About maldev-for-dummies

With the increasing maturity of antivirus (AV) and endpoint detection and response (EDR) products, red teams are forced to keep up. The days of dropping an unmodified payload onto disk and executing it are over. If you want your operation to last longer than a week, you need to step up your game in payload creation and malware development. Getting started in this field can be daunting, however, and suitable learning resources are hard to find.

This workshop is aimed mainly at people new to malware development, but experienced security professionals are welcome to use it to sharpen their skills.

Tool Preparation

Before we begin, set up a dedicated development machine with no security products installed or running, since they would otherwise quarantine the payloads you build (and may flag the tooling used to build them). Windows is recommended for development, but Linux or macOS can also be used. Next, install an IDE you are comfortable with (Visual Studio is recommended). Finally, install the toolchain maldev-for-dummies needs:

1. The .NET Framework, which the C# exercises target and which ships the csc compiler;

2. Nim: install it with choosenim;

3. Go;

4. Rust: use rustup to install Rust and its toolchain;

5. Disable Windows Defender, or add exclusions for the directory you develop in.
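The steps above, scripted for the recommended Windows development box. This is an added example and not part of the maldev-for-dummies repository: it checks that each compiler from the list is reachable, puts the .NET Framework copy of csc.exe on PATH if nothing else provides one, and adds Defender exclusions instead of switching Defender off. The directory C:\maldev is an assumption; point it at wherever you clone the repo. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the repo): verify the toolchain and exclude the
# development directory from Windows Defender. Run as Administrator.
# $DevDir is an assumed location; change it to your working directory.
$DevDir = 'C:\maldev'
New-Item -ItemType Directory -Path $DevDir -Force | Out-Null

# 1. Check that each compiler is on PATH and report where it lives.
$tools = [ordered]@{
    'csc'    = 'C# (.NET Framework)'
    'nim'    = 'Nim'
    'nimble' = 'Nimble (Nim package manager)'
    'go'     = 'Go'
    'cargo'  = 'Rust (installed via rustup)'
}
foreach ($t in $tools.Keys) {
    $cmd = Get-Command $t -ErrorAction SilentlyContinue
    if ($cmd) {
        Write-Host ("[+] {0,-7} found: {1}" -f $t, $cmd.Source)
    } else {
        Write-Warning ("[-] {0} ({1}) not found on PATH" -f $t, $tools[$t])
    }
}

# csc.exe ships with the .NET Framework but is not on PATH by default. The
# Framework64 directory below is its standard location on 64-bit Windows.
$csc = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'
if (-not (Get-Command csc -ErrorAction SilentlyContinue) -and (Test-Path $csc)) {
    $env:Path += ";$(Split-Path $csc)"
    Write-Host "[+] added $(Split-Path $csc) to PATH for this session"
}

# 2. Exclude the dev directory and the compiler processes from real-time
#    scanning rather than disabling Defender outright.
Add-MpPreference -ExclusionPath $DevDir
Add-MpPreference -ExclusionProcess 'csc.exe', 'nim.exe', 'go.exe', 'cargo.exe'

# 3. Confirm the exclusions were actually applied.
$pref = Get-MpPreference
if ($pref.ExclusionPath -contains $DevDir) {
    Write-Host "[+] Defender path exclusion active for $DevDir"
} else {
    Write-Warning "[-] exclusion not applied; is this an elevated prompt?"
}
Write-Host "[+] process exclusions: $($pref.ExclusionProcess -join ', ')"
```

If the exclusion does not show up in Get-MpPreference, check that the prompt is elevated and that the machine is not managed by group policy or Intune, which can lock Defender settings. Note also that the Framework copy of csc.exe only understands C# 5 syntax; for newer language features use the Roslyn csc that ships with Visual Studio (the Developer PowerShell shortcut puts it on PATH).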

Tool Dependencies

Nim

Most of the Nim exercises depend on the Winim library to call the Windows API. Install it with the Nimble package manager:

nimble install winim

Golang

The Go solutions pull in a few third-party modules. From the directory containing the go.mod file, fetch them with:

go mod tidy

Tool Download

Clone the project source to your development machine:

git clone https://github.com/chvancooten/maldev-for-dummies.git

Tool Compilation

C#, Nim and Go are all compiled languages, so the source has to be turned into an executable by a compiler before it can run.

C#

C# code (.cs files) can be compiled directly with the csc compiler or through Visual Studio. csc takes the source file as its argument and writes filename.exe next to it; /unsafe is required for code that uses pointers (unsafe blocks):

csc /unsafe filename.cs

Nim

Nim code (.nim files) is compiled with the 'nim c' command:

nim c filename.nim

To shrink the binary and strip debug information, build in release mode with symbol stripping and size optimisation:

nim c -d:release -d:strip --opt:size filename.nim

When building on Linux or macOS, add -d:mingw to cross-compile a Windows executable (this needs the mingw-w64 toolchain installed).

Golang

Go code (.go files) is compiled with the 'go build' command; setting GOOS=windows produces a Windows executable regardless of the host OS:

GOOS=windows go build

To shrink the binary and strip debug information, pass -s (drop the symbol table) and -w (drop DWARF debug data) to the linker:

GOOS=windows go build -ldflags "-s -w"

Note that -s -w does not remove the file system paths embedded in the binary; add -trimpath to strip those as well. The GOOS=... prefix is POSIX shell syntax; in PowerShell set the variable first with $env:GOOS = 'windows'.
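The compile commands from the three subsections above, wrapped in one build script so the effect of the release/strip flags can be measured. This is an added example, not a script from the repository: it builds a .cs, .nim or .go source twice (plain, then with the size/strip options) and prints the size and SHA-256 of each result. The script name Build-Payload.ps1 and the .plain.exe / .stripped.exe output names are assumptions. For Go it builds the package in the source file's directory so the go.mod resolved by go mod tidy is used.

```powershell
# Build-Payload.ps1 (assumed name; added example, not part of the repo).
# Compiles one exercise solution twice, plain and size-optimised/stripped,
# then compares the two binaries. Usage: .\Build-Payload.ps1 .\solution.nim
param([Parameter(Mandatory = $true)][string]$Source)

$ErrorActionPreference = 'Stop'
$src  = (Resolve-Path $Source).Path
$dir  = Split-Path $src
$base = [IO.Path]::GetFileNameWithoutExtension($src)
$ext  = [IO.Path]::GetExtension($src).ToLower()

# Output names (assumed convention) so both builds can sit side by side.
$plain    = Join-Path $dir "$base.plain.exe"
$stripped = Join-Path $dir "$base.stripped.exe"

switch ($ext) {
    '.cs' {
        # csc has no strip flag; /optimize+ is the closest equivalent and
        # /debug- makes sure no PDB is emitted. /unsafe allows pointer code.
        & csc /nologo /unsafe "/out:$plain" $src
        & csc /nologo /unsafe /optimize+ /debug- "/out:$stripped" $src
    }
    '.nim' {
        & nim c --hints:off "--out:$plain" $src
        & nim c --hints:off -d:release -d:strip --opt:size "--out:$stripped" $src
    }
    '.go' {
        # go reads the target from the environment; in PowerShell that is
        # $env:GOOS rather than the GOOS=windows prefix of a POSIX shell.
        $env:GOOS   = 'windows'
        $env:GOARCH = 'amd64'
        Push-Location $dir
        try {
            & go build -o $plain .
            # -s drops the symbol table, -w drops DWARF, -trimpath removes
            # the local file system paths that -s -w leaves in the binary.
            & go build -trimpath -ldflags '-s -w' -o $stripped .
        } finally {
            Pop-Location
        }
    }
    default { throw "unsupported source type: $ext" }
}

# Native compilers do not trigger $ErrorActionPreference, so verify the
# outputs exist before reporting on them.
foreach ($f in $plain, $stripped) {
    if (-not (Test-Path $f)) { throw "build did not produce $f" }
    $size = (Get-Item $f).Length
    $hash = (Get-FileHash $f -Algorithm SHA256).Hash
    Write-Host ("{0,-36} {1,10:N0} bytes  SHA256 {2}" -f (Split-Path $f -Leaf), $size, $hash)
}
```

Keeping both builds around is useful beyond the size comparison: the plain binary still carries symbols and debug data, which makes it the one to load into a debugger when a solution misbehaves, while the stripped binary is what you would actually test against the exercises' detection scenarios.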

Project Address

maldev-for-dummies: https://github.com/chvancooten/maldev-for-dummies

Reference materials

https://code.visualstudio.com/

https://visualstudio.microsoft.com/vs/community/

https://dotnet.microsoft.com/en-us/download/dotnet-framework

https://nim-lang.org/install.html

https://github.com/dom96/choosenim

https://go.dev/doc/install

https://www.rust-lang.org/tools/install

https://github.com/chvancooten/maldev-for-dummies/blob/main/Exercises/BONUS%20Exercise%203%20-%20Basic%20EDR%20Evasion/solutions/csharp
