Expert Penetration Testing:

Writing Windows Exploits


Master the latest advanced level methodologies, tools, and manual techniques used by ethical hackers to enter the top 10% of security professionals in terms of skill.

Expert Penetration Testing Course Overview


The InfoSec Institute Expert Hacking course provides an in-depth and hands-on review of the most current exploit development strategies and techniques for the Microsoft Windows platform.

This course is designed to provide a hands-on, interactive learning experience. To the end, the course includes approximately 30 minutes of lab work after each hour of lecture and Q&A time. Lab sessions are generally run four times per day. The lab sessions are a crucial learning component of the class, and are strongly recommended.

The labs ask students to reverse engineer sample programs as well as real production software to discover vulnerabilities. In addition to static analysis methods, various runtime vulnerability discovery methods such as fuzzing and runtime analysis in a debugger will be used.

Later exercises demonstrate more advanced concepts and tools – such as exploiting SafeSEH, the new ASLR protections found in Vista and Windows 7, and many others.



  • Gain the in-demand career skills of a highly skilled and specialized penetration tester.

  • Master the latest advanced level methodologies, tools, and manual techniques used by ethical hackers to enter the top 10% of security professionals in terms of skill.

  • Move beyond the most well known ethical hacking techniques and into the realm of an expert penetration tester.

  • More than interesting theories and lecture, get your hands dirty in our dedicated hacking lab.

  • Learn hands-on skills that are difficult to gain in a corporate or government working environment, such as compromising border routers and testing your own buffer overflow exploits.

  • Taught and created by industry leaders
  • Over $1800 in tools & software(details)
  • Intimiate Learning Setting not found from competitors
"I was blown away by the instructor's knowledge and expertise. ... Would recommend to anyone thinking about being a pen tester"

Connie Brown

United States Air Force

What You'll LEARN

Some of the topics you will learn to master during the course:

Module 1: Primer on Windows Internals

• A primer on windows internals
• Windows architecture
• Windows internals from the ground up
• Windows sockets
• Threads and Processes
• File handling
• File formats
• Process injection and remote thread injection
• Understanding exploit development across different windows versions

Module 2: Stack Overflows

• Understanding modularity of code and how it can lead to a stack overflow situation
• Typing stack overflows
• Functions and Prologs
• Controlling EIP through RET
• Returning to shellcode on the stack
• Shellcode strategies
• Generating shellcode
• Exploiting real world vulnerabilities

Module 3: Understanding Windows Shellcode

• Understanding shellcode concepts
• Important X86 assembler concepts for shellcode
• System Calls
• Finding Kernel32.dll
• Using hash searching instead of string searching
• PEB vs. SEH Methods
• Resolving Symbol Addresses with find_function
• Using LoadLibraryA to load additional libraries
• Creating processes with CreateProcessA
• Exiting processes with ExitProcessA
• Writing Connect Back shellcode
• Portbind shellcode

Module 4: Dynamic Vulnerability Analysis

• Dynamic concepts
• Pros and Cons vs. static analysis
• Instrumented analysis with a debugger
• Using INT3 with shellcode injection
• Fuzzing basics
• Good fuzzers vs. bad fuzzers
• Content and protocol awareness
• Block-based fuzzing
• File format fuzzing
• Fuzzing with a debugger
• Crashes or exploitable bugs?
• Back tracing
• Using Pei mei and bin navi

Module 5: Heap Overflows

• Heap management on XP SP1 and earlier
• Heap management on XP SP2 and newer
• Understanding the heap memory manager
• Chunks and logically contiguous memory
• Flink, Blink pointers
• Manipulating heap headers
• Fake chunk creation
• Unlinking and the 4 byte memory overwrite
• Overwriting a SEH handler

Module 6: Advanced Windows Shellcode

• HTTP download and execute shellcode
• Using the InternetAPI functions
• InternetOpen, InternetOpenURL, InternetReadFile
• Staged Loading Shellcode
• Dynamic file Descriptor Reuse
• First stage loaders for size limitations
• Searching processes for injected shellcode
• Egghunt shellcode
• Using the syscall version of Egghunt
• IAT connectback



Module 7: Exploiting /GS stack canary protected programs

• Understanding /GS in Visual Studio
• Stack Cookies
• Variable Reordering
• strict_gs_check
• /GS and its relation to SEH
• /GS and string buffers
• Bypassing the stack cookie
• Reading stack cookie values
• Defeating /GS application heuristics
• Understanding the exception dispatcher
• Using the exception handler to overwrite RET
• Difficulties with SafeSEH implementations

