SEKTOR7 Institute Logo
Login
SEKTOR7 Institute/RED TEAM Operator: Malware Development Intermediate Course
Buy now

For Personal Purchase

For Employees, Contractors or reimbursement, please check our Business Plan

RED TEAM Operator: Malware Development Intermediate

  • $239

RED TEAM Operator: Malware Development Intermediate Course

  • 40 Lessons

More advanced offensive security tools (OST) development techniques in Windows, including: API hooking, 32-/64-bit migrations, reflective binaries and more.
Buy now

Welcome to Malware Development Intermediate course!

In our previous Essentials course we discussed basic steps to create a custom dropper.

This course builds on what you have learned so far by extending your development capabilities with:
  • playing with Process Environment Blocks and implementing our own function address resolution
  • more advanced code injection techniques
  • understanding how reflective binaries work and building custom reflective DLLs, either with source or binary only
  • in-memory hooking, capturing execution flow to block, monitor or evade functions of interest
  • grasping 32- and 64-bit processing and performing migrations between x86 and x64 processes
  • discussing inter process communication and how to control execution of multiple payloads
The course ends with a combined project, where you will create a custom dropper implementing discussed techniques.

You will receive a virtual machine with complete environment for developing and testing your software, and a set of source code templates which will allow you to focus on understanding the essential mechanisms instead of less important technical aspects of implementation.

COURSE IN A NUTSHELL

You Will Learn

  • What is PEB and how function address resolution works
  • What are other code injection techniques
  • How to build custom reflective binary
  • How to hook APIs in memory
  • How to migrate between 32- and 64-bit processes
  • How to use IPC to control your payloads

What Will You Get?

  • Full-blown videos explaining all techniques in detail

  • Transcription with English subtitles

  • Text supplements with additional information (code snippets, structure definitions, technology description and context, etc.)

  • Source code with code templates for rapid development

  • VM image with ready-to-use development environment

  • Life-time access to the content


Requirements

  • Recommended: taking Malware Development Essentials course

  • Understanding of operating system architecture

  • Some experience with Windows OS

  • Computer with Intel-compatible CPU, min. 4 GB of RAM + 30 GB of free disk space

  • VirtualBox 7.0+ installed

  • Strong will to learn and having fun


Target Audience

  • Ethical Hackers
  • Penetration Testers
  • Blue Teamers
  • Threat Hunters
  • All security engineers/professionals wanting to learn advanced offensive tactics

The course is also available in our bundles

  • $299

RTO: Offensive Coding CORE

Offensive coding (aka malware development) tactics and techniques for Windows. From basic PE file structure, to code obfuscation, payload injection, API hooking, reflective binaries and more. This pack combines Malware Development Essentials and Intermediate courses.
View product

  • $398

RTO: Offensive Coding ADVANCED

More advanced offensive coding tactics and techniques for Windows. From userland rootkits, to building COFFs and kernel hacking. This pack combines both Malware Development Advanced vol. 1 and vol. 2 courses.
View product

  • $898

RTO: Offensive Coding + Evasion

The bundle includes all courses from Malware Development series with Windows Evasion course as well. Start learning offensive coding techniques with evasion in mind.
View product

Contents

Intro and Setup

Course Introduction
  • 3 mins
  • 6.26 MB
Preview
Development VM Setup
  • 3 mins
  • 9.89 MB
RTO-MalDev2.ova
    RTO-MDI.zip
    • 769 KB
    RTO-MDI-encrypted.zip
    • 780 KB
    Shellcodes

      PE madness

      Revisiting PE file format
      • 40 mins
      • 168 MB
      Walking through Export Address Table
      • 20 mins
      • 62.8 MB
      Dancing with IAT
      • 19 mins
      • 77.2 MB
      GetProcAddress/GetModuleHandle implementations
      • 31 mins
      • 123 MB
      PE with no imports
      • 8 mins
      • 32.1 MB
      Assignment

        Code Injection

        Classic Injection Variations
        • 7 mins
        • 25.5 MB
        Thread Context
        • 7 mins
        • 21.5 MB
        Sections & Views
        • 8 mins
        • 29.9 MB
        Asynchronous Procedure Calls
        • 8 mins
        • 29.1 MB
        EarlyBird
        • 8 mins
        • 33.5 MB
        Assignment

