back to List back

on this page

Windows Malware Techniques

price $4,800
T. Roy
5 Days
Malware, Defense
Wed 9 Nov - Mon 14 Nov
  • Stages of attack
  • Payload staging
  • Implant design
  • Event logging
  • Platform mitigations
  • Shellcode generation
  • Shellcode dependencies
  • Function calls and stack layout
  • Compiler generated shellcode
  • Compiler Intrinsics 
  • Module lists 
  • PE header parsing
  • Export table 
  • Import hashing
  • Dynamic exception handlers 
  • Token impersonation
  • UAC bypasses
  • Auto elevation
  • Protected locations
  • Path hijacks 
  • System execution vectors
  • DLL hijacks 
  • DLL shimming
  • COM object hijacks
  • Service hijacks 
  • Execution vectors
  • Injection techniques
  • Reflective loaders
  • WoW64 process injection
  • Evading kernel callbacks 
  • Code caves 
  • Prolog and epilog hooking
  • Import hooking
  • Windows hooks
  • Vectored exception handler hooks
  • C2 communications
  • Network enumeration
  • Attacker infrastructure
  • Redirectors and proxy servers 
  • Beacons and tasking 
  • Protocol tunneling 
  • Self-defense
  • Hostile environment detection
  • Event logging bypass
  • System defenses
  • Security product detection
  • Evasion techniques 

This training teaches the development and detection of Windows post-exploitation techniques at every stage of their execution through a mix of theory, code walkthroughs, instructor led demos and lab exercises.

Hands-on labs are performed on 64-bit Windows 11 so attendees can observe the impact of the latest defenses built into the system and learn how to evade them. In hands-on labs, attendees develop offensive tooling, study their runtime behavior, and observe their forensic footprint in WinDBG, Process Hacker, Windows Event Logs, Sysmon and other SysInternals Tools. Attendees implement working modules using Win32 and native APIs in C/C++ with a dash of 64-bit assembler, to achieve the following capabilities: 

  • Stager shellcode in C/C++ with nifty compiler and linker tricks. 
  • Escalate privilege to migrate to privileged processes.
  • Perform code injection and execution across process boundaries.
  • Remove forensic identifiers from PE files.
  • Code flow subversion through various forms of hooking.
  • Log keystrokes using multiple mechanisms.
  • Persistence and auto-execution vectors that are undetected by AutoRuns.
  • Enumerate networked systems and file shares.
  • Hide C2 infrastructure using redirectors and proxies.
  • Beacon out and receive tasking orders from C2 infrastructure.
  • Exfiltrate data using protocol tunneling.
  • Detect the presence of hostile environment (debugger, sandbox etc.).
  • Subvert Windows event logging.
  • Detect and bypass anti-malware hooks.

This is an intermediate level course which requires attendees to be fluent in C/C++ programming, have a good knowledge of Windows internals and Win32 APIs and be able to use the Windows debugger (WinDBG) to debug Windows user mode modules.

Students should bring laptop with the below requirements: 

  • Virtualization capable CPU(s) 
  • Minimum 8GB of RAM (for running one guest VM)
  • Minimum 100 GB free disk space
  • Working Wireless LAN

Software Requirements:

  • Host OS Windows 10 or Windows 11 64-bit
  • Visual Studio (Community+) and SDK OR Enterprise Windows WDK (EWDK)
  • WinDBG Preview
  • SysInternals Tools
  • VMware Workstation Player 16 [Pre-configured VM will be provided]
  • Guest OS Windows 11 64-bit (will be provided)
  • All other software and tools will be provided by the instructor.

What Students Will Be Provided With

  • A printed copy of course material and lab manual.
  • WinDBG malware analysis cheat sheet.
  • Tons of modular and well-commented source code for building offensive tools.
  • Detailed solutions and explanations for all hands-on labs.
  • Pre-configured VMware VM running Windows 11 64-bit
Who Should Take This Course:
  • Security Researchers
  • Red/Blue/Purple Teamers
  • Penetration Testers
  • Malware Analysts
  • Threat Hunters
  • Anyone responsible for developing offensive tooling or defending against modern Windows malware and post exploitation techniques.