
Malware and Exploit Essentials Course

3-7 Sep 2018

Registration deadline: 23 Jul 2018

Tallinn, Estonia

Participation fee: 300 € (no fee for the Sponsoring Nations, Contributing Partners and NATO bodies)

The Malware and Exploit Essentials course will provide cyber defenders with deep technical insight into the techniques that modern malware uses to exploit vulnerabilities and intrude into systems. Starting from an introduction to modern OS features and analysis techniques, the course will cover the use of debuggers as the most important tools for exploit research, as well as up-to-date methods for vulnerability detection such as fuzzing and code coverage.

Learning Objectives

Once vulnerabilities have been found, there are different approaches to making use of them to exploit a system. The course will start by introducing basic exploitation methods such as buffer and heap overflow techniques, as well as more advanced ideas for both Windows and Linux systems (for the experts: ASLR, SEH/SafeSEH, ROP and DEP will be demonstrated and explained). Since system security is mainly based on encryption technologies, modern crypto systems will be explained, as will aspects of crypto security and how intruders try to break them. Another important topic of this course is software resilience: malware execution is always based on an unintended redirection of program flow. The course will show how code can be protected from being altered by introducing code morphing and obfuscation techniques. It is also planned to give an overview of virtualisation techniques, which help engineers analyse malware as long as the malware is not aware that it is being executed in a research environment, but which also carry the risk of malware escaping from the virtual environment, as has been seen before.

Target Audience

Cyber security technical staff (CERT, IT departments, etc.) seeking to become familiar with malware analysis and related topics. 


Course Outline

  • Introduction:
    • Course introduction.
    • Malware and exploits – basics and definitions.
  • Modern OS environment:
    • Creating a program.
    • Compilation, linking, shared libraries, sections of a program.
    • Assembly introduction, AT&T vs. Intel syntax, endianness.
  • Debuggers:
    • Static and dynamic program analysis.
    • Getting information about binaries.
    • Introduction to the GDB debugger.
  • Buffer overflows:
    • Concept of the stack frame and local variables of a function.
    • Buffer overflows without ASLR and NX/XD techniques.
    • Return-to-system and chaining.
    • Introduction to Immunity Debugger and WinDbg.
    • Generating shellcode.
  • Heap overflows:
    • Exploitability of heap management.
    • Modern heap implementations.
  • Protective mechanisms and common exploitation ideas:
    • Canaries, non-executable stack.
    • ASLR, position-independent code.
  • Linux exploitation in practice:
    • Return-oriented programming approach.
  • Windows exploitation in practice:
    • Structured Exception Handler (SEH, SafeSEH, SEHOP).
    • Disabling DEP, permanent DEP.
    • ASLR (brute forcing, non-ASLR libraries, information leakage + heap spraying).


Prerequisites

  • Good work/administration experience in Linux (as the work environment) and Windows (as the malware environment).
  • Sound knowledge of assembly-level programming.
  • Sound knowledge of operating system details at the process/library level on both Windows and Linux systems.
  • English language skill comparable to STANAG 6001.

NB! Please be aware of the strong technical nature of this course. It is not intended for inexperienced IT security specialists.

Registration info

Please register for the course by visiting the NATO CCD COE website and completing the provided registration form before the deadline. Should you have any questions, please contact: events -at- 

* Before registering, please check the up-to-date course information on the NATO CCD COE website.