Malware Appendix
The material in this page is out of scope (not discussed in the course) but may be interesting.
Evasion
- Evading Anti Virus: focused on `metasploit` and `msfvenom`, but very interesting and relatively easy to understand.
- Avoiding Detection with Shellcode Mutator: a tool that mutates exploit source code without affecting its functionality, changing its signature and making it harder to reliably detect as malicious.
- List of techniques for bypassing AV and EDR, with a nice graphic.
- Let's create an EDR and bypass it.
- Meterpreter vs Modern EDR(s) describes experiments for injecting payloads with Meterpreter while bypassing EDR (Endpoint Detection and Response: the successor of the traditional antivirus, which adds behavioural monitoring, telemetry collection and response capabilities on the endpoint). Section "Meterpreter Reference Dropper" contains a usage example of `msfvenom`.
Examples
Slides:
- Advisory on New Endpoint Detection and Response (EDR) Killer Tool Used by Multiple Ransomware Groups, Cyber Security Agency of Singapore (August 2025)
- Should Security Solutions Be Secure? Maybe We're All Wrong - Fortinet FortiSIEM Pre-Auth Command Injection (CVE-2025-25256)
Other examples:
- Interesting Technique to Launch a Shellcode: basically, the `CallWindowProc` API function accepts any function pointer and blindly executes it, without creating a new thread. Many EDRs monitor `CreateThread`/`NtCreateThreadEx` but not this function (August 2025).
- RealBlindingEDR Tool That Permanently Turns Off AV/EDR Using Kernel Callbacks (October 2025).
- EDR-Freeze: A Tool That Puts EDRs And Antivirus Into A Coma State (September 2025)
- Ransomware crews don't care about your endpoint security – they've already killed it. RealBlindingEDR is an open-source tool designed to disable endpoint detection and response products, and Crypto24's custom version is programmed to disable kernel-level hooks from a hardcoded list of 28 security vendors. These include Sophos, Trend Micro, Kaspersky, Malwarebytes, Bitdefender, Broadcom/Symantec, SentinelOne, Cisco, Fortinet, and Citrix. (August 2025)
- Break The Protective Shell Of Windows Defender With The Folder Redirect Technique I will demonstrate the technique of breaking into the protected folder that contains the executable files of Windows Defender. From there, we can manipulate Defender at will, such as side-loading DLLs, destroying executable files to prevent the service from running, and more. (September 2025)
- Silent Harvest: Extracting Windows Secrets Under the Radar. I'll share a new, simple approach I developed that successfully bypasses almost all EDRs I've tested...I'll reveal the method I discovered to evade EDR detection and how it can enhance red team operations. In practice, calling `RegQueryMultipleValuesW` (even repeatedly against highly sensitive values in SAM or SECURITY) triggered zero alerts on every EDR platform I tested. My working hypothesis is that vendors concentrated on the far more common single-value APIs (`RegQueryValueExW`, `NtQueryValueKey`, etc.) and simply never added this rarer interface to their hook lists. (August 2025)
Notes on Malware
Windows Executables
Windows executables are called PE files; their format conforms to PE/COFF (Portable Executable / Common Object File Format).
They start with the bytes `4D 5A` (`MZ` in ASCII, the magic of the legacy DOS header) and consist of a series of structures containing the information required by the OS for loading the executable data in memory, including:
- Content of code and data section;
- Position in virtual memory where each section should be placed;
- List of required libraries (Import table);
- List of exported functions (Export table);
- Address of entry point.
Several tools exist for analyzing an executable, i.e., for presenting the PE information in a human-readable way: CFF Explorer, pestudio, PPEE, PE Internals, PEBrowse.
Static Analysis
File hashing
Computing hash values of files:
- Linux: `md5sum`, `sha256sum`, `sha1sum`
- Windows: HashMyFiles
- Windows: pestudio, PPEE; both can also query VirusTotal by submitting only the hash, so the sample itself is not uploaded (which matters when the sample must stay confidential).
File similarity
Methods for detecting files that are a "small variation" of each other (their cryptographic hashes will be entirely different):
- Fuzzy hashing is an efficient method for similarity comparison (files that differ only in a few bytes will be detected as highly similar). Tool: `ssdeep`.
- Import hashing (imphash) computes a hash of the import table (the imported DLL and function names, in order). Malware samples developed by the same actor and compiled in the same way tend to have the same import table. Tool: the python `pefile` module.
- Section hashing computes a hash of each section separately. Tool: pestudio.
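Added example (not part of the original notes, and not `ssdeep`'s code): the script below computes the same digests that `md5sum`/`sha1sum`/`sha256sum` print, then shows why a one-byte edit defeats them and why a piecewise hash does not. The `piecewise_hash` function is a toy illustration of the context-triggered idea behind `ssdeep` (chunk boundaries chosen by a rolling value over the last few bytes, one character per chunk); its window, modulus and n-gram Jaccard score are my own choices and do not reproduce `ssdeep`'s algorithm or output format. The "files" are constructed pseudo-random byte strings.

```python
"""Cryptographic file hashes versus a toy fuzzy hash. hashlib gives the same
digests as md5sum/sha1sum/sha256sum; the piecewise hash only illustrates the
context-triggered idea behind ssdeep and is not ssdeep's algorithm or format."""
import hashlib
import random

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def file_hashes(data):
    """md5 / sha1 / sha256 hex digests of a byte string."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def piecewise_hash(data, window=7, modulus=64):
    """Toy context-triggered piecewise hash (window and modulus are assumed values).
    A rolling value over the last `window` bytes decides where a chunk ends, so
    chunk boundaries depend on local content rather than on absolute offsets:
    an insertion changes the chunk it lands in and leaves the others untouched.
    Each chunk is reduced to one character from the first byte of its SHA-256."""
    chunks, start = [], 0
    for i in range(window - 1, len(data)):
        if sum(data[i + 1 - window:i + 1]) % modulus == 0:  # trigger: boundary here
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return "".join(ALPHABET[hashlib.sha256(c).digest()[0] % 64] for c in chunks)


def similarity(sig_a, sig_b, n=3):
    """Jaccard similarity (0..1) of the n-gram sets of two piecewise hashes.
    ssdeep scores with an edit distance instead; the intent is the same."""
    grams = lambda s: {s[i:i + n] for i in range(len(s) - n + 1)}
    a, b = grams(sig_a), grams(sig_b)
    return len(a & b) / len(a | b) if a | b else 0.0


def sample_files():
    """Constructed inputs: a pseudo-random 'file', a copy with one byte flipped,
    a copy with 16 bytes inserted at the front, and an unrelated file."""
    rnd = random.Random(1)
    original = bytes(rnd.randrange(256) for _ in range(4096))
    flipped = original[:2000] + bytes([original[2000] ^ 0xFF]) + original[2001:]
    inserted = b"PADDINGPADDING!!" + original
    unrelated = bytes(rnd.randrange(256) for _ in range(4096))
    return original, flipped, inserted, unrelated


if __name__ == "__main__":
    original, flipped, inserted, unrelated = sample_files()
    print("sha256 original:", file_hashes(original)["sha256"])
    print("sha256 flipped: ", file_hashes(flipped)["sha256"])
    h = piecewise_hash(original)
    print("fuzzy original:", h)
    for label, other in (("flipped", flipped), ("inserted", inserted), ("unrelated", unrelated)):
        print("%-9s similarity %.2f" % (label, similarity(h, piecewise_hash(other))))
```

The insertion case is the one that matters: with fixed-size chunks every chunk after the insertion point would shift and hash differently, whereas content-triggered boundaries re-synchronise right after the edit. Real `ssdeep` additionally picks the block size from the input length and emits two signatures at two block sizes, which this toy omits.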
Extracting strings from executables
Strings stored in an executable can give clues about its functionality. If malware creates a file or contacts a domain, the filename or domain name is likely stored in the executable as a literal string.
It is useful to extract both ASCII strings and UNICODE strings (on Windows, "Unicode" means UTF-16LE, so each character occupies two bytes and a plain ASCII scan misses these strings).
- Linux: `strings` (`strings -e l` for UTF-16LE)
- Windows: pestudio
Obfuscated strings can be extracted with FLOSS (FireEye Labs Obfuscated String Solver).
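Added example (not part of the original notes, and not FLOSS's code): a small Python script that extracts ASCII and UTF-16LE strings the way `strings` and `strings -e l` do, and then brute-forces a single-byte XOR key, one of the simplest string obfuscations. FLOSS recovers far more than this (it emulates the sample's own decoding routines and also handles stack strings); the XOR pass here is only a hand-made illustration of why a plain `strings` run is not enough. The byte blob, the key `0x5A`, the `.example` hostnames and the "interesting string" regex are all constructed for the example.

```python
"""Pull ASCII and UTF-16LE strings out of a byte blob, the way `strings`
(with and without -e l) or pestudio would, and brute-force single-byte XOR,
one of the simplest obfuscations. FLOSS recovers far more (it emulates the
sample's own decoding routines); this is not FLOSS's method."""
import re

ASCII_PRINTABLE = rb"[\x20-\x7e]"
# What we accept from a XOR-decoded buffer: a URL or a PE file name (assumed filter).
INTERESTING = re.compile(rb"https?://[\x21-\x7e]{3,}|[\w.\\-]{2,}\.(?:exe|dll)", re.IGNORECASE)


def ascii_strings(data, min_len=4):
    """Runs of printable ASCII bytes, like `strings`."""
    pat = re.compile(ASCII_PRINTABLE + rb"{%d,}" % min_len)
    return [m.decode("ascii") for m in pat.findall(data)]


def utf16_strings(data, min_len=4):
    """Runs of printable ASCII characters encoded as UTF-16LE (each followed by
    0x00), what Windows calls "Unicode" strings; `strings -e l` finds the same."""
    pat = re.compile(rb"(?:" + ASCII_PRINTABLE + rb"\x00){%d,}" % min_len)
    return [m.decode("utf-16-le") for m in pat.findall(data)]


def xor_decoded_strings(data, min_len=8):
    """Try every single-byte XOR key and keep decoded runs that look like an
    IOC (URL or PE file name). Returns (key, string) pairs."""
    hits = []
    for key in range(1, 256):                     # key 0 is the plain-text case above
        decoded = bytes(b ^ key for b in data)
        for m in INTERESTING.findall(decoded):
            if len(m) >= min_len:
                hits.append((key, m.decode("ascii")))
    return hits


def build_sample_blob():
    """Constructed blob standing in for a slice of an executable (not a real sample):
    a plain ASCII path, a UTF-16LE domain and a URL XOR-ed with 0x5A."""
    plain = b"C:\\Windows\\Temp\\update.exe\x00"
    wide = "malicious-domain.example".encode("utf-16-le") + b"\x00\x00"
    key = 0x5A
    # The NUL terminator is encoded too, so the decoded URL ends where the real one would.
    hidden = bytes(b ^ key for b in b"http://c2.example/gate.php\x00")
    filler = bytes(range(0x80, 0xA0))              # non-printable padding between the strings
    return filler + plain + filler + wide + filler + hidden + filler


if __name__ == "__main__":
    blob = build_sample_blob()
    print("ASCII :", ascii_strings(blob))
    print("UTF-16:", utf16_strings(blob))
    print("XOR   :", xor_decoded_strings(blob))
```

Running it shows the three failure modes side by side: the path is found by the ASCII pass, the domain only by the UTF-16LE pass, and the URL shows up in the ASCII pass as a meaningless printable run (every byte of the XOR-ed URL happens to be printable) until the key is brute-forced.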
Malware Obfuscation
Obfuscation of an executable is not necessarily an indicator of malicious activity. In practice it is a very useful indicator, though.
Hints of obfuscation:
- Executable with very few imports (the real imports are resolved at runtime by the unpacking stub).
- Uncommon section names (e.g. `UPX0`/`UPX1`, the default names left by UPX).
- Sections with virtual size much greater than raw size (the section is almost empty on disk and is filled at runtime with the unpacked code).
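Added example (not part of the original notes, and not the code of any of the tools named above) tying together the PE structure described in "Windows Executables", the section hashing of the "File similarity" section and the obfuscation hints just listed: a standard-library Python script that walks the DOS header, COFF header, optional header and section table, hashes each section as pestudio's section hashing does, and flags the packer hints. The image it parses is constructed by `build_sample_pe()` to look like a UPX-packed file (empty `UPX0` section with a large virtual size, entry point inside `UPX1`); it is not a real binary and cannot run. `COMMON_SECTION_NAMES` and the ratio 4 are my own thresholds; `pefile` exposes the same fields with less code.

```python
"""Walk the headers of a PE image held in memory and apply the packer
heuristics listed above. Standard library only."""
import hashlib
import struct

# Section names normally emitted by compilers/linkers (assumption: short list, not exhaustive).
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                        ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}


def parse_pe(data):
    """Return machine, image base, entry point RVA and the section table."""
    if data[:2] != b"MZ":                                   # IMAGE_DOS_HEADER.e_magic
        raise ValueError("not a DOS/PE file (no MZ magic)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                     # IMAGE_FILE_HEADER, 20 bytes
    machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                         # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    if magic == 0x10B:                                      # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                    # PE32+ (no BaseOfData field)
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections, off = [], opt + opt_size                      # IMAGE_SECTION_HEADER, 40 bytes each
    for _ in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[rawptr:rawptr + rawsize]                 # bytes of the section on disk
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_offset": rawptr,
                         "md5": hashlib.md5(raw).hexdigest()})  # per-section hash
        off += 40
    return {"machine": machine, "pe32plus": magic == 0x20B, "image_base": image_base,
            "entry_rva": entry_rva, "sections": sections}


def section_of_rva(pe, rva):
    """Name of the section covering an RVA (extent approximated as the larger
    of virtual and raw size), or None."""
    for s in pe["sections"]:
        extent = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + extent:
            return s["name"]
    return None


def packer_hints(pe, ratio=4):
    """The hints from the notes: odd section names, virtual size >> raw size,
    entry point outside .text. Each hit is a human-readable string."""
    hints = []
    for s in pe["sections"]:
        if s["name"] not in COMMON_SECTION_NAMES:
            hints.append("uncommon section name %r" % s["name"])
        if s["virtual_size"] > ratio * max(s["raw_size"], 1):
            hints.append("section %s: virtual size 0x%x >> raw size 0x%x"
                         % (s["name"], s["virtual_size"], s["raw_size"]))
    ep = section_of_rva(pe, pe["entry_rva"])
    if ep is not None and ep != ".text":
        hints.append("entry point 0x%x is in section %s, not .text" % (pe["entry_rva"], ep))
    return hints


def build_sample_pe():
    """Constructed PE32 skeleton laid out like a UPX-packed file (not a real,
    runnable binary): an empty UPX0 section that is large in memory, and a
    UPX1 section holding a few bytes that the entry point points into."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header right after DOS header
    opt_size = 224                                         # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)  # i386, 2 sections
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x11000)               # AddressOfEntryPoint, inside UPX1
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    raw_off = 0x200                                        # raw data at the first 0x200 file-alignment boundary
    hdr = "<8sIIIIIIHHI"                                   # IMAGE_SECTION_HEADER layout
    upx0 = struct.pack(hdr, b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    upx1 = struct.pack(hdr, b"UPX1", 0x4000, 0x11000, 0x200, raw_off, 0, 0, 0, 0, 0xE0000040)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + upx0 + upx1
    image += b"\0" * (raw_off - len(image))                # pad headers up to the raw data
    image += b"\x60" + b"\x90" * 0x1FF                     # pushad + NOP filler standing in for the stub
    return image


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for s in pe["sections"]:
        print("%-6s vsize=0x%-6x raw=0x%-5x md5=%s" % (s["name"], s["virtual_size"], s["raw_size"], s["md5"]))
    for h in packer_hints(pe):
        print("hint:", h)
```

On the constructed image the three hints fire together (two odd section names, both sections far larger in memory than on disk, entry point in `UPX1`), which is the pattern a packer detector such as ExeinfoPE matches by signature. Real files need the usual care: `virtual_size` is rounded up to section alignment by the loader, and a `.bss`-style section legitimately has raw size 0.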
Main techniques:
- Packer. The executable consists of an uncompressing routine (the entry point) and of the compressed malware. The malware is reconstructed in memory at runtime. `UPX` is a popular packer for Windows/Linux/macOS. ExeinfoPE is a packer detector for Windows, often able to unpack automatically; it uses thousands of signatures.
- Cryptor. Like packing, except that the malware is encrypted rather than compressed.
Dynamic analysis
Monitoring of:
- Process activity
- File system
- Registry
- Network
Tools: Process Hacker (examine what is going on: processes and other OS activity), Process Monitor, Noriben (Python script that filters the output of Process Monitor), Wireshark.
INetSim and FakeNet-NG emulate network services in order to impersonate C&C servers, so the sample can be observed without giving it real Internet access.
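Added example (not part of the original notes, and not Noriben's code) of the filtering step the tools above perform: a Python script that reads a Process Monitor CSV export, drops the read-only noise and buckets what is left into the four categories just listed, per process. The input is a constructed capture of a fictitious `dropper.exe` (not a real trace); the column set is assumed to follow Procmon's "Save as CSV" layout, and the operation-to-category table and the noise rules are my own.

```python
"""Bucket Process Monitor events into process / file / registry / network and
drop read-only noise, roughly what Noriben does with a Procmon CSV export."""
import csv
import io

# Constructed sample export (not a real capture): a dropper that spawns cmd.exe,
# writes a copy of itself to AppData, sets a Run key and connects out.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","dropper.exe","4120","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 4132, Command line: cmd.exe /c whoami"
"10:00:01.0100000","dropper.exe","4120","CreateFile","C:\Users\victim\AppData\Roaming\svchost.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:00:01.0200000","dropper.exe","4120","WriteFile","C:\Users\victim\AppData\Roaming\svchost.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:00:01.0300000","dropper.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 92, Data: C:\Users\victim\AppData\Roaming\svchost.exe"
"10:00:01.0400000","dropper.exe","4120","TCP Connect","victim-pc:49712 -> c2.example:443","SUCCESS","Length: 0, mss: 1460"
"10:00:01.0500000","dropper.exe","4120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ, Length: 30"
"10:00:01.0600000","explorer.exe","1234","CreateFile","C:\Windows\explorer.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"10:00:01.0700000","dropper.exe","4120","CloseFile","C:\Users\victim\AppData\Roaming\svchost.exe","SUCCESS",""
'''

# Operation -> category (assumed table). Anything not listed (RegQueryValue,
# CloseFile, the Query* operations, ...) is read-only noise and is dropped.
CATEGORY = {
    "Process Create": "process", "Process Start": "process", "Load Image": "process",
    "CreateFile": "file", "WriteFile": "file",
    "SetRenameInformationFile": "file", "SetDispositionInformationFile": "file",
    "RegSetValue": "registry", "RegCreateKey": "registry",
    "RegDeleteValue": "registry", "RegDeleteKey": "registry",
    "TCP Connect": "network", "TCP Send": "network", "UDP Send": "network",
}


def is_noise(row):
    """Drop operations outside CATEGORY, failed operations, and CreateFile
    opens that do not ask for write access."""
    op = row["Operation"]
    if op not in CATEGORY or row["Result"] != "SUCCESS":
        return True
    if op == "CreateFile" and "Write" not in row["Detail"]:
        return True
    return False


def triage(csv_text):
    """Return {"name (pid)": {category: [unique paths, in capture order]}}."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_noise(row):
            continue
        proc = "%s (%s)" % (row["Process Name"], row["PID"])
        paths = report.setdefault(proc, {}).setdefault(CATEGORY[row["Operation"]], [])
        if row["Path"] not in paths:                 # CreateFile + WriteFile on one file count once
            paths.append(row["Path"])
    return report


if __name__ == "__main__":
    for proc, cats in triage(SAMPLE_CSV).items():
        print(proc)
        for cat, paths in cats.items():
            for p in paths:
                print("  %-8s %s" % (cat, p))
```

Of the eight events only four survive, and they read as the classic dropper sequence (persistence in the Run key, payload written to AppData under a system-looking name, outbound TLS connection, child process). Note what the sample is built to show: the dropped file is called `svchost.exe` precisely so that allowlists keyed on process name ignore it; a filter like Noriben's has to key on full image path and parent process, not on the name alone.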