
Workshop - Endpoint Security Insights: Shellcode Loaders & Evasion Fundamentals

I am pleased to present my workshop "Endpoint Security Insights: Shellcode Loaders & Evasion Fundamentals", which provides a structured introduction to EDR evasion, malware development in C, and debugging.

Become an expert in EDR evasion & shellcode loader development!

Modern Endpoint Detection and Response (EDR) systems are becoming increasingly sophisticated – but if you really understand their mechanisms, you can bypass them effectively. My workshop “Endpoint Security Insights: Shellcode Loaders & Evasion Fundamentals” provides exactly this knowledge: in a structured, hands-on way with in-depth debugging. Learn how to develop evasive shellcode loaders step by step and bypass EDR detections through in-depth understanding instead of blind trial and error.

Whether you are a red or blue teamer, this workshop is for all IT security professionals who want to develop a deeper understanding of how EDRs work in detail on Windows, how to build an evasive shellcode loader in Portable Executable (PE) format based on Windows APIs (Win32 APIs) step by step, and in particular how to comprehensively analyze and understand the techniques and processes implemented in the code through targeted debugging.

The course is designed so that about 25% of the time is spent on theoretical basics and 75% on practical lab exercises. Participants work with detailed workbooks to develop various shellcode loaders, solve code-based tasks, and debug their implementations in the respective loader. Debugging is a particular focus because it is a central component of the course and is crucial to gaining an in-depth understanding of the techniques and processes used in the respective shellcode loaders.

Basic programming and C knowledge as well as basic knowledge of Windows internals are advantageous but not mandatory: they are taught in preparatory chapters of the script, which participants can work through on their own after booking the course. The course material and the POCs are structured in such a way that each practical chapter is accompanied by one or more lab exercises based on ready-made Visual Studio projects.

This means that course participants do not write code in C from scratch, but rather the focus is on understanding how the code implemented in the respective shellcode loader works, implementing missing code parts and debugging the code. The main tools used in the workshop are Visual Studio 2022, x64dbg, Process Hacker and the specially developed shellcode encoding/encryption tool CodeFuscation, which also plays a central role throughout the workshop.

Learn how to effectively bypass modern Endpoint Detection and Response (EDR) systems and develop evasive shellcode loaders – with in-depth debugging and hands-on practice.

🎯 Format: 4-day in-person training (max. 9 participants)

📍 Location: Austria/Innsbruck - Hotel Innsbruck

📅 Date: 23.09-26.09.2025

💯 Benefits: Slides, script 1200 pages A4, POCs, tools, lab, certificate of participation etc.

💰 Participation fee: 3799€ (excl. VAT)

🚀 Secure your place now! Register at workshop@redops.at

Included services

The registration fee includes full access to all course materials, including slides and an extensive script of approximately 1200 A4 pages, which contains both the entire theory and the workbooks for the lab exercises. In addition, all participants will have access to all Visual Studio Proof of Concepts (POCs), the specially developed shellcode obfuscation tool CodeFuscation, and a personalized lab setup, but will not have access to commercial EDRs or commercial C&C frameworks.

A certificate of successful participation will be issued at the end of the course. The participation fee includes coffee, snacks and lunch on all four days of the course at the Hotel Innsbruck, located on the edge of the old town of Innsbruck.

Services not included

The course fee does not include accommodation costs. However, course participants have the option of booking a room directly at the Hotel Innsbruck or, alternatively, at the Hotel Congress Innsbruck, which is a little further out of the city center.

The course language depends on the participants:

  • If all participants are German-speaking, the course will be held in German.
  • If the audience is international, the course will be held in English.

Regardless of the course language, the course material is currently only available in English.

If you have any questions about the scope, organization, venue, etc., or if you are not yet sure whether the training is right for you, please feel free to contact me in advance at workshop@redops.at. I'll be happy to help!

