Advanced Windows Exploitation (AWE) Training in Germany

  • Learn via: Classroom / Virtual Classroom / Online
  • Duration: 5 Days
  • Level: Expert
  • Price: From €11,310+VAT
We can host this training at your preferred location. Contact us!

Modern exploits for Windows-based platforms require modern bypass methods to circumvent Microsoft’s defenses. In Advanced Windows Exploitation (EXP-401), OffSec challenges students to develop creative solutions that work in today’s increasingly difficult exploitation environment.

The case studies in AWE are large, well-known applications that are widely deployed in enterprise networks. The course dives deep into topics ranging from security mitigation bypass techniques to complex heap manipulations and 64-bit kernel exploitation.

AWE is a particularly demanding penetration testing course. It requires a significant amount of student-instructor interaction. Therefore, we limit AWE courses to a live, hands-on environment.

This is the hardest course OffSec offer and it requires a significant time investment. Students need to commit to reading case studies and reviewing the provided reading material each evening.

Students should be experienced in developing windows exploits and understand how to operate a debugger. Familiarity with WinDBG, x86_64 assembly, IDA Pro and basic C/C++ programming is highly recommended. A willingness to work and put in real effort will greatly help students succeed in this security training course.

  • Bypass and evasion of user mode security mitigations such as DEP, ASLR, CFG, ACG and CET
  • Advanced heap manipulations to obtain code execution along with guest-to-host and sandbox escapes
  • Disarming WDEG mitigations and creating version independence for weaponization
  • 64-Bit Windows Kernel Driver reverse engineering and vulnerability discovery
  • Bypass of kernel mode security mitigations such as kASLR, NX, SMEP, SMAP, kCFG and HVCI

1 Introduction

2 Custom Shellcode Creation

  • 2.1 64-bit Architecture
    • 2.1.1 64-bit Memory Enhancements
    • 2.1.2 Calling Conventions
    • 2.1.3 Win32 APIs
  • 2.2 Writing Exploit Code
    • 2.2.1 Position-Independent-Code
    • 2.2.2 Visual Studio
  • 2.3 Shellcode Framework Creation
    • 2.3.1 Finding KERNEL32.DLL Base Address: PEB Method
    • 2.3.2 Resolving Symbols: Export Directory Table Method
    • 2.3.3 Fetching Function’s VMA
  • 2.4 Reverse Shell
    • 2.4.1 Create a Connection
    • 2.4.2 Launch the Shell
  • 2.5 Wrapping Up

3 VMware Workstation Guest-To-Host Escape

  • 3.1 Vulnerability Classes
  • 3.2 Data Execution Prevention (DEP)
    • 3.2.1 DEP Theory
    • 3.2.2 Ret2Lib Attacks and Their Evolution
    • 3.2.3 Return Oriented Programming
    • 3.2.4 Locating Gadgets: rp++
  • 3.3 Address Space Layout Randomization
  • 3.4 VMware Workstation Internals
    • 3.4.1 VMware Backdoor RPC Guest-to-Host Communication
    • 3.4.2 Backdoor_InOut
    • 3.4.3 Opening a RPC Communication Channel
    • 3.4.4 Sending the Command Data
    • 3.4.5 Receiving the Reply
    • 3.4.6 Closing the RPC Communication Channel
  • 3.5 UaF Case Study: VMware Workstation Drag & Drop Vulnerability
  • 3.6 The Windows Heap Memory Manager
    • 3.6.1 Front-End Allocator
    • 3.6.2 Back-End Allocator
  • 3.7 Low Fragmentation Heap
    • 3.7.1 LFH Architecture
    • 3.7.2 LFH Logic
  • 3.8 UaF Case Study: Triggering the Bug
  • 3.9 UaF Case Study: A Deeper Look at the Bug
  • 3.10 UaF Case Study: Reallocation Control
    • 3.10.1 guest.upgrader_send_cmd_line_args
    • 3.10.2 The NULL Byte Issue
  • 3.11 UaF Case Study: Fake Virtual Table
  • 3.12 UaF Case Study: ROP Storage
    • 3.12.1 unity.window.contents.start : Locating the Function
    • 3.12.2 unity.window.contents.start : Arg Processing
    • 3.12.3 unity.window.contents.chunk : Expanded Data Storage
  • 3.13 UaF Case Study: Bypassing ASLR
    • 3.13.1 Hunting for Pointers
  • 3.14 UaF Case Study: Stack Pivoting
  • 3.15 UaF Case Study: Defeating DEP
    • 3.15.1 GetModuleHandle ROP Chain
    • 3.15.2 GetProcAddress ROP Chain
    • 3.15.3 WriteProcessMemory ROP Chain
  • 3.16 Restoring the Execution Flow
  • 3.17 Executing Shellcode
  • 3.18 Windows Defender Exploit Guard
  • 3.19 Testing the WDEG Protections
    • 3.19.1 The Ghost of ASLR Returns
  • 3.20 ROP Mitigations
    • 3.20.1 Disarming WDEG: Theory
    • 3.20.2 Disabling WDEG: Practice
    • 3.20.3 Defeating EAF
  • 3.21 Wrapping Up

