Training Hub

Training

in partnership with Applied technology academy

OffSec  EXP-301: Windows User Mode Exploit Development (OSED) 

NOW 20% OFF YOUR FIRST COURSE

USE CODE : WELCOME-20 at checkout to redeem!

Flexible Scheduling

Courses around your availability

Instructor-Led Course

LIVE Sessions with Expert Guidance

Learn from Anywhere

Our Courses are Virtual

Proven Success

Participants say classes provide the tools and confidence to earn certification

Course Overview

Windows User Mode Exploit Development (EXP-301) is a course that teaches learners the basics of modern exploit development. Despite being a fundamental course, it is at the 300 level because it relies on substantial knowledge of assembly and low level programming. It begins with basic buffer overflow attacks and builds into learning the skills needed to crack the critical security mitigations protecting enterprises. Learners who complete the course and pass the exam earn the OffSec Exploit Developer (OSED) certification. The OSED is one of three certifications making up the OSCE³ certification along with the OSEP for advanced penetration testing and OSWE for web 

Target Audience

  • Penetration Testers 
  • Exploit Developers 
  • Security Researchers 
  • Malware Analysts 
  • Software Developers Working On Security Products 

Course Objectives

  • Learn the fundamentals of reverse engineering 
  • Create custom exploits 
  • Develop the skills to bypass security mitigations 
  • Write handmade Windows shellcode 
  • Adapt older techniques to more modern versions of Windows 

Prerequisites

  • Familiarity with debuggers (ImmunityDBG, OllyDBG) 
  • Familiarity with basic exploitation concepts on 32-bit 
  • Familiarity with writing Python 3 code 
  • Ability to read and understand C code at a basic level 
  • Ability to read and understand 32-bit Assembly code at a basic level 

 Duration 

5 days

Certifications 

OSED

Register For This Course By Filling Out The Form Below:

Course Outline

Windows User Mode Exploit Development: General Course Information

About the EXP301 Course

Provided Materials

Overall Strategies for Approaching theCourse

About the EXP301 VPN Labs

About the OSED Exam

Wrapping Up

WinDbg and x86 Architecture

Introduction to x86 Architecture

Introduction to Windows Debugger

Accessing and Manipulating Memoryfrom WinDbg

Controlling the Program Execution inWinDbg

Additional WinDbg Features

Wrapping Up

Exploiting Stack Overflows

Stack Overflows Introduction

Installing the Sync Breeze Application

Crashing the Sync Breeze Application

Win32 Buffer Overflow Exploitation

Wrapping Up

Exploiting SEH Overflows

Installing the Sync Breeze Application

Crashing Sync Breeze

Analyzing the Crash in WinDbg

Introduction to Structured ExceptionHandling

Structured Exception HandlerOverflows

Wrapping Up

Introduction to IDA Pro 

IDA Pro 101

Working with IDA Pro

Wrapping Up

Overcoming Space Restrictions: Egghunters

Crashing the Savant Web Server

Analyzing the Crash in WinDbg

Detecting Bad Characters

Gaining Code Execution

Finding Alternative Places to StoreLarge Buffers

Finding our Buffer – The EgghunterApproach

Improving the Egghunter PortabilityUsing SEH

Wrapping Up

Creating Custom Shellcode

Calling Conventions on x86

The System Call Problem

Finding kernel32.dll

Resolving Symbols

NULLFree Position-IndependentShellcode PIC

Reverse Shell

Wrapping Up

Reverse Engineering for Bugs

Installation and Enumeration

Interacting with Tivoli StorageManager

Reverse Engineering the Protocol

Digging Deeper to Find More Bugs

Wrapping Up

Stack Overflows and DEP Bypass

Data Execution Prevention

Return Oriented Programming

Gadget Selection

Bypassing DEP

Wrapping Up

Stack Overflows and ASLR Bypass

ASLR Introduction

Finding Hidden Gems

Expanding our Exploit ASLR Bypass)

Bypassing DEP withWriteProcessMemory

Wrapping Up

Format String Specifier Attack Part I

Format String Attacks

Attacking IBM Tivoli FastBackServer

Reading the Event Log

Bypassing ASLR with Format Strings

Format String Specifier Attack Part II

Write Primitive with Format Strings

Overwriting EIP with Format Strings

Locating Storage Space

Getting Code Execution

Wrapping Up

Trying Harder: The Labs

Challenge 1

Challenge 2

Challenge 3

Wrapping Up

Benefits of Training with us

  • Support a Mission – As a nonprofit, your purchase funds cyber community programs and STEM initiatives.
  • Strengthen National Security – Help combat cyber threats alongside the DoD and critical industries.
  • Access Our Network – Gain exposure to 1,000+ partners for internships, careers, and mentorship.

Boost Certification Success

Higher Pass Rate
60 %

Students who take our comprehensive bootcamp or guided training have an 80-90% higher chance of passing their certification exams compared to those who study alone.

Improve Your Job Performance and Skill Mastery
72% of IT professionals believe that certifications have a positive impact on their job performance
Increase Your Earning Potential
The average salary for certified professionals is often higher, with certified IT workers earning $12,000 to $20,000 more per year than their non-certified counterparts
Meet Industry Demands for Certifications
According to a Global Knowledge survey, 91% of organizations say certifications are either “important” or “very important” for their cybersecurity and IT teams, as certifications indicate a certain level of expertise and competence.

Student Feedback

Jessica B
Excellent professional team and the class was great. ​
MDP
Great classes for IT advancement with outstanding instructors. ​
Brett F
Experts in the field that tailor the delivery of the overwhelming abundance of material and somehow make it digestible!​
View All Upcoming Training Courses
View All

We use cookies to ensure the best browsing experience possible

Accept