Vulnerability Research & Fuzzing
A complete introduction to 0-day discovery for Windows targets, focusing on closed-source real-world software, including kernel modules and user code.
Learn about snapshot-fuzzing real-world Windows targets & finding logic 0-days.
Who should take this course?
Anyone looking to get into Windows vulnerability research and fuzzing, although many of the concepts and approaches taught can be used for fuzzing on other platforms (MacOS/Linux, etc), all the exercises will focus on Windows. Also useful for red-teamers looking to add zero-days to their arsenal (with a dedicated section on finding quick 0-days on time-limited engagements).
Most topics are beginner friendly and assume limited or no prior experience with modern fuzzing approaches and Windows vulnerability research, with advanced topics (hypervisors & emulators, for example) presented in an easy-to-understand manner.
At completion of the training, you should be familiar with modern bug classes (logic vulnerabilities, TOCTOU, buffer overflows, file system related, double-fetch, etc) and how to discover 0-day vulnerabilities in both userland and kernel components via manual approaches (involving both static and dynamic analysis), and state-of-the-art fuzzing techniques using both public and custom tooling. You will also have practical experience finding vulnerabilities in closed-source binaries (with real 0-day hunting exercises, and multiple 0-days demonstrated during training).
Students will also be provided with advanced custom tooling developed and used by the author to assist with vulnerability research.
Basic programming skills (C/C++) are preferred to get the most out of the course, but not required.
A disassembler/decompiler (Binary Ninja, IDA, Ghidra).
Two Windows 11 instances (Host & Guest, for remote kernel debugging).
WinDBG (Preferable WinDBG Preview available on the Windows App Store).
Virtualization software (VMWare or Hyper-V or VirtualBox).
Visual Studio Community 2019+ with the “Desktop development with c++” and “.NET desktop development” packages installed, and the “Windows 11 WDK” (instructions).
Multiple hands-on exercises for each section, including cheat sheets for tool usage and tips.
Exercises targeting real software to demonstrate finding real 0-days in code (with live 0-days demonstrated against some target software).
Windows internals explained relating to the windows kernel, hypervisors, user-land components (IPC, named pipes, shared memory, + more).
Practical experience leveraging fuzzing on real targets, with the ability to target arbitrary software with fuzzing techniques (file parsers, network protocols, kernel drivers, etc), there will also be exercises where the student can fuzz and find vulnerabilities in targets of their own choosing (user-land or kernel-land targets).
Develop custom tooling to assist with vulnerability research on Windows.
Learn the internal workings and usage of standard public tooling for vulnerability research (and understand any deficiencies).
Use kernel debugging and driver reverse engineering techniques to find and debug vulnerabilities in kernel code.
Exercises with crash triaging techniques and program analysis concepts including taint analysis to root-cause vulnerabilities.
Students will also be provided custom tooling to assist with vulnerability research, including custom kernel drivers to demonstrate advanced techniques.
Touch on advanced, state-of-the-art fuzzing techniques against hard targets (e.g. Hypervisors, iOS, Android) such as snapshot fuzzing techniques, custom hypervisors / kernels for fuzzing, and custom emulators. This introduction to advanced topics will serve as further study for students after training.
Course Syllabus
Core Windows Internals & Fuzzing Theory (Key Knowledge):
- Static vs Dynamic Techniques
- Terminology (harnesses, coverage, mutations, grammars, etc)
- Paging (page tables, faults, exception types, exception handlers)
- Symbolic Execution & Related Techniques
- Integrity Levels, Rings, Privileges
- Attack Surfaces (Files, Named Pipes, RPC, TCP/UDP, Mapped Memory, Device Drivers, etc)
- Analyzing Attack Surfaces with Tools
- Intro to Analyzing Kernel Targets
Introductory Hands-On Fuzzing
- Persistent Fuzzing with WinAFL
- Harness Optimization Techniques (Reducing I/O, Context Switching, etc)
- Utilizing Coverage Guidance
- Research Techniques & Target Optimization
Debugging & Crash Analysis (Bug Analysis):
- Triaging Crashes with WinDBG
- Time-Travel Tracing & Time Slicing
- Taint Analysis
- Utilizing Coverage Traces & Coverage Diffs
Advanced Fuzzing w/ Real Targets
- Identifying Targets (Modules & Non-Exported Functions)
- Argument & Structure Recovery via Reverse Engineering
- Calling Internal Functions w/ Custom Pointer Arithmetic & Modeling Structures
- Debugging Issues & Overcoming Limitations via Hooking & Target Manipulation (e.g. Fuzz an RPC Target Directly, Bypassing the RPC Protocol)
- Handling Initial Argument State Setup (Locating & Calling Private C++ Constructors, Modeling & Parsing VTables)
- Initializing Globals & Resetting State for Persistent Fuzzing (Intercepting Access Violations, Reversing Globals, Detecting & Resetting Modified State between Fuzz Sessions)
Advanced Fuzzing Continued (Snapshots, Custom Techniques)
- Full-System Snapshot Fuzzing Theory
- Custom Code to Remove Device I/O (e.g. Hooking All File I/O With our Custom Userland MemDisk Implementation)
- Snapshot Fuzzing our Real Target w/ what-the-fuzz
- Snapshot Fuzzing our Real Target w/ kAFL & Nyx
- Comparing Approaches & Requirements (Device Handling, Limitations, Use-Cases)
Fast 0-days & Logic Bugs (Bug Discovery):
- Tools and Techniques (Incl. Custom Tooling) to Quickly Find Exploitable 0-Days in Time-Limited Engagements (e.g. Red Teams)
- Common Vulnerable Patterns in Windows Code
- Identifying & Analyzing a Real Kernel Driver Logic (0-Day) Bug (+ Developing Our Own Exploitation Code)
- Additional Logic (Real Target) 0-Day Challenges + Walkthroughs
This course is a complete introduction to finding 0-days on Windows, covering static & dynamic manual approaches alongside state-of-the-art snapshot fuzzing techniques with multiple walkthroughs of real live 0-days. Includes both memory corruption style bugs & logic bugs.
Course Benefits
Beginner & Advanced Content with Live Demonstrations
Community Environment to Engage in Discussions with Peers & Instructor
Live Q&A Sessions & Ongoing Support After the Course
Frequently Updated Content with the Latest Techniques & Tools
Custom Code Developed by Signal Labs for Students
(Optional) Assessments & Completion Certificates
A firsthand look at our innovative self-paced course content.
Self-Paced Training
$3,100.00 USD
- 12-month access to the course.
- Multiple hands-on exercises for each section.
- Includes both memory corruption style bugs & logic bugs.
- Advanced custom tooling, including custom kernel drivers.
- Exercises with crash triaging techniques and program analysis concepts.
- Dedicated area for 1:1 discussions with instructors.
- (Optional) Assessments & completion certificates.
- Note: Training platform access supports Windows and MacOS machines only.
*For larger business teams, reach out for custom packages.
Instructor
Christopher Vella has extensive experience with vulnerability research and has found vulnerabilities in a range of high-profile software (Hyper-V Hypervisor, Adobe PDF, Windows OS & Kernel). Public vulnerabilities discovered by Christopher include (CVE-2020-17414, CVE-2020-24559, CVE-2021-25250, CVE-2020-24557, CVE-2020-24556, CVE-2020-24558, + more) alongside multiple non-public vulnerabilities.
Strong Signals
