Training


List of training sessions for Recon 2022:


Modern Binary Exploitation

This training will teach students without prior experience how to develop exploits for modern binary software, taking them from 1990s style buffer overflows through contemporary exploitation in programs protected by stack canaries, NX, RELRO, and ASLR. The training will focus on exploiting Linux user mode x86/x64 binaries, but the lessons learned from the class are widely applicable to other platforms and architectures. Students will learn to reason about the fundamental structures that give rise to software vulnerabilities and the various techniques used to exploit them..


The course is primarily hands-on-keyboard exercises rather than lecturing, but will introduce diagrams and theory as needed.

click here for more details


Program Analysis Training

This four-day course trains students to do sophisticated program analysis using Binary Ninja and the Binary Ninja Python API for the purpose of vulnerability research with the goal of improving auditing processes, improving ability to identify interesting code paths, and encoding bug primitives. In the class, students will learn Binary Ninja inside and out by extending its analysis capabilities to support a custom architecture which is difficult to analyze manually. Students will also leverage the Binary Ninja plugin architecture to identify vulnerabilities in a machine architecture independent way. After taking this course students will have experience working with the least intuitive and even some undocumented parts of Binary Ninja to create powerful program analysis tools which can be used across architectures.

click here for more details


Windows Internals for Reverse Engineers

Covering Windows 11 (21H2), the upcoming Windows 11 “Nickel” (22H2), and Server 2022, you’ll unravel how bootkits, software supply chain implants, backdoors, and other kernel and firmware malware work.. You’ll learn how they, and others, abuse various system functionality, obscure mechanisms, and data structures, in order to do their dirty work, and how you can too defend against it!  

You’ll observe and experiment with how kernel-mode code operates and how it can be subject to compromise by user-mode attackers wishing to elevate their privileges, as well as how to detect, both live and forensically, such attempts. Finally, you’ll learn about how CPU architecture deeply ties into OS design, and how Intel’s and AMD’s mistakes can lead to more pwnage.

We’ll cover the new Windows 11 kernel changes, including Kernel Data Protection (KDP), eXtended Control Flow Guard (XFG), and Kernel Control-flow Enforcement Technology (KCET), and explain how the Trusted Platform Module (TPM) is used for Measured Boot. We’ll go inside the Octagon and learn about System Guard Runtime Assertions and the rewritten Secure Launch framework that leverages Intel TXT and AMD SKINIT for new DRTM-based attestation.

click here for more details


Advance fuzzing and Crash Analysis

This class is designed to introduce students to the best tools and technology available for automating vulnerability discovery and crash triage with a focus on delivering a practical approach to finding vulnerabilities in real world targets.

Take a deep dive into fuzzing targeting real-world parsers, codecs, DOMs, and scripting engines used in the top web browsers and learn strategies for analyzing attack surface, writing grammars, and generating effective inputs. We will explore in detail the latest innovations such as harnessing code coverage for guided evolutionary fuzzing and symbolic reasoning for concolic fuzzing.

click here for more details


Hunting and Reversing UEFI Firmware Implants

This 4-day course introduces students to real-world attack scenarios on devices powered by UEFI firmware. The course starts from low-level internals of modern operating systems boot process from the perspective of a security researcher interested in bootkits analysis, detection/forensics and vulnerability research. After the OS boot process, the course going down to the firmware, and discuss UEFI architecture and internals with focus on security researcher needs (include common vulnerabilities and design mistakes). The second part of the course focused on UEFI firmware implants (from hardware and firmware perspective), it's cover threat modeling, attack surface, forensics, and reverse engineering. The course will build a mindset for hunting unknown firmware threats include the supply chain perspective.


