Advanced Windows Exploitation

Overview

Over the years, writing exploits on modern Windows-based platforms has become a complex dance of memory manipulation to circumvent the mitigations Microsoft has put in place. Offensive Security's Advanced Windows Exploitation Techniques (AWE) challenges you to develop creative solutions that work in today's increasingly difficult exploitation environment.

The course covers techniques ranging from precision heap spraying to DEP, ASLR, CFG, and ACG bypass, real-world 64-bit kernel exploitation, and sandbox escapes, all in a hands-on, lab-focused environment. AWE makes a point of introducing a concept and then allowing you to work through a case study applying what you learned, with multiple instructors on hand for help with any problems. The case studies covered include vulnerabilities discovered by our research team or exploits written by Offensive Security.

Topics covered include:

  • NX/ASLR Bypass - Using different techniques to bypass Data Execution Prevention and Address Space Layout Randomization protection mechanisms on modern operating systems

  • Function Pointer Overwrites - Overwriting a function pointer in order to get code execution

  • Precision Heap Spraying - Spraying the heap for reliable code execution

  • CFG/ACG Bypass - Vulnerabilities and design flaws are exploited to bypass Control Flow Guard and Arbitrary Code Guard

  • Sandbox Escape - Performing browser sandbox escapes to gain true arbitrary code execution

  • 64-bit Windows Kernel Driver Exploitation - Exploring 64-bit kernel exploitation from low integrity

  • Kernel memory disclosure, arbitrary kernel callback overwrite along with Page Table de-randomization

Who Should Take this Course

Advanced Windows Exploitation is NOT an entry-level course. We expect students to have previous exploitation experience in a Windows environment and to know their way around a debugger. Additionally, to get the most out of the class you will want to spend time in the evenings working through case studies and reviewing the provided reading material. This is the hardest course Offensive Security offers. Abandon all hope, ye who enter here.

Student Requirements

Students should be experienced in exploit development for Windows and understand how to operate a debugger. Familiarity with WinDbg, Immunity Debugger, and Python scripting is highly recommended. A willingness to work and put in real effort will greatly help students succeed in this course.

What Students Should Bring

You want to bring a *serious* laptop along, one able to run 3 virtual machines with ease. Please do not bring netbooks or other low-resolution systems.

  • 64-bit host operating system (Important)

  • Administrative access to the host operating system

  • VMware Workstation / Fusion version 14 or newer

  • CPU must support SMEP, VT-x/EPT and IOMMU

  • At least 100 GB HD free

  • At least 16 GB of RAM and 4 cores

  • Wired network support

  • USB 2.0 support or better

  • A will to suffer intensely

What Students Will Be Provided With

Students will be provided with virtual machines for use in class. Additionally, the Advanced Windows Exploitation lab guide will be provided. An in-class "Hint System" will provide electronic distribution of all scripts, POCs, and so on.

***PLEASE NOTE***
Black Hat does NOT include the exam. This can be purchased after the class for a discount.

Trainers

Alexandru Uifalvi has been a part of the Advanced Windows Exploitation class over the past 5 years. His passion for vulnerability research and exploit writing comes through in his teaching and course content creation. Alex is well versed in Windows Internals, Windows Kernel Exploitation, and reverse engineering.

Morten Schenk is a content developer and trainer at Offensive Security with a focus on exploit development and mitigation bypasses on Windows. His recent work includes bypasses of exploit mitigations and exploitation vectors against the Windows 10 kernel as presented at Black Hat USA 2017 and DEF CON 25. Morten loves to build exploits against difficult targets and continuously discover new techniques to combat mitigations.