if the 'classic DLL hollowing' was selected
Only self-injection supported

Demo:

Clone:

Use recursive clone to get the repo together with all the submodules:

git clone --recursive https://github.com/hasherezade/module_overloading.git

pe-bear

Portable Executable reversing tool with a friendly GUI

pe_to_shellcode

Converts PE into a shellcode

malware_training_vol1

Materials for Windows Malware Analysis training (volume 1)

hollows_hunter

Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

libpeconv

A library to load, manipulate, dump PE files. See also: https://github.com/hasherezade/libpeconv_tpl

tiny_tracer

A Pin Tool for tracing API calls etc

demos

Demos of various injection techniques found in malware

pe-bear-releases

PE-bear (builds only)

dll_to_exe

Converts a DLL into EXE

exe_to_dll

Converts a EXE into DLL

bearparser

Portable Executable parsing library (from PE-bear)

process_ghosting

Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file

mal_unpack

Dynamic unpacker based on PE-sieve

process_doppelganging

My implementation of enSilo's Process Doppelganging (PE injection technique)

transacted_hollowing

Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging

malware_analysis

Various snippets created during malware analysis

ida_ifl

IFL - Interactive Functions List (plugin for IDA Pro)

process_overwriting

Yet another variant of Process Hollowing

IAT_patcher

Persistent IAT hooking application - based on bearparser

persistence_demos

Demos of various (also non standard) persistence methods used by malware

chimera_pe

ChimeraPE (a PE injector type - alternative to: RunPE, ReflectiveLoader, etc) - a template for manual loading of EXE, loading imports payload-side

shellconv

Small tool for disassembling shellcode (using objdump)

masm_shc

A helper utility for creating shellcodes. Cleans MASM file generated by MSVC, gives refactoring hints.

antianalysis_demos

Set of antianalysis techniques found in malware

password_scrambler

Password scrambler - a deterministic password re-generator (alternative to a password manager)

dll_injector

A simple commandline injector using classic DLL injection

funky_malware_formats

Parsers for custom malware formats ("Funky malware formats")

process_chameleon

A process overwriting its own PEB to make an illusion that it has been loaded from a different path.

mal_unpack_drv

MalUnpack companion driver

crypto_utils

Set of my small utils related to cryptography, encoding, decoding etc

ViDi

ViDi Visual Disassembler (experimental)

pe2pic

Small visualizator for PE files

pin_n_sieve

An experimental dynamic malware unpacker based on Intel Pin and PE-sieve

paramkit

A small library helping to parse commandline parameters (for C/C++)

petya_recovery

Application for cracking Red Petya key based on genetic algorithms.

petya_key

A decoder for Petya victim keys, using the Janus' masterkey.

libpeconv_tpl

A ready-made template for a project based on libpeconv.

pe_unmapper

Small tool to convert beteween the PE alignments (raw and virtual).

flareon2019

Flare-On solutions

mal_sort

Various scripts helpful in sorting collections of malware samples.

pesieve-go

Golang bindings for PE-sieve

IAT_patcher_samples

Sample libraries to be used with IAT Patcher

pe_utils

A set of small utilities, helpers for PIN tracers

hidden_bee_tools

Parser for a custom executable format from Hidden Bee malware (first stage)

mal_unpack_py

Python wrappers for mal_unpack

decryptors_archive

Archive of ransomware decryptors

flareon2022

asm16_projects

My small projects writen in 16 bit asm (NOTE: those are my practice projects that I wrote when I was 15, I give no warranty for this code!)

tag_converter

petya_green

Application for random attack on Green Petya's key

bootldr_demo

Demo bootloaders - created just for fun

metasploit_modules

My metasploit modules

loaderine

A demo implementation of a well-known technique used by some malware to evade userland hooking, using my library: libpeconv.

jpassword_scrambler

Small utility to generate complicated passwords - version with GUI

bunitu_tests

Scripts for communication with Bunitu Trojan C&Cs

7ev3n_decoders

Decoders for 7ev3n ransomware

libpeconv_and_detours_tpl

A template for projects using both libPeConv and MS Detours

sig_finder

Signature finder (from PE-bear)

detours_cmake_tpl

A CMake template for projects using MS Detours

passcrambler

https://hasherezade.github.io/passcrambler/

challs

My solutions for random crackmes and other challenges

wke_exercises

My solutions for HackSys Extreme Vulnerable Driver

drawings

Some of my drawings

pe_recovery_tools

A placeholder repository

hasherezade.github.io

My projects' homepage

mastercoder2014

libpeconv_demo

Demo projects and utilities made with the help of libPeConv

bearparser_tests

External tests for bearparser

libpeconv_wrappers

A ready-made template for a new project based on libPeConv library

hasherezade

paramkit_tpl

A template for a project using ParamKit

pesieve_tests

External tests for PE-sieve