================================================================================

================================================================================

Workshop Focus

When I started developing this course about a year and a half ago, my initial goal was to create a comprehensive four-day course covering all the important concepts of EDR evasion and malware development. However, after several months of work and having completed about 18 chapters, I realized that it is impossible to fit all this content into a single course – even extending it to five or six days would not have been enough. To solve this problem, I decided to split the material into two parts.

While developing and preparing the content for the course, I realized that topics related to operational security (OPSEC), such as indirect syscalls or unhooking, are not the ideal entry point for a basic understanding, or they don't even play a role depending on the EDR (e.g. in the case of Elastic EDR and MDE). It is much more important to first understand central concepts of Windows internals such as memory management. The course Endpoint Security Insights: Shellcode Loaders & Evasion Fundamentals therefore does not focus primarily on OPSEC techniques, but rather teaches the essential basics in areas such as Windows internals, Windows APIs, encryption, shellcode placement, memory reservation and controlled execution of shellcode - in an understandable, practical and detailed way.

The main objective of the workshop is to provide participants with a solid foundation for developing evasive shellcode loaders. At the same time, this knowledge creates the basis for a better understanding of more advanced topics in malware development and OPSEC, and for implementing them in a targeted manner. This course does not cover advanced malware development topics and OPSEC-specific techniques such as user mode unhooking, direct and indirect syscalls, DLL sideloading, or other advanced evasion methods. During the entire course, we work exclusively with Windows APIs (Win32 APIs) and deliberately avoid direct or indirect syscalls.

Further advanced OPSEC-specific topics such as indirect syscalls, sideloading, hardware breakpoints etc. will be covered in a separate course titled “Endpoint Security Insights: Advanced Malware Evasion & OPSEC”, tentatively scheduled for 2026/27.

================================================================================

================================================================================

Why this course?

Unless you deal with EDR evasion and malware development on an almost daily basis, it has become increasingly difficult in recent years to write your own malware or shellcode loaders that can be used specifically to bypass modern EDR solutions such as Microsoft Defender for Endpoint (MDE), Elastic, CrowdStrike or SentinelOne in red team simulations.

EDR evasion has emerged as a distinct discipline and plays a crucial role in professional red team exercises, particularly when employing a shellcode loader to initiate access to a target network. Of course, there are commercial tools that make it easier to create such loaders, but these usually come with high annual license fees. In the long term, it makes much more sense to acquire the necessary knowledge yourself and understand how to develop an evasive shellcode loader in a structured and step-by-step manner – for example, in the C programming language.

While there are plenty of resources online for those who want to teach themselves EDR evasion, malware development, and debugging, they often lack depth of detail, background knowledge, and a structured approach. This is precisely where this course comes in: a hands-on, guided training course with high-quality materials that not only teaches the technical basics, but also provides an in-depth understanding of how Windows works and how modern security solutions work.

An important note: in the context of this workshop, “evasion” or “bypass” means that the developed shellcode loaders are neither actively detected nor blocked by prevention mechanisms of an EDR. This means that no direct alerts are triggered on the target system or in the web console of the respective EDR. However, this does not mean that no telemetry is generated by these activities – security-related events could still be used for behavioral analysis.

What makes this course unique

✔️ 1200-page A4 script with theory & detailed workbooks
✔️ Practical POCs with step-by-step implementation & debugging focus
✔️ Your own shellcode encoding tool “CodeFuscation” for obfuscation & encryption
✔️ Discord access for ongoing post-course support & networking (6 months)
✔️ Live classroom training with a maximum of 9 participants for optimal support
✔️ Practical focus: 75% hands-on labs with a focus on shellcode loader development and debugging
✔️ Lab: Individual lab setup for each participant
✔️ Experienced instructor with multiple years of practical experience in EDR evasion and malware development 

In contrast to many other courses, participants not only receive slides for each chapter, but also a comprehensive, 1200-page A4 script - in both digital and printed form. This contains all the theoretical content as well as detailed instructions for the practical work. The course and the script are structured in such a way that participants never feel lost and achieve continuous learning success from chapter to chapter.

