ＨｉｄｅＺｅｒｏＯｎｅ

The RED TEAM Operator: Malware Development Advanced – Vol. 2 is an in-depth, hands-on course focused on advanced Windows kernel malware development techniques, expanding on the concepts from Vol. 1. Over 42 video lessons, learners explore topics such as direct kernel object manipulation (DKOM), privilege escalation via token manipulation, kernel-level process protection, ETW tampering, and removing kernel callbacks, as well as identifying and bypassing vulnerable driver blocklists. The program includes a ready-to-use VM image, complete source code templates, transcripts, and supplementary materials, all accessible for 365 days. Designed for skilled C/C++ programmers with solid Windows and OS architecture knowledge, this course is ideal for ethical hackers, red and blue team professionals, and security researchers aiming to master advanced offensive techniques at the kernel level.

This course is designed to provide a comprehensive foundation for anyone interested in learning malware development. The primary objective is clear yet impactful: bypassing Windows Defender by creating a fully functional shellcode loader using the Go programming language. By the end of this course, you will have the essential knowledge and skills to build on, setting the stage for further exploration into offensive security and advanced malware techniques.

We begin by exploring the Windows API, a critical toolkit for low-level interaction with the Windows operating system. You’ll learn how to use these APIs to execute shellcode, allocate memory, and create loaders. Each step is broken down into practical, hands-on lessons that demonstrate how simple Go code can evolve into a powerful executable capable of manipulating and navigating the Windows environment.

User mode malware on Windows is ubiquitous and custom user mode implants are used regularly in red-team engagements. Knowledge of the latest malware techniques helps red teamers improve their custom tooling, malware analysts in taking apart malware, and anti-malware solution developers in designing behavioral solutions to detect malicious activity. The common theme amongst all Windows malware and implants is that they abuse the facilities provided by the Windows platform to achieve their objectives. Knowledge of the rich set of Windows APIs, understanding their usage in various stages of an implant, and leveraging them to detect and bypass various defenses in the system is essential for red and blue teamers. This training course takes attendees through a practical journey with a hands-on approach to teach them about the post-exploitation techniques used by PE file-based implants at every stage of their execution. Beneficial to both the offensive and the defensive side of the camp, the knowledge and hands-on experience gained in this training will help attendees with real-world red teaming engagements and in defending against both custom advanced persistent threat (APT) tooling and common-off-the-shelf (COTS) malware. Attendees will learn about how malware and implants interact with the latest version of Windows and how the different stages of malware abuse and exploit various components of Windows OS to achieve their goals and evade defenses.

Advanced offensive security tool (OST) development topics for Windows user land only, including: hidden data storage, rootkit techniques, finding privileged objects in system memory, detecting new process creation, generating and handling exceptions, building COFFs and custom RPC-like instrumentation, and more.

• playing with Process Environment Blocks and implementing our own function address resolution
• more advanced code injection techniques
• understanding how reflective binaries work and building custom reflective DLLs, either with source or binary only
• in-memory hooking, capturing execution flow to block, monitor or evade functions of interest
• grasping 32- and 64-bit processing and performing migrations between x86 and x64 processes
• discussing inter process communication and how to control execution of multiple payloads

Are you a pen tester having some experience with Metasploit or Empire frameworks? Or maybe you take your first steps as an ethical hacker and you want to know more about how all these offensive tools work? Or you are a blue teamer or threat hunter who needs to better understand the internal workings of malware? This course will provide you the answers you’re looking for. It will teach you how to develop your own custom offensive security tool (OST) for latest Microsoft Windows 10. And by custom OTA we mean building a dropper for any payload you want (Metasploit meterpreter, Empire or Cobalt Strike beacons, etc.), injecting your shellcodes into remote processes, creating trojan horses (backdooring existing software) and bypassing Windows Defender AV. You will receive a virtual machine with complete environment for developing and testing your software, and a set of source code templates which will allow you to focus on understanding the essential mechanisms instead of less important technical aspects of implementation.