Clouds

Windows User Mode Exploit Development (OSED)

Essential Skills Gained

Checkmark

Develop the skills to bypass security mitigations

Checkmark

Write handmade Windows shellcode

Checkmark

Adapt older techniques to more modern versions of Windows

Format

5 day course with lecture and hands-on labs.

Audience

Exploit Developers

Security Researchers

Malware Analysts

Software Developers Working On

Security Products

Description

General Course Information

  • About the EXP301 Course

  • Provided Materials

  • Overall Strategies for Approaching the Course

  • About the EXP301 VPN Labs

  • About the OSED Exam

  • Wrapping Up

WinDbg and x86 Architecture

  • Introduction to x86 Architecture

  • Introduction to Windows Debugger

  • Accessing and Manipulating Memory from WinDbg

  • Controlling the Program Execution in WinDbg

  • Additional WinDbg Features

  • Wrapping Up

Exploiting Stack Overflows

  • Stack Overflows Introduction

  • Installing the Sync Breeze Application

  • Crashing the Sync Breeze Application

  • Win32 Buffer Overflow Exploitation

  • Wrapping Up

Exploiting SEH Overflows

  • Installing the Sync Breeze Application

  • Crashing Sync Breeze

  • Analyzing the Crash in WinDbg

  • Introduction to Structured Exception Handling

  • Structured Exception Handler Overflows

  • Wrapping Up

Introduction to IDA Pro

  • IDA Pro 101

  • Working with IDA Pro

  • Wrapping Up

Overcoming Space Restrictions: Egghunters

  • Crashing the Savant Web Server

  • Analyzing the Crash in WinDbg

  • Detecting Bad Characters

  • Gaining Code Execution

  • Finding Alternative Places to Store Large Buffers

  • Finding our Buffer - The Egghunter Approach

  • Improving the Egghunter Portability Using SEH

  • Wrapping Up

Creating Custom Shellcode

  • Calling Conventions on x86

  • The System Call Problem

  • Finding kernel32.dll

  • Resolving Symbols

  • NULL-Free Position-Independent Shellcode (PIC)

  • Reverse Shell

  • Wrapping Up

Reverse Engineering for Bugs

  • Installation and Enumeration

  • Interacting with Tivoli Storage Manager

  • Reverse Engineering the Protocol

  • Digging Deeper to Find More Bugs

  • Wrapping Up

Stack Overflows and DEP Bypass

  • Data Execution Prevention

  • Return Oriented Programming

  • Gadget Selection

  • Bypassing DEP

  • Wrapping Up

Stack Overflows and ASLR Bypass

  • ASLR Introduction

  • Finding Hidden Gems

  • Expanding our Exploit (ASLR Bypass)

  • Bypassing DEP with WriteProcessMemory

  • Wrapping Up

Format String Specifier Attack Part I

  • Format String Attacks

  • Attacking IBM Tivoli FastBackServer

  • Reading the Event Log

  • Bypassing ASLR with Format Strings

Format String Specifier Attack Part II

  • Write Primitive with Format Strings

  • Overwriting EIP with Format Strings

  • Locating Storage Space

  • Getting Code Execution

  • Wrapping Up

Trying Harder: The Labs

  • Challenge 1

  • Challenge 2

  • Challenge 3

  • Wrapping Up

Your Team has Unique Training Needs.

Your team deserves training as unique as they are.

Let us tailor the course to your needs at no extra cost.