For premium & lifetime users
Ghost process injection | Herpaderping process injection | Transacted hollowing | Ghostly hollowing | Herpaderply hollowing
For premium & lifetime users
Threadless injection | Module stomping | Module overloading | Process hollowing
For premium & lifetime users
TLS callbacks for anti-debugging | Utilizing fibers for payload execution | Malware directory placement
For premium & lifetime users
Local PE execution | Reflective DLL injection | PeFluctuation | Building a PE packer
For premium & lifetime users
Introduction to Havoc C&C | Building an evasive DLL payload loader | Introduction to DLL sideloading | Practical DLL sideloading example | DLL sideloading for EDR evasion | Bring your own vulnerable driver (BYOVD)
For premium & lifetime users
Introduction to AMSI | AMSI bypass - byte patching | Patchless AMSI bypass via hardware breakpoints | Building a DRM-equipped malware
For premium & lifetime users
Introduction to ETW | ETW - discovering ETW tools | ETW bypass - byte patching | ETW bypass - improved patching | Patchless ETW bypass via hardware breakpoints | ETW provider session hijacking
For premium & lifetime users
Utilizing hardware breakpoints for hooking (1) | Utilizing hardware breakpoints for hooking (2) | Utilizing hardware breakpoints for credential dumping | Evasion with file bloating | Bring your own protocol handler | Bring your own file extension
For premium & lifetime users
Exploiting EDR for evasion | Thread enumeration via syscall | Custom WinAPI functions | Introduction to MASM assembly | Binary metadata modification | More C fundamentals
The main course syllabus is shown below:
Introduction to the Windows OS | WinAPIs & PE file format (x7) | AV detection mechanisms | Brute forcing key decryption
Payload placement (x3) | Payload encryption (x3) | Payload obfuscation (x4) | Custom-built tools demonstration
Local payload execution | Remote payload execution | Payload staging | Utilizing NtCreateUserProcess
Malware binary signing | Process enumeration (x2) | Thread hijacking (x4) | Block DLL policy
Local APC injection | Remote APC injection | Payload execution via callbacks | Indirect syscalls
Local mapping injection | Remote mapping injection | Local function stomping | Introduction to EDRs
Remote function stomping | Controlling payload execution | PPID spoofing | Hell's Gate update
Command line argument spoofing (x2) | Remote payload execution | Payload staging | Hell's Gate
Parsing PE headers | String hashing & obfuscation | IAT obfuscation (x4) | NTDLL unhooking (x5)
API hooking (x5) | Syscalls (x4) | Reimplementing injection via syscalls (x3) | Building a loader
Anti-debugging methods (x2) | Anti-virtualization methods (x3) | File entropy reduction | CRT library removal | Malware compiling