Exploit Development and Malware Analysis - Sam Bowne, Elizabeth Biddlecome, Kaitlyn Handelman, & Irvin Lemus - DCTLV2026

Name of Training: Exploit Development and Malware Analysis
Trainer(s): Sam Bowne, Elizabeth Biddlecome, Kaitlyn Handelman & Irvin Lemus
Dates: August 10-11, 2026
Time: 8:00 am to 5:00 pm 
Venue: Las Vegas Convention Center
Cost: $3,000 (USD)

Short Summary:

Learn how to gain control of systems by injecting raw binary exploit code into vulnerable processes, on Linux and Windows systems. Learn Windows internals and how malware operates, in both EXE and DOT NET formats. This is a highly-hands-on workshop with brief demonstrations and explanations, and many projects and challenges for participants to perform.

Course Description: 

Exploit Development: Learn how to take control of Windows and Linux servers running vulnerable software, in a hands-on CTF-style workshop. We begin with easy command injections and SQL injections, and proceed through binary exploits incuding buffer overflows on the stack and the heap, format string vulnerabilities, and race conditions. We will exploit 32-bit and 64-bit Intel systems, and also ARM-based systems.

Malware Analysis: Explore the structure of Windows executable files and the operating system itself, to better understand programs, services, malware, and defenses. Projects include: cheating at games, building malicious DLL libraries, stealing passwords from the API, building a keylogger, and debugging a driver. Tools used include FLARE-VM, pestudio, API Monitor, Visual Studio, OllyDbg, IDA Pro, Ghidra, and WinDbg.

Course Outline: 

The workshop is structured as a series of challenges, with a live CTF-style scoreboard. We will demonstrate and explain each challenge, and then help particpants through them. Each challenge has an easy portion with complete instructions, so beginners can succeed, and harder tasks to challenge advanced participants.

All materials, including the running CTF scoreboard, are in the public domain and will remain available after the workshop for the participants to use.

Day 1: Exploit Development: 

I: Why are exploits possible?

1. The fundamental problem
   1. Data and code use the same bytes
   2. Code is processed by distinct modules
      
   3. A module passes data on to another module, losing context
      
   4. Developers make inaccurate assumptions about data structure
      
   5. Attackers send input which is accepted as data, but misunderstood by later modules and executed as code
2. Command Injection
   
   1. User input used to construct a command line
      
   2. Router network test pages
      
   3. Injecting bash commands with a semicolon
      
   4. Injecting CMD commands on a vulnerable Windows web server form
      
   5. ImageMagick exploitation with injected commands in a crafted malicious image
3. SQL Injection
   
   1. User input included in a SQL command
      
   2. PHP operating correctly sends the command to a SQL server
      
   3. The SQL server operates correctly and executes the command
      
   4. Crafted code steals data
      
   5. Uploading a PHP shell to gain unlimited remote code execution
4. How programs use memory
   
   1. Memory segments: text, stack, and heap
      
   2. Registers
      
   3. Writing simple assembly code and stepping through it
5. Compiling C code on Linux
   
   1. Using gcc to compile programs
      
   2. Using objdump and gdb to examine the compiled code
      
   3. Recognizing C constructs in assembly: loops, branches, library calls, and function calls
      
   4. Data storage: stack, heap, .data section, strings, and null terminators
      
   5. Stack frames, function prologue and epilogue
6. Stack overflows on Linux
   
   1. Buffer overflow to change EIP and redirect execution within a program
      
   2. Using a debugger and breakpoints to understand the overflow
      
   3. Injecting shellcode
      
   4. Turning off stack protections
      
   5. Using a NOP sled
      
   6. Creating shellcode with msfvenom
      
   7. Types of shellcode: bind shell, reverse shell, metasploit
      
      1. The complete process of exploit development:
      2. Fuzzing to find a crash
      3. Analyzing the crash in a debugger to find the root cause
      4. Sending a nonrepeating pattern of characters to target the EIP
      5. Testing all bytes to identify bad characters
      6. Generating an encoded payload without bad characters
      7. Sending a complete exploit against a target in a debugger
      8. Adjusting the exploit to work outside the debugger
7. Heap overflows on Linux
   
   1. Heap usage and structure: linked lists
      
   2. malloc() and free()
      
