Sektor7 Institute’s Malware Development Essentials Review
Bolstered by my compulsive need to understand how things work, I’ve started my deeper dive into understanding how malware works.
Ethics Disclaimer
Like in my CRTO Review, I would like to make some disclaimers in order to preserve ethical integrity. I was asked by my manager shortly after finishing my CRTO for any course requests for the year that I was interested in taking. I submitted my list and, after a few months of being stuck in approval hell, the courses were approved, which means that, like CRTO, I had this course paid for by my employer. I am unaware of any pre-existing relationship between my employer and Sektor7. The Sektor7 Institute is not compensating me for this review, and they have no editorial input or early preview. There are also no affiliate links present in the review. The content in this piece is my opinion, and mine alone.
Background
I started taking this course in late May of 2022, but had to stop after 2 lessons to (re)learn some C concepts. I took a C++ class in university but retained little of it. After a little investigation, the course appears to use C++ in a very C-like manner, especially regarding its use of strings. That being said, I would argue that I am barely competent in C, if I can even give myself that, so my observations may be a little off base here. I picked up Learn C the Hard Way by Zed Shaw at the recommendation of a friend to upskill so I could understand what was going on in the videos.
Course Content
Through roughly 4 hours of videos, Malware Development Essentials covers the basics of Windows Portable Executable files and spends a lot of time on the headers, where data is stored to show up in which sections of the headers, and the differences between .dll files and .exe files, to name a few. The course uses a few dummy payloads for testing and focuses primarily on building a dropper rather than extensive shellcoding, concentrating mostly on payload storage, obfuscation, and injection. There are also smaller sections on how to trojanize existing applications and on Defender bypassing.
The bulk of the work in this course is in the final project, where you have to build a dropper from scratch. The first part is walked through with reenz0h, who shows you how to implement a basic dropper that can inject a payload into explorer.exe. Then he has you create a secondary dropper that changes the encryption from XOR to AES, better obfuscates Windows API calls and strings, and uses a different method of dropping a payload.
Thoughts
I think that reenz0h does a good job explaining the basics so that even someone without a heavy development background is able to understand things reasonably. My development background is somewhere between 80-85% Python-based, with random other languages thrown in there for the last 15-20%. I do not have a strong Computer Science history, and in this course it showed, especially when looking at the final project and trying to really understand what the code is doing, even while it was being explained to me in the videos. As an aside, it took me a little while to understand what reenz0h meant by PE at first, despite it being right in the course outline. Naturally, it instead came to me in the shower.
I appreciate that reenz0h gives some resources to better learn PE files through the Corkami project. I will likely continue to reference this repo in the future. The next section was on obfuscation and hiding your code in memory and from AV. Again, I have to give reenz0h props here on his easy-to-understand explanations, especially for the difference between encoding and encryption. Prior to this, I obviously knew the difference between encryption and encoding. It was just taught to me in a confusing manner, so I understood it in a janky way. However, my understanding of it is much simpler now. In the course, reenz0h simply says that the difference between an encoding algorithm and an encryption algorithm is that encryption algorithms require a key, whereas encoding algorithms do not. I had never heard it put so succinctly, and I can't believe that it took me this long.
reenz0h covers code injection in a practical manner. I had the concept down from my CRTO training, so I don't have a ton to say about it here.
Final Project
The final project was fun. I have to shout out register#7493, heartburn#2701, and Archiba#0025 for some help with figuring out why my AES-encrypted obfuscated function calls were not working. After working through the walk-along section of the project, I had to change out the encryption type from XOR to AES, implement function obfuscation on the remaining functions, bypass Windows Defender, and encrypt the rest of the strings. Two key takeaways came from this: 1. C strings suck. 2. Remember that AES is a block cipher, and will pad crap to the end of a string to round out a block. So, when decrypting the string, make sure to have a null byte inserted at the end of the original string so you can pass that string around without causing crashes all over. Plus, when you are done, you have a custom dropper that does bypass Defender, which is a nice takeaway.
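As an added illustration of the second takeaway (my own example, not code from the course or its author): PKCS#7 padding is assumed, since it is the common default for AES and the course's exact padding scheme is not stated here. The AES encrypt/decrypt call itself is omitted because it maps 16-byte blocks to 16-byte blocks, so the buffer that comes out of decryption is exactly the padded buffer built here, with no terminator in sight.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define BLOCK 16  /* AES block size in bytes */

/* PKCS#7: append n bytes of value n so the length becomes a multiple of
 * BLOCK. An entire extra block is added when the input is already aligned,
 * so a 16-byte string becomes 32 bytes of ciphertext. */
size_t pkcs7_pad(const uint8_t *in, size_t len, uint8_t *out, size_t outcap) {
    size_t padn = BLOCK - (len % BLOCK);
    if (len + padn > outcap) return 0;
    memcpy(out, in, len);
    memset(out + len, (int)padn, padn);
    return len + padn;
}

/* Strip the padding and write a NUL-terminated C string into out.
 * Returns the plaintext length, or -1 if the padding is malformed (what a
 * wrong key or a corrupted buffer looks like) or out is too small. */
int pkcs7_unpad_to_cstring(const uint8_t *in, size_t len,
                           char *out, size_t outcap) {
    if (len == 0 || len % BLOCK != 0) return -1;
    uint8_t padn = in[len - 1];
    if (padn == 0 || padn > BLOCK) return -1;
    for (size_t i = len - padn; i < len; i++)
        if (in[i] != padn) return -1;
    size_t plain = len - padn;
    if (plain + 1 > outcap) return -1;       /* +1 for the terminator */
    memcpy(out, in, plain);
    out[plain] = '\0';   /* the byte the decrypt call never gives you */
    return (int)plain;
}

/* Round trip on a constructed sample. The AES step is omitted (see the
 * lead-in): the padded buffer below is byte-for-byte what decryption
 * hands back, so it must be unpadded and terminated before use. */
int demo(void) {
    const char *s = "sample string";          /* 13 bytes, pads to 16 */
    uint8_t padded[64];
    char str[64] = "";
    size_t n = pkcs7_pad((const uint8_t *)s, strlen(s), padded, sizeof padded);
    int m = pkcs7_unpad_to_cstring(padded, n, str, sizeof str);
    printf("padded=%zu plain=%d str=\"%s\"\n", n, m, str);
    return n == 16 && m == 13 && strcmp(str, s) == 0;
}

int main(void) { return demo() ? 0 : 1; }
```

Passing the raw decrypted buffer to strlen or strcpy reads past the padding into whatever follows, which is the crash the takeaway describes; the -1 path also catches a wrong key before the garbage ever reaches a string function.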
Final Thoughts
For $200, I think the course is reasonable. I wish there was more hands-on programming, however. Most of it was follow-along, take-notes style learning. Not to say it was bad, though. reenz0h did a good job explaining concepts and the reasoning for why things are done the way they are. This course is my first step into better understanding a lot of new under-the-hood concepts in Windows, non-REST APIs, low-level programming, malware, and AV. I think it was well worth the time and money to take this, and Malware Development Intermediate will be the next course I take.