Become an expert in EDR evasion & shellcode loader development!
Modern Endpoint Detection and Response (EDR) systems are becoming increasingly sophisticated – but if you really understand their mechanisms, you can bypass them effectively. My workshop “Endpoint Security Insights: Shellcode Loaders & Evasion Fundamentals” provides exactly this knowledge: in a structured, hands-on way with in-depth debugging. Learn how to develop evasive shellcode loaders step by step and bypass EDR detections through in-depth understanding instead of blind trial and error.
Whether you are a red or blue teamer, this workshop is for all IT security professionals who want to develop a deeper understanding of how EDRs work in detail on Windows, how to build an evasive shellcode loader in Portable Executable (PE) format based on Windows APIs (Win32 APIs) step by step, and in particular how to comprehensively analyze and understand the techniques and processes implemented in the code through targeted debugging.
The course is designed so that about 25% of the time is spent on theoretical basics and 75% on practical lab exercises. Participants work with detailed workbooks to develop various shellcode loaders, solve code-based tasks, and debug their implementations in the respective loader. Debugging is a particular focus because it is a central component of the course and is crucial to gaining an in-depth understanding of the techniques and processes used in the respective shellcode loaders.
Basic programming and C knowledge, as well as basic knowledge of Windows internals, are advantageous but not mandatory: they are taught in preparatory chapters of the script, which participants can work through on their own after booking the course. The course material and the PoCs are structured so that each practical chapter is accompanied by one or more lab exercises based on ready-made Visual Studio projects.
This means that participants do not write C code from scratch; the focus is instead on understanding how the code implemented in the respective shellcode loader works, implementing missing code parts, and debugging the code. The main tools used in the workshop are Visual Studio 2022, x64dbg, Process Hacker and the specially developed shellcode encoding/encryption tool CodeFuscation, which plays a central role throughout the workshop.
Learn how to effectively bypass modern Endpoint Detection and Response (EDR) systems and develop evasive shellcode loaders – with in-depth debugging and hands-on practice.
================================================================================
Workshop Focus
When I started developing this course about a year and a half ago, my initial goal was to create a comprehensive four-day course covering all the important concepts of EDR evasion and malware development. However, after several months of work and having completed about 18 chapters, I realized that it is impossible to fit all this content into a single course – even extending it to five or six days would not have been enough. To solve this problem, I decided to split the material into two parts.
While developing and preparing the content for the course, I realized that topics related to operational security (OPSEC), such as indirect syscalls or unhooking, are not the ideal entry point for a basic understanding, and depending on the EDR (e.g. Elastic EDR and MDE) they may not even play a role. It is much more important to first understand central concepts of Windows internals such as memory management. The course Endpoint Security Insights: Shellcode Loaders & Evasion Fundamentals therefore does not focus primarily on OPSEC techniques, but rather teaches the essential basics in areas such as Windows internals, Windows APIs, encryption, shellcode placement, memory reservation and controlled execution of shellcode, in an understandable, practical and detailed way.
The main objective of the workshop is to provide participants with a solid foundation for developing evasive shellcode loaders. At the same time, this knowledge creates the basis for a better understanding of more advanced topics in malware development and OPSEC, and for implementing them in a targeted manner. This course does not cover advanced malware development topics and OPSEC-specific techniques such as user mode unhooking, direct and indirect syscalls, DLL sideloading, or other advanced evasion methods. During the entire course, we work exclusively with Windows APIs (Win32 APIs) and deliberately avoid direct or indirect syscalls.
Further advanced OPSEC-specific topics such as indirect syscalls, sideloading, hardware breakpoints etc. will be covered in a separate course titled “Endpoint Security Insights: Advanced Malware Evasion & OPSEC”, tentatively scheduled for 2026/27.
================================================================================
Why this course?
Unless you deal with EDR evasion and malware development on an almost daily basis, it has become increasingly difficult in recent years to write your own malware or shellcode loaders that can be used specifically to bypass modern EDR solutions such as Microsoft Defender for Endpoint (MDE), Elastic, CrowdStrike or SentinelOne in red team simulations.
