REVIEW: RED TEAM Operator: Malware Development Intermediate Course by SEKTOR7 Institute

This is my review of the RED TEAM Operator: Malware Development Intermediate Course offered by SEKTOR7 Institute. As an affiliate, I make money with qualifying purchases.

Malware Development Intermediate provides a continuation of the material learned in RED TEAM Operator: Malware Development Essentials.

You will learn about:

  • Variations of the code injection techniques learned in the Essentials course
  • How to implement GetProcAddress and GetModuleHandle to evade antivirus and EDR heuristics
  • How to hide suspicious imports
  • Reflective DLL Injection
  • Heaven’s Gate
  • Various methods to hook API calls
  • How to utilize IPC to ensure only one copy of your malware is running on a host at any given time

Although this is not an all-encompassing, definitive course on this subject, you will be provided with a solid foundational knowledge of how malware is implemented on Windows systems.

Going into this course, I already knew of most of these techniques, but haven’t explored them in depth. Most of my experience is from working on *nix systems. I felt that the courses from SEKTOR7 really helped me get familiarized with Windows malware.

I recommend this course as well as the Essentials course to anyone who has a fair amount of programming experience and is interested in Windows malware. You will probably have a hard time following along with this course if you do not understand the basics of C programming.

This course took me roughly 18 hours to work through and left me with a backlog of papers and articles to read, so I feel that it was worth the price of $229.

What’s Included

  • ~6 1/2 hours of on-demand video
  • 7 assignments
  • Zip file containing example C code
  • A Windows virtual machine with all of the tools required to work through this course pre-installed

Final Project

The final project involved writing a password stealer for a popular disk encryption program. The instructor walks through the process of getting the password stealer working, and suggests making a handful of enhancements to this malware for self-study.

Resources

Links to bookmarks made while working through this course:

http://blog.omega-prime.co.uk/2011/07/04/everything-you-never-wanted-to-know-about-dlls/
http://pinvoke.net/default.aspx/Structures.IMAGE_EXPORT_DIRECTORY
http://pinvoke.net/default.aspx/Structures/IMAGE_IMPORT_DESCRIPTOR.html
https://0x00sec.org/t/reflective-dll-injection/3080
http://sandsprite.com/CodeStuff/Understanding_imports.html
https://attack.mitre.org/techniques/T1055/003/
https://bsodtutorials.wordpress.com/2014/03/02/import-address-tables-and-export-address-tables/
https://docs.microsoft.com/en-us/cpp/build/exporting-functions-from-a-dll-by-ordinal-rather-than-by-name?view=msvc-160
https://docs.microsoft.com/en-us/cpp/build/reference/dumpbin-options?view=msvc-160
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/-peb
https://docs.microsoft.com/en-us/windows/win32/api/dbghelp/nf-dbghelp-imagedirectoryentrytodata
https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getthreadcontext
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openthread
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-queueuserapc
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadcontext
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-suspendthread
https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createeventa
https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createmutexa
https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-process32first
https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-process32next
https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea
https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createsemaphorea
https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-teb
https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messagebox
https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
https://docs.microsoft.com/en-us/windows/win32/procthread/process-creation-flags
https://docs.microsoft.com/en-us/windows/win32/sync/asynchronous-procedure-calls
https://docs.microsoft.com/en-us/windows/win32/winprog64/wow64-implementation-details
https://en.wikipedia.org/wiki/Doubly_linked_list
https://en.wikipedia.org/wiki/Process_Environment_Block
https://en.wikipedia.org/wiki/Relocation_(computing)
https://en.wikipedia.org/wiki/Thunk
https://en.wikipedia.org/wiki/Win32_Thread_Information_Block
https://en.wikipedia.org/wiki/WoW64
https://gist.github.com/Cr4sh/76b66b612a5d1dc2c614
https://github.com/0x09AL/RdpThief
https://github.com/3gstudent/Inject-dll-by-APC/blob/master/NtCreateThreadEx.cpp
https://github.com/arbiter34/GetProcAddress
https://github.com/darkspik3/Valhalla-ezines/blob/master/Valhalla%20%231/articles/HEAVEN.TXT
https://github.com/hasherezade/pe-bear-releases
https://github.com/microsoft/Detours/
https://github.com/microsoft/Detours/wiki/DetourAttach
https://github.com/microsoft/Detours/wiki/DetourTransactionBegin
https://github.com/microsoft/Detours/wiki/DetourTransactionCommit
https://github.com/microsoft/Detours/wiki/DetourUpdateThread
https://github.com/monoxgas/sRDI
https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/migrate/executex64.asm
https://github.com/stephenfewer/ReflectiveDLLInjection
https://idafchev.github.io/exploit/2017/09/26/writing_windows_shellcode.html
https://ivanlef0u.fr/repo/madchat/vxdevl/papers/winsys/pefile/pefile.htm
https://malwology.com/2018/10/05/exploring-the-pe-file-format-via-imports/
https://medium.com/@fsx30/hooking-heavens-gate-a-wow64-hooking-technique-5235e1aeed73
https://posts.specterops.io/the-curious-case-of-queueuserapc-3f62e966d2cb
https://pypi.org/project/pefile/
https://relearex.wordpress.com/2017/12/26/hooking-series-part-i-import-address-table-hooking/
https://tech-zealots.com/malware-analysis/journey-towards-import-address-table-of-an-executable-file/
https://www.andreafortuna.org/2017/12/08/what-is-reflective-dll-injection-and-how-can-be-detected/
https://www.apriorit.com/dev-blog/160-apihooks
https://www.exploit-db.com/docs/english/13007-reflective-dll-injection.pdf
https://www.fireeye.com/blog/threat-research/2020/11/wow64-subsystem-internals-and-hooking-techniques.html
https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection
https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++
https://www.ired.team/offensive-security/code-injection-process-injection/import-adress-table-iat-hooking
https://www.ired.team/offensive-security/code-injection-process-injection/injecting-to-remote-process-via-thread-hijacking
https://www.ired.team/offensive-security/code-injection-process-injection/ntcreatesection-+-ntmapviewofsection-code-injection
https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection
https://www.ired.team/offensive-security/code-injection-process-injection/reflective-shellcode-dll-injection
https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-in-a-local-process-with-queueuserapc-and-nttestalert
https://www.malwaretech.com/2014/02/the-0x33-segment-selector-heavens-gate.html
https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/huntusenixnt99.pdf
https://www.netspi.com/blog/technical/adversary-simulation/srdi-shellcode-reflective-dll-injection/
https://www.ragestorm.net/blogs/?p=107
http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FAPC%2FNtTestAlert.html
http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FExecutable%20Images%2FRtlCreateUserThread.html
http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FProcess%2FNtFlushInstructionCache.html
http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FSection%2FNtCreateSection.html
http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FSection%2FNtMapViewOfSection.html
http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FNtCreateThread.html
