Reverse engineering and ROP gadgets: how to take control of the system
WORKSHOP OBJECTIVE
During the workshop, we see how different programming mistakes can be exploited to compromise the integrity of a program by hijacking the execution flow of its process. We deal with processes compiled with the latest security options, i.e. Security Cookie, ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention) and CFG (Control Flow Guard).
By using the Return Oriented Programming (ROP) technique in different contexts, we will learn how to bypass all these security options efficiently. This technique does not rely on injecting new code, which makes it really difficult to detect.
This workshop consists of two intensive training days. The first is dedicated to a presentation of Windows internals and a reminder of the main reverse-engineering procedures. The second day covers ROP and advanced techniques for exploiting it in different situations. On both days, theory, demos and hands-on practice form the main line of the course.
COURSE CONTENT (TOC):
- Presentation of the Windows 10 system and how it works
- Presentation of the security features provided by Windows
- New technical details about Windows 11
- Reminders about reverse engineering, assembly language and debugging techniques
- Introduction to vulnerabilities and exploitation
- Presentation of the different compilation protections provided by the Visual Studio compiler
- Hands-on practice with examples of control-flow hijacking using ROP
PRE-REQUISITE:
Hardware
- A laptop with enough RAM (> 4 GB) to work efficiently and enough disk space (> 4 GB)
- An Intel or AMD x64 processor. On an x86 system, some challenges cannot be solved
Software (ideally pre-installed):
- Windows 10 operating system
- Ghidra or IDA (the free version, or a commercial one for a better experience)
- WinDbg Preview (available from the Microsoft Store on Windows 10)
Participants Requirements:
There is no strict requirement here; a basic level in computer science is enough. Nonetheless, in case of doubt:
- Basic programming knowledge (mastering C would be perfect)
- Basic knowledge in mathematics and algebra
- Basic reverse engineering experience
WHO SHOULD ATTEND
- Students in IT and especially in security
- Security and software engineers
- Malware analysts
- Anyone curious about how operating systems work is welcome
WHAT TO EXPECT:
- Gain a good understanding of how things work in Windows and, more generally, in the operating system world
- Get practice reversing software
- Understand the purposes and uses of static and dynamic analysis
- Understand different ways to hijack the control flow of a process with ROP in different environments
- Discover new tools provided by Microsoft and Intel to protect executables from control-flow hijacking
- Better understand how subtle bugs in software can lead to real and serious consequences
- Good stories and culture about Windows
- Practice, practice and practice… This is the only way to progress in reverse engineering and in IT in general
WHAT NOT TO EXPECT:
- Disclosure of unpatched vulnerabilities, patents, or cracking the protection of commercial software. It is neither legal nor ethical
- Reverse engineering of software written in C# or C++ (this is out of scope, even though tools to do so will be presented if attendees wish)
- A universal way to hijack an executable. The possibilities for taking control of a program depend mainly on the quality of its implementation
SPEAKER PROFILES:

DAVID Baptiste is an independent researcher. His research is mainly focused on malware analysis, security under the Windows operating system, networks, kernel development and vulnerabilities. Sometimes math, physics or anything cool from that field is perfect for him to enhance everyday life. He also likes good food and good wine (we never change), but he is okay if you offer him beers. He has already spoken at several conferences including: iAwacs, c0c0n, Ground Zero Summit, EICAR, ECCWS, DEF CON, Black Hat USA.