Malware and Exploit Essentials

The Malware and Exploit Essentials course provides cyber defenders with deep technical insight into the techniques that malware uses to exploit vulnerabilities and intrude into systems. Starting from an introduction to OS features and analysis techniques, the course covers debuggers as the most important tools for exploit research and methods for vulnerability discovery such as fuzzing; each topic is first discussed and then trained in hands-on exercises.

Learning Objectives

  • Introduction to memory, assembly language and compiling
  • Usage of debuggers (GDB, Immunity Debugger / WinDbg)
  • Basic exploitation techniques like buffer overflows on Linux and Windows systems
  • Introduction to fuzzing
  • Understand operating system mechanisms like ASLR, SEH/SafeSEH and DEP and how they get bypassed
  • Hands-on training of all the learned techniques

Target Audience

  • Technical staff of CERTs, IT departments or other governmental or military entities involved in technical IT security or cyber defence.

Outline

  • Introduction:
    • Course Introduction
    • Malware and Exploits – basics and definitions
  • Modern OS environment:
    • Creating a program
    • Compilation, linking, shared libraries, sections of program
    • Assembly introduction, AT&T vs. Intel syntax, endianness
  • Debuggers:
    • Static and dynamic program analysis
    • Getting information about binaries
    • Introduction to the GDB debugger
  • Buffer overflows:
    • Concept of the stack frame and local variables of a function
    • Buffer overflows without ASLR and NX/XD protections
    • Return-to-system and chaining
  • Introduction to Immunity Debugger and WinDbg
  • Generating shellcode
  • Heap overflows:
    • Exploitability of heap management
    • Modern heap implementation
  • Protective mechanisms and common exploitation ideas:
    • Canaries, non-executable stack
    • ASLR, Position independent code
  • Windows exploitation in practice:
    • Structured Exception Handler (SEH, SafeSEH, SEHOP)
    • Disabling DEP, permanent DEP
    • Return-Oriented Programming approach
  • ASLR (brute forcing, non-ASLR libraries, information leakage + heap spraying)

Prerequisites

  • Good work/administration experience in the Linux and Windows environments, especially command line
  • Comfortable with using virtual machines as a training environment (VirtualBox or similar)
  • Basic understanding of assembler and higher-level programming languages (optional)
  • Programming experience in assembler, C(++) or Python (optional)
  • English language skill comparable to STANAG 6001, 3.2.3.2.

NB! Please be aware of the highly technical nature of this course: this is not a course for beginners. The participation of students who do not fulfil the prerequisites is strongly discouraged, since the course contains advanced lab sessions assuming this knowledge. Therefore, the presence of unskilled attendees is likely to hinder the overall progress of the course.

Registration

Registration opens on 4 February 2019. Applicants from CCDCOE member nations should use the registration code provided by their national Point of Contact. An email confirming participation will be sent only after the registration has closed.

If you have any questions or issues with registration, please contact [email protected]