Introduction to Modular Implant Design for Windows

Instructors:  Kai (Kbsec)
Dates:  June 23 to 26 2025
Capacity:  25

This course introduces students to modular implant design. While it focuses on the Windows operating system, many of the topics are applicable to other systems with slight modifications. This course takes an opinionated approach to implant development that asserts payloads should be as complex as they need to be and no more. In particular, it should be easy to extend implant functionality, selectively compile in features and adjust to the quirks of the environment they are deployed in. Lectures cover strategies for designing flexible implants and labs will center around developing a command and control server, with an implant derived from sHELL (hell shell).

sHELL

sHELL (Hell shell): a hellish way to develop a shell. sHELL is a teaching shell that demonstrates one strategy for building modular implants: custom dynamic linking. In particular, each command that the shell supports is implemented in a separate binary file refereed to as a module. At runtime, the main program can load a module and extend runtime functionality. To start with, sHELL supports loading DLL modules from disk. As the course progresses, students will work to add functionality, implement loaders for other types of modules, and improve opsec.

Course Agenda

Day one

• Implant Design 101
• what makes an implant flexible
• Custom implants: when and when not to use
• Basic windows internals
• DLLs, linking
• introduction to sHELL (Hell Shell)
• interfaces, vtables and custom dynamic linking
• implementing basic features of sHELL

Day two

• Building a basic dependency system
• PE file format in depth
• PE loading
• Building a minimal Windows PE
• sHELL: replacing LoadLibraryA with a custom PE Loader
• COFF

Day Three

• C2, Channels
• Constrained channels
• Low latency vs High latency
• Having a backup plan
• Turning sHELL into rev-sHELL
• Building target specific channels
• Examples: TCP, HTTP, SMB
• Cryptography
• TLS, and TLS footguns
• to WinAPI or not to WinAPI
• Implant Opsec: strings, libraries, syscalls and all that
• reversing our implants

Day four

• Putting it all together: building a basic listening post
• case study: switching string command to opcode/hash
• Switching from Library functions to direct syscalls
• embedding interpreters
• interop with other languages. Case study: rust

Who Should Attend

Folks who are interested in demystifying Windows malware.

Class Requirements

• Experience with C programming
• Knowledge of basic Windows internals
• Basic knowledge of computer networking
• Socket programming in language of your choice. This course uses python3 for implementing listening posts, but the students are encouraged to use whatever language they are most comfortable with.

Hardware/Software requirements

A laptop capable of running a Windows 10 VM.

minimum specs:

• 16 GB of RAM 200GB of unused storage, AMD/Intel CPU. Note that this means that Mac M series chips will not work!
• It must have its network card
• To save time, please consider installing virtual box.

BIO

Kai (kbsec) is a seasoned security researcher and reverse engineer with over a decade of experience in offensive security. Currently pursuing a PhD at Northeastern University (NEU), Kai spends his idle time teaching students how to develop implants to better understand the systems they target-- or as he puts it "Trojan horsing systems security via malware development."

 

To Register

Click here to register.