RTO: Malware Development Advanced

RED TEAM Operator: Malware Development Advanced Vol.1

$499

RTO: Malware Development Advanced - Vol.1

50 Lessons
365-day access

Advanced offensive security tool (OST) development topics for Windows user land only, including: hidden data storage, rootkit techniques, finding privileged objects in system memory, detecting new process creation, generating and handling exceptions, building COFFs and custom RPC-like instrumentation, and more.

Buy now

Welcome to Malware Development Advanced (Vol.1) course!

In the previous Intermediate course we covered some of the more advanced offensive security tools (OST) development topics.

This time we will be focusing on extending your payload with additional userland techniques to bury it in the depths of the system. That includes:

ways to hide your payload inside NTFS and registry hive
learning object enumeration alternatives in the system memory
manipulating Process Environment Blocks to hide your module and confuse the potential defender
finding .NET process with RWX memory ready to abuse
detecting new process creation (from userland)
setting up global hooks
learning few userland rootkit techniques to hide your files, registry keys and processes
abusing memory and hardware breakpoints for hooking
hiding payload with Gargoyle and similar techniques
creating custom "RPC" allowing to call any API function with any number of parameters in a remote process
learning COFF objects, how to build, parse, load and execute them in the memory

The course ends with a custom project, employing some of the discussed techniques.

You will receive a virtual machine with complete environment for developing and testing your software, and a set of source code templates which will allow you to focus on understanding the essential mechanisms instead of less important technical aspects of implementation.

COURSE IN A NUTSHELL

You Will Learn How To

Hide payloads in the corners of NTFS and registry
Enumerate processes, modules and handles with alternatives
Find a perfect process for injection
Set up global hooks
Use few userland rootkit techniques
Abuse exception handlers
Hide a payload in a memory
Call any API (with any number of params) in a remote process
Build custom COFF objects

What Will You Get?

Full-blown videos explaining all techniques in detail
Transcription with English subtitles
Text supplements with additional information (code snipets, structure definitions, technology description and context, etc.)
Source code with code templates for rapid development
VM image with ready-to-use development environment

Requirements

Recommended: taking Malware Development Intermediate course
Solid understanding of operating system architecture
Good experience with Windows OS
Computer with Intel-compatible CPU, min. 4 GB of RAM + 30 GB of free disk space
VirtualBox 7.0+ installed
Strong will to learn and having fun

Target Audience

Ethical Hackers
Penetration Testers
Blue Teamers
Threat Hunters
All security engineers/professionals wanting to learn advanced offensive tactics

Intro and Setup

Course Introduction

3 mins
7.08 MB

Preview

Development VM Setup

3 mins
10.9 MB

RTO-MalDev3.ova

MDA.zip

1.93 MB

MDA-encrypted.zip

1.94 MB

Shellcodes

Filesystem corners

Timestomping

9 mins
37.2 MB

Alternate Data Streams - Introduction

4 mins
15.3 MB

Alternate Data Streams - Implementation

7 mins
28.4 MB

Registry Hives - Introduction

3 mins
12.5 MB

Registry Hives - Implementation

5 mins
23.2 MB

EAs - Introduction

7 mins
23.2 MB

EAs - Implementation

14 mins
64.1 MB

Objects Enumeration in Memory

Processes - classic method

4 mins
16.8 MB

Processes - Win API alternatives

6 mins
23.2 MB

Processes - Native API alternatives

7 mins
25.9 MB

Modules - classic method and alternatives

10 mins
41 MB

Handles (tokens, process, thread, etc.)

22 mins
142 MB

Finding .NET

8 mins
29.7 MB

Global Hooks

WMI Monitor - Introduction

6 mins
19.9 MB

WMI Monitor - Implementation

10 mins
32.6 MB

SetWindowsHookEx - Introduction

6 mins
17.3 MB

SetWindowsHookEx - Implementation

11 mins
35 MB

AppInit Infrastructure - Introduction

9 mins
44.4 MB

AppInit Infrastructure - Implementation

6 mins
22.6 MB

Userland Rootkit Tech

Introduction and Demo

8 mins
30.9 MB

Implementation

10 mins
38 MB

Process Environment Block Manipulations

Parameters

10 mins
50.7 MB

Module Lists

13 mins
64.4 MB

No-patch Hooking

Guard Pages - Introduction

8 mins
33.7 MB

Guard Pages - Implementation

8 mins
31.2 MB

Hardware Breakpoints - Introduction

9 mins
30.6 MB

Hardware Breakpoints - Implementation

9 mins
31.9 MB

Process Memory Hiding

Gargoyle and family

22 mins
88.7 MB

Ekko

11 mins
40.6 MB

NinjaGuard - Ninjasploit behind Guard Pages

4 mins
12.7 MB

NinjaGuard - Implementation

7 mins
27.8 MB

MapBlinker

4 mins
13.6 MB

HWBlinker - Ninjasploit+MapBlinker+HWBP offspring

10 mins
37.3 MB

Custom "RPC"

