Technical Courses /

Malware and Exploit Essentials Course


28 Aug-1 Sep 2017

Registration deadline:

26 Jun 2017



Tallinn, Estonia

Participation fee:

300 € (no fee for the Sponsoring Nations, Contributing Partners and NATO bodies)

The Malware and Exploit Essentials course will provide deep technical insights for cyber defenders into techniques that modern malware uses to exploit vulnerabilities and to intrude into systems. Based on an introduction to modern OS features and analysis techniques, the use of debuggers as the most important tools for exploit research and up‐to‐date methods for vulnerability detection like fuzzing and code coverage will be discussed.

Learning Objectives 

Once vulnerabilities have been found, there are different approaches to make use of them to exploit a system. The course will start by introducing basic exploitation methods like buffer and heap overflow techniques, as well as more advanced ideas for both Windows and Linux systems (for the experts: ASLR, SEH/SafeSEH, ROP, DEP etc. will be demonstrated and explained). Since system security is mainly based on encryption technologies, modern crypto systems will be explained, as will aspects of crypto security and how intruders try to break them.

Another important topic on this course is software resilience: malware execution is always based on an unintended program flow redirection. This course will show how code can be protected from being altered by introducing code morphing and obfuscation techniques. It is also planned to give an overview of virtualisation techniques, which help engineers analyse malware as long as the malware is not aware it is being executed in a research environment, but also carries the risk of potential malware escapes from the virtual environments, which have been seen before.

Target Audience

The target audience is exclusively technical staff of CERTs/CIRTs or other governmental or military entities being involved in technical IT security or cyber defence.


  • Introduction
    • Course Introduction
    • Malware and Exploits – basics and definitions
  • Modern OS environment
    • Creating a program
    • Compilation, linking, shared libraries, sections of program
    • Assembly introduction, AT&T vs. Intel syntax, endianness
  • Debuggers
    • Static and dynamic program analysis
    • Getting info about binaries
    • Introduction to GDB debugger
  • Buffer overflows
    • Concept of stack frame and local variables of function
    • Buffer overflows without ASLR and NX/XD techniques
    • Return‐to‐system and chaining
    • Introduction to Immunity debugger and windbg
    • Generating shell code
  • Heap overflows
    • Exploitability of heap management
    • Modern heap implementation
  • Protective mechanisms and common exploitation ideas
    • Canaries, non‐executable stack
    • ASLR, Position independent code
  • Linux exploitation in practice
    • Return‐Oriented‐Programming approach
  • Windows exploitation in practice
    • Structured Exception Handler (SEH, SAFESEH, SEHOP)
    • Disabling DEP, permanent DEP
    • ASLR (brute forcing, non ASLR libs, Information Leakage + HEAP spraying)


  • Sound knowledge of assembly level programming
  • Sound knowledge of operating system details at process/library level on both Windows
    and Linux systems
  • English language skill comparable to STANAG 6001,

NB! Please be aware of the strong technical nature of this course: this is not a course for beginners. Note that we most strongly discourage the participation of students who do not fulfil the prerequisites, since the course contains advanced lab sessions assuming this knowledge. Therefore, the presence of unskilled attendees is likely to hinder the overall progress of the course.

Registration info

Please register for the course by visiting the NATO CCD COE website and completing the provided registration form before the deadline. Should you have any questions, please contact: events -at- 
* Before registering, please check the up‐to‐date course information on the NATO CCD COE website