If you have any questions about the course content, materials, etc., or if you are unsure whether the course is right for you, please feel free to contact me in advance at workshop@redops.at.

================================================================================

================================================================================

What you will learn

My main goal in developing this course was to provide high-quality, practice-oriented material that would enable participants to delve deeply into the subject matter and have an exceptional learning experience. The course not only imparts theoretical knowledge, but also places particular emphasis on practical skills, which are taught in a structured and comprehensible way. The ratio between theory and practice is deliberately chosen so that about 25% of the time is spent on basic concepts, while 75% is spent on lab exercises, where participants work step by step on various topics and implement them directly.

During the course, participants learn various concepts of EDR evasion, malware development and debugging. The first day starts with a solid theoretical foundation, but the focus is on getting into practice as quickly as possible. The starting point is a classic Win32 shellcode loader, which in its original form is of course not suitable for EDR evasion. But it is precisely this starting point that is crucial: we analyze its vulnerabilities in detail, understand the reasons for its detectability, and systematically proceed to eliminate these vulnerabilities. Chapter by chapter, we develop different variants of evasive shellcode loaders that are based on Win32 APIs and implemented as Portable Executable (PE).

Each chapter guides participants through the entire process – from design to implementation to debugging their own shellcode loader. The focus on debugging is essential, as it provides a deep understanding of the mechanisms behind shellcode loaders and the central concepts necessary for their development.

During the whole course, we work with the Meterpreter framework, as we cannot provide access to commercial frameworks such as Cobalt Strike, Brute Ratel or Nighthawk. Nevertheless, participants will find that even with simple Meterpreter shellcode, well-known EDR solutions such as Microsoft Defender for Endpoint (MDE, formerly MS-ATP) can be bypassed to a certain extent. From this, it can be deduced that a suitably developed loader in combination with evasive shellcode - e.g. from Brute Ratel - can be even more effective and successful.

🚀 This course focuses on self-injection shellcode loaders and NOT on remote process injection techniques.

✔️ How EDRs work in detail on Windows: What mechanisms are used to detect malware, and how can they be specifically bypassed?

✔️ How to develop an evasive shellcode loader step by step based on the Windows APIs (Win32 APIs).

✔️ Basics of Windows internals in the areas of system architecture, processes, threads, Windows APIs, native APIs, system calls, and memory management.

✔️ The vulnerabilities of a classic Win32 loader (Classic Loader) and how it can be gradually developed into an evasive loader.

✔️ The possibilities for placing shellcode both inside and outside a PE file.

✔️ Methods for obfuscating shellcode – whether by encryption or encoding. What are the differences between encoding and encryption? How can different obfuscation methods be integrated into a loader?

✔️ How virtual memory works on Windows: What is private committed memory? How can heap memory allocation be implemented in a loader? What is the difference between virtual APIs and heap APIs?

✔️ What is module or function stomping? What are the differences? What advantages does stomping offer from an EDR evasion perspective? What are the methods for loading a module (DLL) into the address space of a process under Windows? What does module mapping mean? etc.

✔️ What alternatives exist to copying shellcode compared to the classic memcpy function? What are the special features of the Windows API ReadProcessMemory, and what advantages does it offer?

✔️ How to prevent detection by EDRs when shellcode is executed by a new thread. How do asynchronous procedure calls work in detail? How can callback functions be used to execute shellcode? How do thread pools work? What advantages do fibers and user-mode scheduled threads offer for shellcode execution?

✔️ And much more.

================================================================================

================================================================================

Workshop Syllabus

The syllabus for the four-day in-person workshop is outlined below. It contains the main topics of the individual course days as well as the PRE-Chapters, which participants can use to familiarize themselves with the basics in advance. This gives them the opportunity to prepare for the course in a targeted way, but preparation is not a requirement for the course. The complete course material will be provided approximately 5-7 days before the start of the workshop.

As mentioned at the beginning, the course is designed so that approximately 25% of the time is spent on theoretical foundations and 75% on practical lab exercises.