Module 8: Exploiting SafeSEH protected programs

• Exception handler validation
• Exception chain validation under Server 2008
• Executing anywhere but the stack
• Placing SEH handlers on the heap
• DEP enabled SafeSEH issues
• Exploiting linked modules without SafeSEH
• ATL.DLL example

Module 9: Defeating safe unlinking and safe lookaside lists

• Understanding the Safe Unlink changes
• Heap metadata cookies
• Heap header encryption under Vista
• Understanding the lookaside list
• Exploiting the lookaside list in XP
• Process termination heap vulnerabilties

Module 10: Understanding Data Execution Prevention (DEP)

• Windows paging theory
• Introduction to DEP
• DEP Model
• Hardware support with NX
• Software DEP
• DEP Polices in boot.ini
• Setting policies at runtime

Module 11: Exploiting Data Execution Prevention (DEP)

• Attacking DEP-incompatible applications
• Exploiting RWX mappings
• Leveraging the JVM for RWX exploitation
• Code reuse
• Returning to a page mapping/protection routine
• System command/process creation routines
• Security policy violations

Module 12: Understanding Address Space Layout Randomization (ASLR)

• Address randomization theory
• Image randomization
• Rebasing requirements for executable modules
• Executable randomization
• The Vista randomization bug
• DLL randomization
• RTLHeapCreate randomization
• Stack randomization

Module 13: Exploiting Address Space Layout Randomization (ASLR)

• Exploiting statically positioned DLLs and executables
• Instantiating ActiveX controls
• Growing heap size with user controlled data
• Heap spraying
• Calculating heap spraying effectiveness
• Partial overwrites
• Memory information leaks

Dates & Locations

The best in the world come train with us

See what our students are saying

  • Aaron Bento

    IBM Global Services

    "hands-on experience in real world pen-testing was invaluable"

    "The class was great! The instructor knew his his information very well. It was nice to have someone who is more than just book knowledge, someone who is just giving you the info for the cert test. His hands on experience in real world pen-testing was invaluable, as it gave a touch-stone to how the methods learned in class can be extended to real pen-testing."

    Find out more
  • Lena Smart

    New York Power Authority

    "look forward to taking the advanced course!"

    ""Jack is an excellent instructor. I was very happy with the course and look forward to taking the advanced course!"

    Find out more
  • Ask The Expert

    Search Security

    "sharpen your pen testing skills"

    "If you want to dig deeply into the subject matter and sharpen your pen testing skills, the InfoSec Institute will give you more of a chance to do just that."

    Find out more
  • "hands on lab exercises was the most enjoyable part"

    "Instructor was very knowledgeable and was able to explain a huge amount of information in a very short period of time. The course was very informative; doing the hands on lab exercises was the most enjoyable part of the course, as I found it to be the best way to learn."

    Find out more


Call (866)-471-0059 or fill out this short form for current pricing


  • $1900 worth of tools
    and software!

    InfoSec's Custom Advanced Hacking Tools CD-ROM, includes every program covered in the course for at home study. (798 Tools). Advanced Hacking Tools Enterprise Suite available for individual purchase for only $1,899! Note: You must complete a background check prior purchasing this software package.

  • Course Materials, Test Fees and Class Guarantees!

    3 Days of Expert Instruction from an instructor with real-world penetration testing and ethical hacking experience with deep knowledge of course content.

    Guaranteed small class size (less than 10-16 Students), you get an intimate learning setting not offered at any of our competitors.

    Bootcamp style training --- our instructors are teaching from 8am to 10:30pm every day . Course runs from 8am to 5pm daily with optional capture the flag exercises to 10:30pm.

    All meals, snacks and refreshments included.

    Lecture, Lab Exercise and Text book --- Deliver penetration testing training your friends and co-workers!

Other Related Tools & Resources For Our Students

Be sure to check out our R&D site. We post tutorials, labs, white papers and articles to help you in your continued education. There are frequently forensics videos available. If you haven't taken a course with us yet, check out some of the types of thigns you'll be doing and learning about in class.

InfoSec Institute has an excellent instructor and this is the best IT security class I have ever taken. His knowledge and method of teaching are unsurpassed.