This will be slightly shorter review compared to my others mainly due to the fact that this course doesn’t come with an exam which actually made for a welcome change.

This course will teach you how to develop your own custom offensive security tools for Windows 10. And by custom they mean building a dropper for any payload you want (Metasploit meterpreter, Empire, Cobalt Strike beacons etc.), injecting your shellcodes into remote processes, creating trojan horses and bypassing Windows Defender AV. From the course itself here is the list of topics:

• What is malware development
• What is PE file structure
• Where to store your payload inside PE
• How to encode and encrypt payloads
• How and why obfuscate function calls
• How to backdoor programs
• How to inject your code into remote processes

You are provided with a Virtual Box Windows 10 VM with all the tools pre-installed which is really useful. The other thing to note is that you carry out all your compiling on the command line so you don’t use an IDE. When you have the correct commands built up in history this makes the compilation process very quick and something I enjoyed when I got used to it.

You are also provided code templates for each of the chapters that you can adapt to suit your needs and to add payloads into rather than writing them from scratch each time.

A typical bat file used on the course to compile code contained in implant.cpp which would output the executable to implant.exe would look like this:

@ECHO OFF
cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tcimplant.cpp /link /OUT:Z:\implant.exe /SUBSYSTEM:WINDOWS /MACHINE:x64

You are also provided with Python on the Windows VM to call some python based encryption scripts such as ones to encrypt binary data format using AES or XOR. The way this is achieved is by running it as follows on the command line:

c:\Python27\python.exe .\aesencrypt.py msf.bin
c:\Python27\python.exe -i .\xorencrypt.py msf.bin

Another key aspect of the course is obfuscating the use of variable names that AV would normally focus on (pVirtualProtect, VirtualAlloc etc) as being malware so we also encrypt those and then decrypt them at the moment they are being called which is quite clever.

There were also other jewels of wisdom in the course like hiding the pop up screen that may occur when the executable runs by setting this in the bat file “/SUBSYSTEM:Windows” instead of “/SUBSYSTEM:CONSOLE” which was really handy to know too.

I realise this was just a quick whistle stop tour of the course but I can’t emphasise enough how great the course is.

It helps you build from the ground up useable droppers by hand and including how to hide the various strings caught by AV which is invaluable.

I highly recommend this course as an introduction into the world of Malware Dev for any Offensive Security professionals.