Malware and Exploit Essentials

The Malware and Exploit Essentials course gives cyber defenders deep technical insight into the techniques malware uses to exploit vulnerabilities and intrude into systems. Starting from an introduction to operating system internals and analysis techniques, the course covers debuggers as the primary tools of exploit research and vulnerability-discovery methods such as fuzzing; each topic is first discussed and then trained in hands-on exercises.

Learning Objectives

  • Introduction to memory layout, assembly language and compilation
  • Usage of debuggers (GDB, Immunity Debugger, WinDbg)
  • Basic exploitation techniques on Linux and Windows systems
  • Introduction to fuzzing
  • Understanding operating system mechanisms such as ASLR, SEH and DEP, and how they are bypassed
  • Basic static (IDA Pro), dynamic (OllyDbg) and behavioural analysis of different malware samples
  • Writing IOCs (Yara rules)
  • Hands-on training of all the techniques learned

Target Audience

  • Technical staff of CERTs, IT departments and other governmental or military entities involved in technical IT security or cyber defence.

Outline

  • Introduction:
    • Course introduction.
    • Malware and exploits: basics and definitions.
  • Modern OS environment:
    • Creating a program.
    • Compilation, linking, shared libraries, sections of a program.
    • Assembly introduction, AT&T vs. Intel syntax, endianness.
  • Debuggers:
    • Static and dynamic program analysis.
    • Getting information about binaries.
  • Buffer overflows:
    • Concept of the stack frame and local variables of a function.
    • Buffer overflows without ASLR and NX/XD.
    • Return-to-libc (return-to-system) and chaining.
  • Protective mechanisms and common exploitation ideas:
    • Canaries, non-executable stack.
    • Structured Exception Handler (SEH).
    • Address space layout randomization (ASLR).
    • Data Execution Prevention (DEP).
    • Return-oriented programming (ROP).
  • Examining static properties of suspicious programs:
    • Static analysis (IDA Pro).
  • Performing behavioural analysis of malicious Windows executables:
    • INetSim, FakeDNS, Wireshark.
  • Performing dynamic code analysis of malicious Windows executables:
    • Dynamic analysis (OllyDbg, WinDbg).
  • Determining network and host-based indicators (IOCs):
    • Writing IOCs (Yara rules).
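The buffer-overflow items in the outline (stack frame and local variables, overflows without ASLR and NX/XD) are illustrated below with an added example; this is not course material from the page, but a minimal model written for this edit. It assumes a hypothetical frame layout in which a 16-byte local buffer is followed directly by a 4-byte local variable, and it models that frame as one byte array so the overwrite stays inside a single C object (defined behaviour) while still showing the effect of an unchecked copy on the neighbouring variable. The `login_vulnerable` and `login_hardened` functions and the 0xdeadbeef input are constructed for the example.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed (hypothetical) frame layout for this example: a 16-byte local
 * buffer immediately followed by a 4-byte local variable, the way a
 * compiler might place two locals of one function on the stack. The
 * frame is modelled as a single byte array so that the "overflow" stays
 * inside one object and the program has defined behaviour; on a real
 * stack the same unchecked copy would continue into saved registers and
 * the return address. */
enum { BUF_SIZE = 16, FLAG_SIZE = 4, FRAME_SIZE = BUF_SIZE + FLAG_SIZE };

/* Decode the variable next to the buffer as x86 stores it: little-endian. */
static uint32_t read_flag(const unsigned char *frame) {
    const unsigned char *p = frame + BUF_SIZE;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: strcpy-style copy bounded only by the input length.
 * Returns the value of the adjacent variable after the copy; an attacker
 * controls it as soon as the input exceeds BUF_SIZE bytes. */
uint32_t login_vulnerable(const char *input) {
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);          /* adjacent variable starts as 0 */
    size_t n = strlen(input);
    if (n > FRAME_SIZE)                      /* keeps the model in bounds only; */
        n = FRAME_SIZE;                      /* the real bug has no such check  */
    memcpy(frame, input, n);                 /* no check against BUF_SIZE       */
    return read_flag(frame);
}

/* Hardened form: reject input that does not fit together with its NUL
 * terminator instead of truncating silently. Returns 0 on success and -1
 * on rejection; *flag_out receives the adjacent variable (always 0 here). */
int login_hardened(const char *input, uint32_t *flag_out) {
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    size_t n = strlen(input);
    if (n >= BUF_SIZE)
        return -1;
    memcpy(frame, input, n + 1);             /* n + 1 <= BUF_SIZE */
    *flag_out = read_flag(frame);
    return 0;
}

int main(void) {
    /* Constructed inputs: 16 filler bytes followed by the 4 bytes that land
     * on the neighbouring variable (0xdeadbeef in little-endian order). */
    const char *benign   = "alice";
    const char *overflow = "AAAAAAAAAAAAAAAA\xef\xbe\xad\xde";
    uint32_t flag = 0;

    printf("vulnerable, benign input : flag = 0x%08" PRIx32 "\n", login_vulnerable(benign));
    printf("vulnerable, 20-byte input: flag = 0x%08" PRIx32 "\n", login_vulnerable(overflow));
    printf("hardened,   20-byte input: rc = %d\n", login_hardened(overflow, &flag));
    return 0;
}
```

Compile with `gcc -O0 -fno-stack-protector` only if you want to go on and turn the model into a real stack overwrite in a lab VM; as written, the example compiles and runs cleanly with default hardening, because the overwrite never leaves the modelled frame. The hardened variant shows the usual fix: check the length against the destination size before copying, and fail closed rather than truncate.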

Prerequisites

  • Good working/administration experience in Linux and Windows environments, especially on the command line.
  • Basic understanding of assembly and higher-level programming languages (optional).
  • Programming experience in assembly, C/C++ or Python (optional).
  • English language skills comparable to STANAG 6001, 3.2.3.2.

NB! Please be aware of the strongly technical nature of this course: it is not a course for beginners. We most strongly discourage participation by students who do not fulfil the prerequisites, since the course contains advanced lab sessions that assume this knowledge, and the presence of unprepared attendees is likely to hinder the overall progress of the course.

Registration

Registration opens on 22 June 2020. Applicants from CCDCOE member nations should use the registration code provided by their national Point of Contact. An email confirming participation will be sent only after registration has closed.

If you have any questions or issues with registration, please contact [email protected]