Malware On Steroids
Slots Available for this year:
| 31st March 2025 - 3rd April 2025 - 7 AM UK | 4 days | 6-7 hours per day (Interactive/Online) | 2500 US$ |
What To Expect
The Malware On Steroids is the first course which is dedicated to building your own C2 Infrastructure and Payload. There are a lot of courses which focus on exploitation, reversing and other offensive stuff, but none of them focus on how you can build your own Command & Control Infra. This course focuses on a brief introduction towards Windows Internals followed by a full hands-on course on building a Command & Control architecture with different types of Initial Access payloads.
During the course, you will learn the core fundamentals of a Malware Lifecycle such as initial access, in-memory evasions, different types of payload injections including but not limited to reflective DLLs, shellcode injection, COFF injections and more. You will learn to build different types of remote access tools running over different protocols which we will later convert to in-memory modules that can be injected to any process. We will also write dropper and stagers in x64 Assembly, C and different LOLbins which will connect back to our CnC to extract the second stage and load it into memory for execution.
The below figure highlights a brief overview on the focus area of the training session.
Training Content
The total course duration are 4 days Online Interactive training sessions over Google Meet. Virtual environments such as Active Directory Lab/C2 access/Domain access will be provided where necessary. A detailed information on the training content can be found below:
----------------------------------------
> DAY I
----------------------------------------
Day 1
▪ Workshop Overview
▪ Development Environment Setup
- Introduction to compilers and Mingw GCC
- Introduction to NASM (Netwide Assembler)
- GCC flag optimization, makefiles and automation
- Visual Code configuration
▪ Windows Internals
- Process and thread internals
◦ Thread environment block
◦ Process environment block
◦ Windows loader structure
- EPROCESS and KPROCESS blocks
- LDR Table and doubly linked lists
◦ Debugging process internals with windbg
- Introduction to windbg commands
- Configuring symbols with windbg
- Debugging windows internals structure
◦ Windows memory analysis
- System programming
◦ An overview of windows PE structure
◦ Introduction to winapi
◦ Windows access tokens
◦ System enumeration, user and token enumeration with winapi
◦ Enumerating processes and process information
- Debugging with x64dbg
◦ x64dbg symbols for system dlls
◦ Introduction to x64 intel assembly
◦ Volatile v/s non-volatile registers
◦ Understanding the stack frame
◦ Fastcalls in x64 assembly
◦ Tracing and reversing WinAPI calls
- Command and control architecture
◦ Malware lifecycle
◦ Staging architecture
◦ Windows socket programming
- TCP reverse shell pivoting
- TCP bind shell pivoting
◦ SMB reverse shell pivoting
- Buffer redirection with anonymous pipes
- Named pipe lateral movement
◦ Custom fully working Opsec PsExec
----------------------------------------
> DAY II
----------------------------------------
▪ Process Injection Techniques
- Local and remote shellcode injection
- Asynchronous procedure calls
- Callback and fiber injections
- Thread address spoofing
- ROP Injection
▪ Intricacies Of PE & DLL Structures
- Static v/s dynamic DLL linking
- Analyzing PE structures
◦ PE/COFF header
◦ Exploring PE internals with various tools
◦ Analyzing EAT and IAT
◦ Analyzing other PE sections
◦ Stephen Fewer's reflective DLL limitations
◦ Evading userland and PEB hooks
- PE injection techniques
◦ Reflective PE (exe) injection
◦ Hooking command-line arguments for PE injection
◦ Reflective DLL injection
◦ String hashing algorithms
◦ Reflective DLL limitations
◦ Exploring VA, RVA and File Offsets
◦ Static v/s Dynamic Addresses
- Building an evasive reflective loader
◦ Section remapping
◦ DLL spoofing
◦ Hiding threads for evasion
◦ Thread spoofing techniques
----------------------------------------
> DAY III
----------------------------------------
▪ NTAPI v/s Syscalls
▪ Windows System Calls
- Direct system calls (syscalls)
- Finding syscalls dynamically
- Indirect syscalls
- Stack detection and evasion for syscalls
- Syscall detection and evasions
◦ Rop gadgets and clean stack
◦ Dealing with CFG/Control Flow Guard
◦ Function callbacks and clean stack
▪ Windows API Hooks For Detection and Evasion
- Userland DLL callbacks
- Syscall hooks
- IAT hooks
- Trampoline hooks
- Vectored exception handling hooks
- Hardware breakpoints hooks
- Reversing and weaponizing edr userland hooks
- Other evasive techniques for evading userland hooks
▪ Upadting Reflective Loader For Evasion
----------------------------------------
> DAY IV
----------------------------------------
▪ Writing X64 Position Independent Shellcodes
- Walking the PEB structure
- Writing position independent code
- Dynamic resolutions for shellcode
- Accessing global variables in shellcode
- Shellcode stack analysis
- Fastcalling your shellcode
▪ Building Stage Zero
- Writing a position independent stage zero shellcode loader
- Writing staging server in python3
- Environmental keying, evasion and malleability
▪ Return Address Spoofing
▪ Manual Thread Stack Frame Building
▪ OpSec Considerations
Certification
Dark Vortex provides Certificate Of Completion for every completed course. This certificate may be verified by contacting paranoidninja@0xdarkvortex.dev using the enrolment ID from the given certificate.
Prerequisites
The course is highly practical in nature and involves a lot of programming in C/C++ and Python3, reverse engineering in windbg/x64dbg. Its important to have a good grasp of the below fundamentals before approaching the course.
- Basic Understanding of operating system architecture
- Fundamental knowledge of programming with C/C++/Python3
- Familiarity with programming concepts (pointers, referenceses, addresses, data structures, threads, processes)
- Strong will to learn and creative mindset.
System Requirements
During the course, we will be working with different virtual machines which will involve cloning, creating, and snapshots and several other hands-on exercises. A properly configured system is extremely important to fully utilize the benefits of the training session. We strongly request you to have fully configured system which meets the below requirements for the course. All the requirements mentioned below are either freely available or open source.
- Windows 10 (Virtual Machine)
- A laptop with atleast 16GB RAM to support 2 VMs running at the same time.
- VMware/VirtualBox installed
- Good Internet Connectivity
- Visual Studio with C/C++/C# packages installed
- Visual Code/Editor of your choice
- x64dbg
- CFF Explorer
- Sysinternals Tookit
- Process Hacker
- MS Office (Trial version is enough)
- Kali Linux/Ubuntu 20.04 (Virtual Machine)
- VS Code
- Mingw-w64
- Python3
- Nasm
- Wireshark
NOTE: Make sure you have a snapshot of each virtual machine before you start the class, just in case you have to revert everything back to stock if your Virtual Machine crashes during the training.
Course Fees
Malware On Steroids | 4 days (Interactive/Online)
At the end of the course, you will receive a Completion of Certificate and all the training materials including course PDFs/slides, content materials, source code for payloads and a python3 C2 built during your training program.
$2500 USD
*Inclusive of taxes and certification
We conduct live training sessions which are conducted remotely and do not contain pre-recorded videos. For enquiries on training programs or other services, reach us at paranoidninja@0xdarkvortex.dev