REVIEW: RED TEAM Operator: Malware Development Essentials Course by SEKTOR7 Institute

This is my review of the RED TEAM Operator: Malware Development Essentials course offered by SEKTOR7 Institute. As an affiliate, I make money with qualifying purchases.

Overall, I enjoyed this course as well as SEKTOR7 Institute’s other offerings. When I started this course, I already had experience with C programming on Linux, and limited experience with programming on Windows. I felt that this course was a solid introduction to Windows malware development for someone like me who has limited experience with Windows development.

Here is a video of the course author describing the contents of this course.

If you are interested in a crash course in writing malware for Windows in C, this course offers a fantastic introduction.

This course took me about a week to complete, and a few hours on the weekend to develop the final project. I spent around 16 hours of time total. Additional research done independently as a result of this course provided me with hours of entertainment and learning opportunities. Your mileage may vary depending on how familiar you are with the concepts covered in the course.

Here is a word map derived from the bookmarks I made while working through this course.

What You Will Receive

~3 hours of instruction delivered via a web portal.

Well-commented, easy to understand C source code examples of all of the covered techniques.

A Windows VM with Visual Studio and additional development tools installed.

What is Covered

PE file basics: EXE vs. DLL, tools to examine PE files, structure of PE files, …

Droppers: a few ways to store your payloads inside of an EXE or DLL file.

Obfuscation and encryption: string obfuscation, basic AV evasion, call obfuscation, …

Backdooring PE files.

Basic code injection techniques and tactics.

Final Project

The final project involves developing your own malware dropper program, incorporating the anti-analysis techniques covered in the course.

If this sounds interesting, this course can be purchased here.

If this sounds too basic, there are also other offerings from SEKTOR7 including courses on intermediate malware development, privilege escalation, and my favorite, persistence.

Resources

Here is an alphabetized list of links that I bookmarked which are related to this course.

http://qcd.phys.cmu.edu/QCDcluster/intel/vtune/reference/vc246.htm
http://qcd.phys.cmu.edu/QCDcluster/intel/vtune/reference/vc247.htm
http://qcd.phys.cmu.edu/QCDcluster/intel/vtune/reference/vc267.htm
http://qcd.phys.cmu.edu/QCDcluster/intel/vtune/reference/vc268.htm
https://arxiv.org/pdf/1802.04466.pdf
https://attack.mitre.org/tactics/TA0003/
https://blog.scrt.ch/2020/07/15/engineering-antivirus-evasion-part-ii/
https://blog.scrt.ch/category/antivirus-bypass/
https://dennisbabkin.com/blog/?t=malware-researchers-beware-of-getprocaddress-spoofing
https://docs.microsoft.com/en-us/cpp/build/exporting-from-a-dll?view=msvc-160
https://docs.microsoft.com/en-us/cpp/build/reference/dumpbin-reference?view=msvc-160
https://docs.microsoft.com/en-us/cpp/preprocessor/comment-c-cpp?view=msvc-160
https://docs.microsoft.com/en-us/previous-versions/windows/desktop/mscs/implementing-dllmain
https://docs.microsoft.com/en-us/windows/console/freeconsole
https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulehandlea
https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress
https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya
https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadresource
https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-lockresource
https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-sizeofresource
https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex
https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect
https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createthread
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject
https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot
https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-process32first
https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-process32next
https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-findresourcea
https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winmain
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptcreatehash
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptdecrypt
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptderivekey
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-crypthashdata
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptstringtobinarya
https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messagebox
https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
https://docs.microsoft.com/en-us/windows/win32/devnotes/rtlmovememory
https://docs.microsoft.com/en-us/windows/win32/dlls/dllmain
https://docs.microsoft.com/en-us/windows/win32/dlls/load-time-dynamic-linking
https://docs.microsoft.com/en-us/windows/win32/menurc/resource-compiler
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
https://en.wikipedia.org/wiki/Code_cave
https://en.wikipedia.org/wiki/COFF
https://en.wikipedia.org/wiki/DLL_injection
https://en.wikipedia.org/wiki/Dropper_(malware)
https://en.wikipedia.org/wiki/Dynamic-link_library
https://en.wikipedia.org/wiki/Portable_Executable
https://en.wikipedia.org/wiki/Portable_Executable#/media/File:Portable_Executable_32_bit_Structure_in_SVG_fixed.svg
https://en.wikipedia.org/wiki/Shellcode
https://en.wikipedia.org/wiki/XOR_cipher
https://gist.github.com/caseyscarborough/8467877
https://github.com/biesigrr/pe-loader
https://github.com/corkami/pics
https://github.com/polycone/pe-loader
https://hshrzd.wordpress.com/pe-bear/
https://keystrokes2016.wordpress.com/2016/06/03/pe-file-structure-sections/
https://medium.com/@codingkarma/pe-section-header-injection-using-code-cave-1451912d814c
https://processhacker.sourceforge.io/
https://resources.infosecinstitute.com/topic/2-malware-researchers-handbook-demystifying-pe-file/
https://resources.infosecinstitute.com/topic/using-createremotethread-for-dll-injection-on-windows/
https://visualstudio.microsoft.com/
https://www.codeproject.com/Articles/20240/The-Beginners-Guide-to-Codecaves
https://www.geoffchappell.com/studies/windows/win32/index.htm?tx=49
https://www.geoffchappell.com/studies/windows/win32/kernel32/api/index.htm
https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
https://www.reddit.com/r/Malware/comments/bo68rv/difference_between_a_downloader_malware_and/
https://www.winitor.com/
https://x64dbg.com/#start
http://www.benf.org/other/wumpbin/index.html
