Course Reviewed
Format:
This course is online.
Materials:
This course materials included videos as well as a virtual machine.
Class size:
The class is single user.
Environment
The lab environment is NOT shared with other students.
Estimated cost:
At the time of this review, the course prices were listed as follows (Check the web site for actual prices!)
$19d9.00 USD
About the course:
It will teach you how to develop your own custom malware. This malware will include a dropper for your payload, injecting your shellcodes into remote processes, creating trojan horses (backdooring existing software) and bypassing Windows Defender AV.
My motivation:
I want to learn more about creating my own code for red team/penetration testing/CTFs/training. And, a co-worker highly recommended this class.
My review:
To start with, VirtualBox was the recommended virtualization product for running the VM included with the course. I have used VMWare products for longer than I can remember, and I was a little hesitant at first about trying VirtualBox. But learning new things is a part of the game, and I wanted to branch out. With that in mind, I downloaded and installed VirtualBox and was very impressed. No issues at all, and I like it. Now I have an alternate to VMWare Workstation (I use Player and Pro a LOT).
The course started with an introduction, and VM setup guide. Next was an introduction to PE files, and the information covered in that section would be needed as the course progressed. You can view the course outline, and see what topics are covered, and each topic builds upon the next topic.
I basically watched the videos and paused them to follow along in the VM. I made sure I understood the section before moving on. I would also make a change every once and a while to see if I understood enough to modify the code. I only ran in to an issue once, which appeared to be the way C++ coding works and I am pretty sure I understand why it did what it did, or at least I undertstood enough to make the changes needed to make it work right.
The next section was the dropper section, and it begins with an overview of where to store the code (.text, .data and .rsrc). You then get to work on small programs that show you how to store data in each section. I just watched the videos and followed along, and each section was explained well enough that I could follow with no issues.
Obfuscation and hiding were the topics covered after learning where to store your payload. Now that you know where and how to store your payload, you will learn how to obfuscate you code through encoding and encryption. This section also covers obfuscating function calls to avoid anti-virus detection.
Backdooring a PE was up next. This was straightforward and easy to follow, and a good example. I have seen similar things covered in other classes, but I am thinking this was one of the easiest to follow and understand.
The code injection section covers moving from your initial process into another process. This becomes important when your initial program may be closed and your code closed as well, so moving to another process is a needed skill to learn. You will also learn how to inject a DLL into a remote process. You go through the process of creating the DLL and injecting the DLL. This was a fun section.
At this point, you are almost done, and the next task up is learning how to make your program invisible (or rather how to hide the pop cmd window that shows up.) There are two different methods taught in this section.
With the end in sight, you learn how to put things together, creating a single program that combines multiple techniques learned earlier. Once you have gone through the videos and followed making the code, you are given an assignment. This assignment pushes you to modify the program you just created and take things a little bit further.
By the time I reached the end, I was very pleased with the way this course worked out. I really liked how things built upon each other as the course went along, and the final part was putting it all together and pushing you to go further with an assignment. I was having a little bit of trouble with the final assignment, and my co-worker recommended I jump in to the Intermediate course because it would help me.
Misc:
The only real issue I had during the course was my VM shutting down from time to time. I would often have to take a break after a section or two (due to stuff happening around me), and when I would get back to my computer, the VM would have turned off (maybe a setting on my laptop or VirtualBox...it wasn't important enough for me to worry about troubleshooting). I never lost any work or anything like that, and the VM was fast to boot and responded really well.
The Exam:
There is no certification exam at the present time, but you can get a Certificate of Completion upon request.
I will post a copy of the CoC when I get it.
My two cents:
The price, the information, the short videos and the easy to follow code, made this course great. If you are looking to get in to malware development for red teaming/penetration testing/CTFs/training, I highly recommend this course to you.