5pider Profile
5pider

@C5pider

Followers
27,054
Following
78
Media
228
Statuses
2,654
@C5pider
5pider
2 years
90% of my Twitter DMs are asking me about how to start getting into Malware development. Well, I love answering them but it's easier to write a small thread about it so here we go. 1/12
115
918
3K
@C5pider
5pider
3 months
Modern implant design: position independent malware development. A small blog post on how to design "modern" malware with features like global variables, raw strings, and compile-time hashing. Repo:
28
322
1K
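As an added example (it is not code from the blog post or from Havoc, and not taken from the repo the post links): the compile-time hashing the post describes, in plain C. A macro unrolls the hash over a string literal so the compiler folds it to one immediate and the API name never lands in the binary as a string; the same hash computed at runtime over a module's export names resolves the function. The export table below is constructed sample data standing in for the IMAGE_EXPORT_DIRECTORY walk a real position independent loader performs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Odd multiplier for the hash. Changing it per build changes every constant,
 * so a detection written against one build's hash set misses the next. */
#define HASH_MUL 65599u

/* Compile-time hash of a string literal. H64 unrolls 64 steps; step i reads
 * byte sizeof(s)-1-i, so the bytes are consumed front to back and every step
 * past the end reads the terminating NUL. State 0 times HASH_MUL plus 0 stays
 * 0, so the leading padding is harmless: literals of up to 63 bytes hash
 * exactly like hash_rt() below, and the compiler folds the whole expression
 * to one immediate. */
#define H1(s, i, x)  ((x) * HASH_MUL + (uint8_t)(s)[(i) < sizeof(s) ? sizeof(s) - 1 - (i) : sizeof(s) - 1])
#define H4(s, i, x)  H1(s, i, H1(s, i + 1, H1(s, i + 2, H1(s, i + 3, x))))
#define H16(s, i, x) H4(s, i, H4(s, i + 4, H4(s, i + 8, H4(s, i + 12, x))))
#define H64(s, i, x) H16(s, i, H16(s, i + 16, H16(s, i + 32, H16(s, i + 48, x))))
#define HASH(s)      ((uint32_t)H64(s, 0, 0u))

/* Runtime twin of HASH(): same multiplier, same bytes, same trailing NUL. */
static uint32_t hash_rt(const char *s)
{
    uint32_t h = 0;
    do {
        h = h * HASH_MUL + (uint8_t)*s;
    } while (*s++);
    return h;
}

/* Constructed sample standing in for a module's export name table; a real
 * loader walks IMAGE_EXPORT_DIRECTORY (AddressOfNames) of the mapped module. */
static const char *const sample_exports[] = {
    "CloseHandle", "CreateFileW", "NtAllocateVirtualMemory",
    "VirtualAlloc", "VirtualProtect", "WriteFile",
};
#define SAMPLE_EXPORT_COUNT (sizeof sample_exports / sizeof sample_exports[0])

/* Resolve an export by hash: hash every exported name at runtime and compare
 * against the constant baked in at build time. Returns the index into the
 * name table (which a real loader maps to an address), or -1 if none match. */
static int resolve_by_hash(uint32_t want)
{
    for (size_t i = 0; i < SAMPLE_EXPORT_COUNT; i++)
        if (hash_rt(sample_exports[i]) == want)
            return (int)i;
    return -1;
}

/* Run this once per build: if the macro and the runtime function ever
 * disagree, every lookup fails silently and the implant dies at start. */
static int hash_self_test(void)
{
    return HASH("VirtualAlloc") == hash_rt("VirtualAlloc")
        && HASH("NtAllocateVirtualMemory") == hash_rt("NtAllocateVirtualMemory")
        && HASH("") == hash_rt("");
}

int main(void)
{
    if (!hash_self_test()) {
        puts("compile-time and runtime hash disagree");
        return 1;
    }
    printf("VirtualAlloc -> 0x%08x, export index %d\n",
           HASH("VirtualAlloc"), resolve_by_hash(HASH("VirtualAlloc")));
    printf("NotAnExport  -> 0x%08x, export index %d\n",
           HASH("NotAnExport"), resolve_by_hash(HASH("NotAnExport")));
    return 0;
}
```

Two checks belong in any build that relies on this: run the self test so a mismatch between macro and runtime hash shows up before deployment, and run `strings` or `objdump -s` over the shipped object at the optimization level you actually use, because at -O0 a compiler may still emit the literal and index it at runtime instead of folding it. Collisions across a real export table are unlikely with a 32-bit hash but not impossible, so check the set of hashes you use against the target module's export list once.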
@C5pider
5pider
5 months
WOMP WOMP HELL YEAH.
@kalilinux
Kali Linux
5 months
Before we wrap up the year, it’s time to get out one last Kali release for 2023. Announcing Kali 2023.4, with a focus on the addition of Hyper-V support to Vagrant, ARM64 Cloud images, support for the Pi 5, and an update to Gnome 45. Check it out!
29
336
2K
32
109
984
@C5pider
5pider
24 days
I bypassed Windows Defender !!!
68
42
994
@C5pider
5pider
1 year
I found a new novel self injection technique that most EDRs are not detecting. go use this technique in your next red team engagement. The technique is: VirtualAlloc + CreateThread + ExitProcess ExitProcess is the most important part here since it hides the process from EDRs
27
117
635
@C5pider
5pider
5 months
what actually stops you from writing code like this? I like to obfuscate my C source code with goto's to confuse blue teamers and malware analysts when they dump my source from memory. With this I am going to protect my malware and bypass all AVs and EDRs.
34
56
579
@C5pider
5pider
2 years
Wrote my own reflective loader called KaynLdr. It uses RX Memory, direct syscalls (TartarusGate), and it erases the DOS and NT headers to make it look less suspicious in memory. Going to publish it soon.
11
127
562
@C5pider
5pider
2 years
I reimplemented the Sleep Obfuscate which encrypts the entire Image in memory using ROP Chains + spoofing the thread stack while it sleeps. And every time it goes to sleep it uses different keys to encrypt/decrypt the image.
10
117
528
@C5pider
5pider
4 months
All this time I have been the real C5pider ... @inversecos
38
19
512
@C5pider
5pider
2 years
Thanks to @infosecnoodle Havoc now has new session target icons that show if a user is elevated or not. It even shows disconnected/dead agents.
11
83
499
@C5pider
5pider
6 months
I just noticed Havoc reached 5k stars on github. Thank you everyone for the support. I have a lot of new cool things & features coming in the following weeks🙂
14
25
500
@C5pider
5pider
5 months
A few weeks ago I started to rewrite the Havoc Framework from scratch for various reasons. Redesigning the server architecture, RESTful API driven, and the client fully scriptable using Python (commands, events, UI). I wanna fully rewrite everything in the next ~2 months [1/11]
19
68
452
@C5pider
5pider
2 years
Ekko Sleep Obfuscation by using CreateTimerQueueTimer to queue the ROP Chain that performs the sleep obfuscation.
13
138
443
@C5pider
5pider
1 year
In Havoc 0.6 hardware breakpoints are going to be utilized to patch Amsi/Etw and manipulate the behavior of AmsiScanBuffer/NtTraceEvent. I wrote an entire Hardware breakpoint engine from scratch (based on @rad9800 's hwbp4mw engine) No more memory patching to bypass Amsi/Etw
11
104
444
@C5pider
5pider
4 months
I'm glad I'm done with 2023. Surely a shitty year. I dropped out of high school because I was basically failing every single class, I got drafted into the mandatory military service for 6 months (Austria) and just got out today. Let's see how 2024 is going to be.
20
6
350
@C5pider
5pider
1 year
What an amazing video from @33y0re explaining modern Windows Kernel Exploitation. Going to start my journey of learning kernel exploit dev soon and this video explained a lot of things.
4
81
343
@C5pider
5pider
1 year
The Havoc Framework 0.5 Emperor * socks5 * improved support for redirectors * 'Health' tab * add working hours * updated BOF loader * add kill date * add sleep jitter * add Kerberos native support * add incognito 'find-tokens' and so much more.
9
85
335
@C5pider
5pider
3 years
You wanna learn more about the Windows API/syscalls? Just read the source/documentation from @reactos . There is a lot of info on how the Win API works internally. Wanna learn reverse engineering on the way too? Then just open ntdll.dll in IDA Freeware (comes with a free decompiler).
8
97
331
@C5pider
5pider
4 months
Forget about the server-side Golang plugin way. I managed to expose the Havoc client qt6 library to Python and now the client UI can be fully scripted using Python and pyside6. It is now possible to create full UI elements/widgets for the Havoc GUI.
@C5pider
5pider
5 months
Either way, now the listeners are fully external and not a built-in feature. This is going to allow me to add support for more listeners like abusing legit sites and services for agent communication. [6/11]
2
2
32
9
47
328
@C5pider
5pider
1 year
The Havoc Framework now has its own website. All information, documentation, and tutorials are there. It's still under heavy work but I wanted to make it public so people can learn, help and contribute to the project.
6
82
316
@C5pider
5pider
2 years
Nearly forgot to say that but thank you guys so much for 10k followers !!! 🥳
6
6
311
@C5pider
5pider
1 year
I have worked on some cool new features in the last few days for Havoc 0.4 Silver Chariot. - Chunked downloading of files - Thread inline assembly execution while being able to obfuscate the agent memory at the same time. - Reverse port forwarding Release is in around 2 days.
3
62
309
@C5pider
5pider
9 months
The Havoc Framework 0.6 Hierophant Green - stack duplication - refactored/rewrote indirect syscalls - proxy library loading - random order module loading. - x86 demon implants. - cross process arch injection - AMSI/ETW patching using Hardware breakpoints
4
83
291
@C5pider
5pider
6 months
Havoc 0.7 [Bite the Dust] is going to be able to use gadgets while performing sleep obfuscation to indirectly call functions without triggering detections like patriot (by @dez_ )
5
35
290
@C5pider
5pider
2 years
Finally managed to switch from TCP to HTTP/s as my main protocol for my implants. Each HTTPs Listener generates its own TLS/SSL certificate. Even made it malleable for values like UserAgent, Uri, Headers, HTTP Method, etc. Process Injection behavior is malleable too.
9
45
283
@C5pider
5pider
1 year
Finally implemented the most requested feature which is socks(4a) proxy support. Now the agent should have enough features for practical use as I have planned to not add any further "hard coded" commands and rather try to make the agent more stable and more secure.
5
39
285
@C5pider
5pider
2 years
Soon in Havoc 0.3 'jump-exec' is a module to move laterally using psexec, scshell, and more coming soon. Going to commit those changes tomorrow or in the next few days. psexec and scshell are written as BOFs so no extra code in the demon agent.
7
42
273
@C5pider
5pider
8 months
Turned 19 🤘
49
0
273
@C5pider
5pider
1 year
The Havoc Framework just hit 3k ★ stars on GitHub🥳 What a Christmas present🎅
6
7
272
@C5pider
5pider
2 years
First, we gotta learn some fundamentals. I would highly recommend learning the following things: Win32 API, Networking (communicate over HTTP/s, DNS, ICMP), Encryption (basic use of AES, XOR, RC4, etc.), Injection Techniques, and learn how to use debuggers. Trust me, you're gonna need this. 2/12
7
19
267
@C5pider
5pider
2 years
Holy shit I got mentioned by @kyleavery_ at @defcon
11
10
272
@C5pider
5pider
2 years
Finally managed to add encryption to my implants. It uses AES 256 to encrypt & decrypt its tasks. And without using the Win32 API.
8
34
254
@C5pider
5pider
4 months
There are a lot of ways of encrypting the image base address besides using SystemFunction032/SystemFunction032. For example SystemFunction040/041 also can be used (aka RtlEncryptMemory/RtlDecryptMemory). Those APIs communicate with a driver to encrypt the specified memory region.
5
46
252
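The in-memory encryption that the sleep obfuscation posts on this page rest on, written out as an added example. It is not Havoc's code and it does not call any of the SystemFunction* or Rtl*Memory routines named above; it is a self-contained RC4 (the cipher SystemFunction032/033 implement) plus the round-trip checks an implant should run once per build: masking changes the bytes, masking again with the same key restores them exactly, and a new key per cycle gives a new ciphertext. The image bytes and the two keys are constructed test data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal RC4, the cipher behind SystemFunction032/033. One routine both
 * encrypts and decrypts: it only XORs a keystream over the buffer. */
typedef struct { uint8_t s[256]; uint8_t i, j; } rc4_t;

static void rc4_init(rc4_t *c, const uint8_t *key, size_t klen)
{
    for (int k = 0; k < 256; k++) c->s[k] = (uint8_t)k;
    for (int k = 0, j = 0; k < 256; k++) {
        j = (j + c->s[k] + key[k % klen]) & 0xff;
        uint8_t t = c->s[k]; c->s[k] = c->s[j]; c->s[j] = t;
    }
    c->i = c->j = 0;
}

static void rc4_xor(rc4_t *c, uint8_t *buf, size_t len)
{
    for (size_t n = 0; n < len; n++) {
        c->i = (uint8_t)(c->i + 1);
        c->j = (uint8_t)(c->j + c->s[c->i]);
        uint8_t t = c->s[c->i]; c->s[c->i] = c->s[c->j]; c->s[c->j] = t;
        buf[n] ^= c->s[(uint8_t)(c->s[c->i] + c->s[c->j])];
    }
}

/* Wipe the optimizer cannot drop as a dead store. */
static void secure_wipe(void *p, size_t len)
{
    volatile uint8_t *v = p;
    while (len--) *v++ = 0;
}

/* Public RC4 known-answer test: key "Key", plaintext "Plaintext". */
static int rc4_known_answer_ok(void)
{
    static const uint8_t expect[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    uint8_t buf[9];
    rc4_t c;
    memcpy(buf, "Plaintext", 9);
    rc4_init(&c, (const uint8_t *)"Key", 3);
    rc4_xor(&c, buf, 9);
    return memcmp(buf, expect, 9) == 0;
}

/* Mask or unmask an image region in place. Key and key schedule live outside
 * the region being encrypted (the one invariant sleep obfuscation must keep)
 * and the schedule is wiped afterwards. */
static void mask_image(uint8_t *image, size_t len, const uint8_t *key, size_t klen)
{
    rc4_t c;
    rc4_init(&c, key, klen);
    rc4_xor(&c, image, len);
    secure_wipe(&c, sizeof c);
}

/* Constructed stand-in for the first 16 bytes of a mapped image. */
static const uint8_t sample_image[16] = {
    0x55,0x48,0x89,0xE5,0x48,0x83,0xEC,0x20,0x48,0x8B,0x05,0x00,0x00,0x00,0x00,0xC3
};

/* Checks worth running once per build: masking changes the bytes, masking
 * again with the same key restores them exactly, a different key gives a
 * different ciphertext. key1/key2 are constructed test keys. */
static int roundtrip_ok(void)
{
    static const uint8_t key1[] = "cycle-one-key-01", key2[] = "cycle-two-key-02";
    uint8_t image[16], ct1[16], ct2[16];
    memcpy(image, sample_image, 16);
    mask_image(image, 16, key1, sizeof key1 - 1);
    memcpy(ct1, image, 16);
    if (memcmp(ct1, sample_image, 16) == 0) return 0;    /* nothing changed */
    mask_image(image, 16, key1, sizeof key1 - 1);
    if (memcmp(image, sample_image, 16) != 0) return 0;  /* did not restore */
    mask_image(image, 16, key2, sizeof key2 - 1);
    memcpy(ct2, image, 16);
    mask_image(image, 16, key2, sizeof key2 - 1);
    if (memcmp(image, sample_image, 16) != 0) return 0;
    return memcmp(ct1, ct2, 16) != 0;                    /* new key, new bytes */
}

int main(void)
{
    printf("RC4 known answer: %s\n", rc4_known_answer_ok() ? "ok" : "FAILED");
    printf("mask/unmask round trip: %s\n", roundtrip_ok() ? "ok" : "FAILED");
    return rc4_known_answer_ok() && roundtrip_ok() ? 0 : 1;
}
```

Outside a test, the key for each cycle comes from the platform CSPRNG (BCryptGenRandom on Windows) and is wiped after the unmask, and both the key and the code that performs the unmask have to live outside the masked region, which is why the posts above route the sleep through timer callbacks or a ROP chain rather than through the agent's own code.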
@C5pider
5pider
1 year
was getting bored out so started working on a silly little rootkit. planned on also working on a bootkit to load my rootkit and disable some kernel security mitigations. process hiding via DKOM so not recommended doing it while PG is enabled lol.
11
18
246
@C5pider
5pider
2 years
Finally got it to work with nested pivots. The speed ain't the best but hey it's working and there is no new thread created for getting the output from each pivot (the agent is single threaded). The parent and child pivot can use sleep obfuscation while being connected.
10
21
246
@C5pider
5pider
3 months
My ass explaining to the bad bitch what an interpreter is and how it works.
9
19
238
@C5pider
5pider
2 years
In the past few months I received a lot of messages from individuals that want to purchase my C2 and at the same time requested that I should not release it for free and make it open source. Well I turned every single one of them down because I'm not doing this for money 1/3
5
10
235
@C5pider
5pider
3 years
I completely redesigned my website because in a few weeks I'm gonna share some blog posts (more like a series) about malware development and (the most requested one) QT GUI Development.
15
31
231
@C5pider
5pider
2 years
The Havoc Framework 0.2 Magician's Red - added command 'shellcode execute' - added support for long running jobs/commands/modules. - UI/UX Fixes
4
34
228
@C5pider
5pider
1 year
Currently working on Havoc 0.6 Hierophant Green. New features are going to be added like Sleep stack duplication/obfuscation + a new sleep obfuscation technique called Zilean (using RtlRegisterWait)
13
35
231
@C5pider
5pider
2 years
Fuck it. Next week Friday is the Havoc release. It's stable enough to be used thanks to the beta testers that tested it and reported major issues.
9
28
228
@C5pider
5pider
1 year
The Havoc Framework 0.4 Silver Chariot - Chunked downloading of files - Threaded inline assembly execution (while sleep obf is still usable) - reverse port forwarding - webhooks for discord - SMB agent fixes - bug fixes Happy hacking.
5
60
222
@C5pider
5pider
2 years
After my malware dev phase I will go for kernel level exploits. My favourite exploits are definitely eternalblue and doublepulsar. Super interesting shit. And EternalBlue was the first exploit i have ever used & was interested in since I got into hacking.
4
16
217
@C5pider
5pider
2 years
Wrote a Beacon Object Loader. This loader is heavily inspired by the @TrustedSec COFFLoader. So credit goes to them for open sourcing such a cool project. Going to make it public after I did some refactoring and cleanup.
5
55
215
@C5pider
5pider
2 years
Infosec is very disappointing. There is only a handful of people I enjoy talking to. Need to find something else to waste my time on.
38
8
213
@C5pider
5pider
2 years
Please stop opening issues about how the Havoc demon agent is getting detected by WinDef or XY. It's not designed to be evasive. It is designed to be malleable/modular enough so red team operators can add/remove techniques. But my next project is going to be evasive by design...
14
10
217
@C5pider
5pider
2 years
I haven't posted any updates about my Havoc C2 lately. I focused mainly on bug fixes, code refactoring, and making it stable as possible. My agents are now using obfuscated/Indirect syscalls to perform injection and memory allocation instead of using direct syscalls.
6
38
216
@C5pider
5pider
2 years
@Windows My favourite operating system to run my malware.
5
5
206
@C5pider
5pider
6 months
Users of the Havoc Framework pushed multiple updates to the client API which allow anyone to write UI plugins for the Havoc client. A great example being a UI plugin for the Shhhloader project 👀 Credit goes to the people who contributed to the project and @icyguider .
2
34
215
@C5pider
5pider
2 years
So alright the first resource I recommend going through is the maelstrom blog post series from @preemptdev : 3/12
3
32
210
@C5pider
5pider
1 month
Thanks for sharing. Basically rewrote a large part of my private agent to adapt this and it works wonderfully. No more memory toggling. Every function now takes a KnSelf as a first param which is the instance passed. For functions like the beacon API a macro that gets it can be used.
@0x64616e
Daniel
2 months
After reading @C5pider 's blog I got an idea how to implement global shellcode context without NtProtectVirtualMemory: Add magic header to context struct, place context on stack, append its address to peb.ProcessHeaps and retrieve it from there when needed. No syscalls required.
1
30
178
3
20
204
@C5pider
5pider
5 months
The Havoc Framework 0.7 Bites The Dust - added support for the key/value store API - several fixes (smb agent, port forwarding, ...) - added callbacks for new demons - updated python api - refactor the hwbp engine - sleep obf with gadgets and so much more
6
36
209
@C5pider
5pider
9 months
I have looked a little bit into Export address filtering in the past few days and wrote a more extended version of LdrFunction (under LdrFunctionEx) which should evade EAF and maybe (haven't tested it) EATGuard by @33y0re . Have a lovely day or whatever.
4
54
204
@C5pider
5pider
1 year
@vxunderground Unfortunately, the hacker was able to steal the terabytes of malware that was hoarded on the server by using stack/heap overflow and moving around his mouse cursor. and I heard from some folks that the hacker was able to crack the password of the zip-protected samples.
5
4
197
@C5pider
5pider
11 months
beep boop removing and adding protection to any process be it process protection light, full or remove any protection from the process. nothing exciting honestly. just manually getting the offset of EPROCESS process signature/protection and changing the values of them.
6
29
196
@C5pider
5pider
2 years
Wrote a shitty Lsass memory parser. Always wanted to learn how mimikatz parses the Lsass memory. Harder than expected but got it to work. No code/memory cleanup for now lol.
6
16
193
@C5pider
5pider
1 year
I am really enjoying writing projects in rust. may write an emulator in rust just for fun. I need to take a break from only writing malware related projects and reset my brain. let's see how far this goes.
11
6
184
@C5pider
5pider
1 year
lol. Great job @Threatlabz for the awesome written blog post. Tbh I am happy to see people writing detailed reports on how to detect Havoc. Unfortunately I hate to see Havoc being used by Threat Actors.
@Threatlabz
Zscaler ThreatLabz
1 year
🕵️Zscaler ThreatLabz has observed a campaign targeting a government organization with a new post exploitation framework named #Havoc . During this attack, the threat actors have made several #opsec failures: IOCs are available here:
5
146
421
9
20
183
@C5pider
5pider
3 years
Damn I nearly forgot to mention that my implants can execute an executable file in memory and fetch the output from it.
12
25
184
@C5pider
5pider
3 years
The source code of Meterpreter is a goldmine for malware developers. I always enjoy reading it. It gives me a lot of ideas and helps me improve my current knowledge about programming in C and malware development.
0
23
179
@C5pider
5pider
2 years
The Havoc Framework 0.3 Hermit Purple * added new session icons * lateral movement command 'jump-exec psexec' * lateral movement command 'jump-exec scshell' * new payload type: service executable
4
17
182
@C5pider
5pider
2 years
KaynStrike: a User Defined Reflective Loader for Cobalt Strike Beacon. Frees itself after the entry point was executed and spoofs the thread start address.
2
76
181
@C5pider
5pider
2 years
In not even 2 weeks The Havoc Framework already hit 2k stars. Thank you so much for your support. 🥳 Expect some amazing new features/commands in the following days/weeks.
8
6
179
@C5pider
5pider
1 year
Sometimes I regret open-sourcing most of what I wrote. At least I got to know some cool folks.
19
5
179
@C5pider
5pider
1 year
The Havoc Framework 0.4.1 The Fool - Socks4a Proxy - bug fixes - Vuln fix in the service API Happy hacking.
0
35
178
@C5pider
5pider
11 months
I added kernel callbacks listing to my small kernel driver. it isn't using any offsets or hardcoded signatures to get the callback notify array/lists. honestly might not be the best code but it works lol.
7
29
181
@C5pider
5pider
2 years
Turned 18.
39
1
179
@C5pider
5pider
1 year
Well, I started to learn and implement stack obfuscation/duplication for my agent while it sleeps (+ obf the memory). This is a completely new agent I am currently working on. Completely PIC, small (~21k), and modular. This feature won't be available to the public agent (demon).
7
17
178
@C5pider
5pider
2 years
My Agents are now more configurable/malleable at runtime. For example the default fork&run target process is configurable, memory allocation/execution (win32 API, NT API, direct or obfuscated/indirect syscalls), and later much more.
6
19
177
@C5pider
5pider
1 year
this account turned into a shitpost account lol. I am tired and don't have any energy left to write on any new projects. hopefully changes sooner or later. have a lovely day.
15
1
174
@C5pider
5pider
2 years
The release of The Havoc Framework is 30. September 6pm (GMT+2).
13
22
173
@C5pider
5pider
9 months
highly recommend it to people who wanna start in Maldev to follow @cr0ww_ . He puts a lot of work into his videos and explains how things work.
@cr0ww_
crow
9 months
🎉 NEW VIDEO OUT! In it, we take a look at some anti-debugging techniques and implement self-deletion in our malware! A HUGE thank you to @MalDevAcademy for sponsoring this video. SAVE 10% OFF your order with code “CROW10” for a limited time! ❤️
12
104
364
6
32
170
@C5pider
5pider
1 year
Another feature imma include in Havoc 0.6 is proxy module/library loading. It loads the specified module using LoadLibraryW and one of the 3 APIs (RtlRegisterWait/RtlCreateTimer/RtlQueueWorkItem) to have a clean call stack while loading a library.
2
32
169
@C5pider
5pider
4 months
Man i fucking hate Visual Studio
29
5
167
@C5pider
5pider
1 year
It finally arrived. Can't wait to play around with this amazing toy and can't wait to write some modules/plugins for this 👀👀 Such a cool project @flipper_zero
10
7
167
@C5pider
5pider
3 years
"Dear diary, today I learned how to steal tokens from remote processes and save them to a vault"
7
10
165
@C5pider
5pider
1 year
I made a new repo where I put all of my small code snippets. For example, an improved version of Ekko that eliminates a race condition by using start/end events.
4
38
161
@C5pider
5pider
1 year
I haven't worked on Havoc for quite some time because I am for personal reasons on a break. Luckily @s4ntiago_p has been contributing to the Havoc C2 by fixing a lot of bugs and adding features and commands (Killdate, Sleep Jitter, RemoteOps, 30+ Situational Awareness commands)
2
19
164
@C5pider
5pider
2 years
"Jesse we need to write malware"
7
10
159
@C5pider
5pider
5 months
My student license for the @jetbrains IDEs ran out a few weeks ago so I applied for an OSS license so I can continue with the development of the Havoc Framework. Got it and now back to the grind :P
9
3
160
@C5pider
5pider
2 years
In the past few weeks, I converted KaynLdr to Cobalt strike as a User Defined Reflective Loader and added a lot of "OpSec" features. I also implemented this amazing idea from @ilove2pwn_ to use my own APIs that the BOF Loader can utilize by hooking LoadLibraryA & GetProcAddress.
3
33
157
@C5pider
5pider
2 years
Added new modules from CS-Situational-Awareness-BOF. Check it out at
1
25
155
@C5pider
5pider
2 years
A little bit of info about the Havoc Framework. The planned release date is 31. August - 14. September depending on my current progress since there are still some features and bugs I gotta work on. So the initial release is going to be a beta. 1/3
14
25
156
@C5pider
5pider
1 year
@endingwithali Just gonna ignore this red flag.
1
0
152
@C5pider
5pider
2 years
Worked on a User Defined Reflective Loader for Cobalt Strike. It spoofs the thread start address and frees the reflective loader after the entry point was executed by using ROP chains. Going to publish this after some code cleanup.
8
40
154
@C5pider
5pider
1 year
Soon you will be able to write modules/scripts for 3rd party agents.
5
10
155