4 Microsoft Edge Type Confusion

  • 4.1 Edge Internals
    • 4.1.1 JavaScript Engine
    • 4.1.2 Chakra Internals
    • 4.1.3 JIT and Type Confusion
  • 4.2 Type Confusion Case Study
    • 4.2.1 Triggering the Vulnerability
    • 4.2.2 Root Cause Analysis
  • 4.3 Exploiting Type Confusion
    • 4.3.1 Controlling the auxSlots Pointer
    • 4.3.2 Abuse AuxSlots Pointer
    • 4.3.3 Create Read and Write Primitive
  • 4.4 Going for RIP
    • 4.4.1 Vanilla Attack
    • 4.4.2 CFG Internals
  • 4.5 CFG Bypass
    • 4.5.1 Return Address Overwrite
    • 4.5.2 Intel CET
    • 4.5.3 Out-of-Context Calls
  • 4.6 Data Only Attack
    • 4.6.1 Parallel DLL Loading
    • 4.6.2 Injecting Fake Work
    • 4.6.3 Faking the Work
    • 4.6.4 Hot Patching DLLs
  • 4.7 Arbitrary Code Guard (ACG)
    • 4.7.1 ACG Theory
    • 4.7.2 ACG Bypasses
  • 4.8 Advanced Out-of-Context Calls
    • 4.8.1 Faking it to Make it
    • 4.8.2 Fixing the Crash
  • 4.9 Remote Procedure Calls
    • 4.9.1 RPC Theory
    • 4.9.2 Is That My Structure
    • 4.9.3 Analyzing the Buffers
    • 4.9.4 Calling an API
    • 4.9.5 Return of Mitigations
  • 4.10 Perfecting Out-of-Context Calls
    • 4.10.1 Come Back to JavaScript
    • 4.10.2 Return Value Alignment
    • 4.10.3 Call Me Again
  • 4.11 Combining the Work
    • 4.11.1 NOP’ing CFG
    • 4.11.2 Call Arbitrary API
  • 4.12 Browser Sandbox
    • 4.12.1 Sandbox Theory Introduction
    • 4.12.2 Sandbox Escape Theory
    • 4.12.3 The Glue That Binds
  • 4.13 Sandbox Escape Practice
    • 4.13.1 Insecure Access
    • 4.13.2 The Problem of Languages
  • 4.14 The Great Escape
    • 4.14.1 Activation Factory
    • 4.14.2 GetTemplateContent
    • 4.14.3 What Is As?
    • 4.14.4 Loading the XML
    • 4.14.5 Allowing Scripts
    • 4.14.6 Pop That Notepad
    • 4.14.7 Getting a Shell
  • 4.15 Upping The Game - Making the Exploit Version Independent
    • 4.15.1 Locating the Base
    • 4.15.2 Locating Internal Functions and Imports
    • 4.15.3 Locating Exported Functions
  • 4.16 Wrapping Up

