Malware-Development-Grimoire is a growing collection of malware development techniques. It will expand over time as more techniques are added.
This repository is intended for research, education, and controlled lab use only. It is meant for studying implementation details, operating system internals, tradeoffs between different techniques, and how these behaviors may be detected or analyzed. Do not use this code on systems, networks, or processes you do not own or have explicit permission to test.
The table below lists the current techniques included in the codebase.
| Technique | Path | Summary |
|---|---|---|
| Shellcode Execution | Process-Injection/Code-Injection/shellcode_exec | Open a target process by PID, allocate memory, write shellcode, and execute it with a remote thread. |
| Local Process Injection | Process-Injection/Code-Injection/localprocess_inject | Allocate memory in the current process, copy shellcode, change memory permissions, and execute locally. |
| Remote Process Injection | Process-Injection/Code-Injection/remoteprocess_inject | Classic remote process injection using OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. |
| Section Mapping Injection | Process-Injection/Code-Injection/section_mapping | Create a shared section object, map it into the local and target processes, write shellcode through the local view, and execute it from the target mapping. |
| APC Early Bird Injection | Process-Injection/Code-Injection/apc_early_bird_injection | Spawn a target process suspended, queue an APC on the main thread, and resume before the normal entry point is reached. |
| Classic APC Queue Injection | Process-Injection/Code-Injection/classic_apc_queue_injection | Enumerate target threads and queue APC callbacks until one enters an alertable state. |
| Thread Hijacking | Process-Injection/Code-Injection/thread_hijacking | Suspend a target thread, alter its execution context, redirect RIP, and resume execution. |
The current injection examples are organized as standalone Rust crates, each with its own Cargo.toml and src/main.rs.

The current examples target Windows and are intended to be compiled for a Windows target. From inside a crate directory, a typical build command is:

```
cargo build --target x86_64-pc-windows-gnu
```
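Since the repository is meant in part for studying how these behaviors may be detected, the following is an added example of the analysis side and is not code from this repository. It is a small Rust rule that scans thread-creation telemetry for the pattern shared by the remote injection techniques in the table: a thread started in another process at an address that no loaded module backs. The field names are modelled on Sysmon Event ID 8 (CreateRemoteThread), but the `key=value|key=value` line format, the sample records, and the allowlist are constructed for this example and are assumptions, not a real log export.

```rust
// Added example (not part of the repository): flag cross-process thread
// creation events whose start address is not backed by a loaded module.
// Field names are modelled on Sysmon Event ID 8; the line format, the sample
// records and the allowlist below are constructed for this example.
use std::collections::HashMap;

/// Parse one constructed "key=value|key=value" record into a map.
pub fn parse_record(line: &str) -> HashMap<String, String> {
    line.split('|')
        .filter_map(|kv| {
            let (k, v) = kv.split_once('=')?;
            Some((k.trim().to_string(), v.trim().to_string()))
        })
        .collect()
}

/// Look up a field, treating a missing field the same as an empty one.
fn field<'a>(rec: &'a HashMap<String, String>, key: &str) -> &'a str {
    rec.get(key).map(String::as_str).unwrap_or("")
}

/// Constructed allowlist of images that legitimately create remote threads;
/// a real deployment tunes this per environment.
fn is_allowlisted(image: &str) -> bool {
    const ALLOW: [&str; 2] = [r"\csrss.exe", r"\msmpeng.exe"];
    let lower = image.to_ascii_lowercase();
    ALLOW.iter().any(|suffix| lower.ends_with(suffix))
}

/// Reasons one record is considered suspicious; an empty vector means no hit.
pub fn evaluate(rec: &HashMap<String, String>) -> Vec<&'static str> {
    let mut reasons = Vec::new();
    // 1. The new thread starts in memory that no module backs, which is what
    //    shellcode written into a fresh allocation looks like to telemetry.
    if field(rec, "StartModule").is_empty() {
        reasons.push("start address not backed by a module");
    }
    // 2. Source and target differ (a true remote thread) and the source is not
    //    one of the images expected to do this.
    let source = field(rec, "SourceProcessId");
    let target = field(rec, "TargetProcessId");
    if !source.is_empty() && source != target && !is_allowlisted(field(rec, "SourceImage")) {
        reasons.push("cross-process thread from non-allowlisted image");
    }
    reasons
}

/// Run the rule over a batch of lines; returns (line index, reasons) per hit.
pub fn scan(lines: &[&str]) -> Vec<(usize, Vec<&'static str>)> {
    lines
        .iter()
        .enumerate()
        .filter_map(|(i, line)| {
            let reasons = evaluate(&parse_record(line));
            if reasons.is_empty() { None } else { Some((i, reasons)) }
        })
        .collect()
}

/// Constructed sample records: one benign, one clear hit, one partial hit.
pub const SAMPLE_LOG: [&str; 3] = [
    r"SourceProcessId=412|SourceImage=C:\Windows\System32\csrss.exe|TargetProcessId=5120|TargetImage=C:\Windows\System32\notepad.exe|StartAddress=0x00007FFB1C2A0000|StartModule=C:\Windows\System32\ntdll.dll|StartFunction=RtlUserThreadStart",
    r"SourceProcessId=7788|SourceImage=C:\Users\lab\injector.exe|TargetProcessId=5120|TargetImage=C:\Windows\System32\notepad.exe|StartAddress=0x000001E5C4A70000|StartModule=|StartFunction=",
    r"SourceProcessId=3040|SourceImage=C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe|TargetProcessId=5120|TargetImage=C:\Windows\System32\notepad.exe|StartAddress=0x000001E5C4B10000|StartModule=|StartFunction=",
];

fn main() {
    for (idx, reasons) in scan(&SAMPLE_LOG) {
        println!("record {}: {}", idx, reasons.join("; "));
    }
}
```

On the constructed records the rule flags the second line on both counts and the third only for the unbacked start address, while the benign csrss-to-notepad thread is left alone. The two conditions are deliberately separate so that the allowlist, which an environment will tune, can suppress the noisier cross-process check without hiding unbacked start addresses.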