Participants will work with detailed workbooks to develop various shellcode loaders, solve code-based tasks, and debug their implementations in the respective loader. Debugging is a particular focus of the course as it is a central component and crucial to gaining an in-depth understanding of the techniques and processes used in the respective shellcode loaders.

PRE-Workshop

  • Windows Internals Basics
  • Introduction to C

Day 1:

  • Introduction & Course Overview
  • Windows Internals Basics
  • EDR a Primer
  • Staged vs. Stageless Shellcode
  • A base Classic Loader
  • Shellcode Positioned in PE
  • Summary and Q&A for day 1

Day 2:

  • Memory Protection
  • Shellcode Encoding
  • Shellcode Encryption
  • Shellcode Positioned on Webserver
  • Summary and Q&A for day 2

Day 3:

  • Heap Memory
  • Mapped Memory
  • Module Stomping
  • Function Stomping
  • Summary and Q&A for day 3

Day 4:

  • MemCopy Alternatives
  • Asynchronous Procedure Calls
  • Callback Functions
  • Thread Pools 
  • PE Loader Fine Tuning
  • Summary and Q&A for day 4

Bonus Material Homework:

  • Fibers
  • User-Mode Scheduling Threads
  • Drip Allocation

This is, of course, only a small excerpt from the agenda and the timetable. If you need more details about the workshop schedule, you are welcome to view and download the PDF document provided below.

If you have any questions about the content and focus of the workshop or are unsure whether the training is suitable for you, please feel free to contact me at workshop@redops.at.

================================================================================

================================================================================

What this course is not

Of course, successfully completing this course and having a solid understanding of the topics covered are no guarantee that you will be able to bypass all EDRs in the world afterwards – even if some people on social media like to give the impression that it's that easy 😉. Based on my many years of experience as a commercial EDR tester, I believe that each EDR is different and has its own strengths and weaknesses. This means that a shellcode loader that is successful against MDE, for example, does not necessarily have to work against Elastic or other EDRs (even if they supposedly make a worse impression than the tested EDR). Ultimately, you should leave nothing to chance in a professional Red Team simulation and strategically test as many scenarios as possible.

To summarize, this course does not offer a “silver bullet” for developing shellcode loaders or completely bypassing all EDR systems, but it does cover important basics, concepts, alternatives, etc. Even after completing the course, applying the course material in practice requires constant practice in your own lab. You need to experiment, try different approaches, and take the time to develop a good understanding of EDRs and evasion.

I can't give you direct access to EDRs, but in the workshop I'll be happy to show you how to set up your own EDR test environment.

================================================================================

================================================================================

Who is this course for?

Regardless of whether you work as a red or blue teamer, this workshop is aimed at all IT security experts who want to develop a deeper understanding of how EDRs work in detail on Windows and how they can be bypassed using shellcode loaders. The goal is to develop an evasive shellcode loader in Portable Executable (PE) format step by step – based on Windows APIs (Win32 APIs) – and to comprehensively analyze and understand the techniques and processes implemented in the code through targeted debugging.

The Endpoint Security Insights: Shellcode Loaders & Evasion Fundamentals workshop is suitable for both beginners and slightly advanced IT security experts in this field. The course material, consisting of detailed slides and a comprehensive script, is designed so that beginners can understand and successfully complete all tasks. At the same time, there are additional lab tasks for advanced learners so that they too are challenged and not underchallenged.

If you have any questions about the difficulty level of the workshop or are unsure whether the training is suitable for you, please feel free to contact me at workshop@redops.at.

================================================================================

================================================================================

Training format & requirements

As already mentioned, the training format is a four-day face-to-face workshop with a small group of up to nine participants. Each participant needs their own laptop to log into the Azure Lab environment via RDP.

Registration is only open to employees or self-employed people in the field of IT security or related fields with a business email address. To participate, you must be employed by a company in the field of IT security or related fields or be a founder of your own company in the field of IT security.

