An Epic Introductory Journey in Malware Development

Last Updated: 6 May 2025

Preface (still to do)

• Course Introduction
• [Course Preview + Curriculum]
• [Recommended Lab Setup]

Module 1: DLLs and Basic Loading

• Introduction to DLLs (Theory 1.1)
• Introduction to Shellcode (Theory 1.2)
• Standard DLL Loading in Windows (Theory 1.3)
• Create a Basic DLL (Lab 1.1)
• Create a Basic Loader in Go (Lab 1.2)

Module 2: PE Format for Loaders

• PE File Structure Essentials (Theory 2.1)
• Addressing in PE Files (Theory 2.2)
• PE Header Inspection with PE-Bear (Lab 2.1)
• PE Header Parser in Go (Lab 2.2)

Module 3: Reflective DLL Loading Core Logic

• Intro to Reflective DLL Loading (Theory 3.1)
• Memory Allocation (Theory 3.2)
• Mapping the DLL Image (Theory 3.3)
• Manual DLL Mapping in Go (Lab 3.1)

Module 4: Handling Relocations and Imports

• Base Relocations (Theory 4.1)
• IAT Resolution (Theory 4.2)
• Intentional Base Relocation (Lab 4.1)
• IAT Processing (Lab 4.2)

Module 5: Execution and Exports

• The DLL Entry Point (Theory 5.1)
• Exported Functions (Theory 5.2)
• Call DllMain (Lab 5.1)
• Call Exported Function (Lab 5.2)

Module 6: Basic Obfuscation - XOR

• Introduction to Obfuscation (Theory 6.1)
• Simple XOR (Theory 6.2)
• XOR Functions in Go (Lab 6.1)
• Obfuscated Loading (Lab 6.2)

Module 7: Rolling XOR & Key Derivation

• Rolling XOR (Theory 7.1)
• Key Derivation Logic (Theory 7.2)
• Implementing Rolling XOR (Lab 7.1)
• Implementing Key Derivation (Lab 7.2)

Module 8: Network Delivery & Client/Server

• Client + Server Communication (Theory 8.1)
• Communication Protocol Design (Theory 8.2)
• Environmental Keying + Client ID (Theory 8.3)
• Client + Server Logic (Lab 8.1)
• Implement Client ID and Key Derivation (Lab 8.2)

Module 9: Refining In-Process Execution

• Decoupling Memory Permissions (Theory 9.1)
• Introducing Basic Delays and Misdirection (Theory 9.2)
• Decoupling, Delays, and Misdirections (Lab 9.1)
• Shellcode Encryption & Decryption In-Memory (Theory 9.3)
• Implementing Runtime Shellcode Decryption (Lab 9.2)
• Basic Thread Obfuscation Concepts (Theory 9.4)

Module 10: Process Injection Fundamentals (WinAPI)

• Process Injection Introduction & Target Selection (Theory 10.1)
• Finding and Opening Target Processes (Lab 10.1)
• Remote Memory Operations (WinAPI) (Theory 10.2)
• Performing Remote Memory Operations (Lab 10.2)
• Remote Thread Execution (WinAPI) (Theory 10.3)
• Executing Code via CreateRemoteThread (Lab 10.3)

Module 11: Module 11: Introduction to the Native API

• API-Hooking and the Native API (Theory 11.1)
• Finding Native API Functions (Theory 11.2)
• Finding Native API Function Addresses (Lab 11.1)
• Calling Native API Functions (Theory 11.3)
• Calling Native API via Syscall Package (Lab 11.2)

MORE TO COME… WIP