Anony
Administrator

Malware On Steroids
A Malware Development Training Program for Windows

Table of Contents

Day 1
• Course Overview
• Development VM Setup
• Command and Control Architecture
• Malware Lifecycle
• Payload Handling and Stage Architecture
• Windows Internals
• Windows OS architecture
• Process & Thread Internals
• Debugging with Windbg
▪ Process Environment Block
▪ Thread Environment Block
▪ Windows Loader Structure
▪ Introduction and Crash Course to WinDbg
• Windows Memory Protections
• Windows System Programming
• Windows Access Security Tokens
▪ Enumerating Privileges from Tokens
▪ Special Token Privileges
• PE & DLL Structure
• COFF header
• Stephen Fewer’s Reflective DLL Limitations
• Building a Reflective DLL Loader from Scratch
• Building a Custom Injector for Reflective DLL injections from Scratch
• Modifying Reflective DLL’s PE Sections and Memory Allocations to avoid EDR Detections
• Hiding Memory Allocations with DLL/PE Image Spoofing
• Hiding Thread Creation with Instruction Pointer Spoofing

Day 2
• Windows Socket Programming
• Reverse Shells in C
• Bind Shells in C
• Buffer Redirection with Anonymous Pipes
• Named Pipe Lateral Movement
• SpyC2 – Building your own CnC in python3, C and x64 Shellcode
• Adding Features to your C2
• Building A Persistent Synchronous TCP C2
• Building an Asynchronous C2 with HTTP Callbacks
• Building Proxy-Aware Payloads
• Evading Network Detection & Response Tools for your CnC
• C2 Authentication
• Comm Encryption
• Sleep & Jitter
• C2 Round Robins
• URI Handling
• SMB Pivoting
• Payload Logging
• Spoofing Frontend for your CnC Server
• Writing Function Pointer Arrays for Dynamic Command Execution in your C2 Payload
• Malware Functions
• Enumerating Processes
• Memory Dumping Techniques
▪ MiniDumpWriteDump
▪ PssCreateSnapshot
• Privilege Enumeration
• Host Enumeration
• Building Pluggable Modules for your Command & Control Server
• Building Reflective Staged Payloads
• Building Reflection Features Inside your Payloads to Load Existing Reflective DLLs as Modules
• Process Injections
• Reflective DLL Injection
• Shellcode Injection
• Remote Threads
• In-Memory File and Section mapping
• Asynchronous Procedure Calls
• Injection Evasion Tactics
• Hiding Memory Artefacts

Day 3
• X64 Shellcoding
• Introduction to x64 Intel Assembly
• Walking PEB and hunting kernel32.dll
• Position Independent Code in C
• Extracting Shellcode from PIC
• In-Memory Object File Execution
• Writing Stage Zero x64 Shellcode and HTTP Stage-Server for Serving Initial Access Payloads
• Writing Excel 4 Macros for Initial Foothold
• Droppers and Stagers
• Initial Access with LOLBins
• MS Build, MWC Executions
• Bit-flipping Signed Executables to Evade Generic EDR detections
• Unhooking and Patching EDR Instructions in Memory with Syscalls to avoid Detections
• Sandbox Evasion & Anti-debugging Techniques
• Code Obfuscation
• Dynamic Library Calls
• Obfuscating Shellcode and DLL Calls
• Encrypting Your Payloads with RC4 Encryption
• AMSI Evasion
• Named Pipe Executions
• Building your own PS Exec in C
• OPSEC Considerations
Download: