
Review of Sektor7 - RED TEAM Operator: Malware Development Intermediate Course

These are my personal opinions based on my background and training experience.



Course Reviewed


Format:

This course is online.


Materials:

The course materials include videos as well as a virtual machine.


Class size:

The class is single-user.


Environment

The lab environment is NOT shared with other students.


Estimated cost:

At the time of this review, the course prices were listed as follows (Check the web site for actual prices!)

$229.00 USD



About the course:

This course builds on what you have learned so far by extending your development capabilities with: playing with Process Environment Blocks and implementing our own function address resolution; more advanced code injection techniques; understanding how reflective binaries work and building custom reflective DLLs, either with source or binary only; in-memory hooking, capturing execution flow to block, monitor or evade functions of interest; grasping 32- and 64-bit processing and performing migrations between x86 and x64 processes; and discussing inter-process communication and how to control execution of multiple payloads. The course ends with a combined project, where you will create a custom dropper implementing the discussed techniques.



My motivation:


I really want to learn more about creating my own code for red team/penetration testing/CTFs/training and, when this course was announced, I signed up before I even started the essentials course.


My review:

It starts off innocent enough with an overview of the course and setting up the VM environment.

From there you get a deep dive into the PE file format.  And by deep dive, it went crazy deep!  It doesn't cover every single thing, but it covers a lot.  Just look at the section title "PE madness".  I felt the madness part!  The first video "Revisiting PE file format" was a more detailed review of the PE file format than I expected.  Good information, but wow, it was complex.  I was able to follow along easily enough, and the overview was important information for later.  It was also a chance to get a better feel for hasherezade's PE-bear tool that we used in the first course.

About mid-way through the PE Madness section, you get to look at some code that should look familiar from the first course, but then it gets modified.  The modifications are the GetProcAddress/GetModuleHandle helper section.  When I first started this section, I felt it was pretty complex to follow, but after taking a few minutes to digest what was being said, I felt I understood it enough to move on.  The final part of this section is the PE with no imports, and this part was pretty straight forward.  Here you get your first assignment, which is pretty easy to do on your own.
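Added example (not code from the course, from Sektor7, or from the review author): the export-table walk that a custom GetProcAddress performs once it has a module base in hand. The PEB walk that produces that base in the first place is Windows-only and is left out; header offsets follow the PE/COFF specification and no windows.h is needed, so this builds anywhere. The "module" is a hand-built, made-up image (FAKE.dll exporting Alpha, Beta and a forwarder named Fwd) so the lookup can be exercised offline; the code RVAs it returns are placeholders.

```c
/* Added example: resolve an export by name from a PE image that is already
 * mapped in memory (the part of a custom GetProcAddress that runs after
 * GetModuleHandle, or a PEB walk, has produced the module base). Offsets
 * follow the PE/COFF spec; no windows.h, so it builds on any host. The
 * module below is a hand-built, made-up image: FAKE.dll exporting Alpha,
 * Beta and a forwarder Fwd. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE 0x1100

/* PE fields are little-endian regardless of host, so read/write bytewise. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Returns base + RVA of the named export, or NULL when the name is absent,
 * the export is a forwarder (its "address" lands inside the export directory
 * and is really a "DLL.Func" string), or a field points outside the image.
 * image_size bounds every dereference so a corrupt header cannot walk off. */
const uint8_t *resolve_export(const uint8_t *base, size_t image_size, const char *name)
{
    if (image_size < 0x40 || rd16(base) != 0x5A4D) return NULL;            /* "MZ" */
    size_t nt = rd32(base + 0x3C);                                           /* e_lfanew */
    if (nt + 26 > image_size || rd32(base + nt) != 0x00004550) return NULL; /* "PE\0\0" */
    const uint8_t *opt = base + nt + 24;                                     /* optional header */
    uint16_t magic = rd16(opt);
    size_t dd = magic == 0x20B ? 112 : magic == 0x10B ? 96 : 0;             /* DataDirectory offset: PE32+ / PE32 */
    if (dd == 0 || nt + 24 + dd + 8 > image_size) return NULL;
    size_t exp_rva = rd32(opt + dd), exp_size = rd32(opt + dd + 4);         /* DataDirectory[0] = export */
    if (exp_rva == 0 || exp_rva + 40 > image_size) return NULL;
    const uint8_t *exp = base + exp_rva;                                     /* IMAGE_EXPORT_DIRECTORY */
    size_t nfuncs = rd32(exp + 20), nnames = rd32(exp + 24);
    size_t funcs = rd32(exp + 28), names = rd32(exp + 32), ords = rd32(exp + 36);
    if (names + 4 * nnames > image_size || ords + 2 * nnames > image_size) return NULL;
    for (size_t i = 0; i < nnames; i++) {
        size_t name_rva = rd32(base + names + 4 * i);
        if (name_rva >= image_size) return NULL;
        if (strncmp((const char *)base + name_rva, name, image_size - name_rva) != 0) continue;
        size_t ord = rd16(base + ords + 2 * i);                              /* unbiased ordinal = index into functions */
        if (ord >= nfuncs || funcs + 4 * ord + 4 > image_size) return NULL;
        size_t fn_rva = rd32(base + funcs + 4 * ord);
        if (fn_rva >= exp_rva && fn_rva < exp_rva + exp_size) return NULL;  /* forwarder, not code */
        return fn_rva < image_size ? base + fn_rva : NULL;
    }
    return NULL;
}

/* Hand-built image: DOS header at 0, NT headers at 0x80, export directory at
 * 0x200 (size 0x100), export tables and strings after it. Everything here is
 * constructed for the demo; RVAs 0x1000/0x1010 stand in for real code. */
const uint8_t *demo_image(void)
{
    static uint8_t img[IMG_SIZE];
    static int built;
    if (built) return img;
    built = 1;
    memset(img, 0, sizeof img);
    wr16(img, 0x5A4D);            wr32(img + 0x3C, 0x80);
    wr32(img + 0x80, 0x00004550); wr16(img + 0x84, 0x8664);  /* Machine = AMD64 */
    wr16(img + 0x94, 240);                                    /* SizeOfOptionalHeader (PE32+) */
    uint8_t *opt = img + 0x98;
    wr16(opt, 0x20B);             wr32(opt + 112, 0x200); wr32(opt + 116, 0x100);
    uint8_t *exp = img + 0x200;
    wr32(exp + 12, 0x240); wr32(exp + 16, 1);                /* Name, Base */
    wr32(exp + 20, 3);     wr32(exp + 24, 3);                /* NumberOfFunctions, NumberOfNames */
    wr32(exp + 28, 0x250); wr32(exp + 32, 0x260); wr32(exp + 36, 0x270);
    wr32(img + 0x250, 0x1000); wr32(img + 0x254, 0x1010); wr32(img + 0x258, 0x280);
    wr32(img + 0x260, 0x2A0);  wr32(img + 0x264, 0x2B0);  wr32(img + 0x268, 0x2C0);
    wr16(img + 0x270, 0);      wr16(img + 0x272, 1);      wr16(img + 0x274, 2);
    strcpy((char *)img + 0x240, "FAKE.dll");
    strcpy((char *)img + 0x280, "OTHER.Real");             /* forwarder string for Fwd */
    strcpy((char *)img + 0x2A0, "Alpha");
    strcpy((char *)img + 0x2B0, "Beta");
    strcpy((char *)img + 0x2C0, "Fwd");
    return img;
}

int main(void)
{
    const uint8_t *base = demo_image();
    const char *want[] = { "Alpha", "Beta", "Fwd", "Gamma" };
    for (size_t i = 0; i < 4; i++) {
        const uint8_t *p = resolve_export(base, IMG_SIZE, want[i]);
        if (p) printf("%-6s -> RVA 0x%04zx\n", want[i], (size_t)(p - base));
        else   printf("%-6s -> not resolved (missing or forwarded)\n", want[i]);
    }
    return 0;
}
```

Two things worth noticing: forwarded exports must be detected and re-resolved in the target DLL, or the caller ends up jumping into a string; and a "PE with no imports" loader typically compares a hash of each export name rather than the string itself, which is a one-line change to the comparison above.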

Code Injection was the next section.  It starts with a review of the techniques learned in the Essentials course, moves into thread injection, and then into Section & View injection, followed by asynchronous procedure calls, and finishes up with the EarlyBird injection technique.  These sections were short, easy to follow, and the code sections were easy to understand.  At this point you reach your second assignment, and it begins to challenge you to go further than the course materials.

The section that I thought I was looking forward to, Reflective DLLs, had one short video explanation of what a reflective DLL is and then a few long videos going over the ReflectiveLoader source code review and then RDI.  Luckily I had just gotten a little exposure to the sRDI stuff when going over some information I was given to look over.  So just when I felt I was getting overwhelmed by this section, I found something familiar and felt a little more comfortable.  I always enjoy the little tips and tricks on avoiding AV and customizing code, and there were a few tips in this section.

Next up was x86 vs x64 (or 32-bit vs 64-bit).  This is basically some information on 32-bit vs 64-bit programs, and how to migrate your shellcode from a 32-bit process to a 64-bit process (and the Metasploit migrate process is used to explain this.)

Hooking is the next section.  So far this was to me the most straight forward and fun section.  I took extra time during this section to play with the code a little.  I expected, since I don't have a lot of experience in C++, that my modifications wouldn't work.  I was pleasantly surprised.  I guess, between these classes and a few others, I am starting to get better at this.

On to Multiple Payload control.  Imagine you finish your really cool code, run it on the target, and then get numerous callbacks.  That can get interesting.  So this is the section that covers that.  Short, sweet and right on point, with a few different methods of accomplishing the same thing thrown in for good measure.

At this point we reach the Combined Project section.  The project is really cool.  I don't want to say much about it, because you really need to sign up for this class and see for yourself.  But this is pretty much all the previous sections rolled up into one.  Going from 64-bit to 32-bit and back to 64-bit.  Plus the building on the fly and working through issues is a great way to teach you how to troubleshoot your own applications once you start building them.

The final part is the conclusion.  Cry a little because the course is over.  But all good things must come to an end... but this isn't the end.  You have reached a point where you get to go out and test your newfound skills and grow more.

It took me a lot longer to go through this course than I expected, and I will probably go back through it again.  I learned a lot and highly recommend this course.  It isn't the end-all, be-all, but it should jump-start your journey.


Misc:

The only real issue I had during the course was my VM shutting down from time to time. I went really slowly through this course with a lot of research on the side, and when I would get back to my computer, the VM would have turned off (I really don't care, because with Notepad++ and the way I worked, I never lost any data or anything, and the VM booted super quick). I also did some of the work with the VM using VMware instead of VirtualBox, and apart from getting the VMware Tools installed, I didn't have any issues.


The Exam:

There is no certification exam at the present time, but you can get a Certificate of Completion upon request.


I will post a copy of the CoC when I get it.

Malware Development Intermediate Course CoC



My two cents:

If you are reading this, you are most likely interested in the topic and the course itself. If that is the case, go ahead and buy it. I know several people that think it is an amazing course!



Copyright © 2024

Contact: redteamtrainingreviews @ redteamtrainingreviews.com