Developping hacking tools targetting Windows


The era of simply dropping mimikatz as a post exploitation step is coming to an end.


Nowadays, AVs and EDRs aggressively scans for public intrusion tools and Windows is pushing mitigations in order to break post exploitation (AppContainer, ProtectedProcess, AMSI, etc.). That's why it becomes all the more necessary for any pentester to build a custom suite of intrusion tools for Windows in order to stay "below the AV's radar" during their redteam exercises.


During this training, students will learn how to use Windows low-level API in order to furtively do unapproved actions on the target system. They will also learn how to use system diagnostic tools such as a debugger in order to troubleshoot issues in their intrusion tool's code. Finally, they will be introduced to the Windows security model and the way the OS is designed on the userland side.


The introduction to redteam tooling development for Windows is an advanced training catered for pentesters, native Windows developers and security teams. It is still advised to know how to write in C and understand its memory model before attending this training.


5 days / 8 hours of class / 27 hours of hands-on training


First Part (1 day)


  • Greetings and environment setup (laptops with preinstalled VMs are provided)

  • PE format and static/dynamic analysis tools for Windows

  • Debugging exercises using either x64dbg or WinDBG



Second Part (3 days)


  • Visual Studio toolchain

  • Native Windows developement (Win32)

    • native api

    • WinAPI

      • Process & Threads

      • IPC

      • Registre

      • Services

      • CryptoAPI

      • Networking

  • Code injection techniques :

    • CreateRemoteThread

    • ProcessHollowing

    • Thread Hijacking

    • Reflective DLL

    • APC Injection

  • Persistence

  • Hooking


By the end of these 3 days, the students should have a working skeleton of a basic RAT, which they can then improve it piecemeal by swapping code injection techniques or hooking frameworks.


Third Part (1 day)


This part presents how the Windows security model works (integrity level, token, etc.). This presentation completes the previous part by showing to the students the reasons why certain APIs can or can't be used on the system.


  • Security Model :

    • SID

    • ACL

    • Privileges

    • Token

    • UAC

    • Sessions

    • Integrity Level



  • Recent security technologies :

    • AMSI

    • SmartScreen

    • Protected Process

    • ATP