malware | offensive tools | Hacking library

I have a small warp server project on Windows that listen to a particular port and do something whenever I send a command to it by REST (for example: POST http://10.10.10.1:5000/print). It's a small client for printing PDF / receipt directly from another computer.

It works. But my problem is when I had to package the whole project, the Rust compiler give me an executable file (.exe). The application displays a terminal window when I run it. I want this terminal to be hidden somehow.

I try to run the program as a windows service (by using NSSM). It doesn't work for me since I had to access the printer. Windows doesn't allow my app to access any devices or any other executable as a windows service. (The reasons are explained here: How can I run an EXE program from a Windows Service using C#?)

So I plan to run my app as a tray-icon application so user can control or close the app. (https://github.com/olback/tray-item-rs) Unfortunately, I still cannot hide the app's terminal window.

Another solution that I found is hstart (https://www.ntwind.com/software/hstart.html). But I would like to use this as "the last resort" solution since many antivirus/windows defender mark it as a malware.

Do anyone know how to hide or get rid of it ?

Not sure how to put this into words, but how can I make a new DataFrame column like Subject? I just need Subject to be like an index for each Group.

Can we use AWS Device Farm to test anti-virus application by installing real malware on rented devices?

I am following a malware analysis course. And I came across this code which I found confusing. The first two sections make sense but the part where the if statement starts is very difficult for me to understand. This "if" statement is supposed to resolve function names by ordinals. I have put my questions in the comments.

I'm currently working on a little malware analysis project and am trying to implement a string decryptor that I wrote using Unicorn. In order to condense things and make the code easier to review, I made a smaller example below from my larger codebase.

What I'm doing is extracting snippets of x86 that represent small string decryption routines. There are a series of mov instructions that are eventually xor'd resulting in a plaintext string. I've commented out what string values should result in. In the following example, the uncommented X86_CODE64 instructions are emulated but only result in hpe.com when I read from the stack address. (Hint: To view output, run strings on asdf.txt) I would expect to see apple.com and hpe.com

Based on the code below, is there something I'm doing incorrectly / not doing at all that would result in the following code snippets to not decrypt the strings appropriately?

Disclaimer: This is my first time using Unicorn, so if I'm not articulating clearly or having some trouble explaining, I apologize in advance!

According to https://docs.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services- "any non-Windows DLLs that get loaded into the protected process must be signed with an appropriate certificate."

What are the conditions for a DLL to be considered "non-Windows"? In other words, what is a "Windows" dll.

I know for a fact that msmpeng.exe, an AM-PPL process will load C:\Windows\System32\slc.dll, an unsigned dll. Why is that permitted?

Any information is appreciated.

Thanks!

Working on a script to get the status of Windows Defender components. Running into a challenge looping through the results from Get-MpComputerStatus as I'm wanting to write out which components are enabled and disabled.

The issue that I'm running into is I'm not able to get the specific value from the PSOBJECT and only get everything.

I am tring to upgrade mongodb driver used in an UWP C# application (completly writen in C#, build for x86, x64, arm and arm64). The last driver version that worked was 2.10.4. Any driver version above that compiled and was running just fine, but failed WACK ( Windows App Certification Kit). If i upload the updated app package to Windows Store, it fails certification with the same problems as WACK. I need to upgrade the driver because, from februrary 2022, all shared mongodb instances will be upgraded to 5.0. Mongo driver 2.10.4 only supports up to 4.4. The certification problems i am getting are:

In light of recent malware in existing npm packages, I would like to have a mechanism that lets me do some basic checks before installing new packages or updating existing ones. My main issue are both the packages I install directly, and also the ones I install indirectly.

In general I want to get a list of package-version that npm would install before installing it. More specifically I want the age of the packages that would be installed, so I can generate a warning if any of them is less than a day old.

If I could do that directly with npm, that would be neat, but I'm afraid I need to do some scripting around it.

specific use case:

If I executed npm install react-native-gesture-handler on 2021-10-22 it would have executed the post-install hook of a malicious version of ua-parser and my computer would have been compromised, which is something I would like to avoid.

When I enter npm install react-native-gesture-handler --dry-run, it only tells me which version of react-native-gesture-handler it would have installed, but it would not tell me that it would install a version of ua-parser that was released on that day.

additional notes:

• I know that npm i --dry-run exists, but it shows only the direct packages.
• I know that npm list exists, but it only shows packages after installing (and thus after install-hooks have already done their harm)
• both only show packages version and not their age
• I do not know how I would get a list of packages that would come with a install-hook before installing them
• pointers to alternative ways to deal with malicious npm packages are welcome.
• so far my best solution would be to do "--ignore-scripts" but that would come with it's own set of problems