RED TEAM Operator: Malware Development Advanced - Vol.1
Intro and Setup
Course Introduction
Development VM Setup
RTO-MalDev3.ova
MDA.zip
Filesystem corners
Timestomping
Alternate Data Streams - Introduction
Alternate Data Streams - Implementation
Registry Hives - Introduction
Registry Hives - Implementation
EAs - Introduction
EAs - Implementation
Objects Enumeration in Memory
Processes - classic method
Processes - Win API alternatives
Processes - Native API alternatives
Modules - classic method and alternatives
Handles (tokens, process, thread, etc.)
Finding .NET
Global Hooks
WMI Monitor - Introduction
WMI Monitor - Implementation
SetWindowsHookEx - Introduction
SetWindowsHookEx - Implementation
AppInit Infrastructure - Introduction
AppInit Infrastructure - Implementation
Userland Rootkit Tech
Introduction and Demo
Implementation
Process Environment Block Manipulations
Parameters
Module Lists
No-patch Hooking
Guard Pages - Introduction
Guard Pages - Implementation
Hardware Breakpoints - Introduction
Hardware Breakpoints - Implementation
Process Memory Hiding
Gargoyle and family
Ekko
NinjaGuard - Ninjasploit behind Guard Pages
NinjaGuard - Implementation
MapBlinker
HWBlinker - Ninjasploit+MapBlinker+HWBP offspring
Custom "RPC"
RtlRemoteCall - Introduction
RtlRemoteCall - Demo
ApiReeKall - calling any API in remote process
Common Object File Format
CaFeBiBa - COFF object parser
Mokosh - MSVC COFF object loader
Building custom COFF objects
Custom Project
Objectives and Design
Delegating OpenProcess() via ApiReeKall
Mokosh-compatible COFF
Summary
Closing words
Userland Rootkit Tech
2 Lessons
Introduction and Demo
Implementation