Registrations with private email addresses such as Gmail or ProtonMail will not be accepted and will not be answered.

Since the workshop covers very sensitive topics in the area of ethical hacking, RedOps GmbH generally reserves the right to reject registrations if there are reasonable doubts about the seriousness of the company. If you have any questions about the training format, content, lab, etc., or if you are unsure whether the training is right for you, please feel free to contact me at workshop@redops.at.

================================================================================

================================================================================

Price & Booking

Expand your knowledge of endpoint security evasion, shellcode loader development and debugging in a hands-on, structured training course. Secure your place now on the Endpoint Security Insights: Shellcode Loaders & Evasion Fundamentals course and deepen your skills through targeted theory and hands-on labs.

🎯 Format: 4-day in-person training

🎓 Participants: Max. 9 participants – limited places!

📍 Location: Austria/Innsbruck - Hotel Innsbruck

📅 Date: 23.09-26.09.2025

💯 Benefits: Slides, script 1200 pages A4, POCs, tools, lab, certificate of participation etc.

💰 Participation fee: 3799€ (excl. VAT)

📩 Book now by emailing workshop@redops.at

I look forward to your participation and to an exciting and instructive training session! If you have any general questions about course material, content, labs, organization, etc., if you are unsure whether the training is right for you, or if you just want to register for the workshop, feel free to contact me at workshop@redops.at. I'll be happy to help!

Daniel Feichter (VirtualAllocEx)

Frequently asked questions (FAQs)

Do I receive course materials such as slides and handouts?

When you register for the course, you will receive a watermarked PDF copy of the course materials. This PDF file, which is labeled with your full name and business email address, will be sent to you electronically before the course begins. Disclosure to third parties is strictly prohibited and will result in exclusion from future courses.


Can I contact you before the start date so that I can prepare myself optimally?

Yes, of course. Participants will receive the comprehensive script about five to seven days before the start of the course, which includes a separate preparation chapter on important basics in the area of Windows Internals and an introduction to the C programming language. Those who want to prepare themselves further can study Windows Internals, 7th Edition, Part 1 and work through the chapters on system architecture, processes, threads and memory management. However, this preparation is not absolutely necessary, as all the relevant basics are covered in detail in the training.

If you have any questions or concerns, please feel free to contact workshop@redops.at at any time. To speed up the process, please include “Training Preparation” in the subject line of your email. However, no extensive preparation is necessary – the training itself offers enough room to thoroughly work through all essential concepts.


What software do I need for the course?

  • Your own notebook with an Ethernet connection
  • Microsoft Remote Desktop Client (for access to LAB)
  • Ideally, administrator rights on your own notebook (just in case)
  • Discord account for ongoing post-course support & networking (6 months)
  • Microsoft Azure account with an active subscription
  • GitHub account



How do I get access to the LABs associated with this course?

The LAB is accessed via RDP (port 3389) using the Microsoft Remote Desktop Client over any unrestricted internet connection.


Are the labs accessible online even after the course has ended?

Please note that the labs are only available for the duration of the course. After the course has ended, the labs will be deactivated. However, you will of course receive all workshop POCs and can continue to use them in your own LAB at your company or at home.


Can I use my preferred Command and Control (C2) framework for the lab exercises?

In the officially provided LAB environment, only the free version of the Metasploit framework is used. The provided shellcode loader POCs are generally designed to work with different C2 frameworks, and you are welcome to use your preferred C2 framework outside the official LAB environment. However, please note that I may not be familiar with your chosen C2 framework and will not be able to provide you with full support during the exercises.


Do course participants receive a certificate at the end of the course?

All course participants who have completed the course will receive a certificate in print form as confirmation of participation.



Is there a minimum number of participants for the course to take place?

Yes, we reserve the right to cancel the course if there are too few participants. In this case, we will inform you at least one month before the scheduled course date and offer you either a full refund or a place on a later course.

Last updated 22.02.25 10:18:15
Daniel Feichter