
MALWARE ON STEROIDS
Malware and C2 Development
Training Program for Windows

A 4-Day Workshop by Chetan Nayak (@ninjaparanoid)

Table Of Contents

Day 1
• Course Overview
• Development VM Setup
◦ Mingw GCC
◦ Netwide Assembler for x64 Assembly (NASM)
◦ Makefiles and Automation
• Command and Control Architecture
◦ Malware Lifecycle
◦ Payload Handler
◦ Staging Architecture
• Windows Internals
◦ Windows OS architecture
◦ Process & Thread Internals
◦ Debugging with Windbg
▪ Thread Environment Block
▪ Process Environment Block
▪ Windows Loader Structure
▪ Introduction and Crash Course to WinDbg
• Windows Memory Protections
• Windows System Programming
• Debugging with x64Dbg
◦ Introduction to x64Dbg
◦ Introduction to x64 Intel Assembly
◦ Understanding x64 Registers and Stack
◦ Function calls in x86 vs x64 Assembly
◦ Hooking and Reversing WinAPIs/NTAPI with x64dbg
◦ Trampoline v/s IAT Hooks
◦ Reversing EDR Trampoline Hooks
◦ Weaponizing Reversed Hooks
◦ Rewriting EDR Hooks

Day 2
• PE & DLL Structure
◦ Building Static and Dynamic DLLs
◦ COFF header
▪ Analyzing PE Structures
• Explorer Suite/CFF Explorer
• Process Hacker
◦ Stephen Fewer’s Reflective DLL Limitations
◦ Building a Custom Reflective DLL Loader
◦ String Hashing Algorithms
◦ Building a Custom Injector for Reflective DLL
◦ Modifying Reflective DLL’s PE Sections in Memory
◦ Allocations to avoid EDR Detections
◦ Hiding Memory Allocations with DLL/PE Image Spoofing
◦ Hiding Thread Creation with Instruction Pointer Spoofing
◦ Using NTAPIs for Reflection Reallocations
◦ Using Syscalls for Reflection Reallocations

Day 3
• Windows Socket Programming
◦ Reverse Shells in C
◦ Bind Shells in C
• Buffer Redirection with Anonymous Pipes
• Named Pipe Lateral Movement
• Windows Access Tokens
• SpyC2 – Building your own CnC in python3, C
and x64 Shellcode
• C2 Weaponization
◦ Building A Persistent Synchronous TCP C2
◦ Building an Asynchronous C2 with HTTP Callbacks
◦ Building Proxy-Aware Payloads
◦ Evading Network Detection & Response Tools for your CnC
◦ C2 Authentication
◦ Comm Encryption
◦ Sleep & Jitter
◦ C2 Round Robins
◦ URI Handling
◦ Payload Logging
◦ CnC Server OpSec Considerations
• Writing Function Pointer Arrays for Dynamic Command Execution in your C2 Payload
◦ Malware Functions
◦ Enumerating and Searching Process
◦ Orthodox Memory Dumping Techniques
▪ MiniDumpWriteDump
▪ PssCreateSnapshot
◦ User Privilege Enumeration
◦ Host Enumeration
◦ Building Pluggable Modules for your Command & Control Server
• Building Reflective Staged Payloads
• Building Reflection Features Inside your Payloads to Load Existing Reflective DLLs as modules.
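The Day 3 items "Writing Function Pointer Arrays for Dynamic Command Execution" and "Building Pluggable Modules" describe the same mechanism: the payload keeps a table of handler function pointers indexed by a command id taken from the C2 message, and a module plugs in by registering a handler under a free slot. The C program below is an added illustration written for this outline; it is not course material from the workshop. The wire format (one id byte followed by the argument), the command ids, the handler names and the hostname value are all assumptions constructed for the example, and the host enumeration handler returns a fixed string so the code runs offline on any platform.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* All handlers share one signature so the dispatcher stays generic:
 * they receive the command argument and write a reply into out. */
typedef int (*cmd_handler_t)(const char *arg, char *out, size_t outlen);

#define CMD_MAX 16      /* number of slots in the dispatch table (assumed) */
#define ARG_MAX 256     /* longest argument the payload accepts (assumed) */

static unsigned long g_sleep_ms = 5000;   /* beacon interval, changed by CMD_SLEEP */
static char g_reply[128];                 /* reply buffer sent back to the server */

static int cmd_echo(const char *arg, char *out, size_t outlen) {
    snprintf(out, outlen, "echo:%s", arg);
    return 0;
}

/* Host enumeration stand-in: constructed value so the example runs offline;
 * a real payload would call GetComputerNameA or similar here. */
static int cmd_hostname(const char *arg, char *out, size_t outlen) {
    (void)arg;
    snprintf(out, outlen, "hostname:%s", "WORKSTATION-01");
    return 0;
}

/* Sleep command: validate the interval instead of trusting the server,
 * so a malformed argument cannot put the beacon into a tight loop. */
static int cmd_sleep(const char *arg, char *out, size_t outlen) {
    char *end = NULL;
    unsigned long ms = strtoul(arg, &end, 10);
    if (arg[0] == '\0' || *end != '\0' || ms == 0 || ms > 86400000UL) {
        snprintf(out, outlen, "sleep:invalid");
        return -1;
    }
    g_sleep_ms = ms;
    snprintf(out, outlen, "sleep:%lu", ms);
    return 0;
}

/* Example pluggable module handler (constructed); registered at runtime. */
static int mod_whoami(const char *arg, char *out, size_t outlen) {
    (void)arg;
    snprintf(out, outlen, "whoami:%s", "WORKSTATION-01\\operator");
    return 0;
}

enum { CMD_ECHO = 0, CMD_HOSTNAME = 1, CMD_SLEEP = 2 };

/* The table is indexed directly by the id byte from the wire.
 * Unused slots stay NULL until a module registers into them. */
static cmd_handler_t cmd_table[CMD_MAX] = {
    [CMD_ECHO]     = cmd_echo,
    [CMD_HOSTNAME] = cmd_hostname,
    [CMD_SLEEP]    = cmd_sleep,
};

/* Module registration: refuses out-of-range ids and never overwrites a
 * slot that is already populated. */
int register_cmd(uint8_t id, cmd_handler_t handler) {
    if (id >= CMD_MAX || handler == NULL || cmd_table[id] != NULL) return -1;
    cmd_table[id] = handler;
    return 0;
}

/* Message layout (assumed): byte 0 is the command id, the rest is the
 * argument. The id is bounds-checked before it is used as an index;
 * without that check a hostile server could make the payload call
 * through whatever lies past the end of the table. */
int dispatch(const uint8_t *msg, size_t len, char *out, size_t outlen) {
    char arg[ARG_MAX];
    if (msg == NULL || len < 1 || out == NULL || outlen == 0) return -1;
    uint8_t id = msg[0];
    if (id >= CMD_MAX || cmd_table[id] == NULL) {
        snprintf(out, outlen, "unknown:%u", (unsigned)id);
        return -1;
    }
    size_t alen = len - 1;
    if (alen >= sizeof arg) alen = sizeof arg - 1;   /* truncate, never overflow */
    memcpy(arg, msg + 1, alen);
    arg[alen] = '\0';
    return cmd_table[id](arg, out, outlen);
}

/* Convenience wrappers: handle one message into the shared reply buffer. */
int handle_message(const uint8_t *msg, size_t len) {
    return dispatch(msg, len, g_reply, sizeof g_reply);
}
const char *last_reply(void) { return g_reply; }
unsigned long current_sleep_ms(void) { return g_sleep_ms; }

int main(void) {
    register_cmd(3, mod_whoami);                 /* module plugs into slot 3 */
    handle_message((const uint8_t *)"\x00hi", 3);        puts(last_reply());
    handle_message((const uint8_t *)"\x02" "1500", 5);   puts(last_reply());
    handle_message((const uint8_t *)"\x03", 1);          puts(last_reply());
    handle_message((const uint8_t *)"\x09", 1);          puts(last_reply());
    return 0;
}
```

The point of the table is that adding a command never touches the receive loop: a new handler and a registration call are the whole change, which is what makes modules loadable after the payload is built. The bounds check in `dispatch` and the refusal to overwrite a populated slot are the two checks worth keeping when the real transport and loader are substituted in.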

Day 4
• Basic Process Injections
◦ Shellcode Injection
◦ Remote Threads
◦ In-Memory File and Section mapping
◦ Asynchronous Procedure Calls
◦ PE/DLL Stomping
• X64 Position Independent Shellcoding
◦ Walking PEB and hunting kernel32.dll, ntdll.dll, kernelbase.dll
◦ Position Independent Code in C
◦ Shellcode Stack alignment
◦ Writing a custom GetProcAddress in C
◦ Finding Syscalls Dynamically (on-the-fly)
◦ Extracting Shellcode from PIC
◦ Passing arguments to your shellcode
◦ In-Memory Object File Execution
◦ Thread Stack Spoofing
◦ Thread Start Address Spoofing
◦ Writing Stage Zero x64 Shellcode
◦ Writing Stage Server in Python3
• Process Heap Encryption
• Shellcode Encryption with RC4
• OpSec Considerations
Target Audience
• Red Team members
• Penetration Testers
• Blue Teamers
• Threat Hunters

This intense four-day workshop is designed for security professionals who want to enhance their skills by digging deeper than the usual Red Team engagement. The course gives a brief introduction to Windows internals and how to manipulate them for offensive tasks. You will learn to build your own Command and Control Centre and different types of payloads supporting code injection, droppers and stagers, written in ASM and C.

Requirements
• A laptop with 16GB RAM to support 2 VMs running at the same time.
• Basic understanding of operating system architecture
• Basic understanding of programming concepts
• Experience with or knowledge of pointers and addresses in C and multi-threading/processing in Python3
• Strong will to learn and creative mindset.

What you get in the end

• 4 days of rigorous workshop
• Course PDF and content materials
• Source code for payloads and a python3 C2 built during the workshop

For any queries, contact paranoidninja@0xdarkvortex.dev