          Reflective DLLs

          Reflective Injection Explained
          • 4 mins
          • 7.08 MB
          Preview
          ReflectiveLoader source review
          • 24 mins
          • 87.5 MB
          Implanting RDI in source code
          • 21 mins
          • 94.4 MB
          Shellcode RDI
          • 15 mins
          • 64.4 MB
          Assignment

            x86 vs x64

            WoW64 and Heaven's Gate
            • 17 mins
            • 66.1 MB
            Migrating between 32-bit & 64-bit processes
            • 24 mins
            • 83.6 MB

            Hooking

            API Hooking intro
            • 4 mins
            • 20.2 MB
            Hooking with Detours
            • 21 mins
            • 84.8 MB
            IAT hooks
            • 10 mins
            • 42.6 MB
            In-line patching
            • 15 mins
            • 64.6 MB
            Assignment

              Payload Control via IPC

              MultiPayload Control
              • 6 mins
              • 23.3 MB

              Combined Project

              Project Design
              • 4 mins
              • 9.13 MB
              Preview
              VCsniff
              • 39 mins
              • 154 MB
              VCmigrate
              • 26 mins
              • 113 MB
              VCpersist
              • 13 mins
              • 57.5 MB
              Assignment #1
                Assignment #2
                  Assignment #3

                    Summary

                    Your Feedback
                      Closing words
                      • 4 mins
                      • 8.24 MB

                      Instructor: reenz0h

                      Chief Research Officer at SEKTOR7. In the industry for over 20 years. Worked in global Red Team for almost a decade. Simulated threat actors targeting IT infrastructure across various industries (financial, technology, industrial, energy, aviation) around the world. Speaker at HackCon, PWNing, WTH@ck, Sec-T, T2, DeepSec. Gave guest lectures at several military and civil academies and universities.

                      Founder of x33fcon security conference
                      and SEKTOR7 offensive research company
                      XYoutubeWebsite

                      FAQs

                      Why malware development?

                      So-called malware development in the context of legal security testing is also known as offensive security tool (OST) development or Offensive Coding. The goal is to teach all cybersecurity professionals, both red and blue teams, to use this knowledge to better understand how real threat actors operate and use different techniques (TTP). This approach should significantly improve the skillset of offensive and defensive teams in testing and securing the production environments of their customers and employers in the long run.

                      How long is the course?

                      All videos are about 6.5h long.

                      What language is used in the course?

                      All videos, text and materials are in English.

                      Is it on-line course only?

                      The course is composed of 2 types of materials. Videos, which are available on-line only, and virtual machine with source code templates, which can be downloaded and stored on your computer, so you can access it later off-line.
                      In case of video download attempts, access to the content will be revoked.

                      How long is the course available after purchase?

                      After you purchase the course as an individual (not team/business), you have access to all the videos and materials for life-time. You can learn whenever you want, the content will always await for you.
                      Moreover, any updates to the course materials (ie. new modules, new videos, new files, etc.) will also be available for anyone who purchased the course without any extra charge.

                      Do I have to be an expert in C language or Intel assembly?

                      No. Although some level of experience in C programming and Intel assembly reading is required, you don't have to be an expert in this field. Basic knowledge about the syntax, data structures and function calling convention is enough during the course.
                      For refresher check these resources: 

                      How can I get an invoice?

                      You can get an invoice after you purchase the course.
                      After logging into your account, first go to Settings and edit Address (including business details like company name and tax ID). Then save and go to Billing and just download the invoice.

                      How to change VAT rate?

                      When you are registering in the course, you can choose VAT rate appropriate for your country (if you are from EU). After you supply your email, the system will present you a price with suggested VAT rate, and, if a tax rate is inappropriate or you do not qualify for VAT because of your tax residence, adjust the rate by clicking on update and chose your country of residence.

                      Can I get a Certificate of Completion?

                      When the course is finished, Certificate of Completion will be generated automatically. The notification email will be send with CoC access details.
                      To include your name on the certificate, please provide your first and last name in your profile Settings.

                      Can I share my account with others?

                      Unfortunately, we consider this unfair and therefore it is prohibited. We try to keep our prices affordable so that the course can reach as many students as possible.

                      Legal Disclaimer

                      All the materials are for educational and research purposes only.
                       
                      Do not attempt to violate the law with anything contained in materials produced by SEKTOR7. Neither administration of this server, the authors of this material, or anyone else affiliated in any way, is going to accept responsibility for your actions.

                      By using institute.sektor7.net and its contents, you accept that you will only lawfully use it in a test lab – with devices that you own or are allowed to conduct penetration tests for your customers and clients.

                      Do not abuse this material. Be responsible.