Windows Malware Implants: OPSEC, Evasion and Anti-Reversing Techniques
Silvio La Porta and Antonio Villani

This course details techniques modern malware uses to evade defenders and security tools like AV, IPS, IDS, and EDR. It also covers how attackers design implants for quick redeployment after detection or public disclosure by researchers or security vendors.

Windows Malware Implants: OPSEC, Evasion and Anti-Reversing Techniques // Silvio La Porta, Antonio Villani

In-Person | March 18-21 | 4 Days

BOOK NOW

ABSTRACT

The course will present an in-depth description of the techniques implemented in modern malware to evade defenders and security products (such as AV, IPS, IDS, EDR), and how attackers design and operate implants in order to ensure a prompt redeployment after a detection or a public disclosure by researchers or security vendors.

The course will also cover real-world scenarios impairing reverse engineering efforts and make first responders' jobs tougher. The techniques will be demonstrated by reversing real malware samples, and then by re-implementing improved versions of the malware code. The training is designed from an attacker's point of view, teaching red-teams how to make their implants stealthier, but it will also teach defenders how to deal with the anti-reversing and the OPSEC techniques demonstrated in class.

The course focuses primarily on Windows malware and on the analysis, tweaking and re-purposing of real malware samples. Participants will be provided with plenty of code to help study complex malware techniques.

Theory sessions will be followed by exercises where participants will reverse and re-implement parts of real malware in order to fully understand all techniques involved. 50% of the course will be dedicated to hands-on labs translating theory into practice.

Labs provide flexibility in terms of complexity and include bonus tracks to ensure that you always feel engaged and have something interesting to explore and learn.

Students will be provided with our training agent and C2's source-code to develop and test the techniques.

Windows Malware Implants: OPSEC, Evasion and Anti-Reversing Techniques // Silvio La Porta, Antonio Villani

In-Person | March 18-21 | 4 Days

BOOK NOW

INTENDED AUDIENCE

Developers and Reverse engineers who want to understand the tradecraft from a different point of view, red-team members who want to go beyond using third-party implants, and researchers who want to develop anti-detection techniques of real malware/apt.

TESTIMONIALS

💬
"4 hectic days caught me up with over 20 years of work in offensive EDR security. Given how far behind I was, I fully expected to not understand several sections of cutting edge bypass techniques. Pleasantly, this turned out not to be the case. Silvio and Antonio made the material very accessible by going through each technique in sufficient detail enabling complete understanding. I fully expect to be back at Ringzer0 for further training."

KEY LEARNING OBJECTIVES

  • Be able to recognize, implement and deal with stealthy malware/backdoor techniques and tradecraft.
  • Modify malware components and pre/post build tools to protect against reversing efforts.
  • Familiarize with the latest advances, DLL injection techniques, and customize reflective loaders.
  • Build custom obfuscators and to recognize obfuscation transform patterns.
  • Learn attacker tradecrafts to impair incident response analysis.
BOOK NOW

COURSE DETAILS

Module 1

  • Warm up (refresh basic concepts)
  • DynLoader
    • Dynamic APIs resolution
    • Import by hash
    • PEB walk
    • Syscall direct invocation
    • API Custom implementation
  • Obfuscation Part I
    • Obfuscation techniques
    • Opaque predicates, MBA, VM obfuscators

Module 2

  • Obfuscation Part II
    • Source level obfuscation
    • Intermediate representation obfuscations (LLVM)
  • Bring your own Loader
    • Windows Loader
    • Alternative Loaders
  • Injection Part I (Advanced Reflective Loader)
    • Wide used injection techniques
    • Reflective Loader deep analysis
    • Customize RL

Module 3

  • Injection Part II (Exotic Injection)
    • Uncommon injection techniques
    • Hooks
    • Implement an exotic injector
  • Anti-Debug
    • Debugging internals
    • Breakpoint detection (HW and SW)
    • Anti-tampering
  • Persistence
    • COM/DLL Hijacking
    • WMI persistence

Module 4

  • Anti-VM
    • Artifact detection
    • Instruction and timing detection
    • Build an anti-vm module
  • Multi Lang Module
    • Run managed code from unmanaged
    • AMSI
    • Execution Guardrails
    • IPC
  • Final Lab
BOOK NOW

Knowledge Prerequisites

  • Programming experience (C, C++, Python, .NET, and PowerShell)
  • Be familiar with assembly language and Debuggers (IDA pro, WinDBG)

Hardware Requirements

  • Virtualization capable Intel CPU(s) (ARM CPUs are not supported)
  • Minimum 8GB of RAM (for running one guest VM)
  • Minimum 80 GB free disk space

Software Requirements

  • Host OS Windows 10 64-bit
  • Debugging Tools for Windows (Ida Pro, WinDBG). Decompiler recommended.
  • SysInternals Tools
  • Virtualization Software (VMWare, VirtualBox)
  • Guest OS Windows 10 64-bit
  • System Administrator access required on both host and guest OSs
Laptops with Apple Silicon are NOT supported in this class. Please ensure that your laptop has an Intel or equivalent x86-64 processor.

YOUR INSTRUCTORS: Drs Silvio LaPorta and Antonio Villani

Dr. Silvio La Porta is a senior cyber security architect designing security products and researching advanced detection technology for complex malware/APT. Silvio previously was a lead research scientist with EMC Research Europe based in the centre of excellence in Cork, Ireland. His primary research focus areas were real-time network monitoring and data analysis in smart grids to detect malware activity in SCADA systems and corporate networks. He was also leading security service level agreement (SEC-SLA) and end user security/privacy protected data store projects for hybrid cloud environments. He is a frequent speaker in professional and industry conferences. Before joining EMC, Silvio worked as a malware reverse engineer in Symantec’s Security Response team in Dublin, Ireland. Silvio holds a PhD in Computer Network Security from the University of Pisa, Italy.

Dr. Antonio Villani spent the past years analyzing high level implants for top tier customers, providing detailed implementation information to support cyber-defense and cyber threat intelligence teams. Now, he uses his experience in the reverse engineering of multi-stage implants to improve detection and response capabilities of endpoint security products. As a researcher he published in top tier conferences and journals and he participated in European research projects in the field of cyber resilience and data security. During his PhD he also worked in the field of malware research and digital forensics.

BOOK NOW
See also
BOOTSTRAP25

VoidStar Security - Hardware Hacking for Reverse Engineers

This course teaches hardware reverse engineering fundamentals, focusing on low-level protocols like SPI, I2C, JTAG, and SWD in embedded systems. Students develop tools to interface with these protocols. All hardware is provided, and students keep the tools after completing the course.
4 min read
BOOTSTRAP25

Patch Diffing In The Dark: Reverse Engineering Modern CVEs

This course teaches patch diffing to analyze real-world Windows and Android vulnerabilities. Students use open-source tools like Ghidra to reverse engineer recent CVEs, gaining the skills and confidence to discover complex vulnerabilities with tools they already have.
6 min read
Great! Next, complete checkout for full access to Ringzer0
Welcome back! You've successfully signed in
You've successfully subscribed to Ringzer0
Success! Your account is fully activated, you now have access to all content
Success! Your billing info has been updated
Your billing was not updated