Modular Implant Design for Windows
Instructor: Kai (Kbsec)
Dates: June 15 to 18, 2026
Location: Hilton DoubleTree Montreal
Capacity: 20
This course introduces students to modular implant design. While it focuses on the Windows operating system, many of the topics are applicable to other systems with slight modifications.
This course takes an opinionated approach to implant development that asserts payloads should be as complex as they need to be and no more.
In particular, it should be easy to extend implant functionality, selectively compile in features and adjust to the quirks of the environment they are deployed in. Lectures cover strategies for designing flexible implants and labs will center around developing a command and control server, with an implant derived from sHELL (hell shell).
sHELL
sHELL (Hell shell): a hellish way to develop a shell.
sHELL is a teaching shell that demonstrates one strategy for building modular implants: custom dynamic linking. In particular, each command that the shell supports is implemented in a separate binary file referred to as a module. At runtime, the main program can load a module and extend its own functionality. To start with, sHELL supports loading DLL modules from disk. As the course progresses, students will work to add functionality, implement loaders for other types of modules, and improve opsec.
Schedule
Day One
- Implant Design 101
- What makes an implant flexible
- Custom implants: when and when not to use
- Basic Windows internals
- DLLs, linking
- Introduction to sHELL (Hell Shell)
- Interfaces, vtables and custom dynamic linking
- Implementing basic features of sHELL
Day Two
- Building a basic dependency system
- PE file format in depth
- Building a minimal Windows PE
- PE loading
- sHELL: replacing LoadLibraryA with a custom PE Loader
- COFF/BOF
Day Three
- C2, Channels
- Constrained channels
- Low latency vs. high latency
- Having a backup plan
- Turning sHELL into rev-sHELL
- Building target specific channels
- Examples: TCP, HTTP, SMB
- Cryptography
- TLS and TLS footguns
- To WinAPI or not to WinAPI
- Implant Opsec: strings, libraries, syscalls and all that
- Reversing our implants
Day Four
- Putting it all together: building a basic listening post
- Case study: switching string commands to opcodes/hashes
- Switching from Library functions to direct syscalls
- Embedding interpreters
- Interop with other languages. Case study: Zig
Requirements
Hardware/Software:
- Laptop capable of running virtual machines, with at least 200GB of free disk space and 16GB of RAM
Prerequisites:
- Experience with C programming
- Knowledge of basic Windows internals
- Basic knowledge of computer networking
- Socket programming in a language of your choice. This course uses python3 for implementing listening posts, but students are encouraged to use whatever language they are most comfortable with
Learning Objectives
Create a modular first stage implant with the following features:
- No dependency on libc (-nostdlib)
- Capabilities can be selectively included at both compile time and runtime
- Integration into other languages/frameworks
Who Should Attend
Folks who are interested in demystifying Windows malware.
Who Should NOT Attend
Folks who are uncomfortable with programming in C.
BIO
Kai (kbsec) is a seasoned security researcher and reverse engineer with over a decade of experience in offensive security. Currently pursuing a PhD at Northeastern University (NEU), Kai spends his idle time teaching students how to develop implants to better understand the systems they target, or, as he puts it, "Trojan horsing systems security via malware development."