Presented at DEF CON 33 (2025), Aug. 8, 2025, 2 p.m. (240 minutes).
Get ready to leap into the wild world of Windows shellcode! This fast-paced workshop covers how to analyze and create shellcode using state-of-the-art tools. Intended for those with intermediate knowledge, this workshop will review x86 assembly, and you will learn Windows internals and advanced shellcoding techniques. You’ll learn how to dissect shellcode with x32Dbg or WinDbg and how to use the SHAREM shellcode emulator for deep analysis and disassembly.
After analyzing several samples, we’ll build our own shellcode, starting simple and moving on to intermediate multi-API shellcode. You will learn how to encode your shellcode, for evasion, and how to incorporate Windows syscalls directly into your shellcode, for extra stealth. Finally, we will cover converting DLLs to shellcode.
Expect to be made privy to a variety of shellcoding tips and tricks.
By the end, you’ll be able to:
• Quickly read and debug obfuscated shellcode;
• Implement GetPC techniques in shellcode;
• Chain WinAPIs to pass handles/pointers;
• Add direct Windows syscalls for stealth to shellcode;
• Convert DLLs to shellcode with sRDI.
Prep: Study x86 assembly and basic Windows debugging. We recommend a Windows VM with Windows Defender disabled, plus NASM, x32Dbg, WinDbg (classic), SHAREM, and ShellWasp.
Presenters:
- Bramwell Brizendine, Director at VERONA Lab
Dr. Bramwell Brizendine has a Ph.D. in Cyber Operations and is the Director of the VERONA Lab. Bramwell has regularly spoken at DEFCON and presented at all regional editions of Black Hat (USA, Europe, Asia, MEA), as well as at Hack in the Box Amsterdam and Wild West Hackin' Fest. Bramwell received a $300,000 NSA research grant to create the SHAREM shellcode analysis framework, which brings unprecedented capabilities to shellcode analysis. He has additionally authored ShellWasp, which facilitates using Windows syscalls in shellcode, as well as two code-reuse attack frameworks, ROP ROCKET and JOP ROCKET. Bramwell has previously taught undergraduate, master's, and Ph.D. courses on software exploitation, reverse engineering, offensive security, and malware analysis. He currently teaches cybersecurity courses at the University of Alabama in Huntsville.
- Logan Cannan, Ph.D. Candidate, University of Alabama in Huntsville
Logan Cannan received the B.S. and M.S. degrees in Computer Engineering and Cybersecurity from the University of Alabama in Huntsville. He is currently a Ph.D. candidate for a degree in Computer Engineering in a joint degree program with the University of Alabama at Birmingham and the University of Alabama in Huntsville. After spending time at Idaho National Laboratory, working in both ICS vulnerability analysis and machine learning assisted code analysis, he focused his dissertation research on optimization for machine learning on binary analysis and reverse engineering tasks.
- Austin Norby, Director of Internal Research and Development at Bogart Associates
Dr. Austin Norby is a seasoned cybersecurity professional with over a decade of experience supporting the Department of Defense. He earned his bachelor's degrees in mathematics and computer science from the University of Minnesota, a master's degree from the Naval Postgraduate School, and a Doctorate in Cyber Operations from Dakota State University, specializing in anti-debugging techniques. Currently, Dr. Norby serves as the Director of Internal Research and Development at Bogart Associates, where he is responsible for spearheading the creation of advanced cybersecurity solutions for government use. His technical proficiencies include reverse engineering, malware analysis, and software engineering, with a strong focus on developing robust cyber capabilities in C, C++, Intel assembly, and Python.