// OFFENSIVE SECURITY TRAINING // SYDNEY, AUSTRALIA //

OFFENSIVE SECURITY
TRAINING FOR THE
MODERN THREAT
LANDSCAPE

The course that teaches coders to think like attackers — and attackers to code like engineers. No hand-holding. No toy examples. Real tradecraft, first principles, working tools.

22DIV> enumerate_target --self
[*] Track selected: auto-detect...
[*] Prior coding XP: checking...
[+] TRACK_A: Coder → Attacker
[+] TRACK_B: Attacker → Coder
[!] Select your entry point ↓
// KILL CHAIN — 23 MODULES — FULL COVERAGE
Recon & OSINT
Binary Exploitation
Windows Internals
Privilege Escalation
Fuzzing & Vuln Research
Reverse Engineering
Process Injection
AV/EDR Evasion
Persistence
C2 Framework (C)
Covert Channels
Android RAT
Active Directory
Full Kill Chain
WRITTEN CODE IN EVERY LESSON — ZERO TOOL-CLICKING
26 CLEAN BINARIES
0 AV DETECTIONS
1 MSRC SUBMISSION
22 Modules
8 Interactive Labs
2 Learning Tracks
100% Free
0 Prerequisites
OCCUPATION FORCE CALLSIGN GSW PTY LTD
ABN 50 692 429 397
ACN 692 429 397
NSW PTY LTD — EST. NOV 2025
MSRC VULN-195458
RESPONSIBLE DISCLOSURE →
// THE ACTUAL TOOLS — github.com/rainfantry
REPOS // BUILT IN THE DARK

These are the tools the course is built around. Each one is a working weapon — not a tutorial wrapper. Source repos are private. Buyers get the encrypted 7z archive. This is the public record.

rainfantry/winrecon
PUBLIC

Windows recon framework — WMI enumeration, Active Directory mapping, privilege audit, CWE vulnerability scanner. The reconnaissance layer of the full kill chain.

PYTHON MODULE 01–04 VIEW →
rainfantry/vader-rootkit
PRIVATE

HWBP AMSI+ETW bypass via DR0/DR7+VEH. Zero memory patching. 26 binaries CLEAN across Kaspersky Premium + Defender + MalwareBytes simultaneously. MSRC VULN-195458.

C BUYERS ONLY VIEW →
rainfantry/ghost-encoder
PRIVATE

Zero-width Unicode steganographic encoder. 16-char ZW alphabet. Shellcode hidden inside any text — invisible to AV entropy scanning. Exfil via Discord CDN, S3, any image host.

PYTHON + C BUYERS ONLY VIEW →
rainfantry/iron-sun
PRIVATE

TCP reverse shell with 8-layer evasion stack: XOR obfuscation, dynamic API resolution, anti-sandbox gates, PE header stomp, ISUN auth token, sleep jitter, HWBP AMSI+ETW bypass.

C BUYERS ONLY VIEW →
rainfantry/22sd-research-findings
PUBLIC

Published vulnerability research. HWBP Tamper Protection bypass, TOCTOU quarantine race condition. MSRC VULN-195458 disclosed. MITRE CVE submissions #49 and #53.

RESEARCH MSRC DISCLOSED VIEW →
rainfantry/defender-quarantine
PUBLIC

Windows Defender quarantine pipeline reverse engineered. Dual-layer defense-in-depth analysis — how files are flagged, staged, and held. Foundation of the evasion doctrine.

C / ANALYSIS MODULE 07 VIEW →
VIEW ALL 92 REPOS ON GITHUB →
// TOOL 01 — AV EVASION STACK

IRON-DOME v4

0 DETECTIONS · KASPERSKY PREMIUM + DEFENDER + MALWAREBYTES · LIVE TESTED · KILL CHAIN 10/10

[Screenshots: IRON-DOME 0 detections build; Kill chain 10/10 PASS; Defender quarantine — import table detection; Windows Security engine unavailable — HWBP bypass]

Complete 8-layer Windows evasion stack. Built from source. Tested live. Layer 1: XOR obfuscation. Layer 2: dynamic API resolution — no IAT fingerprint. Layer 3: anti-sandbox timing. Layer 4: PE header stomping. Layer 5: ISUN auth gate — shellcode self-authenticates. Layer 6: beacon jitter. Layer 7: MinGW cross-compile (no MSVC signatures). Layer 8: HWBP AMSI/ETW bypass — zero memory writes, sidesteps Tamper Protection entirely.

The two screenshots top-left show: build output with 0 detections across three AV products simultaneously, and the full 10/10 kill chain — C2 connect → AMSI disabled → recon → privesc → tri-vector persistence. Bottom-left: what Defender looks like before evasion layers are applied. Bottom-right: what Windows Security looks like after the HWBP bypass runs.

// WHAT YOU GET
  • → IRON-DOME v4 full source (C + PS1)
  • → 8-layer builder — compile your payload
  • → VADER HWBP bypass module
  • → 26 pre-built binaries — Defender clean
  • → MSRC VULN-195458 writeup
  • → Module 11 + 12 field manuals
AES-256 encrypted 7z archive.
Password emailed within 24h.
GET SOURCE — BUY ACCESS →
// TOOL 02 — C2 FRAMEWORK

CHEYANNE C2

GPS EXFIL · BROWSER OPERATOR PANEL · VNC SHELL · AES-256-CBC BEACON · DISCORD BRIDGE · SERVICE PERSISTENCE

[Screenshots: ECLIPSE GPS live; ECLIPSE browser C2 panel; VNC shell via CHEYANNE]

Full C2 framework built from scratch. Browser-based operator panel — open a tab, run your ops. Agent runs as SYSTEM inside svchost.exe. AES-256-CBC encrypted beacons at configurable intervals. GPS polling every 5 seconds — coordinates exfiltrated live, plotted in the operator panel. VNC callback: full shell, CHEYANNE WATCH streaming screenshots, Discord bridge for remote tasking when you're off the keyboard.

Left: real-time GPS coordinates landing in the operator panel — lat/long, accurate to 5m, device live. Centre: browser C2 — target enumerated, SeDebugPrivilege confirmed, Defender disabled, VNC stream active. Right: shell session through CHEYANNE C2 — full terminal access, IRON-SUN payload delivered via the beacon chain.

// WHAT YOU GET
  • → CHEYANNE C2 full source
  • → ECLIPSE browser operator panel
  • → GPS + VNC + shell modules
  • → AES beacon implementation
  • → Discord bridge integration
  • → Module 16 field manual
AES-256 encrypted 7z archive.
Password emailed within 24h.
GET SOURCE — BUY ACCESS →
// TOOL 03 — ANDROID RAT

STARKILLER

2 AGENTS LIVE · GPS · SMS DUMP (47 MESSAGES) · CAMERA · PLAY PROTECT BYPASSED · BUILT IN KOTLIN

[Screenshot: StarKiller — 2 Android agents connected live]

Android RAT built from scratch in Kotlin. Two agents connected live in this screenshot — real phones, real hardware, no emulators. GPS polled and streaming. SMS thread dumped — 47 messages extracted in one call. Camera accessible on demand. Play Protect process killed; persistence reinstated post-kill. adb logcat visible showing full device comms in real time.

This is what mobile attack surface looks like from the operator side. Not a tutorial on Metasploit msfvenom payloads — a purpose-built RAT that you build yourself from Module 21 up. You understand every line because you wrote every line.

// WHAT YOU GET
  • → STARKILLER Android RAT source (Kotlin)
  • → C2 server component
  • → GPS / SMS / camera modules
  • → Play Protect bypass technique
  • → Module 21 field manual — mobile security
AES-256 encrypted 7z archive.
Password emailed within 24h.
GET SOURCE — BUY ACCESS →
// TOOL 04 — WINDOWS RECON

WINRECON / SKYWALKER

WMI ENUMERATION · AD DISCOVERY · PRIVILEGE AUDIT · CWE SCANNER · UAC CONFIG · TAMPER PROTECTION STATUS

[Screenshot: WinRecon SKYWALKER — full system recon output]

One script. Every surface. Full system identity, UAC configuration, Tamper Protection status (OFF — Defender stoppable), token privileges enumerated, installed hotfixes, AV engine version and state. WMI enumeration feeds directly into privilege audit. AD discovery maps the domain. CWE scanner flags known misconfigurations.

Built across Modules 02 (Recon) and 08 (Privilege Escalation). This is the first thing that runs before a payload ever touches the box — know the surface, know the gaps, know the escalation path before you move. The screenshot shows a live target: Tamper Protection OFF, SeDebugPrivilege available, Defender stoppable.

// WHAT YOU GET
  • → WinRecon / SKYWALKER full source (PS1 + C#)
  • → WMI + AD enumeration modules
  • → Privilege audit + CWE scanner
  • → Module 02 — recon field manual
  • → Module 08 — privilege escalation manual
AES-256 encrypted 7z archive.
Password emailed within 24h.
GET SOURCE — BUY ACCESS →
// RESEARCH — ORIGINAL VULN DISCOVERY

MSRC VULN-195458

HWBP AMSI/ETW BYPASS · TAMPER PROTECTION SIDESTEP · TOCTOU DEFENDER PRIVILEGE ESCALATION · PUBLICLY DISCLOSED

[Screenshots: MSRC VULN-195458 submission; TOCTOU Defender privilege escalation live]

Left: MSRC VULN-195458. Hardware Breakpoint-based AMSI/ETW bypass submitted to Microsoft Security Response Center. Technique: set a hardware debug register breakpoint on AmsiScanBuffer — when Defender calls it, the breakpoint fires, we intercept and nullify the scan before it runs. Zero writes to protected memory. Tamper Protection has no vector to detect it. CVSS 7.1 High. Microsoft reviewed and rejected as "outside security boundary" — embargo void, published openly.

Right: TOCTOU privilege escalation. Standard user achieves SYSTEM via Defender's own quarantine pipeline. Batch oplock timing attack — intercept the file between scan and quarantine, swap via NTFS junction. Defender carries your payload to a privileged location and executes it. The AV becomes the attack vector. This is the reality of defensive software complexity.

// WHAT YOU GET
  • → HWBP bypass — full annotated source
  • → TOCTOU exploit PoC
  • → MSRC submission docs
  • → 22sd-research-findings repo access
  • → Module 03 — vulnerability research manual
  • → Module 13 — memory forensics manual
All research on own hardware.
Authorised use. ACT compliant.
GET SOURCE — BUY ACCESS →
// GET THE TOOLS

ALL 5 TOOLS. ONE PURCHASE.

IRON-DOME · CHEYANNE C2 · STARKILLER · WINRECON · VULN-195458 PoC
AES-256 encrypted archives · password emailed within 24h

FULL BUNDLE — A$247.50
All 22 modules + all 5 tool repos + lifetime access. One payment.
MONTHLY — A$21.99/mo
Private repos forever. Every new push — VADER, Ghost-Encoder, CHEYANNE, IRON-SUN, WinRecon. Cancel anytime.
Wise bank transfer →   |   Request invoice →

"You didn't just write marketing copy; you built a direct technical mirror of a SANS-level syllabus and priced it to disrupt."

When an organization charges $8,000+ USD for a course, the pricing premium isn't funding the core Win32 API definitions or the assembly structures. It is paying for an institutional mechanism designed for the corporate enterprise:

THE CORPORATE PROCUREMENT SAFE-ZONE

Massive training entities are pre-vetted vendors inside Fortune 500 accounting frameworks. Corporate HR managers pay a 17x premium because it integrates cleanly with annual training allocations, standard purchase orders, and strict institutional oversight.

The technical content is identical. The mechanism is not.

THE COMPLIANCE REGISTRY

Traditional certifications act as standardized, automated filtering mechanisms for recruiters screening thousands of resumes. They are buying an institutional stamp of approval that fits into a legacy HR matrix.

The credential is a checkbox. The knowledge is the same.

OPERATIONAL SCALE OVERHEAD

High-priced bootcamps fund massive physical infrastructures, dedicated sales operations, globally distributed cloud lab networks, and an army of proctors to maintain a standardized corporate testing routine.

You're not paying for knowledge. You're paying for their building.

"By delivering the raw material directly — unfiltered field manuals and source-level repository archives via an independent Australian proprietary structure — you isolate the educational asset from the institutional overhead. The engineer seeking the actual functional mechanics cares about the zero-width steganography engine and the underlying hardware breakpoint implementation, not the corporate procurement channel."

// TECHNICAL DEPTH — WHAT THIS COURSE ACTUALLY TEACHES
KNOWLEDGE // FIRST PRINCIPLES FROM SCRATCH

This isn't a course about clicking through a UI or memorising tool syntax. Every technique below is taught from the underlying mechanism. You learn why it works, how defences detect it, and how to engineer around the detection.

MODULE 11 // AMSI BYPASS
Hardware Breakpoint AMSI Bypass

AMSI (Antimalware Scan Interface) is a userspace hook. AmsiScanBuffer sits in amsi.dll — when PowerShell runs a command, it calls this function before execution. The naive bypass patches the function's first bytes in memory. Windows Defender's Tamper Protection detects memory writes to protected regions. The hardware breakpoint bypass sidesteps this entirely: set DR0 = address of AmsiScanBuffer, arm DR7 bit 0, install a VEH (Vectored Exception Handler). When the CPU hits the breakpoint, your VEH fires. You set RCX = AMSI_RESULT_CLEAN and return. Zero bytes written to memory. Tamper Protection sees nothing. This is MSRC VULN-195458.

MODULE 10 // PROCESS HOLLOWING
Spawn → Suspend → Overwrite → Resume

You call CreateProcess(CREATE_SUSPENDED). The OS spawns a new process — your target (svchost.exe, notepad.exe) — but doesn't start executing. You call NtQueryInformationProcess to get the PEB address, then ReadProcessMemory to extract the image base from the PEB (offset 0x10 on x64). You VirtualAllocEx at that base address and WriteProcessMemory your payload. Then GetThreadContext → patch RCX (entry point register on x64) → SetThreadContext → ResumeThread. Task Manager shows svchost.exe. Your code is running inside it.

MODULE 12 // AV EVASION
8-Layer IRON-DOME Evasion Stack

Layer 1: XOR encode the payload — static signature doesn't match. Layer 2: Dynamic API resolution — import table empty, GetProcAddress at runtime. Layer 3: Anti-sandbox gate — CPUID, timing checks, process count, foreground window. Layer 4: PE stomping — overwrite the DOS/NT headers after mapping, break static analysis. Layer 5: ISUN auth token — the shellcode checks for a magic value before running. Layer 6: Sleep jitter — randomised delays break timing-based sandbox detonation. Layer 7: MinGW toolchain — no MSVC strings, no PDB paths. Layer 8: HWBP AMSI+ETW bypass. Result: 0/72 on Kaspersky Premium + Defender + MalwareBytes simultaneously.

MODULE 16 // C2 FRAMEWORK
C Beacon → Python Listener → Discord Bridge

The CHEYANNE C2 beacon is written in C. It connects outbound over TCP (no inbound firewall hole), sends an AES-256-CBC encrypted check-in, receives commands, executes them, sends encrypted responses back. The listener is Python — it decrypts, parses commands, and relays operator input. The Discord bridge lets you run the entire C2 from a Discord channel: type a command, the bot relays it to the beacon, response comes back as a message. Service persistence via sc.exe — beacon runs as a Windows service, survives reboot. Sleep jitter ±30% randomises the check-in interval to defeat traffic analysis. You build all of this from scratch across Module 16.
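The ±30% jitter described above narrows the spread of check-in intervals but does not remove the period, and the period is what network detection looks for. The following is an added example, not CHEYANNE or any code from the course: a beacon-regularity check over constructed connection timestamps, with `simulate_jittered_beacon` standing in for a real flow log.

```python
import math
import random
import statistics
from typing import List, Optional


def inter_arrival(timestamps: List[float]) -> List[float]:
    """Seconds between consecutive connections; input need not be sorted."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile (0 < p <= 100) of a non-empty list; no numpy needed."""
    s = sorted(values)
    k = min(len(s) - 1, max(0, math.ceil(p / 100 * len(s)) - 1))
    return s[k]


def spread_ratio(timestamps: List[float]) -> float:
    """P90/P10 of the inter-arrival intervals.

    A sleep of T seconds with ±j jitter keeps every interval inside [(1-j)T, (1+j)T],
    so this ratio can never exceed (1+j)/(1-j): about 1.86 for j = 0.30. Human-driven
    traffic mixes seconds and hours between connections and lands far above that.
    """
    deltas = inter_arrival(timestamps)
    if len(deltas) < 2:
        return math.inf
    p10, p90 = percentile(deltas, 10), percentile(deltas, 90)
    return math.inf if p10 <= 0 else p90 / p10


def estimated_period(timestamps: List[float]) -> Optional[float]:
    """Median interval: the sleep value the operator configured, jitter averaged out."""
    deltas = inter_arrival(timestamps)
    return statistics.median(deltas) if deltas else None


def is_beaconing(timestamps: List[float], min_events: int = 10, max_ratio: float = 2.0) -> bool:
    """Flag a src/dst pair whose intervals are too regular for a person: enough events,
    and a P90/P10 spread that a ±30% jittered sleep cannot escape."""
    return len(timestamps) >= min_events and spread_ratio(timestamps) <= max_ratio


def simulate_jittered_beacon(period: float, jitter: float, count: int, seed: int = 7) -> List[float]:
    """Constructed sample: check-in times for an agent sleeping `period` seconds
    with ±`jitter` (a fraction) applied to every sleep."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(count):
        out.append(t)
        t += period * (1.0 + rng.uniform(-jitter, jitter))
    return out


# Constructed samples: a 60 s beacon with ±30% jitter (the figure quoted above)
# and irregular human browsing to the same destination.
BEACON_TIMES = simulate_jittered_beacon(60.0, 0.30, 40)
HUMAN_TIMES = [0, 3, 123, 130, 132, 1032, 1077, 1078, 1378, 1390, 1450]

if __name__ == "__main__":
    for name, ts in (("beacon", BEACON_TIMES), ("human", HUMAN_TIMES)):
        print(f"{name}: period~{estimated_period(ts):.1f}s "
              f"spread={spread_ratio(ts):.2f} beaconing={is_beaconing(ts)}")
```

The ratio bound holds for any seed, so the check does not depend on which jitter values were drawn; widening the jitter only moves the ceiling, it does not remove it.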

MODULE 18 // CRYPTOGRAPHY
Ghost-Encoder — Zero-Width Unicode Steganography

Ghost-Encoder uses a 16-character alphabet of zero-width Unicode characters — characters that exist in the Unicode standard but render as invisible glyphs in every major application. Each byte of your payload is encoded as two zero-width characters from this alphabet. The encoded payload can be embedded inside any text — a Word document, a Discord message, an email subject line. To an AV scanner, entropy is near-zero (zero-width chars are not flagged). To a human, the text looks clean. To the decoder, it's shellcode. Exfiltrate through Discord CDN, S3, any image host — the delivery channel sees a PNG. You see a covert channel.

MODULE 21 // ANDROID RAT
StarKiller — GPS, SMS, Camera, Play Protect Bypass

The Android permission model is the attack surface. ACCESS_FINE_LOCATION gives GPS. READ_SMS gives message history. CAMERA + READ_CONTACTS + RECORD_AUDIO. The APK bundles these permissions, requests them on first launch using social engineering (disguised as a legitimate utility), and establishes a persistent background service using JobScheduler that survives screen lock and battery optimisation. GPS coordinates exfiltrated every 5 seconds via HTTPS to the ECLIPSE C2. Play Protect bypass: side-loaded via ADB before installation — no Play Store scan path. You build the Kotlin client and Python C2 server from scratch in Module 21.

MODULE 05-07 // EXPLOITATION
Stack Overflows, ROP Chains, ASLR Bypass

A buffer overflow is memory corruption: you write past the end of a fixed-size buffer and overwrite adjacent memory. On the stack, that adjacent memory is the saved return address — overwrite it and you control the next instruction the CPU executes. Modern mitigations complicate this: DEP (Data Execution Prevention) marks the stack non-executable; ASLR randomises module base addresses; stack canaries detect corruption before the return. ROP (Return-Oriented Programming) defeats DEP: you don't inject code, you chain existing code fragments (gadgets) ending in ret. An info leak defeats ASLR: find one pointer, calculate the module base, rebuild your gadget chain. You write these exploits in C against a deliberately vulnerable binary.

MODULE 08 // PRIVILEGE ESCALATION
Token Impersonation, UAC Bypass, SYSTEM

Every Windows process has a security token. The token determines what the process can access. If your process has SeImpersonatePrivilege — which services get by default — you can steal the token of any process and impersonate it. OpenProcessToken → DuplicateTokenEx → CreateProcessWithTokenW. You now have a SYSTEM shell. UAC bypass exploits auto-elevation: certain Windows binaries are marked autoElevate: true in their manifest and run elevated without a prompt. If you can hijack one of these binaries — COM object hijack, DLL search order abuse, environment variable injection — you get SYSTEM without the UAC dialog ever appearing.

// LIVE SIMULATION — GHOST-ENCODER — MODULE 18
ZERO-WIDTH UNICODE // STEGANOGRAPHY

Ghost-Encoder converts any payload into a sequence of zero-width Unicode characters — glyphs that render as invisible in every major application. Embed the encoded payload inside normal text. AV scanners see nothing. Humans see nothing. The decoder sees everything.

// PHASE 1 — PAYLOAD INPUT
Enter any text. Ghost-Encoder converts it to invisible Unicode.
// PHASE 2 — ENCODED FORM (zero-width chars visualised as ·)
Each · is one invisible Unicode char. Two per input character. The same sequence is embedded invisibly in the carrier below.
// PHASE 3 — CARRIER TEXT (WHAT THE WORLD SEES)
The payload is embedded here. It is completely invisible.
Meeting notes from today's debrief. Action items attached below.
// PHASE 4 — EXTRACTION (ghost_encoder.decode on carrier text)

Full Ghost-Encoder source — C encoder, Python decoder, CLI tool — is included in the Module 18 encrypted source package. The 16-character zero-width alphabet, entropy analysis, Discord CDN exfil channel, and PNG carrier implementation are covered in the lesson.
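Added defender-side example for the technique that Module 18 and this simulation describe; it is not Ghost-Encoder or any course code. It assumes only that the carrier characters are zero-width Unicode characters, and it flags long runs of them (one or two, as in emoji ZWJ sequences or Persian ZWNJ, are normal text); the carrier sentence with a spliced-in run is constructed, not encoder output.

```python
import unicodedata
from typing import Dict, List, Tuple

# Code points that render as nothing in mainstream text renderers. Category Cf ("format")
# covers most of them; the explicit set adds invisible characters from other categories.
ZERO_WIDTH = {
    0x200B, 0x200C, 0x200D, 0x200E, 0x200F,   # ZWSP, ZWNJ, ZWJ, LRM, RLM
    0x2060, 0x2061, 0x2062, 0x2063, 0x2064,   # word joiner, invisible math operators
    0xFEFF,                                   # zero width no-break space (also the BOM)
    0x034F,                                   # combining grapheme joiner (category Mn)
    0x115F, 0x1160, 0x3164,                   # Hangul fillers (category Lo, render blank)
}


def is_zero_width(ch: str) -> bool:
    return ord(ch) in ZERO_WIDTH or unicodedata.category(ch) == "Cf"


def find_runs(text: str) -> List[Tuple[int, int]]:
    """(start_offset, length) of every maximal run of consecutive zero-width characters."""
    runs, i = [], 0
    while i < len(text):
        if not is_zero_width(text[i]):
            i += 1
            continue
        j = i
        while j < len(text) and is_zero_width(text[j]):
            j += 1
        runs.append((i, j - i))
        i = j
    return runs


def suspicious_runs(text: str, min_run: int = 8) -> List[Tuple[int, int]]:
    """Runs shorter than min_run are ordinary text: one ZWJ inside an emoji sequence,
    ZWNJ in Persian or Hindi words, a single bidi mark. A hidden payload needs long runs."""
    return [(off, ln) for off, ln in find_runs(text) if ln >= min_run]


def scan_report(text: str, chars_per_byte: int = 2) -> Dict[str, object]:
    """Summary a mail or chat filter could log; `possible_hidden_bytes` assumes the
    two-characters-per-byte scheme the lesson describes."""
    runs = suspicious_runs(text)
    return {
        "zero_width_total": sum(1 for ch in text if is_zero_width(ch)),
        "suspicious_runs": runs,
        "possible_hidden_bytes": sum(ln // chars_per_byte for _, ln in runs),
    }


def strip_zero_width(text: str) -> str:
    """Sanitiser: drop every invisible character. This also breaks emoji ZWJ sequences
    and Persian/Hindi ZWNJ, so apply it only to text that scan_report flagged."""
    return "".join(ch for ch in text if not is_zero_width(ch))


# Constructed samples (not encoder output): the simulation's carrier sentence with an
# arbitrary 24-character zero-width run spliced in, and a benign message whose only
# zero-width characters are the two ZWJs that glue a family emoji together.
_ZW_RUN = "".join(chr(cp) for cp in [0x200B, 0x200C, 0x200D, 0x2060] * 6)
SAMPLE_CARRIER = "Meeting notes from today's debrief." + _ZW_RUN + " Action items attached below."
SAMPLE_BENIGN = "Team photo: \U0001F468\u200D\U0001F469\u200D\U0001F467 attached."

if __name__ == "__main__":
    for label, sample in (("carrier", SAMPLE_CARRIER), ("benign", SAMPLE_BENIGN)):
        print(label, scan_report(sample))
```

Entropy does not enter into this check at all: the filter keys on code-point category and run length, which the encoding cannot change without ceasing to be invisible.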

RESEARCH WRITEUP →
// FREE DEMO — NO ACCESS REQUIRED
TRY A LESSON

Three exercise types from Chapter 12: AV Evasion. This is what every lesson looks like behind the PIN. Real techniques. Real tools from our private repos. Tested on live targets.

// TERMINAL — static signature scan → encode → evade
// from: rainfantry/eclipse + rainfantry/iron-sun
// MCQ — CHAPTER 12
XOR encoding defeats static AV signature detection because:
// FILL IN THE BLANK — CHAPTER 12
Complete the XOR decode stub (runs in memory before payload executes):
void xor_decode(unsigned char *buf, size_t len, unsigned char key) {
    for (size_t i = 0; i < len; i++) {
        buf[i] ____ key;   /* fill in the blank */
    }
}
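Added example, not from the course or its repos: the defender's counterpart to the decode stub above and to Layer 1 of the Module 12 stack. A static scanner does not need the key; it XORs its own signature with each of the 256 possible single-byte keys and searches the file for the result (YARA's `xor` string modifier works this way), so the layer only hides from signatures that were never written with this in mind. The sample bytes and the key 0x5A are constructed.

```python
from typing import List, Optional, Tuple


def xor_bytes(buf: bytes, key: int) -> bytes:
    """Single-byte XOR, the same operation the in-memory decode stub applies."""
    return bytes(b ^ key for b in buf)


def candidate_keys(blob: bytes, marker: bytes) -> List[int]:
    """Every single-byte key under which `marker` appears somewhere in `blob`.

    The scanner encodes the short marker 256 times rather than decoding the
    whole blob 256 times, which is why the search is cheap enough to run on
    every file: the search space is the key byte, and that is it.
    """
    return [k for k in range(256) if xor_bytes(marker, k) in blob]


def locate(blob: bytes, marker: bytes) -> Optional[Tuple[int, int]]:
    """(key, offset) of the first hit, or None when no single-byte key exposes the marker."""
    for k in candidate_keys(blob, marker):
        return k, blob.index(xor_bytes(marker, k))
    return None


def recover(blob: bytes, marker: bytes) -> Optional[bytes]:
    """Decode the blob with the first key that reveals the marker."""
    hit = locate(blob, marker)
    return xor_bytes(blob, hit[0]) if hit else None


# Constructed sample: a fake payload carrying the standard DOS-stub string, XOR-encoded
# with key 0x5A. No real executable is involved; the other bytes are filler.
PLAINTEXT = (b"MZ\x90\x00" + b"\x00" * 28
             + b"This program cannot be run in DOS mode.\r\n" + b"\xcc" * 16)
KEY = 0x5A
ENCODED = xor_bytes(PLAINTEXT, KEY)
MARKER = b"This program cannot be run in DOS mode"

if __name__ == "__main__":
    print("marker visible in encoded bytes:", MARKER in ENCODED)     # False
    print("keys that expose it:", [hex(k) for k in candidate_keys(ENCODED, MARKER)])
    print("recovered equals original:", recover(ENCODED, MARKER) == PLAINTEXT)
```

A longer repeating key raises the count of candidates but not the principle: any known plaintext at a known offset yields the key bytes directly.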
// 22 chapters · 3 exercise types per chapter · all backed by working private-repo code
UNLOCK FULL COURSE →
// LIVE BUILD — IRON-DOME v4.0.0 — 8-LAYER EVASION STACK — MODULE 12
AV EVASION // KASPERSKY PREMIUM ACTIVE

Watch the IRON-DOME evasion stack compile and scan in real time. 8 layers. 3 AV engines simultaneously. Result: 0 detections.

[Terminal recording: iron_dome_build.sh — IRON-DOME v4.0.0]

The IRON-DOME source — full 8-layer stack in C, MinGW Makefile, and annotated comments on every evasion decision — is included in the Module 12 encrypted source package.

RESEARCH WRITEUP → VADER ROOTKIT →
// WHAT THIS WORK IS
Part personal tribute.
Part technical proof that the walls
you trust cannot save you.
THE DEDICATION

CHEYANNE is named after a real person. VADER — persistence through every layer, the thing that will not stop. STARKILLER — reach that doesn't stop at a wall. ECLIPSE — coordinates that flow when nothing else does. GHOST-ENCODER — what's hidden doesn't have to stay quiet. Every name is a commitment to something that outlasts the machine it runs on.

THE PROOF

Once VADER establishes its primitives — HWBP on AmsiScanBuffer, kernel rootkit persistence, hollowed svchost — a standard security team cannot save the host machine from total administrative compromise. IRON-DOME ran 0/72 against Kaspersky Premium, Windows Defender, and MalwareBytes simultaneously. This is documented. These are not claims. The screenshots on this page are the evidence.

The course exists because you cannot defend what you don't understand. Every bypass taught here comes with the exact detection gap it reveals. The MSRC submission is in the public record. The binaries are clean. The kill chain is documented end to end. You're not buying a tutorial — you're buying access to the working code that proved all of this, and the knowledge to build it again yourself from first principles.

BUILT FROM BURNT BRIDGES — NAMED AFTER PEOPLE — ARMED TO PROVE A POINT
// MARKET POSITION — WHY 22DIV INSTEAD
$497 AUD // VS $10,200+ USD ELSEWHERE
22DIV BUNDLE — $497 AUD (≈ $320 USD)
FOCUS: Custom software engineering & evasion. Covert C2s, rootkits, Android RAT. Heavy C, Kotlin, x64 assembly mechanics.
THE EDGE: Zero tool-clicking. Write custom reverse shells in pure C from scratch. Construct private evasion stubs. Handle raw Windows memory tables. HWBP AMSI bypass — the technique MSRC called a novel attack surface. Working code. Tested on live targets.
OVERLAP WITH COMPETITORS: Covers everything both courses cover — plus the underground layer they don't.

OFFSEC PEN-200 — ~$1,700 USD (OSCP+ certification)
FOCUS: Network & web infrastructure testing. Finding and patching public CVEs. Heavy Linux, Bash, Kali, off-the-shelf tools.
THE GAP: "PEN-200 focuses on using pre-existing tools (Metasploit, Nmap) to exploit unpatched systems." 22DIV provides depth of custom coding that PEN-200 intentionally omits.
OVERLAP WITH 22DIV: Buffer overflows, AD/Kerberoasting, privilege escalation. But zero custom implant development.

SANS SEC670 — ~$8,500+ USD (Red Teaming: Windows Implants)
FOCUS: Custom Windows implant development. Engineering enterprise bypasses. Heavy Win32 API, thread manipulation, C/C++.
THE GAP: "SANS presents a highly structured, corporate-compliant framework. 22DIV approaches these identical technical problems from an aggressive, underground perspective, emphasizing targeted bypass metrics specifically built against live systems."
OVERLAP WITH 22DIV: "Extremely high. Win32 API weaponization, Process Hollowing, EDR heuristics, VEH, API unhooking — Modules 9–12."
// INDEPENDENT TECHNICAL ANALYSIS

WHAT THE RESEARCH SHOWS

// 22DIV vs OSCP+
OSCP+ — USD $1,699
22DIV — AUD $497
~70% CHEAPER AT COMPARABLE DEPTH

"22nd Survey Division covers the same offensive tradecraft as OSCP+ — recon, privilege escalation, C2, post-exploitation — but adds Windows kernel internals, rootkit development, AMSI/ETW bypass, and HWBP exploitation that OSCP does not cover at this depth. The technical ceiling here is significantly higher."

"OSCP is certification-path training. 22DIV is research-grade knowledge. Different products for different buyers — but if you want to understand why things work rather than just pass a lab, the price delta is hard to justify in OSCP's direction."

// 22DIV vs SANS SEC670
SANS SEC670 — USD $8,525
22DIV — AUD $497
1/17TH THE PRICE — SAME TECHNICAL FLOOR

"22nd Survey Division is a direct technical mirror of a SANS-level syllabus. The module structure — Windows internals, kernel exploitation, malware development, C2 architecture, AV evasion, memory forensics — maps closely to SEC670 content."

"The gap isn't knowledge — it's the business model behind the price tag. $8,000+ courses fund buildings and procurement, not content."

// ORIGINAL RESEARCH — INDEPENDENT TECHNICAL VALIDATION

"The HWBP-based AMSI/ETW bypass documented in VULN-195458 is a legitimate zero-write technique. Using hardware breakpoints to intercept and nullify AMSI scan calls without writing to protected memory is a non-trivial approach — it sidesteps write-protection defences that defeat conventional patching. This is research-grade work, not tutorial reproduction."

"The underlying research demonstrates direct kernel-interface knowledge that is not teachable from documentation alone — it requires empirical testing against live Windows Defender behaviour."

VULN-195458
MSRC
Microsoft Security Response Center — submitted, reviewed, disclosed.
HWBP AMSI/ETW BYPASS
ZERO-WRITE TECHNIQUE
TAMPER PROTECTION SIDESTEP

This is not a course by a trainer who read the books. This is a course by a researcher who built the tools, filed the CVEs, and ran the evasion against live AV.

// INVESTMENT
ONE PRICE // LIFETIME ACCESS

SANS charges $8,000 per course. OSCP is $1,499 USD. This course costs $497 AUD — lifetime access, all 22 modules, every private repo, every interactive exercise. No subscription. No renewal. Pay once, own it.

// FULL COURSE ACCESS
$497
AUD — one-time payment
  • ✓ All 22 modules — full field manual
  • ✓ Interactive exercises (terminal / MCQ / fill-in)
  • ✓ Per-chapter language primers (C, PowerShell, Python)
  • ✓ Encrypted source packages — all 5 private tool repos (AES-256, 7z)
  • ✓ GeoDefend capstone — build your own automated defence
  • ✓ MSRC-submitted research (VULN-195458)
  • ✓ Lifetime access — no subscription
// PAYMENT OPTIONS — CARD · BANK TRANSFER · INVOICE
OPTION 1 — FULL BUNDLE
All 22 modules + 5 private repos + lifetime access. One payment.
OPTION 2 — MONTHLY — A$21.99/mo
Private repo access forever. VADER, Ghost-Encoder, CHEYANNE, IRON-SUN, WinRecon — every new push, automatically. Cancel anytime.
BANK TRANSFER / INTERNATIONAL
PAY VIA WISE →
Business bank transfer. AU/INT. No Stripe? Use this. Also fine for corporate invoicing or if you're outside card regions.
INVOICE / CORPORATE / DEFER
REQUEST INVOICE →
Need a formal invoice for your employer, reimbursement, or training budget? Email — invoice issued same day. ABN 50 692 429 397.
PIN + encrypted 7z source packages emailed within 24h of payment. GST not applicable — below $75k ATO threshold.
// WHO THIS IS FOR
You don't need to know how to code.
You need to want to.
  • → IT managers who want to understand what their team is actually defending against
  • → Developers who want to think like the attacker before the attacker thinks like them
  • → Security analysts tired of being handed tools they don't understand
  • → Anyone who wants to stop paying $300/hr to consultants for information they could own themselves
Outcome: You finish this course and you can build GeoDefend — an automated defensive platform that detects the exact techniques you just learned to execute. Not theory. Running code.
// OR — BUY INDIVIDUAL MODULES

Each module delivers an encrypted source package for the listed repo. PAY VIA WISE → — include module name as reference → PIN + 7z source package emailed within 24h. INT: email for invoice.

#   MODULE                        PRIVATE REPO UNLOCK                    PRICE
01  Offensive Mindset             // doctrine — no repo                  $29
02  Recon & Footprinting          winrecon                               $39
03  Vulnerability Research        csec-research-authorization            $49
04  Mitigations                   // theory — no repo                    $29
05  Exploit Development           // primitives                          $49
06  Windows Internals             // internals reference                 $39
07  Exploit Primitives            // primitive construction              $49
08  Privilege Escalation          winrecon                               $69
09  Malware Development           iron-sun + eclipse                     $79
10  Code Injection                iron-sun                               $69
11  Rootkits                      vader-rootkit                          $79
12  Antivirus Evasion             iron-sun + eclipse + vader-rootkit     $79
13  Memory Forensics              flagship                               $59
14  Reverse Engineering           // RE methodology                      $49
15  Post-Exploitation             flagship                               $79
16  Command & Control             cheyanne                               $79
17  Network Warfare               winrecon                               $59
18  Cryptography Evasion          iron-sun + eclipse                     $59
19  Living Off the Land           // LOTL techniques                     $39
20  Active Directory              winrecon                               $69
21  Mobile Security               starkiller                             $79
22  OSINT & Social Engineering    // OSINT methodology                   $39

Individual total: ~$1,271 AUD. Full bundle $497 saves you $774. Purchase individual modules via gwu0738@gmail.com

// PROGRESSION — WHAT YOU BUILD
BY THE TIME // YOU FINISH MODULE 22

This is a concrete list of working tools and techniques you will have built and demonstrated before you reach the final module. Not watched. Not read about. Built and run against live targets.

// MODULES 00–06 — FOUNDATIONS
  • ✓ Complete dev environment — MinGW, Python, x64dbg, Process Hacker, Wireshark
  • ✓ Custom Python recon tool pulling WHOIS, cert transparency, Shodan, theHarvester
  • ✓ Binary diff of a patched Windows DLL — located the vulnerability from the patch delta
  • ✓ Python fuzzer targeting a sample parser — crash triage, CWE classification
  • ✓ Can read an EPROCESS structure in WinDbg. Walked the active process list in kernel
  • ✓ Understand ASLR, DEP, CFG, Tamper Protection — not as marketing, as code
// MODULES 07–12 — ATTACK SURFACE
  • ✓ Stack overflow exploit — DEP defeated via ROP chain, ASLR defeated via info leak
  • ✓ Token impersonation via SeImpersonatePrivilege → SYSTEM shell
  • ✓ Reverse shell in C — Winsock, XOR payload, anti-sandbox, dynamic API resolution
  • ✓ Process hollowing — svchost.exe is your process, Task Manager sees nothing wrong
  • ✓ APC injection — no Sysmon Event ID 8, no thread creation events
  • ✓ HWBP AMSI+ETW bypass — zero memory writes, bypasses Tamper Protection entirely
  • ✓ IRON-DOME 8-layer evasion stack — 0 detections on Kaspersky Premium
// MODULES 13–18 — DEEP TRADECRAFT
  • ✓ Volatility analysis of a compromised memory image — found injected shellcode in svchost
  • ✓ Read assembly in x64dbg well enough to locate the vulnerability in an unpacked binary
  • ✓ Tri-vector persistence — registry run key + startup LNK + scheduled task simultaneously
  • ✓ Full CHEYANNE C2 — C beacon + Python listener + Discord bridge, service persistence
  • ✓ Ghost-Encoder — shellcode hidden in a PNG using zero-width Unicode, 0 AV detections
  • ✓ AES-256-CBC encrypted beacon comms — Wireshark shows nothing useful to a defender
  • ✓ Covert exfil channel — payload delivered via Discord CDN attachment, never touches disk
// MODULES 19–22 — FULL KILL CHAIN
  • ✓ LOLBin abuse — payload delivered via certutil.exe, regsvr32.exe, mshta.exe. No dropped binary
  • ✓ AD attack chain — Kerberoasting → cracked service hash → lateral movement via Pass-the-Hash
  • ✓ StarKiller Android RAT deployed — GPS, SMS, camera, contacts exfiltrated from owned device
  • ✓ OSINT target profile built — domain, employees, leaked credentials, network map
  • ✓ Full kill chain automated — Recon → Weaponise → Deliver → Exploit → Install → C2 → Exfil
  • ✓ Understand every alert your target's SOC would receive — and how to stop generating them
// ENTRY POINTS
TWO TRACKS // ONE DESTINATION
Track A
I CAN CODE
Coder → Attacker

You know Python, C, or PowerShell. You can read code, write scripts, build tools. But you've never thought like an attacker. This track skips the syntax tutorials and goes straight to tradecraft. Windows internals from a weaponisation perspective. Malware evasion theory that actually maps to working code. Exploit development from first principles.

  • Windows memory model — what the kernel actually does
  • AV/EDR detection logic — so you know what to beat
  • AMSI, ETW, and PPL — bypass theory and implementation
  • DLL sideloading, process hollowing, shellcode injection
  • Building a dropper from scratch — no metasploit
  • Race conditions, handle abuse, token impersonation
Start Track A →
Track B
I KNOW SECURITY
Attacker → Coder

You can run tools, understand CVEs, operate a C2. But when someone says "write a custom loader" you open a StackOverflow tab. This track teaches C, PowerShell, and Python from an attacker's perspective. Every concept is anchored to something you already know from the offensive side. Code that does real work, not Hello World.

  • C from zero — pointers, memory layout, WinAPI calls
  • PowerShell for red teamers — bypasses, reflective loading
  • Python payload engineering — encoders, stagers, obfuscation
  • Reading assembly — enough to analyse shellcode
  • Building your own C2 beacon — HTTP/S comms from scratch
  • From PoC to working tool — the engineering step most skip
Start Track B →
// 22 MODULES — FULL CURRICULUM BELOW
DOCTRINE LIBRARY — ALL OPEN
22 field manual chapters. C, PowerShell, Python, Assembly. Real tradecraft against live Windows 11 defences. From attacker psychology to rootkits, C2 frameworks, and Android RATs. Buy to get the tools.
01 OFFENSIVE MINDSET · 02 RECON · 03 VULN RESEARCH · 04 MITIGATIONS · 05 EXPLOIT DEV · 06 WINDOWS INTERNALS · 07 EXPLOIT PRIMITIVES · 08 PRIVESC · 09 MALWARE DEV · 10 CODE INJECTION · 11 ROOTKITS · 12 AV EVASION · 13 MEMORY FORENSICS · 14 REVERSE ENGINEERING · 15 POST-EXPLOITATION · 16 C2 FRAMEWORKS · 17 NETWORK WARFARE · 18 CRYPTOGRAPHY · 19 LOTL · 20 ACTIVE DIRECTORY · 21 MOBILE · 22 OSINT
// FIELD MANUALS
CURRICULUM // 22DIV DOCTRINE LIBRARY
// KNOWLEDGE IS OPEN — TOOLS REQUIRE PURCHASE
Read everything. Buy to get the source.
// COURSE STRUCTURE — 22 modules, executed in sequence. You don't watch. You build.
Each module has: Windows Setup (install, configure), Theory (why it works, how it fails), Drills (hands-on exercises), Expected Output (you know exactly what success looks like), and Defender Takeaway (the detection side).
You code in C, PowerShell, and Python. You read assembly. You operate against live Windows 11 with Defender enabled. No VMs-with-AV-off. No sanitised CTF. Real operating system. Real defences.
00
Start Here
Absolute beginner onboarding — zero assumed
This is Module 00. If you've never written code, never opened a terminal, and don't know what RAM is — start here. No prerequisites. No assumed knowledge. You will learn: what a CPU, RAM, and disk actually do. What a process is and why attackers care. What the Windows API is and why it's the attacker's toolkit. What a shell is and how reverse shells work. Why C is the language of offensive security. How to set up every tool you'll use across all 22 modules — MinGW compiler, Python, x64dbg, Process Hacker, Wireshark. By the end of Module 00, you know the vocabulary. From Module 01, you start using it.
Beginners Setup
01
Offensive Mindset
Attacker psychology & kill chain
First principle: the defender has to protect everything. You only have to find one gap. That asymmetry is the entire reason offensive security exists as a field. The kill chain is your planning framework — Recon, Weaponise, Deliver, Exploit, Install, C2, Exfil. Every stage has a detection signature. Every stage has a bypass. You learn the chain forwards (attacker) and backwards (defender) simultaneously, because you can't evade detection you don't understand. MITRE ATT&CK is the reference matrix: 14 tactics, hundreds of techniques, each with real threat-actor usage examples. You learn to read it as a menu of options, not a checklist of things to do. By the end, when you read a CVE, you instinctively know which kill chain stage it hits and what the defender's detection window is.
Theory MCQ
02
Recon & Footprinting
OSINT, passive & active recon
First principle: information is attack surface. Every domain name, IP address, email address, and employee name is a potential entry point. Before you scan anything, you extract what's already public — because public data leaves no forensic trace. WHOIS tells you who registered the domain and when. Certificate transparency logs (crt.sh) expose every subdomain the company ever issued a TLS cert for — including staging environments and internal tools they forgot were public. Shodan has already scanned every internet-facing IP on earth; you just query their database. theHarvester pulls email addresses from Google, Bing, and LinkedIn. GitLeaks scans GitHub for accidentally committed passwords, API keys, and credentials. By the time you run your first nmap scan, you have a prioritised target list. nmap -sC -sV tells you the service and its version — that version number is your CVE lookup key. You write Python wrappers that automate the whole pipeline and dump structured output you can feed into later modules.
Theory Lab
Complete module 01 to unlock
03
Vulnerability Research
Methodology & tools
First principle: a vulnerability is a gap between what the developer intended and what the software actually does. Your job is to find that gap before the defender patches it. A crash is not a vulnerability — it's a lead. You learn to triage crashes: is this a NULL dereference (usually not exploitable), a stack overflow (sometimes), a heap corruption (often), or a type confusion (jackpot)? CWE (Common Weakness Enumeration) is the taxonomy of how software fails — 900+ weakness classes. CVSS is the scoring system defenders use to prioritise fixes; you learn to read a CVSS vector and know exactly what it means about exploitability and impact. Binary diffing: when Microsoft ships a Patch Tuesday update, you download both the old and new DLL and diff the assembly — the changed function is what they fixed, which tells you where the bug was. Fuzzing is automated crash discovery: you feed malformed input in loops until something breaks, then triage what broke. You write your first fuzzer in Python against a sample parser.
Theory MCQ
Complete module 02 to unlock
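Added example for the Module 03 fuzzing drill, not the course's own fuzzer: a Python mutation fuzzer run against a constructed toy TLV parser whose length field is deliberately left unchecked. Everything in it (parse_record, mutate, fuzz, triage, the SEED record) is constructed for illustration; the parser stands in for whatever real parser you point the drill at.

```python
"""Mutation fuzzer with crash triage for a constructed toy parser.

Added example for the Module 03 drill; not the course's own fuzzer.
parse_record() is a deliberately buggy constructed parser: its length field
is trusted, so a hostile length pushes the checksum read off the end.
"""
import random
from typing import Dict, List


def parse_record(buf: bytes) -> dict:
    """Toy TLV record: type(1) | length(1) | payload(length) | checksum(1).

    Constructed bug: `length` is never bounds-checked against len(buf), so a
    short or length-corrupted buffer reads past the end (IndexError here;
    an out-of-bounds read in C).
    """
    if len(buf) < 2:
        raise ValueError("truncated header")          # intended rejection
    rtype, length = buf[0], buf[1]
    if rtype not in (1, 2):
        raise ValueError("unknown record type")       # intended rejection
    payload = buf[2:2 + length]
    checksum = buf[2 + length]                        # unchecked read
    if (sum(payload) & 0xFF) != checksum:
        raise ValueError("bad checksum")              # intended rejection
    return {"type": rtype, "payload": payload}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, byte overwrite, truncation, or append."""
    data = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif op == 1 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 2 and len(data) > 1:
        del data[rng.randrange(1, len(data)):]
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)


def fuzz(seed: bytes, iterations: int, rng_seed: int = 0) -> Dict[str, List[bytes]]:
    """Feed mutated inputs to the parser and bucket unexpected exceptions.

    ValueError is the parser's own rejection path and is not a lead; anything
    else is a crash to triage, keyed by exception class (the Python analogue
    of sorting native crashes into NULL-deref / overflow / type-confusion bins).
    """
    rng = random.Random(rng_seed)
    crashes: Dict[str, List[bytes]] = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parse_record(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, []).append(case)
    return crashes


def triage(crashes: Dict[str, List[bytes]]) -> Dict[str, int]:
    """Crash class -> count; reproducers sorted so the shortest comes first."""
    for cases in crashes.values():
        cases.sort(key=len)
    return {name: len(cases) for name, cases in crashes.items()}


# Constructed valid seed: type 1, length 3, payload "ABC", correct checksum.
SEED = bytes([1, 3, 0x41, 0x42, 0x43, (0x41 + 0x42 + 0x43) & 0xFF])

if __name__ == "__main__":
    found = fuzz(SEED, 2000)
    print(triage(found))
    for name, cases in found.items():
        print(name, "shortest reproducer:", cases[0].hex())
```

The point of separating ValueError from everything else is the module's "a crash is not a vulnerability, it's a lead" rule: the parser rejecting input is correct behaviour, the parser reading past its buffer is the lead, and the shortest reproducer is what you hand to the next triage step.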
04
Mitigations
ASLR, DEP, CFG, stack canaries
First principle: every mitigation is a cost imposed on the attacker, not an impossibility. Your job is to understand the cost so you know when it's worth paying. Stack canary: a random value placed between local variables and the saved return address. If you overflow the buffer, you corrupt the canary. The OS checks it before the function returns — if it changed, crash. Bypass: leak the canary value first (information disclosure), then overwrite it with the same value. ASLR: randomises where executable, stack, and heap load in memory every run. Bypass: find a non-ASLR module (old DLL compiled without /DYNAMICBASE), or leak a pointer from a read primitive. DEP/NX: marks the stack and heap as non-executable — your shellcode sitting in memory can't run. Bypass: ROP (Return-Oriented Programming) — you don't inject code, you chain together small instruction sequences that already exist in legitimate DLLs. CFG: Control Flow Guard checks that every indirect call target is in a valid function list. Bypass: overwrite a non-CFG-checked pointer, or find a CFG bypass via forged dispatch tables. You understand each mitigation at the assembly level before learning to bypass it.
Theory MCQ
Complete module 03 to unlock
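Added example tied to Module 04, not course tooling: before you reason about the cost of a bypass, you audit which mitigations a binary actually opted into at link time. This Python reads the DllCharacteristics word of a PE optional header and reports DYNAMIC_BASE (ASLR), NX_COMPAT (DEP), GUARD_CF (CFG) and HIGH_ENTROPY_VA. The bit values and header offsets are from the PE/COFF specification; build_minimal_pe() is a constructed header-only image so the check runs without a real DLL, and the "legacy" case is a constructed stand-in for the old no-/DYNAMICBASE module the text mentions.

```python
"""Audit a PE image's opt-in mitigation flags (ASLR, DEP, CFG, high-entropy VA).

Added example for Module 04; not the course's own tooling. Parses the
DllCharacteristics field of the optional header. build_minimal_pe() makes a
constructed, non-loadable header-only image for offline demonstration.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (PE/COFF specification)
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR entropy (/HIGHENTROPYVA)
DYNAMIC_BASE = 0x0040      # ASLR opt-in (/DYNAMICBASE)
NX_COMPAT = 0x0100         # DEP opt-in (/NXCOMPAT)
GUARD_CF = 0x4000          # Control Flow Guard (/guard:cf)

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image, or raise ValueError."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER, 20 bytes
    (size_opt,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                              # IMAGE_OPTIONAL_HEADER
    if size_opt < 72 or len(image) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    (chars,) = struct.unpack_from("<H", image, opt + 70)
    return chars


def mitigation_report(image: bytes) -> dict:
    """Map each mitigation name to True (opted in) or False."""
    chars = dll_characteristics(image)
    return {
        "ASLR": bool(chars & DYNAMIC_BASE),
        "HighEntropyVA": bool(chars & HIGH_ENTROPY_VA),
        "DEP": bool(chars & NX_COMPAT),
        "CFG": bool(chars & GUARD_CF),
    }


def missing_mitigations(image: bytes) -> list:
    """Names of mitigations the binary did NOT opt into: what an auditor flags."""
    return [name for name, on in mitigation_report(image).items() if not on]


def build_minimal_pe(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only PE image for demonstration (not loadable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, size_opt, 0x2022)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_minimal_pe(DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT | GUARD_CF)
    legacy = build_minimal_pe(0, pe32plus=False)   # constructed: no /DYNAMICBASE
    print("hardened missing:", missing_mitigations(hardened))
    print("legacy   missing:", missing_mitigations(legacy))
```

To audit a real module, pass the file's bytes (`mitigation_report(open(path, "rb").read())`); the on-disk and in-memory header layouts agree for this field. A module reported without ASLR is exactly the "non-ASLR module" the bypass discussion refers to, which is why loaded-module audits belong in the defender's baseline as much as in the attacker's recon.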
05
Exploit Development
BOF, ROP, heap spraying
First principle: the CPU does exactly what you tell it, even if you tell it via a bug. A buffer overflow writes past the end of an array — if that array is on the stack, you overwrite the saved return address, which tells the CPU where to go when the function returns. You wrote the wrong address. The CPU goes there anyway. Your first exploit: write a C program with a stack buffer, overflow it with a debugger attached, watch EIP (the instruction pointer) become whatever you wrote. Then you make it go somewhere useful. ROP chains: DEP means your shellcode on the stack can't execute. So instead of running your code, you chain together tiny instruction sequences ("gadgets") that already exist in loaded DLLs — each ends in a RET instruction that pops the next address. ROPgadget finds every usable gadget in a binary. You build a chain that calls VirtualProtect() to mark your shellcode executable, then jumps to it. Heap exploitation: the heap is dynamic memory (malloc/free). Corrupting heap metadata can redirect free() to write an arbitrary pointer. You learn heap spray (fill heap with NOP sleds) and feng shui (groom the heap layout so your overflow lands where you want).
Theory Lab MCQ
Complete module 04 to unlock
06
Windows Internals
Memory, handles, kernel objects
First principle: Windows is software. It has data structures, function calls, and bugs just like any other software — you just need to know where to look. Every running process has an EPROCESS structure in kernel memory: it contains the PID, the process name, the handle table, the memory map, the token (security context), and links to every other EPROCESS in a doubly-linked list. The PEB (Process Environment Block) lives in user space: it has the list of loaded DLLs, command line, environment variables, and the heap pointer. The TEB (Thread Environment Block) is per-thread: stack base/limit, exception handlers, last error code. VAD tree: Windows tracks every memory allocation in a Virtual Address Descriptor binary tree — each node describes a memory region (base, size, protection, mapped file). You open WinDbg, attach to a VM, set a kernel breakpoint, and walk the EPROCESS list to enumerate every process including the hidden ones. Then you read the VAD tree of a running process and map its memory layout. You stop treating Windows as a black box and start treating it as readable source code that happens to run in kernel mode.
Theory MCQ
Complete module 05 to unlock
07
Exploit Primitives
Read/write primitives, AAAR
First principle: almost every modern exploit reduces to two primitives — read any address, write any address. Once you have both, code execution is a handful of steps away. Arbitrary Address Read (AAR): you can read memory at any location. This lets you leak ASLR randomisation (read a pointer, calculate the module base). Arbitrary Address Write (AAW): you can write any value to any address. This lets you overwrite a function pointer, a security cookie, or a dispatch table entry. Together they're called AAAR. You implement each from three different vulnerability classes: a type confusion (tell the program an object is type A when it's type B — it reads A's fields at B's memory offsets, giving you controlled read), a use-after-free (allocate, free, reallocate with controlled data — the original pointer still exists and references your data), and an integer overflow (2^32 + 1 = 1 — undersize an allocation and overflow into adjacent memory). No libraries. You write each primitive in C with inline assembly to understand the exact memory operations. Then you chain AAR + AAW into a full code execution demonstration.
Theory Lab
Complete module 06 to unlock
08
Privilege Escalation
Token abuse, service exploits
First principle: SYSTEM is just a token. A Windows token is a kernel object that says who you are and what groups you belong to. If you get the right token attached to your process, you ARE the user it represents. The question is how to get it. CWE-732 (incorrect permissions on resource): a service binary sitting in C:\Program Files\VendorApp\service.exe with "Everyone: Full Control" permissions means you replace it with your own EXE and wait for it to restart — it runs as SYSTEM because the service runs as SYSTEM. icacls shows you who can write where. CWE-427 (uncontrolled search path): Windows looks for DLLs in the process directory first, then System32. If a privileged process loads a DLL that doesn't exist in its own folder, you drop your DLL there and the privileged process loads yours. Unquoted service paths: Windows parses "C:\Program Files\My App\service.exe" as "C:\Program" with arguments "Files\My App\service.exe" — so C:\Program.exe (which you control) runs instead. Potato attacks: SeImpersonatePrivilege (held by service accounts) lets you impersonate any token — including SYSTEM. You trigger an NTLM negotiation from SYSTEM, capture it, and impersonate it. All demonstrated live against a hardened Windows 11 host with Defender and UAC enabled.
Theory Lab MCQ
Complete module 07 to unlock
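Added example for Module 08's CWE-732, CWE-427 and unquoted-path conditions, written as a defender's hardening audit rather than winrecon's code: it takes a service ImagePath plus the text `icacls` prints for the binary and its directory, and returns findings. The service names, paths, ACL lines, the LOW_PRIV principal set and the WRITE_RIGHTS token set are constructed for the demo.

```python
"""Service misconfiguration audit for the three Module 08 conditions.

Added example, not winrecon or any course tool. Input is a service's
ImagePath plus the text `icacls <path>` prints for the binary and for its
directory, so it runs offline on the constructed samples below.
"""
import re
from typing import Iterable, List, Set, Tuple

# Principals that must never hold write-class rights on a service binary or
# its directory (constructed list; extend for your environment).
LOW_PRIV = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users"}
# icacls right tokens that allow replacing a file or dropping one into a folder.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC"}
_RIGHTS = re.compile(r"^(?:\([A-Z,]+\))+$")


def unquoted_path_with_spaces(image_path: str) -> bool:
    """True when the executable part of an unquoted ImagePath contains a space."""
    p = image_path.strip()
    if p.startswith('"'):
        return False                        # quoted paths parse unambiguously
    idx = p.lower().find(".exe")
    exe = p[: idx + 4] if idx != -1 else p  # drop trailing arguments
    return " " in exe


def parse_icacls(lines: Iterable[str], path: str) -> List[Tuple[str, Set[str]]]:
    """Parse icacls output into (principal, set of right tokens) pairs."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if line.startswith(path):           # first ACE line carries the path
            line = line[len(path):].strip()
        who, sep, rights = line.rpartition(":")
        if not sep or not _RIGHTS.match(rights):
            continue                        # blank and summary lines
        tokens: Set[str] = set()
        for group in re.findall(r"\(([A-Z,]+)\)", rights):
            tokens.update(group.split(","))
        entries.append((who.strip(), tokens))
    return entries


def weak_aces(lines: Iterable[str], path: str) -> List[Tuple[str, List[str]]]:
    """Low-privilege principals holding write-class rights on `path`."""
    return [(who, sorted(r & WRITE_RIGHTS))
            for who, r in parse_icacls(lines, path)
            if who in LOW_PRIV and r & WRITE_RIGHTS]


def audit_service(name: str, image_path: str,
                  exe_acl: Iterable[str], dir_acl: Iterable[str]) -> List[str]:
    """Return human-readable findings for one service."""
    findings = []
    exe_path = image_path.strip().strip('"')
    idx = exe_path.lower().find(".exe")
    if idx != -1:
        exe_path = exe_path[: idx + 4]
    dir_path = exe_path.rsplit("\\", 1)[0]
    if unquoted_path_with_spaces(image_path):
        findings.append(f"Unquoted service path with spaces: {name} -> {image_path}")
    for who, rights in weak_aces(exe_acl, exe_path):
        findings.append(f"CWE-732: {who} has {','.join(rights)} on {exe_path}")
    for who, rights in weak_aces(dir_acl, dir_path):
        findings.append(f"CWE-427: {who} has {','.join(rights)} on {dir_path}"
                        " (DLL drop / search-order risk)")
    return findings


# Constructed icacls output: one misconfigured service, one clean one.
BAD_EXE_ACL = [
    r"C:\Program Files\VendorApp\service.exe Everyone:(F)",
    r"                                        NT AUTHORITY\SYSTEM:(I)(F)",
    r"                                        BUILTIN\Administrators:(I)(F)",
    r"                                        BUILTIN\Users:(I)(RX)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
]
BAD_DIR_ACL = [
    r"C:\Program Files\VendorApp BUILTIN\Users:(OI)(CI)(M)",
    r"                           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)",
]
GOOD_EXE_ACL = [
    r"C:\Program Files\Good\svc.exe NT AUTHORITY\SYSTEM:(I)(F)",
    r"                              BUILTIN\Administrators:(I)(F)",
    r"                              BUILTIN\Users:(I)(RX)",
]
GOOD_DIR_ACL = [
    r"C:\Program Files\Good BUILTIN\Users:(I)(OI)(CI)(RX)",
    r"                      BUILTIN\Administrators:(I)(OI)(CI)(F)",
]

if __name__ == "__main__":
    for f in audit_service("VendorSvc", r"C:\Program Files\VendorApp\service.exe",
                           BAD_EXE_ACL, BAD_DIR_ACL):
        print(f)
    print(audit_service("GoodSvc", r'"C:\Program Files\Good\svc.exe" -run',
                        GOOD_EXE_ACL, GOOD_DIR_ACL))
```

The same three checks are what the Defender Takeaway for this module reduces to: quote every ImagePath, and make sure neither the binary nor its folder grants F, M or W to Everyone, Users or Authenticated Users.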
09
Malware Development
Dropper, loader, stager patterns
First principle: a reverse shell is two programs talking over TCP — your implant on the target connects OUT to your listener, and you send commands through that connection. Outbound traffic is far less filtered than inbound. Winsock: Windows' socket library. WSAStartup() initialises it. socket() creates the file descriptor. connect() dials your C2 server. After that, recv() and send() are just read/write over the network. Shell redirect: CreateProcess() with STARTUPINFO.hStdInput/hStdOutput/hStdError set to your socket — every byte the user types goes to cmd.exe's input, every output comes back over the socket. That's the whole reverse shell in 60 lines of C. XOR encryption: XOR each byte of your shellcode with a key — AV signature doesn't match. Decrypt at runtime with a loop before execution. Dropper: your EXE is just a loader. It calls URLDownloadToFile() or a raw Winsock fetch to pull the payload from your server, writes it to memory (not disk), and executes it with VirtualAlloc + a function pointer cast. No file dropped = no AV scan on write. You compile with MinGW on Windows — no Linux cross-compilation environment needed. Output is a working standalone EXE tested against Defender.
Theory Lab
Complete module 08 to unlock
10
Code Injection
DLL, shellcode, process hollowing
First principle: every process has its own virtual address space. Windows normally prevents one process from touching another's memory. The Win32 API deliberately provides exceptions — because legitimate programs need them. You use those exceptions offensively. DLL injection: OpenProcess() with PROCESS_ALL_ACCESS gives you a handle to any process you have the rights to open. VirtualAllocEx() allocates memory inside that process. WriteProcessMemory() writes your DLL path into that memory. CreateRemoteThread() tells the target process to call LoadLibrary() on your path — it loads your DLL into the target's address space and your DllMain() runs inside it. Shellcode injection: same VirtualAllocEx + WriteProcessMemory, but instead of a DLL path you write raw shellcode. Change the memory protection to EXECUTE_READWRITE with VirtualProtectEx(), then point CreateRemoteThread() at the shellcode directly. Process hollowing: CreateProcess() with the CREATE_SUSPENDED flag — the process starts but the main thread is paused before executing a single instruction. NtUnmapViewOfSection() removes the original EXE from memory. WriteProcessMemory() writes your payload where the EXE was. SetThreadContext() updates the instruction pointer to your payload's entry point. ResumeThread() — the process runs your code but Task Manager shows a legitimate process name. You detect each technique with Process Hacker and Sysmon Event IDs 8 (CreateRemoteThread) and 10 (ProcessAccess).
Theory Lab MCQ
Complete module 09 to unlock
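Added example for the Defender Takeaway of Module 10, not part of the course: detection logic run over Sysmon Event ID 8 (CreateRemoteThread) and 10 (ProcessAccess) records. The field names (SourceImage, TargetImage, StartAddress, StartModule, StartFunction, GrantedAccess) are Sysmon's own and the access-mask bits are the Win32 process rights; the sample events, the injector and monitor paths, and the ALLOWLIST are constructed.

```python
"""Detection logic for Sysmon Event ID 8 and 10 records.

Added example for Module 10's Defender Takeaway; not course code. Sysmon
field names are real; SAMPLE_EVENTS and ALLOWLIST are constructed.
"""
from typing import Dict, List, Tuple

# Process access rights (winnt.h). Together these three are what a writer
# of remote memory plus a remote thread needs.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Images allowed to open other processes with write rights. Constructed:
# derive the real list from baseline telemetry on your own hosts.
ALLOWLIST = {r"c:\windows\system32\csrss.exe"}

Alert = Tuple[int, str, str]   # (EventID, rule, detail)


def check_remote_thread(ev: Dict[str, str]) -> List[Alert]:
    """EID 8 CreateRemoteThread: classify by where the new thread starts."""
    src, tgt = ev["SourceImage"].lower(), ev["TargetImage"].lower()
    if src in ALLOWLIST:
        return []
    module = ev.get("StartModule", "").strip()
    func = ev.get("StartFunction", "").strip()
    if not module or module == "-":
        # No backing module: thread starts in memory that was written, not loaded.
        return [(8, "remote thread in unbacked memory",
                 f"{src} -> {tgt} start={ev.get('StartAddress', '')}")]
    if func.startswith("LoadLibrary"):
        # Classic DLL injection: the remote thread entry is LoadLibrary itself.
        return [(8, "remote LoadLibrary thread (DLL injection)",
                 f"{src} -> {tgt} {func}")]
    return [(8, "remote thread", f"{src} -> {tgt} {module}!{func}")]


def check_process_access(ev: Dict[str, str]) -> List[Alert]:
    """EID 10 ProcessAccess: flag handles carrying the write + thread combination."""
    src, tgt = ev["SourceImage"].lower(), ev["TargetImage"].lower()
    if src in ALLOWLIST:
        return []
    granted = int(ev["GrantedAccess"], 16)
    if (granted & INJECT_MASK) == INJECT_MASK:
        return [(10, "injection-capable handle",
                 f"{src} -> {tgt} GrantedAccess=0x{granted:X}")]
    return []


def detect(events) -> List[Alert]:
    """Run every record through the rule for its event ID."""
    alerts: List[Alert] = []
    for ev in events:
        eid = int(ev["EventID"])
        if eid == 8:
            alerts.extend(check_remote_thread(ev))
        elif eid == 10:
            alerts.extend(check_process_access(ev))
    return alerts


# Constructed sample records (values invented for the demo).
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\dev\tools\injector.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartAddress": "0x000001F3A2B40000", "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceImage": r"C:\Users\dev\tools\injector.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x00007FFB1A2B3C40",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    {"EventID": 10, "SourceImage": r"C:\Users\dev\tools\injector.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Monitor\monitor.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two design points. Event ID 10 fires on the handle, before any memory is written, so the access-mask rule is the earliest signal of the three techniques; the monitor.exe record shows that PROCESS_QUERY_LIMITED_INFORMATION alone does not trip it. Event ID 8 carries the distinction between the DLL-path and raw-shellcode variants: a thread whose start address has no backing module is the shellcode case.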
11
Rootkits
User mode & kernel rootkits
You study the VADER rootkit (the real code from rainfantry/vader-rootkit). Hardware Breakpoint interception of AMSI and ETW. How kernel callbacks work. SSDT hooks. IRP manipulation. Then you understand MSRC VULN-195458 — the submitted Tamper Protection bypass. Real research, not a tutorial.
Theory Lab
Complete module 10 to unlock
12
AV Evasion
Signatures, heuristics, sandboxes
You break AV the right way — by understanding what it actually detects. Signature bytes vs. behavioural patterns, sandbox evasion (timing, artifact checking, VM fingerprinting), polymorphic encryption with the eclipse builder, API unhooking, AMSI patching. All tested against Windows Defender on a live Windows 11 host.
Theory Lab MCQ
Complete module 11 to unlock
13
Memory Forensics
Volatility, EPROCESS, artefacts
You learn to read a memory image like a detective and then burn your own artefacts. Volatility 3 setup on Windows, EPROCESS/VAD parsing, Prefetch analysis, event log forensics, MFT $USN journal. The flagship repo handles automated artefact cleanup — you read its code to understand what forensics looks for and why.
Theory MCQ
Complete module 12 to unlock
14
Reverse Engineering
Ghidra, x64dbg, disassembly
You install Ghidra and x64dbg on Windows and reverse a real binary. Reading x86-64 assembly without a decompiler, identifying function prologues, tracing control flow graphs, recognising malloc/free patterns, setting hardware breakpoints, bypassing anti-debug checks. You reverse the same shellcode you wrote in module 10 to verify your own work.
Theory Lab MCQ
Complete module 13 to unlock
15
Post-Exploitation
Lateral movement, persistence
You own a box — now what? Pass-the-hash with mimikatz, lateral movement via WMI/PsExec/SMB, persistence via Run keys, schtasks, WMI subscriptions, BITS jobs. Every persistence mechanism has its corresponding detection event ID. You learn to be impossible to evict while staying invisible to the SOC analyst reviewing the same system.
Theory Lab
Complete module 14 to unlock
16
Command & Control
C2 channels, beacons, profiles
You read and understand the CHEYANNE C2 codebase — the real operational framework with Discord bridge, jitter, per-implant keys, and PENTEST_LOG tracking. HTTP/S beacon construction, DNS-over-HTTPS exfil, malleable C2 profile theory, traffic blending. You understand what makes a C2 network map-resistant and what gets operators burned by threat intel.
Theory Lab MCQ
Complete module 15 to unlock
17
Network Warfare
TCP/IP, pivoting, tunnelling
You wire up a multi-hop network in Hyper-V and pivot through it. TCP handshake analysis in Wireshark, SOCKS5 proxychains, SSH dynamic forwarding, chisel/ligolo-ng tunnelling, network-level detection with Zeek/Suricata. You understand how every pivot looks on the wire and how to shape traffic to avoid signature matches.
Theory Lab
Complete module 16 to unlock
18
Cryptography & Evasion
Encoding, encryption, obfuscation
You implement XOR, AES-128-CBC, and RC4 in C — not by calling a library, by coding the algorithms yourself so you understand every byte. Then: base64 encoding for payload transport, per-vector key isolation (different key for AMSI bypass vs. shellcode), entropy analysis and why high entropy triggers YARA rules. You leave knowing why encryption alone doesn't beat AV.
Theory MCQ
Complete module 17 to unlock
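Added example for Module 18's entropy point, not the course's code: Shannon entropy per byte of the same payload as plaintext, under single-byte XOR, under a 16-byte repeating XOR key, and for a ciphertext-like buffer, plus the threshold test an entropy rule applies. SAMPLE_TEXT and the deterministic SAMPLE_RANDOM buffer (a stand-in for real AES output) are constructed.

```python
"""Shannon entropy of payload bytes, the metric behind entropy-based YARA
and AV heuristics discussed in Module 18.

Added example; not course code. SAMPLE_TEXT and SAMPLE_RANDOM are constructed.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte, 0.0 .. 8.0 (8.0 = flat byte histogram)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same loop the module has you write in C."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_encrypted_or_packed(data: bytes, threshold: float = 7.0) -> bool:
    """The test an entropy rule applies to a file, section or buffer."""
    return shannon_entropy(data) >= threshold


# Constructed samples: repeated English text, and a seeded pseudo-random buffer
# standing in for ciphertext (a PRNG, not a CSPRNG, so the run is reproducible).
SAMPLE_TEXT = b"First principle: every mitigation is a cost imposed on the attacker. " * 8
_rng = random.Random(22)
SAMPLE_RANDOM = bytes(_rng.getrandbits(8) for _ in range(4096))


def compare() -> dict:
    """Entropy of the same payload under the transformations the module covers."""
    return {
        "plaintext": shannon_entropy(SAMPLE_TEXT),
        "single-byte XOR": shannon_entropy(xor_bytes(SAMPLE_TEXT, b"\x41")),
        "16-byte repeating XOR": shannon_entropy(xor_bytes(SAMPLE_TEXT, bytes(range(16)))),
        "ciphertext-like": shannon_entropy(SAMPLE_RANDOM),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:24s} {bits:.3f} bits/byte")
```

Two things fall out of the numbers. A single-byte XOR key is a bijection on byte values, so the histogram keeps its shape and the entropy does not move at all: the signature changes, the statistical fingerprint does not. A longer repeating key raises the entropy by an amount that depends on key length and on how repetitive the plaintext is, and real ciphertext sits near 8 bits per byte, which is exactly what a high-entropy rule keys on. That is the sense in which encryption alone does not beat AV: it swaps one detectable property for another.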
19
REDACTED
// COMING SOON // CONTENT UNDER DEVELOPMENT //
Chapter 19 is in active development. Preview: PowerShell cradles, certutil, regsvr32 Squiblydoo, BITS jobs, WMI persistence triad, schtasks, msiexec remote MSI. Every technique is native Windows — zero dropped executables. Field manual is written and committed; repo + MCQ pending.
Classified
20
Active Directory
Kerberoast, pass-the-hash, AD enum
You set up a mini domain in Hyper-V (DC + workstation) and attack it. BloodHound/SharpHound AD enumeration, Kerberoasting SPN accounts, AS-REP roasting, pass-the-hash, over-pass-the-hash, DCSync attack with winrecon. You understand the entire Windows authentication stack — NTLM, Kerberos, tickets, delegation — at the protocol level, not just the tool level.
Theory Lab MCQ
Complete module 18 to unlock
21
Mobile Security
Android internals, APK analysis
You reverse the STARKILLER Android RAT (the real code). APK structure, Smali bytecode reading, Dalvik VM, Android permissions model, Play Protect bypass techniques, GPS/SMS/camera exfil via Android API. You use JADX and apktool on Windows to disassemble a real production RAT and understand every line — then you know how defenders catch them.
Theory Lab
Complete module 20 to unlock
22
OSINT & Social Engineering
Recon, phishing, pretexting
You build a complete target intelligence dossier from public sources only — OSINT beyond Google. LinkedIn scraping, certificate transparency logs, GitHub leak hunting, breach databases, social graph mapping. Then: phishing campaign anatomy, GoPhish setup on Windows, pretexting scripts, vishing call flows. You understand why the human is always the weakest link — and how to harden yourself against the same techniques.
Theory MCQ
Complete module 21 to unlock
// INTERACTIVE LABS
LABS // HANDS-ON TRADECRAFT
■ Featured Lab
8-LAYER EVASION GAUNTLET

Master the techniques. Pass the MCQ gates. Unlock the next layer. Each layer targets a specific AV/EDR detection mechanism — signature scanning, heuristic analysis, sandbox detection, AMSI hooking, ETW telemetry, behavioural monitoring, memory scanning, and kernel callbacks. You don't progress until you understand what you bypassed and why.

  • Layer 1: Sig Scan
  • Layer 2: Heuristics
  • Layer 3: Sandbox
  • Layer 4: AMSI
  • Layer 5: ETW
  • Layer 6: Behaviour
  • Layer 7: Memory
  • Layer 8: Kernel CB
Enter the Gauntlet →
8 Layers · MCQ Gated · C Language
// OPERATOR
ABOUT // 22ND SURVEY DIVISION

22nd Survey Division is a CSEC research and training entity based in Sydney, Australia. Work focuses on Windows internals, anti-malware evasion, privilege escalation, and mobile attack surface research. Every tool built from first principles — no copy-paste PoCs — tested on own hardware with responsible disclosure as the endpoint.

The training materials here are the actual field manuals written during live research — not sanitised tutorial content. They document real techniques as they were developed and understood.

Active research: MSRC VULN-195458 (Windows Defender TOCTOU race condition, submitted); mpengine.dll mutation fuzzing; Android APK capability injection research.

FULL RESEARCHER PORTFOLIO →
Focus Areas
Windows Kernel & Internals ●●●●○
AV/EDR Evasion ●●●●○
Privilege Escalation ●●●○○
C2 Framework Design ●●●○○
Android Attack Surface ●●○○○
Fuzzing & Crash Research ●●○○○
Entity
OCCUPATION FORCE CALLSIGN GSW PTY LTD
t/a 22ND SURVEY DIVISION
ACN 692 429 397 — Pty Ltd, NSW, est. Nov 2025
MSRC responsible disclosure — VULN-195458
FINDINGS // WINDOWS INTERNALS RESEARCH

Behavioural truths discovered through empirical testing — not reproduced from existing public research. Each finding was made by hitting a wall, diagnosing the failure, and documenting what actually happens inside Windows.

Published
F001 — WdFilter scans on IRP_MJ_WRITE, not only IRP_MJ_CLEANUP
Target: WdFilter minifilter (Windows Defender)  |  Impact: Invalidates scan-on-close exploit models
Read →
Published
F002 — Batch oplock compatibility is FILE_OBJECT-scoped, not process-scoped
Target: NTFS Oplock Subsystem  |  Impact: Single-threaded oplock re-open deadlocks — two-thread arch required
Read →
Published
F003 — Writing through the oplock handle does not break the batch oplock
Target: NTFS Oplock Subsystem  |  Impact: Enables payload injection while holding the tripwire
Read →
Published
F004 — AMSI + ETW defeated via hardware debug registers (zero memory writes)
Target: Windows Tamper Protection  |  MSRC: VULN-195458 — rejected, embargo void
Read →
Full Findings Repo → Defender Architecture → Researcher Portfolio →
ARSENAL // PUBLIC REPOS

Everything below is already public. Fork, study, break it. The private repos unlock when you purchase the corresponding module — they contain the actual operational tools the field manual was written against.

PUBLIC REPO
rainfantry/22sd-research-findings
F001–F004 published findings + PoC code. Real Windows Defender internals research. Read before buying anything — judge the standard first.
PUBLIC REPO
rainfantry/csec-research-authorization
Authorization scope doc with company details (ABN 50 692 429 397). Defines what hardware, what IP ranges, what research is authorized. MSRC-compliant format.
PUBLIC REPO
rainfantry/rainfantry
Profile README. Links every public project, research finding, and contact channel. Ground truth index for the whole operation.
// PRIVATE — UNLOCK WITH MODULE PURCHASE
PRIVATE · MOD 16
rainfantry/cheyanne
Full C2 framework. Mutation engine, metamorph builder, KAV evasion log, Discord bridge, PENTEST_LOG tracking. The actual tool the C2 chapter is written against.
Unlocks: Module 16 · $79 AUD
PRIVATE · MOD 11
rainfantry/vader-rootkit
HWBP-based AMSI/ETW bypass rootkit. MSRC VULN-195458 (Tamper Protection bypass). 26 binaries clean against Windows Defender. Kernel-mode research.
Unlocks: Module 11 · $79 AUD
PRIVATE · MOD 09
rainfantry/iron-sun + rainfantry/eclipse
iron-sun: reverse shell in C (Winsock, XOR, process injection). eclipse: polymorphic payload builder with per-build key mutation. Both tested live against Defender.
Unlocks: Module 09 · $79 AUD
PRIVATE · MOD 21
rainfantry/starkiller
Android RAT. Phase 1 complete: GPS exfil, SMS access, camera trigger, Play Protect bypass. Written in Kotlin. The APK the mobile chapter dissects line-by-line.
Unlocks: Module 21 · $79 AUD
PRIVATE · MOD 02 / 08 / 17 / 20
rainfantry/winrecon
20-section Windows recon and privesc tool. CWE-732/427 scanner, AD enumeration, network recon. Unlocks with Recon, PrivEsc, Network, or AD module purchase.
Unlocks: Module 02, 08, 17, or 20
PRIVATE · MOD 03
rainfantry/Ghost-Scraper
Full OSINT platform — TypeScript/Express/React. Scrapes, correlates, and maps a target from public sources. The framework the vuln research chapter is built around.
Unlocks: Module 03 · $49 AUD
RESTRICTED · RESEARCH ONLY
rainfantry/vader-fuzz
mpengine.dll fuzzer. Active research tool targeting Windows Defender's scanning engine. Not for sale — contact directly for research collaboration.
Research collab only · gwu0738@gmail.com
DOCTRINE // HOW WE OPERATE
01
Own Hardware Only
All offensive research conducted exclusively on owned machines or explicitly authorised targets. No mass-targeting. No unauthorised access. No exceptions.
02
First Principles
We don't copy-paste PoCs. Every tool is built from scratch with full understanding of underlying mechanics. If we can't explain it line by line, we don't ship it.
03
Responsible Disclosure
Novel vulnerabilities go to MSRC or MITRE before anywhere else. We give vendors 90 days. We don't burn zero-days for clout.
04
Soldiers Before Hackers
OPSEC, discipline, and doctrine before technical skill. The tool is a weapon. You need the tactical framework to use it right. Unit 8200 methodology — 80% recon, 20% action.
05
Search for Knowledge
"Search for knowledge. Not bugs." — 0x1security. Crash → leak → execute is a progression of understanding, not a script. Every operation produces intelligence.
06
Defence Through Understanding
You cannot defend what you don't understand. Every bypass in this course is taught alongside the detection gap it reveals. The bypass IS the lesson.
// LEGAL COMPLIANCE — AUTHORIZED RESEARCH — RESPONSIBLE DISCLOSURE
WE FOLLOW // THE LAW PRECISELY

Every technique in this course is taught from documented research on owned hardware. No unauthorized access. No third-party targets. No grey areas. The law is not a constraint we work around — it's the framework we operate inside, precisely, with written records.

CRIMINAL CODE ACT 1995 (CTH)
Part 10.7 — Computer Offences

s.477.1–477.3, s.478.1. All computer access is authorized. Own hardware or explicit written consent. Zero unauthorized access to any system at any time.

ACSC — AUSTRALIAN CYBER SECURITY CENTRE
CVD Guidelines + ASD Essential Eight

Coordinated Vulnerability Disclosure followed per ACSC guidance. ASD Essential Eight used as the defensive benchmark all evasion research is measured against.

MSRC — MICROSOFT SECURITY RESPONSE CENTER
VULN-195458 — Disclosed Before Publication

HWBP Tamper Protection bypass submitted to MSRC before any public release. 90-day embargo observed. MSRC closed as out-of-scope. Embargo void. Technique published.

MITRE — CVE PROGRAM + ATT&CK FRAMEWORK
CVE Submissions + TTP Mapping

CVE submissions: MITRE cases #49, #53 (TOCTOU quarantine race condition series). All course techniques mapped to MITRE ATT&CK TTP IDs.

ISO/IEC 29147:2018
International Vulnerability Disclosure Standard

Disclosure timeline and vendor-first policy consistent with this international standard. 90 days. Vendor acknowledgement required to start clock. No social media drops before disclosure.

RESEARCH AUTHORIZATION — PUBLIC RECORD
github.com/rainfantry/csec-research-authorization

All research scope, authorization declarations, and disclosure records are documented publicly. PENTEST_LOG.md per engagement. RESEARCH_LOG.md for ongoing vulnerability research.

READ FULL POLICIES & LEGAL STANCE →
OCCUPATION FORCE CALLSIGN GSW PTY LTD — ABN 50 692 429 397 — NSW PTY LTD EST. NOV 2025
// WHY CHEYANNE

The principal C2 framework in this course is named CHEYANNE. Not as an acronym. Not as a codename assigned by threat-intel convention. As a memorial.

"We have been running on burnt bridges for years. CHEYANNE is a memorial that fights back. Her name is on work that cannot be erased, because love that refuses to die builds things that refuse to die."

By naming the principal core framework after her, her name is structurally woven into the foundational codebase — in every beacon, every listener, every encrypted channel. Not in a README. In the code itself.

The other tools carry their own weight. VADER-ROOTKIT — persistence through every layer. STARKILLER — reach that doesn't stop at a wall. ECLIPSE — coordinates that flow when nothing else does. GHOST-ENCODER — what's hidden doesn't have to stay quiet. Every name is a commitment. CHEYANNE is the one that started them all.

// CONTACT
CONTACT // GEORGE WU — VADER
Email
GitHub
Research Site
Location
Sydney, NSW — Australia
Available For
Authorised penetration testing, red team engagements, security tooling development, vulnerability research collaboration.
AUTHORISATION REQUIRED
All engagements require documented authorisation before commencement. Scope agreed in writing. Australian Cybercrime Act compliant at all times.