EDR evasion has emerged as a distinct discipline and plays a crucial role in professional red team exercises, particularly when employing a shellcode loader to initiate access to a target network. Of course, there are commercial tools that make it easier to create such loaders, but these usually come with high annual license fees. In the long term, it makes much more sense to acquire the necessary knowledge yourself and understand how to develop an evasive shellcode loader in a structured and step-by-step manner – for example, in the C programming language.
While there are plenty of resources online for those who want to teach themselves EDR evasion, malware development, and debugging, they often lack depth of detail, background knowledge, and a structured approach. This is precisely where this course comes in: a hands-on, guided training course with high-quality materials that not only teaches the technical basics, but also provides an in-depth understanding of how Windows works and how modern security solutions work.
An important note: in the context of this workshop, “evasion” or “bypass” means that the developed shellcode loaders are neither actively detected nor blocked by prevention mechanisms of an EDR. This means that no direct alerts are triggered on the target system or in the web console of the respective EDR. However, this does not mean that no telemetry is generated by these activities – security-related events could still be used for behavioral analysis.
================================================================================
What Makes This Course Unique
This training stands out clearly from many other offerings in the field of EDR evasion and malware development. The focus is on a combination of solid theory, practical exercises, and exclusive tools that you will hardly find anywhere else. Thanks to the clear structure and the high proportion of hands-on labs, you will be guided step by step through complex topics and will be able to apply your knowledge directly.
✔️ Comprehensive script (1,060 pages, A4) with theory & detailed workbooks – digital (PDF) & printed as a book
✔️ Slide deck with over 460 slides – digital (PDF)
✔️ Practical PoCs with step-by-step implementation & debugging focus
✔️ Exclusive shellcode encoding tool “CodeFuscation” for obfuscation & encryption
✔️ Hands-on focus: 75% practical work with emphasis on shellcode loader development and debugging
✔️ 45 days of post-support via email or 1:1 Discord messages
ℹ️ Please note that the script printed as a hardcover book is only included in Option A (On-Site Training).
Unlike many other courses, participants not only receive slides for each chapter but also a comprehensive 1,060-page A4 script – both in digital and printed form. This includes all theoretical content as well as detailed instructions for the practical exercises. The course and script are designed so that participants never feel lost, but instead achieve continuous learning progress chapter by chapter.
If you have any questions about the course content, materials, or if you are unsure whether the course is right for you, feel free to contact me in advance at workshop@redops.at.
================================================================================
What you will learn
My main goal in developing this course was to provide high-quality, practice-oriented material that would enable participants to delve deeply into the subject matter and have an exceptional learning experience. The course not only imparts theoretical knowledge, but also places particular emphasis on practical skills, which are taught in a structured and comprehensible way. The ratio between theory and practice is deliberately chosen so that about 25% of the time is spent on basic concepts, while 75% is spent on lab exercises, where participants work step by step on various topics and implement them directly.
During the course, participants learn various concepts of EDR evasion, malware development and debugging. The first day starts with a solid theoretical foundation, but the focus is on getting into practice as quickly as possible. The starting point is a classic Win32 shellcode loader, which in its original form is of course not suitable for EDR evasion. But it is precisely this starting point that is crucial: we analyze its weaknesses in detail, understand the reasons for its detectability, and systematically proceed to eliminate these weaknesses. Chapter by chapter, we develop different variants of evasive shellcode loaders that are based on Win32 APIs and implemented as Portable Executables (PE).
Each chapter guides participants through the entire process – from design to implementation to debugging their own shellcode loader. The focus on debugging is essential, as it provides a deep understanding of the mechanisms behind shellcode loaders and the central concepts necessary for their development.
During the whole course, we work with the Meterpreter framework, as we cannot provide access to commercial frameworks such as Cobalt Strike, Brute Ratel or Nighthawk. Nevertheless, participants will find that even with simple Meterpreter shellcode, well-known EDR solutions such as Microsoft Defender for Endpoint (MDE, formerly MS-ATP) can be bypassed to a certain extent. From this, it can be deduced that a suitably developed loader in combination with evasive shellcode (e.g. from Brute Ratel) can be even more effective and successful.
🚀 This course focuses on self-injection shellcode loaders and NOT on remote process injection techniques.
