Windows Security Developer Bootcamp

Comprehensive Windows CNO Development Training Program

© CodeMachine Inc. | codemachine.com | @codemachineinc

Introduction

The CodeMachine Windows Developer Bootcamp addresses the skills gap between the undergraduate computer science curriculum and the developer skills requirement in the information security industry. It is ideally suited for the pool of fresh hires who must ramp up quickly and become productive as a computer network operations (CNO) developer.

This is a comprehensive training program comprising 5 weeks of live instructor-led security-focused courses that provide a jump-start into the world of offensive and defensive security software development for the Windows platform. Topics in the training courses have been chosen based on their applicability to security, malware, rootkits, red teaming, and blue teaming.

These courses are not about running tools such as Metasploit, CobaltStrike, PowerShell Empire, etc.; instead, they provide a deeper understanding of how things work under the hood through extensive hands-on labs, preparing students to develop offensive and defensive tools on their own.

This Bootcamp is only available to government organizations/agencies and defense contractors. We have no plans to offer this publicly as open enrollment to individual attendees.

Unique Features

Designed for maximum engagement. Each training course is a mix of theory, instructor-led demos, code walkthroughs, lab exercises, and quizzes.

Hands-on labs focus. With at least 50% of class time dedicated to hands-on labs, students get to apply everything they have learned.

Taught by practitioners. The same designated instructor delivers the entire Bootcamp, ensuring continuity and minimizing overlap.

Security-focused training. All training courses focus on security aspects. They have been created specifically for information security practitioners.

Effective use of time. Students don't spend valuable lab time installing and configuring tools; instead, they work on what is important.

Continuous testing. Each module is followed by a learning assessment test to ensure every student has grasped the key concepts.

Latest technology. All hands-on lab exercises are performed on the latest version of 64-bit Windows.

Regular refresh. Course content and hands-on labs are updated continuously to reflect changes in the Windows platform.

Learning Goals

Upon completion of the Bootcamp, students should be comfortable performing the following post-exploitation tasks programmatically using C/C++:

  • Reverse engineer Windows OS functions to understand how they work
  • Inject code into a remote process using multiple methods
  • Execute code in a remote process using multiple methods
  • Achieve persistence through various methods undetected by SysInternals AutoRuns
  • Detect the presence of a hostile environment (sandbox and analyst tools)
  • Bypass user-mode hooks and invoke native APIs
  • Enumerate networked systems and file shares
  • Exfiltrate data using a DNS tunneling mechanism
  • Beacon out and receive tasking orders from a C2 server
  • Remove forensics identifiers from PE files
  • Develop shellcode using C/C++ and nifty compiler and linker tricks
  • Escalate privileges through token manipulation and grafting
  • Exploit multiple kernel-mode code execution vectors
  • Manipulate directory contents using a file-system mini-filter
  • Hide registry keys using configuration manager (registry) callbacks
  • Subvert code flow using data-only hooking undetected by PatchGuard
  • Perform stealth keylogging using an IRP filter driver
  • Filter network traffic using WFP filter drivers
  • Erase memory artifacts for kernel modules (anti-forensics)

Prerequisites

Students are expected to have a computer science background.

Knowledge of C/C++ programming and a good understanding of concepts such as pointers, structures, unions, bit-fields, arrays, linked lists, etc.

Basic understanding of operating system constructs such as process, thread, virtual memory, file system, inter-process communication, and synchronization.

Student takeaways

Printed copies of all course handouts.

Certificate of completion for the Bootcamp signed by the instructor.

Tons of production quality source code that can be repurposed for CNO development.

Solutions to all hands-on lab exercises for post-course review.

Pre-training reading material to get students ready for the bootcamp.

Post-training reading material for learning continuity.

