
Offensive Windows development (intermediate level, 5 days)

Description

Nowadays, AVs and EDRs aggressively inspect newly created processes for signs of intrusion, and Windows itself ships a growing number of recently introduced countermeasures (AppContainer, Protected Processes, AMSI). This is why a pentester increasingly needs to be able to build custom intrusion tooling on Windows in order to stay under the radar of security products during red team engagements.

During this training, students learn to use low-level Windows APIs to perform, on the target system, operations that security products consider hostile, while keeping a low profile. They also learn to use standard system diagnostic tools, such as a user-mode debugger, to troubleshoot the problems inherent in developing intrusion tools. Finally, they are introduced to the Windows security model and to how the user-mode side of the operating system is architected.

  • 5 days (35 hours)

  • 8 h of lectures / 27 h of hands-on labs

Public and prerequisites

This intermediate-level course is designed for:

  • Pentesters

  • Windows developers

  • Security teams

Good knowledge of C and a sound understanding of its memory model (pointers, stack and heap) are recommended.

Content

Day 1

Presentation of the lab environment. Introduction to the PE format and to Windows diagnostic tools; basic use of a debugger (x64dbg and WinDbg).
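The first thing a Day 1 student meets is the PE header chain (DOS header, e_lfanew, "PE\0\0" signature, COFF header, optional header, section table). As an added example that is not part of the course material, the C program below walks that chain with every read bounds-checked against the buffer length, which is the discipline you need when the file you parse is untrusted. The sample image it parses is constructed inline (a bare PE32+ header with two sections and no code); field offsets and constants are taken from the PE/COFF specification, and the names parse_pe and build_sample_image are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constants from the PE/COFF specification. */
#define DOS_MAGIC           0x5A4D       /* "MZ" */
#define PE_SIGNATURE        0x00004550   /* "PE\0\0" */
#define COFF_HEADER_SIZE    20
#define SECTION_HEADER_SIZE 40
#define OPT_MAGIC_PE32      0x10B
#define OPT_MAGIC_PE32PLUS  0x20B
#define MAX_SECTIONS        96           /* the Windows loader rejects images with more */

struct pe_info {
    uint16_t machine, num_sections, opt_magic, opt_size;
    uint32_t entry_point_rva;
    char     section_names[MAX_SECTIONS][9];   /* 8 bytes on disk + NUL */
    uint32_t section_chars[MAX_SECTIONS];
};

/* PE fields are little-endian regardless of host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xFF; }

/* Parse DOS header, PE signature, COFF header, optional header magic and the
   section table. Returns 0 on success, a negative code on malformed input.
   Every read is checked against len first, so a truncated or hostile file
   cannot make the parser read outside the buffer. */
int parse_pe(const uint8_t *buf, size_t len, struct pe_info *out)
{
    if (len < 0x40 || rd16(buf) != DOS_MAGIC) return -1;
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 4 + COFF_HEADER_SIZE) return -2;
    if (rd32(buf + e_lfanew) != PE_SIGNATURE) return -3;

    const uint8_t *coff = buf + e_lfanew + 4;
    out->machine      = rd16(coff + 0);
    out->num_sections = rd16(coff + 2);
    out->opt_size     = rd16(coff + 16);
    if (out->num_sections > MAX_SECTIONS) return -4;

    size_t opt_off = (size_t)e_lfanew + 4 + COFF_HEADER_SIZE;   /* <= len, checked above */
    if (out->opt_size < 24 || len - opt_off < out->opt_size) return -5;
    out->opt_magic = rd16(buf + opt_off);
    if (out->opt_magic != OPT_MAGIC_PE32 && out->opt_magic != OPT_MAGIC_PE32PLUS) return -6;
    out->entry_point_rva = rd32(buf + opt_off + 16);            /* AddressOfEntryPoint */

    size_t sec_off = opt_off + out->opt_size;                   /* <= len, checked above */
    if (len - sec_off < (size_t)out->num_sections * SECTION_HEADER_SIZE) return -7;
    for (uint16_t i = 0; i < out->num_sections; i++) {
        const uint8_t *sh = buf + sec_off + (size_t)i * SECTION_HEADER_SIZE;
        memcpy(out->section_names[i], sh, 8);   /* Name is not NUL-terminated on disk */
        out->section_names[i][8] = '\0';
        out->section_chars[i] = rd32(sh + 36);  /* Characteristics */
    }
    return 0;
}

/* Constructed sample: a minimal PE32+ header with two section headers and no
   code, just enough for the parser. Returns the image size written (408 bytes). */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    const size_t pe_off = 0x40, coff_off = pe_off + 4, opt_off = coff_off + COFF_HEADER_SIZE;
    const uint16_t opt_size = 240;                    /* standard PE32+ optional header size */
    const size_t sec_off = opt_off + opt_size, total = sec_off + 2 * SECTION_HEADER_SIZE;
    if (cap < total) return 0;
    memset(buf, 0, total);
    wr16(buf, DOS_MAGIC);
    wr32(buf + 0x3C, (uint32_t)pe_off);               /* e_lfanew */
    wr32(buf + pe_off, PE_SIGNATURE);
    wr16(buf + coff_off + 0, 0x8664);                 /* IMAGE_FILE_MACHINE_AMD64 */
    wr16(buf + coff_off + 2, 2);                      /* NumberOfSections */
    wr16(buf + coff_off + 16, opt_size);              /* SizeOfOptionalHeader */
    wr16(buf + coff_off + 18, 0x0022);                /* EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE */
    wr16(buf + opt_off, OPT_MAGIC_PE32PLUS);
    wr32(buf + opt_off + 16, 0x1000);                 /* AddressOfEntryPoint */
    memcpy(buf + sec_off, ".text", 5);
    wr32(buf + sec_off + 36, 0x60000020);             /* CNT_CODE | MEM_EXECUTE | MEM_READ */
    memcpy(buf + sec_off + SECTION_HEADER_SIZE, ".data", 5);
    wr32(buf + sec_off + SECTION_HEADER_SIZE + 36, 0xC0000040); /* CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE */
    return total;
}

int main(void)
{
    uint8_t img[512];
    struct pe_info info;
    size_t n = build_sample_image(img, sizeof img);
    int rc = parse_pe(img, n, &info);
    printf("parse_pe -> %d, machine 0x%04X, magic 0x%X, %u sections, entry RVA 0x%X\n",
           rc, info.machine, info.opt_magic, info.num_sections, info.entry_point_rva);
    for (unsigned i = 0; i < info.num_sections; i++)
        printf("  %-8s characteristics 0x%08X\n", info.section_names[i], info.section_chars[i]);
    /* A header whose e_lfanew points far beyond the file must be rejected, not followed. */
    wr32(img + 0x3C, 0xFFFFFFF0);
    printf("hostile e_lfanew -> %d\n", parse_pe(img, n, &info));
    return 0;
}
```

The same walk is what x64dbg and WinDbg perform when they show you a module's headers; doing it by hand once makes the `!dh`-style output and the section characteristics (executable, writable) much easier to read during the labs.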

Day 2 and 3

Visual Studio toolchain, native Windows development (Win32 API), code injection, persistence and hooking.

Day 4

Hands-on exercises built around a RAT (remote access tool) prototype: implementing the injection and persistence techniques covered on the previous days.

Day 5

Presentation of the Windows security model (integrity levels, access tokens, security descriptors, SIDs) and of the limits it imposes on the techniques covered earlier.
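Two of the Day 5 building blocks, SIDs and integrity levels, are simple enough to work through in plain C. As an added example that is not part of the course material, the program below validates and prints a binary SID (the _SID layout from winnt.h: revision, sub-authority count, 48-bit big-endian identifier authority, little-endian sub-authorities), names the integrity level encoded in a mandatory-label SID (S-1-16-RID, the SECURITY_MANDATORY_*_RID values), and applies the default NO_WRITE_UP mandatory policy that stops a lower-integrity process from writing to a higher-integrity object. The SID byte arrays are constructed for the example; sid_to_string, sid_integrity_level and no_write_up_allows are the example's own names, and the program compiles on any platform, not only Windows.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Binary SID layout (winnt.h _SID):
     byte 0      Revision (always 1)
     byte 1      SubAuthorityCount (0..15)
     bytes 2..7  IdentifierAuthority, 48-bit big-endian
     then        SubAuthorityCount x 32-bit little-endian SubAuthority */
#define SID_REVISION                        1
#define SID_MAX_SUB_AUTHORITIES             15
#define SECURITY_MANDATORY_LABEL_AUTHORITY  16

static uint64_t sid_authority(const uint8_t *sid) {
    uint64_t a = 0;
    for (int i = 0; i < 6; i++) a = (a << 8) | sid[2 + i];
    return a;
}
static uint32_t sid_sub(const uint8_t *sid, unsigned i) {
    const uint8_t *p = sid + 8 + i * 4;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate a binary SID and render it as "S-R-A-S1-...". Returns the number of
   sub-authorities, or -1 if the buffer is not a well-formed SID. The length
   check matters: a SID that claims more sub-authorities than the buffer holds
   is exactly what a hostile security descriptor would contain. */
int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t cap)
{
    if (len < 8 || sid[0] != SID_REVISION) return -1;
    unsigned count = sid[1];
    if (count > SID_MAX_SUB_AUTHORITIES || len < 8 + (size_t)count * 4) return -1;
    int n = snprintf(out, cap, "S-%u-%llu", (unsigned)sid[0], (unsigned long long)sid_authority(sid));
    if (n < 0 || (size_t)n >= cap) return -1;
    size_t pos = (size_t)n;
    for (unsigned i = 0; i < count; i++) {
        n = snprintf(out + pos, cap - pos, "-%u", sid_sub(sid, i));
        if (n < 0 || (size_t)n >= cap - pos) return -1;
        pos += (size_t)n;
    }
    return (int)count;
}

/* Name of the integrity level carried by a mandatory-label SID (S-1-16-RID).
   Returns NULL if the SID is malformed or is not a mandatory label. */
const char *sid_integrity_level(const uint8_t *sid, size_t len)
{
    char tmp[128];
    if (sid_to_string(sid, len, tmp, sizeof tmp) != 1) return NULL;   /* label SIDs have exactly one RID */
    if (sid_authority(sid) != SECURITY_MANDATORY_LABEL_AUTHORITY) return NULL;
    switch (sid_sub(sid, 0)) {
    case 0x0000: return "Untrusted";
    case 0x1000: return "Low";
    case 0x2000: return "Medium";
    case 0x2100: return "Medium Plus";
    case 0x3000: return "High";
    case 0x4000: return "System";
    case 0x5000: return "Protected Process";
    default:     return "Unknown";
    }
}

/* Default mandatory policy (NO_WRITE_UP): a subject may write an object only if
   its integrity RID is >= the object's label RID. Returns 1 if allowed, 0 if
   denied, -1 if either SID is not a mandatory label. The discretionary ACL is
   still checked afterwards; this is only the integrity gate. */
int no_write_up_allows(const uint8_t *subject, size_t slen, const uint8_t *object, size_t olen)
{
    if (!sid_integrity_level(subject, slen) || !sid_integrity_level(object, olen)) return -1;
    return sid_sub(subject, 0) >= sid_sub(object, 0) ? 1 : 0;
}

/* Constructed sample SIDs (byte layouts built by hand for this example). */
static const uint8_t SID_MEDIUM_IL[] = {1,1, 0,0,0,0,0,16, 0x00,0x20,0,0};           /* S-1-16-8192  */
static const uint8_t SID_HIGH_IL[]   = {1,1, 0,0,0,0,0,16, 0x00,0x30,0,0};           /* S-1-16-12288 */
static const uint8_t SID_ADMINS[]    = {1,2, 0,0,0,0,0,5, 0x20,0,0,0, 0x20,0x02,0,0}; /* S-1-5-32-544 */
static const uint8_t SID_TRUNCATED[] = {1,2, 0,0,0,0,0,5, 0x20,0,0,0};               /* claims 2 RIDs, carries 1 */

int main(void)
{
    char buf[128];
    sid_to_string(SID_ADMINS, sizeof SID_ADMINS, buf, sizeof buf);
    printf("%s -> BUILTIN\\Administrators\n", buf);
    sid_to_string(SID_MEDIUM_IL, sizeof SID_MEDIUM_IL, buf, sizeof buf);
    printf("%s -> %s integrity\n", buf, sid_integrity_level(SID_MEDIUM_IL, sizeof SID_MEDIUM_IL));
    printf("truncated SID accepted? %s\n",
           sid_to_string(SID_TRUNCATED, sizeof SID_TRUNCATED, buf, sizeof buf) < 0 ? "no" : "yes");
    printf("Medium subject writing High object: %d\n",
           no_write_up_allows(SID_MEDIUM_IL, sizeof SID_MEDIUM_IL, SID_HIGH_IL, sizeof SID_HIGH_IL));
    printf("High subject writing Medium object:  %d\n",
           no_write_up_allows(SID_HIGH_IL, sizeof SID_HIGH_IL, SID_MEDIUM_IL, sizeof SID_MEDIUM_IL));
    return 0;
}
```

The last two lines of output are the practical limit the course is pointing at: membership of Administrators (S-1-5-32-544) in a token does not by itself let a Medium-integrity process write to a High-integrity object, which is why injection and persistence tooling has to care about which integrity level it is running at and not only about which groups its token carries.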