5 Driver Callback Overwrite

  • 5.1 The Windows Kernel
    • 5.1.1 Privilege Levels
    • 5.1.2 Interrupt Request Level (IRQL)
  • 5.2 Kernel-Mode Debugging on Windows
    • 5.2.1 Remote Kernel Debugging Over TCP/IP
    • 5.2.2 Remote Kernel Debugging Over Serial Ports
    • 5.2.3 Local Kernel Debugging Through VMware (VirtualKD)
  • 5.3 Communicating with the Kernel
    • 5.3.1 Native System Calls
    • 5.3.2 Device Drivers
  • 5.4 Windows Kernel Security Mitigations
  • 5.5 Vulnerability Classes
  • 5.6 Kernel-Mode Shellcode
    • 5.6.1 Token Stealing
    • 5.6.2 ACL NULL-ing / Editing
    • 5.6.3 Rookits
  • 5.7 Vulnerability Overview and Exploitation
    • 5.7.1 Triggering the Vulnerability
    • 5.7.2 Controlling the Callback Context
    • 5.7.3 Redirecting Execution to Usermode
    • 5.7.4 SMEP Says Hello
    • 5.7.5 Introduction to Memory Paging and Structures
    • 5.7.6 The PML4 Self-Reference Entry
    • 5.7.7 PML4 Self-Reference Entry Randomization
  • 5.8 ROP-Based Attack
    • 5.8.1 Stack Pivoting
    • 5.8.2 Kernel Read/Write Primitive
    • 5.8.3 Restoring the Execution Flow
    • 5.8.4 Leaking Virtual PTE Start
    • 5.8.5 Flipping U/S Bit
    • 5.8.6 Meltdown and KVA Shadow
    • 5.8.7 Flipping the PML4 EXB Bit
    • 5.8.8 Token Stealing
  • 5.9 Version Independence
    • 5.9.1 Dynamic Gadget Location
  • 5.10 Wrapping Up

6 Unsanitized User-mode Callback

  • 6.1 Windows Desktop Applications
    • 6.1.1 Windows Kernel Pool Memory
    • 6.1.2 Creating Windows Desktop Applications
    • 6.1.3 Reversing the TagWND Object
    • 6.1.4 Kernel User-mode Callbacks
    • 6.1.5 Leaking pWND User-Mode Objects
  • 6.2 Triggering the Vulnerability
    • 6.2.1 Spraying the Desktop Heap
    • 6.2.2 Hooking the Callback
    • 6.2.3 Arbitrary WndExtra Overwrite
  • 6.3 TagWND Write Primitive
    • 6.3.1 Overwrite pWND[0].cbWndExtra
    • 6.3.2 Overwrite pWND[1].WndExtra
  • 6.4 TagWND Leak and Read Primitive
    • 6.4.1 Changing pWND[1].dwStyle
    • 6.4.2 Setting The TagWND[1].spmenu
    • 6.4.3 Creating a fake TagWND[1].spmenu
    • 6.4.4 GetMenuBarInfo Read Primitive
  • 6.5 Privilege Escalation
    • 6.5.1 Low integrity
  • 6.6 Virtualization-Based Security
    • 6.6.1 Windows Hypervisor Theory
    • 6.6.2 Windows Hypervisor Debugging
    • 6.6.3 Data Only Attack
    • 6.6.4 Restoring The Execution Flow
  • 6.7 Executing Code in Kernel-Mode
    • 6.7.1 Leaking Nt and Win32k Base
    • 6.7.2 NOP-ing kCFG
    • 6.7.3 Hijacking a Kernel-Mode Routine
    • 6.7.4 Wrapping Up

Certification Process

The OSEE is the most difficult exploit development certification you can earn. We recommend completing the 300-level certifications before registering for this course.

