Advanced Exploitation: for Hackers and Developers

VDA Labs, LLC | March 28 - 29
Overview

Day 1

1. ROP
Lecture: EMET includes five ROP mitigations. We discuss how each of them works and how each can be bypassed
Lab: Bypass EMET by upgrading an existing, working exploit

2. Use-after-free
Lecture: Browser vendors have added use-after-free (UaF) mitigations
Lab: Bypass the Isolated Heap and Deferred Free mitigations

3. Control Flow Integrity
Lecture: Describe Control Flow Guard (CFG), the new Visual Studio 2015 feature used to protect indirect control transfers during program execution
Lab: Bypass Microsoft's Control Flow Guard

4. Browser Extension Exploitation
Lecture: Discuss Flash and walk through an exploit that was disclosed as part of the Hacking Team breach
Lab: Understand and work with that exploit

Day 2

1. Kernel Debugging
Lecture: Discuss the Windows architecture, including the principles and components of the kernel
Lab: Learn how to debug system code

2. Kernel Auditing
Lecture: Windows drivers: how they work and how to find bugs in them
Lab: Find bugs in the provided driver code

3. Kernel Fuzzing
Lecture: Kernel attack surface: syscalls, IOCTLs, User/GDI, the networking and I/O stacks, etc.
Lab: Perform GDI/font fuzzing

4. Kernel Exploitation
Lecture: Kernel exploits and the defenses against them
Lab: Examine two kernel exploits in detail: how the ROP chain and the actual privilege elevation work

Who Should Take this Course

Developers, security researchers, hackers, managers, anyone wanting deep insight into how exploits work, and how to create defenses to mitigate them.

Student Requirements

It is recommended that you take the VDA Labs "Application Security: for Hackers and Developers" course first, or have equivalent knowledge. This is not a hard prerequisite, but we do not review basic exploit techniques.

What Students Should Bring

Students are required to provide a laptop for the course:

  • Your computer should have at least 80 GB of free disk space and 6 GB or more of RAM.
  • Install ahead of time: VMware Workstation, VMware Player, or VMware Fusion.

What Students Will Be Provided With

The course material will be provided to you on day one. As soon as you receive the course material, copy it from the media (and pass the media to your neighbor), then extract and test the virtual machine.

Trainers

Dr. Jared DeMott is developing Vision (an EDR product) as the CTO of Binary Defense Systems. Jared is also the founder of, and a regular trainer for, vdalabs.com. You'll find fingerprints of his work all across the security industry, from fuzzing, code auditing, and exploitation to the malware and developer security courses he teaches on Pluralsight. When he's not bypassing EMET or CFG, he's spending time with his family.

Josh Stroschein, Senior Trainer and Consultant with VDA Labs, has spent over a decade as a programmer and consultant with a focus on application security. His expertise includes malware analysis, application security, software development, reverse engineering, and exploit development. Josh enjoys teaching VDA Labs classes. He is nearing completion of his PhD in Computer Science.