top of page

Malware Training

Workshop Abstract

Come join White Knight Labs as they teach customized courses on malware development!

Topics that will be covered are: AMSI/ETW bypass, writing shellcode, writing BOFS, malleable C2 profile, various process injection techniques, hiding strings and imports, and more.

Block 1 – Intro to AV Evasion - 9:00 AM - 11:00 AM

  • hiding malicious strings

  • hiding malicious imports in the IAT

  • pros/cons of encryption/encoding shellcode

Block 2 – PE/COFF Primer - 11:00 AM - 1:00 PM

  • sections and purposes of the PE file format

  • storing shellcode in different sections

  • using and writing BOFs

Block 3 – Process Injection and Loaders - 2:00 PM - 4:00 PM

  • vanilla local and remote process injection

  • kernel callback for shellcode execution

  • Dirty Vanity and MockingJay

Block 4 – Writing Shellcode by Hand - 4:00 PM - 6:00 PM

  • intro to Assembly and memory registers

  • using nasm

  • assembly obfuscation


  • Participants should have basic knowledge of the following: AV/EDR, C/C# programming, C2 basics, Windows APIs

  • Participants need to bring the following: laptop /w 16GB RAM minimum and 1 x external monitor is recommended

  • The following software should be installed: IDA community, nasm, WSL2, VS Code

  • This is deeply technical hands-on training, get a night’s sleep and drink coffee. All the coffee.

Date & Time

September 8, 2023  |  9:00 AM - 6:00 PM | All 4 Blocks will be taught throughout the day, in 2-hour intervals



Jefferson Community and Technical College (JCTC) - 110 W Chestnut St, Louisville, KY 40202

Your Instructors

Greg Hatcher

Greg’s time in Army Special Forces and teaching at the NSA gives him a unique background for conducting full-scope offensive cyber operations. Greg has also led a traveling CISA red team that simulated attacks on America’s infrastructure. He has led over 100 penetration tests that include network, cloud, mobile, web app, API technologies – but his heart belongs to the cloud Windows malware development. He has authored and taught courses at DerbyCon, Wild West Hackin’ Fest, Calvin University, Antisyphon, and the HackDown Summit.

Greg holds the following certifications: GIAC Certified Penetration Tester (GPEN),GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), GIAC Web Application Penetration Tester (GWAPT), and Certified Red Team Professional (CRTP), and 10-ish more. Greg lives in rural Michigan with his family. He is a weightlifter with an ultra-running problem.

  • LinkedIn

John Stigerwalt

During the last 10 years, John has worked in the following roles: blue team lead, developer, and senior penetration tester. John has led multiple red teams over the years, including filling the role of red team for F-Secure for the western hemisphere. Focused mostly on exploit development and offensive cyber operations, he has: led red team engagements in highly complex Fortune 500 companies, worked hand-in-hand with Microsoft to increase kernel security for the Windows 10 operating system, and is very proficient at surreptitious entry and alarm/lock bypass during physical penetration tests. He has authored and taught several courses at BlackHat, DerbyCon, Wild West Hackin’ Fest, Antisyphon, and the HackDown Summit.

John holds the following certificates: Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), Certified Red Team Expert (CRTE), and SLAE64. John lives on a maple syrup farm in rural Pennsylvania with his family. He was recently bullied by his business partner to get back into running and now is completely addicted to it.

bottom of page