Students will learn about UEFI internals from different perspectives such as firmware implant developer, malware and vulnerability researcher over the course. After the course, students will have knowledge about common firmware attacks, exploits, security feature bypasses and architectural mistakes in the firmware development process which can potentially lead successful implant installation. During the course, most part of exercises based on hardware-based challenges specially created to have the same environment as in real life.

click here for more details


Practical Web Browser Fuzzing

Web Browsers are one of the most used and critical software in the world. Using millions of lines of code, they are in charge of handling, sanitizing, and interpreting all kinds of (untrusted) data coming from the web. To be honest, It’s just impossible for developers to write such complex pieces of software (involving compilers, interpreters, and parsing libraries) without introducing any bugs .

click here for more details


Modern Malware OPSEC & Anti-Reverse Techniques Implementation and Reversing

This course will present an in-depth description of the techniques implemented in modern malware to evade defenders and security products (such as AV, IPS, IDS, EDR), and how attackers design and operate their implants in order to ensure a prompt redeployment after a detection or a public disclosure by researchers or security vendors.

click here for more details


Software Deobfuscation Techniques

In this training, we get to know state-of-the-art code obfuscation techniques and have a look at how these complicate reverse engineering. Afterwards, we gradually become familiar with different deobfuscation techniques and use them to break obfuscation schemes in hands-on sessions. Thereby, participants will deepen their knowledge of program analysis and learn when and how (not) to use different techniques.

click here for more details


Reversing with Ghidra

This is a hands-on course on using Ghidra for reverse engineering and vulnerability research. Exercises include Windows binaries, Linux binaries, and device firmware. Binaries will also be in a variety of architectures, including ARM, PowerPC, MIPS, x86, and x64. After completing this course, students will have the practical skills to use Ghidra in their day-to-day reversing tasks.

click here for more details


ARM Firmware reverse-engineering with Ghidra

In this training you will learn how to reverse a variety of types of ARM firmware with Ghidra!

click here for more details


The ARM IoT Exploit Laboratory

The world of ARM IoT devices is growing rapidly. Routers, IP cameras, Network video recorders, VoIP systems and several other "smart" appliances are now running on ARM SoCs. While the hardware is the latest and greatest, the software running on it is a different story.


The ARM IoT Exploit Laboratory is a brand new class. This class takes a closer look at the hardware and the firmware running on it. Students shall learn how to analyse, emulate and exploit the firmware on a variety of ARM IoT devices. The class starts with extracting the firmware directly from the devices, moves on to creating an emulated test environment for fuzzing and debugging, and writing end to end exploits for the devices. The class shall feature an array of hardware targets of varying complexity. Students shall have ample time for hands on exercises to sharpen their exploitation skills.

click here for more details

Advanced Smart Contract Security

Smart contracts are still a relatively new target surface area for vulnerability research with new bug classes and exploitation techniques. Smart contracts lack traditional protection mechanisms to hinder exploitation such as CFG, DEP, PXN, or different hypervisor protections/mitigations. With the growing popularity of DeFi and other dApps, smart contract security is one of the largest problems in the Ethereum space.

This course will do a deep dive into different bug classes and how to exploit and protect against them. Exploitation of blockchain fundamentals such as Maximum Extractable Value (MEV) or other types of bot activity will also be examined.

click here for more details

Advanced Malware Reverse Engineering

This 4 days course is a hands on training. We are going to reverse engineer samples and code our own scripts. A minimum number of slides will be provided when methotology is needed, but students will "learn by doing"

click here for more details

Hypervisor Development for Security Analysis

This course provides students the skills and knowledge to develop their thin hypervisors as UEFI modules using Intel VT-x. This is a hands-on heavy class and will spend about half of the time with excesses.

click here for more details

Risc-V Security Training

This training is designed to give students the knowledge and skills required to analyze, identify, target, and exploit flaws in both RISC-V processors, and applications and kernels written for the architecture. Not only will RISC-V application level exploitation be a focus of the training session, processor exploitation will also be a focus, providing students with insights into architectural design choices that make RISC-V more resilient to side channel attacks, “trustzone” escapes, and privilege “ring” escalation attacks.


Students will complete the class with a full understanding of the RISC-V architecture and its variants, how to identify/analyze a RISC-V processor, and how to target and exploit an application or kernel running on a RISC-V CPU. Students will learn how the architecture's formal definition differs from implementations of the processor specification, and will learn how to target subtleties in the specification that grant implementors the flexibility to introduce potential architecture flaws that can be exploited in order to cross privilege boundaries or leak/exfil privileged data.


Variations of RISC-V technology will be discussed, such as the “unhackable” Morpheus microarchitecture, production variants such as SiFive's product line, and security focused chips such as HexFive and LowRISC.

click here for more details