RtlRemoteCall - Introduction

4 mins
9.67 MB

RtlRemoteCall - Demo

7 mins
29.6 MB

ApiReeKall - calling any API in remote process

18 mins
74.3 MB

Common Object File Format

CaFeBiBa - COFF object parser

21 mins
91.5 MB

Mokosh - MSVC COFF object loader

23 mins
111 MB

Building custom COFF objects

11 mins
42.6 MB

Custom Project

Objectives and Design

2 mins
4.26 MB

Delegating OpenProcess() via ApiReeKall

43 mins
193 MB

Mokosh-compatibile COFF

16 mins
89.8 MB

Summary

Your Feedback

Closing words

2 mins
4.05 MB

Instructor: reenz0h

Chief Research Officer at SEKTOR7. In the industry for over 20 years. Worked in global Red Team for almost a decade. Simulated threat actors targeting IT infrastructure across various industries (financial, technology, industrial, energy, aviation) around the world. Speaker at HackCon, PWNing, WTH@ck, Sec-T, T2, DeepSec. Gave guest lectures at several military and civil academies and universities.

Founder of x33fcon security conference
and SEKTOR7 offensive research company

X Youtube Website

FAQs

Why malware development?

So-called malware development in the context of legal security testing is also known as offensive security tool (OST) development or Offensive Coding. The goal is to teach all cybersecurity professionals, both red and blue teams, to use this knowledge to better understand how real threat actors operate and use different techniques (TTP). This approach should significantly improve the skillset of offensive and defensive teams in testing and securing the production environments of their customers and employers in the long run.

How long is the course?

All videos are about 7h long.

What language is used in the course?

All videos, text and materials are in English.

Is it on-line course only?

The course is composed of 2 types of materials. Videos, which are available on-line only, and virtual machine with source code templates, which can be downloaded and stored on your computer, so you can access it later off-line.
In case of video download attempts, access to the content will be revoked.

How long is the course available after purchase?

After you purchase the course, you have access to all the videos and materials for 365 days. You can learn whenever you want, the content will always await for you within that time frame.
Moreover, any updates to the course materials (ie. new modules, new videos, new files, etc.) will also be available for anyone who purchased the course without any extra charge.

Do I have to be an expert in C language or Intel assembly?

No. Although some level of experience in C programming and Intel assembly reading is required, you don't have to be an expert in this field. Basic knowledge about the syntax, data structures and function calling convention is enough during the course.
For refresher check these resources:

How can I get an invoice?

You can get an invoice after you purchase the course.

After logging into your account, first go to Settings and edit Address (including business details like company name and tax ID). Then save and go to Billing and just download the invoice.

How to change VAT rate?

When you are registering in the course, you can choose VAT rate appropriate for your country (if you are from EU). After you supply your email, the system will present you a price with suggested VAT rate, and, if a tax rate is inappropriate or you do not qualify for VAT because of your tax residence, adjust the rate by clicking on update and chose your country of residence.

Can I get a Certificate of Completion?

When the course is finished, Certificate of Completion will be generated automatically. The notification email will be send with CoC access details.
To include your name on the certificate, please provide your first and last name in your profile Settings.

Can I share my account with others?

Unfortunately, we consider this unfair and therefore it is prohibited. We try to keep our prices affordable so that the course can reach as many students as possible.

Legal Disclaimer

All the materials are for educational and research purposes only.

Do not attempt to violate the law with anything contained in materials produced by SEKTOR7. Neither administration of this server, the authors of this material, or anyone else affiliated in any way, is going to accept responsibility for your actions.

By using institute.sektor7.net and its contents, you accept that you will only lawfully use it in a test lab – with devices that you own or are allowed to conduct penetration tests for your customers and clients.

Do not abuse this material. Be responsible.