
The Shellcode Lab

Paul Kalinin, Ygor da Rocha Parreira | August 4-5 & August 6-7


The Shellcode Lab is the training that takes your penetration testing and low level technical skills to the next level! With 17 multi-part hands-on labs and over 150 slides of hard core technical content, you will learn the inner workings of how to develop payloads for Linux, Mac and Windows and integrate them into public exploits and the Metasploit exploit framework.

We will take you from zero to 100 in less than 2 days! You will learn everything from memory management and assembly, to compiling and extracting shellcode, to using syscalls and dynamically locating functions in memory. You will develop a wide range of backdoors from 32-bit Command Execution to tiny Egg Hunters to 64-bit Port Bind payloads, and then use your custom payloads to exploit systems.

What people are saying:

  • "By far the best course I've taken at Black Hat."
  • "This is the BEST class I have attended in my 17 year professional career."
  • "One of the most well-organized, well paced courses I've ever attended at Black Hat."
  • "Best course ever. Thanks. I learned a lot."
  • "I loved it!"
  • "Great explanations and worked with individual students to make sure no one was left behind."
  • "Excellent job! I would recommend this course."
  • "Extremely organized and would recommend to colleague. Thank you."

You will also be provided with a "Virtual Shellcode Development Environment" that is designed to enable shellcode development and testing across multiple platforms.

Day 1:

  • Shellcode and Exploitation Introduction
  • Memory Management
  • Introduction to Assembly
  • 32-bit and 64-bit Registers
  • Tiny Shellcode Techniques
  • Virtual Shellcode Development Environment
  • Shellcoding Tools
  • Disassembling Binaries
  • Assembly Layout
  • Linux Syscalls
  • Compiling and Extracting Shellcode
  • Techniques for Removing Bad Characters
  • Debugging Shellcode Using Various Debuggers
  • Linux Shellcode and File Descriptors
  • Locating and Manipulating Strings in Memory
  • Reusing Shellcode Blocks
  • Learn an Easier Way to Compile and Extract Shellcode
  • Linux Command Execution Shellcode
  • Mac OS X 64-bit Shellcode
  • Tools and techniques to compile 64-bit Shellcode for Mac OS X
  • 64-bit Null Free Shellcode
  • Port Bind Shellcode
  • Write 64-bit portbind shellcode for OS X from scratch
  • Modify 64-bit OS X shellcode to be null free and small
  • Metasploit Shellcode Tools for Generation and Encoding

Day 2:

  • Windows 32-bit Memory Layout
  • Windows 64-bit Memory Layout and ASLR
  • Windows Library Layout – Real Limits
  • Windows Shellcoding Techniques
  • Windows Shellcoding - 32-bit vs 64-bit
  • Locating memory addresses of functions in Windows DLLs
  • Debugging Windows Shellcode using various debuggers
  • Windows Shellcode Function Call Techniques
  • Windows Shellcode to Dynamically Locate Kernel32.dll
  • Windows 64-bit Command Exec Shellcode
  • Converting 32-bit Shellcode to 64-bit Shellcode
  • Windows Shellcode Networking
  • Connect Back Shellcode
  • Develop Connect Back Shellcode
  • Egg Hunter Shellcode
  • Windows System Calls
  • Implement your own Egg Hunter
  • Reviewing Public Exploits for Malicious Shellcode
  • Modifying Shellcode to Fit Into Exploits
  • Encoding Shellcode to Work In Exploits
  • Exploitation Using Your Custom Shellcode
  • Creating Metasploit Payload Modules
  • Integrating Shellcode into Metasploit
  • Staged Loading Shellcode
  • Protocol Tunnelling Shellcode
  • Kernel Level Shellcode Concepts
  • Kernel Level Shellcode Walkthrough

We will take your security skills to the next level. Register now to secure your spot!

Who Should Take this Course

  • Penetration Testers, Security Officers, Security Auditors, System Administrators and anyone else who wants to tune their elite security skills.

  • Anyone who is interested in shellcoding, exploitation, vulnerabilities or Metasploit is a prime candidate for this course. Students will be taught from scratch everything they need to know to complete this course successfully and walk away with thorough knowledge and practical skills in creating shellcode.

  • This class is a great follow-on course to "The Exploit Laboratory" and "The Exploit Laboratory: Black Belt". These students will have learned a lot about exploitation, but are still limited to pre-packaged shellcode. This course lets you create custom shellcode to maximize exploitation success rates.

  • Developers who want to learn low-level security development skills with shellcoding and assembly.

  • Managers who want to gain a more in-depth understanding of how systems can be compromised, how security controls can be bypassed at both the operating system level and the network level, how network access controls and intrusion prevention systems play a big part in preventing shellcode from successfully connecting back to the attacker, and the general risks associated with your network security.

Student Requirements

We will teach you everything you need to know from scratch! The course is designed to hold your hand at every step.

As long as you can "double-click" in Windows and use basic command line navigation in Linux, then we can take you from n00b to l33t in 2 days!

What Students Should Bring

  • A working laptop (Windows, Mac or Linux) to run 2 x VMware VMs
  • MINIMUM 2048 MB RAM (Ideally more)
  • Wireless network adapter for internet access
  • 20 GB free Hard disk space
  • LATEST version of VMware Player (or Workstation, Server, Fusion, etc.)

What Students Will Be Provided With

  • A "Virtual Shellcode Development Environment" that is designed to enable shellcode development across multiple platforms
  • The Shellcode Lab workbook
  • Lab instructions and solutions


Paul Kalinin is a Senior Security Consultant at Threat Intelligence Pty Ltd, and has been working in the IT industry for 20 years, with the last decade dedicated to work as a security specialist focusing on penetration testing. Paul presented at Black Hat USA 2018 on The Active Directory Botnet, and has run numerous specialised security courses over the years. He has achieved industry certifications such as CISSP, PCI QSA, CEH and CREST, with areas of expertise including web and mobile application penetration testing, internal and external infrastructure penetration testing, wireless infrastructure penetration testing, red teaming and open source intelligence. Paul has been a key player in the development of penetration testing tools, exploits, methodologies and cyber threat intelligence gathering within the Threat Intelligence team.

Ygor da Rocha Parreira has been working in IT for the last 20+ years, and in security for the last 14+ years. He has extensive experience in vulnerability assessments and penetration testing, focused on network infrastructure, TCP/IP protocols, classes of memory corruption and dangling pointers, source code review, web applications, wireless, RFID, PoS and credit card systems, ATMs, mobile (iOS and Android), phishing, client-side exploitation, and red teaming including physical attacks, lock picking, and manipulation of sensors and cameras. He co-founded the Hackers 2 Hackers Conference (H2HC) in 2004, which is currently the longest running security conference in Latin America. H2HC was created with the main goal of allowing Brazilian security specialists and researchers to meet and exchange information. Ygor is the H2HC Magazine Editor and the columnist responsible for the column “Fundamentals of Offensive Computing”. Ygor has extensive experience delivering training focused on penetration testing and red teaming, exploitation of memory corruption vulnerabilities, and reverse engineering. Currently he works as a senior security researcher at Intel Corporation in the Security Center of Excellence, where he helps to improve the security of the CPU and platform by finding security issues and vulnerabilities.