MDLC & Tools

Low-level programming languages have been the preferred choice in malware development, especially when targeting Windows machines, since they provide a way to interact with the operating system at an intimate level and give the developer more freedom when interacting with the system.

The MDLC (Malware Development Life Cycle) consists of 5 main stages:

1. Development

2. Testing - Perform tests to uncover hidden bugs.

3. Offline AV/EDR Testing - Run the developed malware against as many security products as possible. It's important that the testing is conducted offline to ensure no samples are sent to the security vendors. With Microsoft Defender, this is achieved by disabling the automated sample submission and cloud-delivered protection options.

4. Online AV/EDR Testing - Run the developed malware against the security products with internet connectivity. Cloud engines are often key components in AVs/EDRs and therefore testing your malware against these components is crucial to gain more accurate results. Be cautious as this step may result in samples being sent to the security solution's cloud engine.

5. IoC (Indicators of Compromise) Analysis - Analyze the malware and pull out IoCs that can potentially be used to detect or signature the malware.

6. Return to step 1.
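Before step 3, it is worth confirming on the test VM that the two Defender channels that can ship a sample to the vendor are actually off; the same read-only check, run on a production endpoint, confirms that cloud-delivered protection is still on. The script below is an added example written for these notes (not part of the original course material): it only reads state through the real Get-MpPreference and Get-MpComputerStatus cmdlets, and the function name Get-DefenderCloudPosture is an assumed name chosen here.

```powershell
# Added example (not from the original notes): read-only audit of the
# Defender settings that matter for step 3 (offline AV testing). It only
# reads state via Get-MpPreference / Get-MpComputerStatus; it changes nothing.
function Get-DefenderCloudPosture {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # SubmitSamplesConsent: 0 = AlwaysPrompt, 1 = SendSafeSamples,
    #                       2 = NeverSend,    3 = SendAllSamples
    # MAPSReporting:        0 = Disabled, 1 = Basic, 2 = Advanced
    $samplesOff = ($pref.SubmitSamplesConsent -eq 2)
    $mapsOff    = ($pref.MAPSReporting -eq 0)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        RealTimeProtection    = $status.RealTimeProtectionEnabled
        SubmitSamplesConsent  = $pref.SubmitSamplesConsent
        MAPSReporting         = $pref.MAPSReporting
        # True only when neither cloud channel can send a sample out:
        # the state the notes require before offline testing.
        OfflineTestingSafe    = ($samplesOff -and $mapsOff)
        # True when cloud-delivered protection is fully active: the state
        # a production endpoint should be in (step 4 also relies on it).
        CloudProtectionActive = ((-not $mapsOff) -and (-not $samplesOff))
    }
}

$posture = Get-DefenderCloudPosture
$posture | Format-List

if (-not $posture.OfflineTestingSafe) {
    Write-Warning ("Cloud submission channels are still enabled on {0}; " +
                   "samples run here may be sent to the vendor." -f $posture.ComputerName)
}
```

Run it in an elevated PowerShell session on the analysis VM; if OfflineTestingSafe is False, fix the settings before step 3, and if it is True on a production host, that host is missing cloud protection.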

- Visual Studio

https://visualstudio.microsoft.com/es/

This is the development environment where the coding & compiling process will occur. Install the C/C++ Runtime.

To use C instead of C++, rename the file.cpp file to file.c.

- x64dbg

https://x64dbg.com/

Open-source debugging utility for x64 and x86 Windows binaries. It is used to analyze and debug user-mode applications and kernel-mode drivers. With x64dbg, users can set breakpoints, view stack and heap data, step through code, and read and write memory values.

We will use it to get an internal understanding of the developed malware.

CPU tab:

1. Disassembly (Top-left): This window displays the assembly instructions being executed by the application.

2. Dump (Bottom-left): This window displays the memory contents of the application being debugged.

3. Registers (Top-right): This window displays the values of the CPU registers.

4. Stack (Bottom-right): This window displays the contents of the stack.

- PE-Bear

https://github.com/hasherezade/pe-bear

PE-bear is a multiplatform reversing tool for Portable Executable (PE) files. It will also be used to assess the developed malware and look for suspicious indicators.

It helps to analyze and visualize the structure of the PE file, view the imports and exports of each module, and perform static analysis to detect anomalies and possible malicious code. PE-bear also includes features such as PE header and section validation, as well as a hex editor.

- Process Hacker 2

https://processhacker.sourceforge.io/downloads.php

Process Hacker is a powerful, multi-purpose tool that helps monitor system resources, debug software and detect malware.

It is similar to Task Manager but provides more information and advanced features. It can be used to terminate processes and services, view detailed process information and statistics, set process priorities and more. Process Hacker is useful for analyzing running processes to view items such as loaded DLLs and memory regions.

- Msfvenom

Msfvenom is a command line interface tool that is used to create, manipulate, and output payloads.
