The Corelan “HEAP” exploit development MASTERCLASS is a fast-paced, mind-bending, hands-on course where you will learn advanced heap manipulation and exploit development techniques from an experienced exploit developer.

During this 5-day class, students will have the opportunity to learn how to write heap exploits for the Windows platform, using Windows 7, Windows 10, and Windows 11 as examples, with a primary focus on learning and applying generic techniques that can be applied to other operating systems and heap implementations.

We will discuss the differences between Windows 7 and Windows 10/Windows 11, and explore previously undocumented techniques to achieve necessary exploitation primitives in Windows 10 and Windows 11. The trainer will share his “notes from the field” and various tips & tricks to become more effective at writing exploits.

Why take this course?

• Are you familiar with the basics of exploit development? Do you know how to write exploits for saved return pointer overwrites and abuse SEH records with your eyes closed? Are you interested in understanding how heap spraying works and why it works? Is heap exploitation still a mysterious black box for you? Are you now ready for the next step?
• Have you taken the Bootcamp or other commercial courses on exploit development and want to move to the next phase?
• Do you want to learn modern techniques to exploit heap-related memory corruptions on Windows 7 and Windows 10/11?
• Do you want to learn the fine art of writing exploits for heap-related corruptions in complex applications?
• Do you want to learn the skills to investigate heap managers on modern Windows versions (Win7, Win10, Win11) and how to look for your own exploitation primitives?
• Would you like to know what (generic) questions to ask (rather than being spoon-fed exploit-specific solutions & answers)
• Would you like to know how to approach fuzzing/bug hunting in complex applications, how to recognise and determine exploitability for heap-based corruptions?
• Are you involved in malware research or do Incident Response & interested in understanding how exploits work?
• Would you like to understand better how to detect exploits and how to protect against them?
• Would you like to get a basic view on common development mistakes, how to avoid them, and how compiler options can help?
• Are you able to write ROP chains blindfolded? (It is fundamentally important that you have practical experience with constructing/writing your own ROP chain!)
• Are you willing to suffer and bleed, absorb new knowledge fast and not intimidated by debuggers and assembly instructions…
• …then this course is exactly what you need!

Target audience

• Exploit Developers ready to take the next step
• Red Teamers
• SOC Analysts
• Malware Researchers
• Digital Forensic Analysts
• Military/Law Enforcement/Intelligence Service Operators
• C/C++ Software Developers
• People interested in fuzzing/researching memory corruption vulnerabilities
• Anyone who prefers to learn content via in-person classes (as opposed to static guides & videos)

Course contents

ASLR & DEP Refresher

• Bypassing ASLR
• Bypassing DEP

WinDBG classic / WinDBGX

• WinDBG classic and WinDBGX fundamentals
• Symbols
• Breakpoints, logging breakpoints
• Using WinDBG(X) to explore Windows Heap data structures in Windows 7, Windows 10 and Windows 11

Windows Heap Management

• Terminology & building blocks
• Windows 7 Heap, Windows 10 (and Windows 11) Heap (“NT” and “Segment” heap)
• Front-End-Allocator and Back-End-Allocator
• Differences between Windows 7 & Windows 10 / Windows 11
• Heap manipulation and exploitation primitives
• Advanced BEA feng shui
• Learn how to do your own heap-related research, what to look for

Heap Spraying

• Basic mechanisms
• Data & object spraying
• Precise heap spraying

Heap Exploitation

• Use-After-Free
• Linear & non-linear overflows / controlled write
• Double Free
• Type confusion
• Use of uninitialized memory
• Crash analysis & classification
• Memory leaks / Information Disclosure
• Heap Manipulations and heap primitives
• How to avoid heap sprays
• How to get better at finding bugs

Intro to x64 heap exploitation

• x64 processes, memory map, registers
• Functions & calling conventions
• Structured Exception Handling
• ASLR
• Stack Buffer Overflows
• Heap exploitation primitives on x64

What’s next

• Overview of memory protection evolutions

For an up-to-date description of the course, please visit https://www.corelan-training.com/index.php/heap