   3. Heap overflow overwriting forward and reverse pointers
      
   4. free() crashes on an invalid write operation
      
   5. Attacker gains control of a single write operation
      
   6. Gaining code execution from a write: targeting the Procedure
      
   7. Targeting the Program Linkage Table (PLT)
8. Format string vulnerabilities
   
   1. Reading from the stack: information disclosure
      
   2. Writing with %n to cause denial of service
      
   3. Writing to the PLT to gain code execution
9. Hacking Windows EXEs with Immunity
   
   1. Running PuTTY in a debugger
      
   2. Finding stored strings
      
   3. Modifying code
      
   4. Saving changes
      
   5. Adding a new segment with LordPE
      
   6. Adding Trojan code
10. Stack overflows on Windows
    
    1. Complete exploit development process for "vulnerable server"
11. Understanding Windows defenses
    
    1. Compiling simple test cases with Visual C++ Build Tools
       
    2. Viewing security cookie implementation in IDA Pro
       
    3. Controlling Address Space Layout Randomization (ASLR)
       
    4. Using Immunity to exploit a buffer overflow without ASLR
       
    5. Viewing ASLR weaknesses: limited entropy and non-randomized segments
12. Overcoming Windows defenses
    
    1. Return-Oriented Programming (ROP) and why it works: the .text section does not randomize
       
    2. Using trampoline code to find the stack, defeating ASLR
       
    3. Constructing ROP chains with Mona to make Windows API calls
       
    4. Defeating Data Execution Prevention (DEP) with ROP chains
       
    5. Finding unprotected modules with Mona
       
    6. Using a heap spray to defeat ASLR
13. Exploiting the Structured Exception Handler (SEH) on Windows
    
    1. How Windows processes exceptions
       
    2. Finding an overflow that corrupts the SEH
       
    3. Using a stack pivot to find injected code
       
    4. Making a complete exploit with shellcode
       
    5. Overcoming SEHOP protection
14. Exploiting 64-Bit Intel Systems
    
    1. 64-bit addressing: the swindle of 48 bits
       
    2. 64-bit registers
       
    3. Writing 64-bit assembly code
       
    4. Exploiting a buffer overflow on a 64-bit system
15. Exploiting ARM32 and ARM64 Systems
    
    1. ARM assembly code
       
    2. The different role of registers
       
    3. Using QEMU Raspberry Pi emulators
       
    4. Debugging on ARM
       
    5. Exploiting a stack overflow on ARM
16. Exploiting DOT NET software
    
    1. Writing DOT NET applications in Visual Studio
       
    2. Understanding the DOT NET runtime and Intermediate Language
       
    3. Reversing DOT NET with Reflector
       
    4. Reversing DOT NET games
17. Comparing Rust to C++
    
    1. Buffer overflows are eliminated
       
    2. Memory leaks are prevented
       
    3. Directory traversal and command injection are still possible

Day 2: Malware Analysis

1. Basic static analysis of malware
   1. Using VirusTotal for an overview of its function
      
   2. Using PEview to see the structure of a PE file
      
   3. Identifying the development language with PEiD
      
   4. Identifying packers
      
   5. Extracting strings with BinText
      
   6. Identifying library usage with Dependency Walker
2. Packed code
   
   1. Using UPX to unpack a packed executable
      
   2. Building a custom version of UPX
      
   3. Manual unpacking with OllyDbg and pestudio
3. Disassembly
   1. Using assembly language in the Jasmin emulator
      
   2. Disassembling with IDA Pro
      
   3. Recognizing C constructs in assembly code
      
   4. Disassembling and decompiling code with Ghidra
4. Windows libraries
   1. Examining the Import Address Table (IAT)
      
   2. Repairing and rebuilding the IAT
      
   3. DLL hijacking with companion trojans
      
   4. Building a keylogger with Visual Studio
      
   5. Building a DLL proxy
      
   6. Stealing passwords with API Monitor
5. Debugging in user-land
   1. Modifying a windows EXE with OllyDbg
      
   2. Hacking minesweeper
      
   3. Source-level debugging
6. Debugging the kernel
   1. Examining Kernel structures with a single computer
      
   2. Kernel debugging with breakpoints and two machines
      
   3. Debugging a device driver
7. Bootkits
   
   1. Bootkit analysis with Bochs
      
   2. Understanding the MBR and a malicious MBR
8. The .NET Framework
   
   1. Common Language Runtime
      
   2. Building .NET Apps in Visual Studio
      
   3. Reversing .NET apps with .NET Reflector and other tools
9. Assembly language coding
   1. Basic coding
      
   2. Printing and simple debugging
      
   3. Using ASCII
      
   4. Debugging with gdb
      
   5. Using files
      
   6. Encryption with the Caesar cipher
      
   7. XOR encoding
      

Difficulty Level:

Intermediate - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.

Suggested Prerequisites:

Previous experience with C and assembly language is helpful but not required.

What Students Should Bring:

A laptop computer capable of running VMware virtual machines, with at lease 40 GB of available storage. A second monitor is helpful but not necessary.

What the Trainer Will Provide:

All course materials are freely available online and will remain so after the workshop ends.

Trainer(s) Bio:

Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on trainings at DEF CON, DEF CON China, Black Hat USA, HOPE, BSidesSF, BSidesLV, RSA, and many other conferences and colleges. He founded Infosec Decoded, Inc., and does corporate training and consulting for several Fortune 100 companies, on topics including Incident Response and Secure Coding.

Elizabeth Biddlecome is a consultant and instructor, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to cripting languages in cybersecurity competitions, hackathons,and CTFs.

Kaitlyn Handelman is an offensive security engineer at Amazon. Her focus is cybersecurity in space. In addition to traditional penetration testing, Kaitlyn works on physical devices and RF signals. In her free time, she enjoys ham radio, astronomy, and her cat, Astrocat.

Irvin Lemus, CISSP is the Director of Education and Training for Latin America at By Light IT Professional Services. Irvin has been in the field since 2006, involved with cybersecurity competitions since 2015 as a trainer, coach, and mentor. He has been teaching at community colleges since 2014. He describes himself as, "A professional troublemaker who loves hacking all the things."

Proficiency Exam Option:

This course has the option for a proficiency certificate add-on. 

Students who earn 500 points on the CTF scoreboard will be eligible to receive a Certificate of Proficiency, demonstrating a deep understanding of memory usage, Windows internals, and raw binary code.

Please reach out to training@defcon.org for any questions related to the proficiency exam and certificate option.

Registration Terms and Conditions: 

Trainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.

Between July 11, 2026 and August 5, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.

All trainings are non-refundable after August 5, 2026.

Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.

All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.