Content and Schedule

The course schedule for the 5-week program is below:

Week 1: Windows User Mode Internals

Most modern computer science curricula are built around studying the internals of the *Nix family of operating systems. Windows differs significantly from *Nix in many areas of functionality. To be effective at performing security-related programming tasks on Windows, it is critical for students to gain a sound understanding of how the Windows operating system works internally. This is the overarching goal of the first week of the Bootcamp. During this week, students learn about the behind-the-scenes functionality of Windows pertaining to user-mode applications and services. The hands-on lab exercises involve using SysInternals and other publicly available tools, PowerShell scripts, and WinDBG to dig deep into the aspects of the Windows operating system that are relevant to security. Other than writing a few PowerShell scripts, students do not perform any programming exercises during this week.

Week 2: Windows Kernel Mode Internals

Having built a strong foundation of the operating system that manages applications and services, the focus during the second week shifts to the kernel-mode side of things. During this week, students learn about the behind-the-scenes functionality of Windows pertaining to kernel-mode drivers. Students get a good understanding of the environment within which AV/EDR products and rootkits operate. The hands-on lab exercises involve using WinDBG to dig into the inner workings of the Windows kernel with an emphasis on security. This is performed on a live virtual machine as well as pre-captured system memory dumps. Other than simple automation with PowerShell scripts, students do not perform any programming exercises during this week.

Week 3: Windows Software Development

During this week, students apply their knowledge of Windows internals to code, build, test, and debug Windows 64-bit console applications and software drivers in C/C++. Students learn about the user- and kernel-mode code development environment and toolchain and how to use Win32 APIs, Native APIs, and WDM APIs. The foundational knowledge of Windows user- and kernel-mode programming gained during this week is essential to build user-mode malware and kernel-mode rootkits during the last two weeks of the Bootcamp. The hands-on lab exercises involve coding in C/C++ using Visual Studio 2022, Windows 11 SDK, and Windows 11 WDK and debugging using WinDBG. Programming exercises cover topics that are relevant from an offensive and defensive security perspective, as opposed to building GUI applications and hardware drivers.

Week 4: Windows User Mode Malware Development

During this week, students apply their knowledge of user-mode internals and programming to perform post-exploitation tasks on Windows in user mode. Students learn about techniques used in the different execution stages of PE file-based implants along with the forensic artifacts and noisiness of those techniques. The hands-on lab exercises involve coding in C/C++ to implement stages of user-mode malware that bypass some of the defenses built into the system. In addition, students use dynamic malware analysis tools such as Process Monitor, Process Explorer, SysMon, Autoruns, Event Logs, etc. to observe the run-time behavior of the malware they build.

Week 5: Windows Kernel Mode Rootkit Development

During this week, students apply their knowledge of kernel-mode internals and programming to perform post-exploitation tasks on Windows in kernel mode. Students learn how to abuse kernel APIs, leverage undocumented features to subvert the kernel, bypass some of the kernel security mitigations, exploit third-party kernel drivers, intercept various system-level activities, and minimize the forensic footprint of the kernel rootkits they develop. The hands-on lab exercises involve coding in C/C++ along with a sliver of x64 assembler to implement stages of kernel-mode rootkits. In addition, students use publicly available debugger extensions and anti-rootkit tools to understand the forensic footprint of these techniques.

Logistics

All courses are live instructor-led and available for online/virtual or onsite delivery.

Each course is about 40 hours of instruction and hands-on labs. The total instruction time for the Bootcamp is around 200 hours.

The entire Bootcamp is delivered over 5 weeks.

Courses can be delivered back to back or with a few weeks of gap in between, depending on the students' schedule, holidays, and instructor availability.

The daily schedule for deliveries is flexible. We will do what works best for the students.

We strongly recommend restricting the class size to 10 students so that each student can receive individual attention.

The same set of students must go through the entire program to maintain learning continuity.

Each student must complete a capstone project to receive the bootcamp completion certificate.

Students work on the capstone project on their own time after the completion of the bootcamp.

System Requirements

Each student must bring their own laptop capable of hardware-assisted virtualization.

VMware Player is used as the virtualization software. A pre-configured VM will be provided.

A licensed copy of Windows 11 64-bit Professional or Enterprise edition must be installed on each system.

All development courses require Visual Studio 2022, Windows 11 SDK, Windows 11 WDK, and WinDBG Preview.

All other software will be provided to students before the Bootcamp.