✔️ How modern EDRs work on Windows: understanding and deliberately bypassing detection mechanisms
✔️ Step-by-step development of a shellcode loader using Win32 APIs
✔️ Windows internals: architecture, processes, threads, APIs, system calls & memory management
✔️ From classic loader to evasive loader – identifying and fixing weaknesses
✔️ Placement of shellcode inside or outside of PE files
✔️ Shellcode obfuscation through encoding & encryption – differences and implementation
✔️ Virtual memory in Windows: understanding and applying heap and virtual memory APIs
✔️ Module & function stomping – concepts, differences, advantages, and techniques for module mapping
✔️ Alternatives to memcpy: specifics of ReadProcessMemory and other APIs
✔️ EDR evasion during execution: threads, asynchronous calls, callbacks, thread pools, fibers
✔️ …and much more
================================================================================
Workshop Syllabus
The syllabus for the four-day in-person workshop is outlined below. It contains the main topics of the individual course days as well as the PRE-Chapters, which participants can use to familiarize themselves with the material in advance. This gives them the opportunity to prepare for the course in a targeted way, but preparation is not a requirement for the course. The complete course material will be provided approximately 5-7 days before the start of the workshop.
As mentioned at the beginning, the course is designed so that approximately 25% of the time is spent on theoretical foundations and 75% on practical lab exercises.
Participants will work with detailed workbooks to develop various shellcode loaders, solve code-based tasks, and debug their implementations in the respective loader. Debugging is a particular focus of the course as it is a central component and crucial to gaining an in-depth understanding of the techniques and processes used in the respective shellcode loaders.
PRE-Workshop
It's not required, but if you'd like to prepare a bit for the workshop, I recommend reading parts of Windows Internals, 7th Edition - Part 1. For example, it's helpful to familiarize yourself with topics such as system architecture, processes, threads, and memory management. However, we'll also cover these areas during the workshop, so prior reading is entirely optional.
Regarding the coding aspect, participants won't be writing code from scratch, but will be solving various tasks by filling in missing pieces of code, such as variables or small pieces of logic. However, since the workshop won't cover the basics of C programming, I suggest that you do some preparation on your own. A good place to start is the freely available SANS course An Intro to C for Windows Devs. There's also a helpful YouTube video that introduces Windows API programming in the context of malware development.
Day 1: Fundamentals
- Introduction & Course Overview
- Windows Internals Basics
- EDR: A Primer
- Staged vs. Stageless Shellcode
- A Base Classic Loader
- Shellcode Positioned in PE
- Summary and Q&A for day 1
Day 2: Memory Manipulation & Shellcode Enc/Dec
- Memory Protection
- Shellcode Encoding
- Shellcode Encryption
- Shellcode Positioned on Webserver
- Summary and Q&A for day 2
Day 3: Advanced Memory Techniques
- Heap Memory
- Mapped Memory
- Module Stomping
- Function Stomping
- Summary and Q&A for day 3
Day 4: Shellcode Execution Techniques & Fine Tuning
- MemCopy Alternatives
- Asynchronous Procedure Calls
- Callback Functions
- Thread Pools
- PE Loader Fine Tuning
- Summary and Q&A for day 4
Bonus Material (Homework)
- Import Address Table Hiding
- API-Hashing
- Fibers
This is, of course, only a small excerpt from the agenda and the timetable. If you need more details about the workshop schedule, you are welcome to view and download the PDF document provided below.
If you have any questions about the content and focus of the workshop or are unsure whether the training is suitable for you, please feel free to contact me at workshop@redops.at.
================================================================================
What this course is not
Of course, successfully completing this course and having a solid understanding of the topics covered are no guarantee that you will be able to bypass all EDRs in the world afterwards – even if some people on social media like to give the impression that it's that easy 😉. Based on my many years of experience as a commercial EDR tester, I believe that each EDR is different and has its own strengths and weaknesses. This means that a shellcode loader that is successful against MDE, for example, does not necessarily work against Elastic or other EDRs (even if they supposedly make a worse impression than the tested EDR). Ultimately, you should leave nothing to chance in a professional Red Team simulation and strategically test as many scenarios as possible.
To summarize, this course does not offer a “silver bullet” for developing shellcode loaders or completely bypassing all EDR systems, but it does cover important basics, concepts, alternatives, etc. Even after completing the course, applying the course material in practice requires constant practice in your own lab. You need to experiment, try different approaches, and take the time to develop a good understanding of EDRs and evasion.
