Advanced Windows Binary Exploitation - Kolja Grassmann & Florian Schweins - DCTLV2026

Name of Training: Advanced Windows Binary Exploitation
Trainer(s): Kolja Grassmann & Florian Schweins
Dates: August 10-11, 2026
Time: 8:00 am to 5:00 pm 
Venue: Las Vegas Convention Center
Cost: $2,500 (USD)

Short Summary:

Memory corruption bugs are alive! In this course you'll learn about all the mitigations Windows has in place to prevent you from exploiting them - and how you'll still succeed as an attacker.

Course Description: 

This training dives deep into the art of binary exploitation for Windows systems. Designed for security professionals eager to elevate their skills, the course starts with foundational techniques for identifying and analyzing buffer overflow vulnerabilities. It opens with a concise refresher on x86 assembly and tools like x64dbg and Ghidra. Afterwards, using pre-configured systems, attendees will analyze and exploit example Windows binaries.

Then, the training progresses to exploit development, covering shellcode crafting, stack smashing, and advanced topics like circumventing stack canaries, ASLR bypasses, and mastering Return-Oriented Programming (ROP). Participants will experience modern attack and defense strategies firsthand, culminating in the exploitation of real-world applications.

By the end of the course, attendees will have the skills and confidence to craft their own Windows exploits for memory corruption bugs.

Course Outline:

Day 1: Fundamentals of Exploitation (PWNing)

- Brief refresher
    - Assembly, x64dbg, and Ghidra.
    - Hands-on Challenges: Debugging and reversing binaries.
- Pwntools
    - Overview of Pwntools: Automating interactions with binaries.
    - Demo: Writing simple scripts and crafting basic exploits.
    - Hands-on Challenges: Automating binary interactions.
- Shellcode Development
    - Crafting shellcode: techniques, use cases, and examples.
    - Hands-on Challenges: Writing and using shellcode with examples.
- Smashing the Stack
    - Fundamentals of buffer overflows and stack behavior.
    - Demo: Developing a stack-smashing exploit.
    - Hands-on Challenges: Exploit a stack-overflow vulnerability in practice.
- Lab + Q&A Session
    - Work on lab exercises.
    - Discuss challenges and consolidate learning from Day 1.

Day 2: Advanced Exploitation Techniques

- Bypassing Stack Canaries
    - Overview of stack canaries: Protection mechanisms and bypassing strategies.
    - Hands-on Challenges: Develop an exploit to bypass stack canaries.
- Address Space Layout Randomization (ASLR)
    - Understanding ASLR and techniques for bypassing it.
    - Demo: Analyzing ASLR-protected binaries.
    - Hands-on Challenges: Exploit an ASLR-protected binary.
- Return-Oriented Programming (ROP)
    - Basics of ROP: Purpose, techniques, and crafting payloads.
    - Hands-on Challenges: Exploit a binary using a basic ROP chain.
- Advanced ROP Challenges
    - Build and execute ROP chains to exploit vulnerabilities.
    - Challenge: Create complex ROP payloads to bypass mitigations.
- Lab + Q&A Session
    - Work on lab exercises.
    - Wrap-up of advanced exploitation techniques with open discussion.

Difficulty Level:

Advanced Definition - The student is expected to have significant practical experience with the tools and technologies that the training will focus on.

Suggested Prerequisites:

- Basic knowledge of low-level programming (e.g. C/C++)
- Basic understanding of x86 assembly
- Familiarity with Windows memory layout (stack, heap, ...)
- Experience with at least one Windows debugger (e.g., x64dbg)

What Students Should Bring:

A laptop with an up-to-date browser to access the browser-based lab.

What the Trainer Will Provide:

Course material as PDF. Access to the challenge lab.

Trainer(s) Bio:

Kolja is a Security Researcher and Trainer at Neodyme. He specializes in Windows and Active Directory security. He has found vulnerabilities in widely used security products and has extensive exploit development, pentesting, and red teaming experience.

Florian is a Security Researcher and Trainer at Neodyme, specializing in fuzzing, reverse engineering, and Windows security. He brings experience from both academic research and hands-on penetration testing and has identified vulnerabilities across a wide range of software, including the Windows operating system.

Proficiency Exam Option:

This course has the option for a proficiency certificate add-on. 

To earn the proficiency certificate, students must solve at least three of the challenges during the course.

Please reach out to training@defcon.org for any questions related to the proficiency exam and certificate option.

Registration Terms and Conditions: 

Trainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.

Between July 11, 2026 and August 5, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.

All trainings are non-refundable after August 5, 2026.

Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.

All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.

$2,300.00
$2,500.00