RED TEAM Operator: Malware Development Advanced - Vol.1
- Buy now
- Learn more
Intro and Setup

Course Introduction
Development VM Setup
RTO-MalDev3.ova
MDA.zip
Filesystem corners

Timestomping
Alternate Data Streams - Introduction
Alternate Data Streams - Implementation
Registry Hives - Introduction
Registry Hives - Implementation
EAs - Introduction
EAs - Implementation
Objects Enumeration in Memory

Processes - classic method
Processes - Win API alternatives
Processes - Native API alternatives
Modules - classic method and alternatives
Handles (tokens, process, thread, etc.)
Finding .NET
Global Hooks

WMI Monitor - Introduction
WMI Monitor - Implementation
SetWindowsHookEx - Introduction
SetWindowsHookEx - Implementation
AppInit Infrastructure - Introduction
AppInit Infrastructure - Implementation
Userland Rootkit Tech

Introduction and Demo
Implementation
Process Environment Block Manipulations

Parameters
Module Lists
No-patch Hooking

Guard Pages - Introduction
Guard Pages - Implementation
Hardware Breakpoints - Introduction
Hardware Breakpoints - Implementation
Process Memory Hiding

Gargoyle and family
Ekko
NinjaGuard - Ninjasploit behind Guard Pages
NinjaGuard - Implementation
MapBlinker
HWBlinker - Ninjasploit+MapBlinker+HWBP offspring
Custom "RPC"

RtlRemoteCall - Introduction
RtlRemoteCall - Demo
ApiReeKall - calling any API in remote process
Common Object File Format

CaFeBiBa - COFF object parser
Mokosh - MSVC COFF object loader
Building custom COFF objects
Custom Project

Objectives and Design
Delegating OpenProcess() via ApiReeKall
Mokosh-compatibile COFF
Summary

Closing words

RED TEAM Operator: Malware Development Advanced - Vol.1

Advanced offensive security tool (OST) development topics for Windows user land only, including: hidden data storage, rootkit techniques, finding privileged objects in system memory, detecting new process creation, generating and handling exceptions, building COFFs and custom RPC-like instrumentation, and more.