Students who complete EXP-401 and pass the exam will earn the Offensive Security Exploitation Expert (OSEE) certification. The OSEE exam assesses not only the course content, but also the ability to think laterally and adapt to new challenges.

The virtual lab environment has a limited number of target systems. The software within contains specific, unknown vulnerabilities. Students have 72 hours to develop and document exploits. The exam requires a stable, high-speed internet connection.

You must submit a comprehensive penetration test report as part of the exam. It should contain in-depth notes and screenshots detailing the steps taken and the exploit methods used.

Learn more about the OSEE Exam here.

REAL-WORLD BENEFITS

OSEEs can analyse vulnerable software, find problematic code, and develop a functioning exploit for various modern Windows operating systems.



Contact us for more detail about our trainings and for all other enquiries!

Upcoming Trainings

Join our public courses in our Germany facilities. Private class trainings will be organized at the location of your preference, according to your schedule.

Classroom / Virtual Classroom
26 November 2024
Berlin, Hamburg, Münih
5 Days
Classroom / Virtual Classroom
26 November 2024
Berlin, Hamburg, Münih
5 Days
Classroom / Virtual Classroom
26 November 2024
Berlin, Hamburg, Münih
5 Days
Classroom / Virtual Classroom
26 November 2024
Berlin, Hamburg, Münih
5 Days
Classroom / Virtual Classroom
16 Januar 2025
Berlin, Hamburg, Münih
5 Days
Classroom / Virtual Classroom
16 Januar 2025
Berlin, Hamburg, Münih
5 Days
Classroom / Virtual Classroom
18 Januar 2025
Berlin, Hamburg, Münih
5 Days
Classroom / Virtual Classroom
10 Februar 2025
Berlin, Hamburg, Münih
5 Days

Related Trainings

Advanced Windows Exploitation (AWE) Training Course in Germany

The Federal Republic of Germany is the second most populous country in Europe and is located in Central Europe. The official language of the country is German. Germany is one of the richest countries in the world. The main exports of the country include motor vehicles and iron and steel products.

Here are some fun facts about Germany:
The fairy tale writer, the Brothers Grimm, came from Germany and wrote many famous stories such as Cinderella, Snow White, and Sleeping Beauty.
Germany is home to the largest theme park in Europe, the Europa-Park.
The famous composer Ludwig van Beethoven was born in Germany.
The Autobahn, the German highway system, is known for having no general speed limit.


Berlin was divided by the Berlin Wall from 1961 to 1989. Known for its street art, Berlin has many colorful murals and graffiti throughout the city. Also, Berlin is home to many famous museums, such as the Pergamon Museum and the Museum Island. Many clubs and bars stay open until the early hours of the morning in this big city.

Another popular city is Munich, which is famous for its Oktoberfest beer festival that attracts millions of visitors every year. Munich is also home to many historic buildings, including Nymphenburg Palace and the Marienplatz town square.

The country's capital and largest city is Berlin, however Frankfurt is considered to be the business and financial center of Germany. It is home to the Frankfurt Stock Exchange, the European Central Bank, and many other financial institutions. Because of its central location within Europe and its status as a major financial hub, Frankfurt is often referred to as the "Mainhattan," a play on the city's name and its association with the Manhattan financial district in New York City.

Frankfurt is also a major transportation hub, with the largest airport in Germany and one of the largest in Europe, Frankfurt Airport. Additionally, it is a popular destination for tourists, with its historic city center, beautiful parks, and vibrant cultural scene.

Some of the top German technology companies like Siemens AG, Bosch, SAP SE, Deutsche Telekom, Daimler AG and Volkswagen has business centers in Frankfurt. The country has a strong tradition of engineering and innovation, and is home to many other world-class technology companies and research institutions.

Tailored to meet the specific needs of Germany, Bilginç IT Academy combines cutting-edge training methodologies with our comprehensive range of Certification Exam preparation courses and accredited corporate training programs. Experience a transformative approach to IT training that will redefine your expectations.
By using this website you agree to let us use cookies. For further information about our use of cookies, check out our Cookie Policy.