I can't give you direct access to EDRs, but in the workshop I'll be happy to show you how to set up your own EDR test environment.
================================================================================
Who is this course for?
Regardless of whether you work as a red or blue teamer, this workshop is aimed at all IT security experts who want to develop a deeper understanding of how EDRs work in detail on Windows and how they can be bypassed using shellcode loaders. The goal is to develop an evasive shellcode loader in Portable Executable (PE) format step by step – based on Windows APIs (Win32 APIs) – and to comprehensively analyze and understand the techniques and processes implemented in the code through targeted debugging.
The Endpoint Security Insights: Shellcode Loaders & Evasion Fundamentals workshop is suitable for both beginners and slightly advanced IT security experts in this field. The course material, consisting of detailed slides and a comprehensive script, is designed so that beginners can understand and successfully complete all tasks. At the same time, there are additional lab tasks for advanced learners so that they are challenged as well.
If you have any questions about the difficulty level of the workshop or are unsure whether the training is suitable for you, please feel free to contact me at workshop@redops.at.
================================================================================
I look forward to your participation and to an exciting and instructive training session! If you have any general questions about course material, content, labs, organization, etc., if you are unsure whether the training is right for you, or if you just want to register for the workshop, feel free to contact me at workshop@redops.at. I'll be happy to help!
Daniel Feichter (VirtualAllocEx)
Frequently asked questions (FAQs)
Is it possible to participate in the course or purchase the course materials without signing an NDA?
No. A previously signed non-disclosure agreement (NDA) is required to participate in the course and purchase the materials. Among other things, it protects scripts, slides, PoCs, and lab setups, as well as the companies involved. No access without an NDA—no exceptions are made.
Do I receive course materials such as slides and handouts?
When you register for the course, you will receive a watermarked PDF copy of the course materials. This PDF file, which is labeled with your full name and business email address, will be sent to you electronically before the course begins. Disclosure to third parties is strictly prohibited and will result in exclusion from future courses.
Can I contact you before the start date so that I can prepare myself optimally?
Yes, of course. Participants will receive the comprehensive script about five to seven days before the start of the course, which includes a separate preparation chapter on important basics in the area of Windows Internals and an introduction to the C programming language. Those who want to prepare themselves further can study Windows Internals, 7th Edition, Part 1 and work through the chapters on system architecture, processes, threads and memory management. However, this preparation is not absolutely necessary, as all the relevant basics are covered in detail in the training.
If you have any questions or concerns, please feel free to contact workshop@redops.at at any time. To speed up the process, please include “Training Preparation” in the subject line of your email. However, no extensive preparation is necessary – the training itself offers enough room to thoroughly work through all essential concepts.
What do I need for the course?
- Your own notebook with an Ethernet connection
- Microsoft Remote Desktop Client (for access to LAB)
- Ideally, administrator rights on your own notebook (just in case)
- Microsoft Azure account with an active subscription
- GitHub account
How do I get access to the LABs associated with this course?
The LAB is accessed via RDP (TCP port 3389) using the Microsoft Remote Desktop Client over any unrestricted internet connection.
Are the labs accessible online even after the course has ended?
Please note that the labs are only available for the duration of the course. After the course has ended, the labs will be deactivated. However, you will of course receive all workshop PoCs and can continue to use them in your own LAB at your company or at home.
Can I use my preferred Command and Control (C2) framework for the lab exercises?
In the officially provided LAB environment, only the free version of the Metasploit framework is used. The provided shellcode loader PoCs are generally designed to work with different C2 frameworks, and you are welcome to use your preferred C2 framework outside the official LAB environment. However, please note that I may not be familiar with your chosen C2 framework and will not be able to provide you with full support during the exercises.
Do course participants receive a certificate at the end of the course?
All participants of the on-site course who complete the four-day program in full will receive a certificate/badge in both printed and digital form as official confirmation of their successful participation. Each certificate is issued with a unique ID for every participant and can be verified online using either the ID or the QR code.
Is there a minimum number of participants for the course to take place?
Yes, we reserve the right to cancel the course if there are too few participants. In this case, we will inform you at least one month before the scheduled course date and offer you either a full refund or a place on a later course.