Windows Malware Techniques (WINMAL)

Instructed by T. Roy

User-mode malware on Windows is ubiquitous, and custom user-mode implants are used regularly in red-team engagements. Knowledge of the latest malware techniques helps red teamers improve their custom tooling, malware analysts take apart malware, and anti-malware solution developers design behavioral solutions to detect malicious activity.

The common theme amongst all Windows malware and implants is that they abuse the facilities provided by the Windows platform to achieve their objectives. Knowledge of the rich set of Windows APIs, understanding their usage in various stages of an implant, and leveraging them to detect and bypass various defenses in the system is essential for red and blue teamers.

Classes are limited. Get registered!

This training course takes attendees through a practical journey with a hands-on approach to teach them about the post-exploitation techniques used by PE file-based implants at every stage of their execution.

Beneficial to both the offensive and the defensive side of the camp, the knowledge and hands-on experience gained in this training will help attendees with real-world red teaming engagements and in defending against both custom advanced persistent threat (APT) tooling and commercial off-the-shelf (COTS) malware. Attendees will learn how malware and implants interact with the latest version of Windows and how the different stages of malware abuse and exploit various components of the Windows OS to achieve their goals and evade defenses.

Hands-on Labs

In the hands-on labs, attendees implement various post-exploitation techniques used by PE file-based user-mode implants using Win32 and Native APIs in C and x64 assembly. All labs are performed on the latest version of Windows 10 64-bit so attendees can observe the impact of the latest defenses built into the system and learn how to evade them.

Learning Objectives

  • Build custom tooling for offensive operations.
  • Build position independent shellcode using C/C++.
  • Perform basic tasks required by user-mode implants.
  • Inject and execute shellcode and DLLs in privileged processes.
  • Perform code flow subversion through hooking and subvert anti-malware hooks.
  • Beacon out and receive tasking from a C2 infrastructure.
  • Exfiltrate data using protocol tunneling.
  • Implement persistence and auto-execution to survive system reboots.
  • Detect and evade various defensive mechanisms in the system.


  • Shellcoding
  • System Interfaces
  • Code Injection
  • Hooking
  • Persistence
  • Communications
  • Self-Defense



Live-Online & In-Person


Sept/Oct 2024 (Live-Online)


5 days


Security researchers, malware analysts, red-teamers, blue-teamers and security software developers



Attendees must have a solid understanding of Windows internals and familiarity with user-mode development on Windows using Win32 APIs. This is a developer-oriented course and attendees are expected to have prior experience with C/C++ programming on Windows 10.

Why choose the Center for Cyber Security Training

Interactive, classroom-based learning

Subject matter experts

Trusted by US government agencies


T. Roy, an author, instructor, and consultant, is the founder of CodeMachine. He has more than 20 years of experience in information security and has been involved with Windows internals, development, debugging and security since the inception of Windows NT in 1992. He has been involved in the development of some of the leading endpoint security solutions such as intrusion prevention, network firewalls, behavioral anti-malware, document security and data leak prevention systems. He has taught all over the world and has received many instructor recognition awards.

I really enjoyed the course! It was interesting to see a different perspective on penetration testing and ways of progressing from recon to initial access to escalating privilege and lateral movement.

- Robert L., Washington, DC

Upcoming Training Sessions

Sept/Oct 2024 (Live-Online)

Related Courses

Our classroom delivers the most in-demand content from the highest profile subject matter experts. Intense and interactive, our courses prepare students with actionable insight and proven strategies.

Windows Internal Architecture

Whether you analyze malware, perform security research, conduct forensic investigations, engage in adversary simulation or prevent it, or build security solutions for Windows, understanding how Windows works internally is critical to being effective at your task.


Exploit Development Bootcamp & Advanced

Our three-day Bootcamp will teach both basic & advanced techniques from a leading exploit developer. In our Advanced course, experienced students will learn how to write exploits that bypass modern memory protections for the Win32 platform in a fast-paced, interactive learning environment.
