On This Page

The Shellcode Lab

Threat Intelligence Pty Ltd | July 30-31 & August 1-2


The Shellcode Lab is the training that takes your penetration testing and low level technical skills to the next level! With 16 multi-part hands-on labs and over 150 slides of hard core technical content, you will learn the inner workings of how to develop payloads for Linux, Mac and Windows and integrate them into public exploits and the Metasploit exploit framework.

We will take you from zero to 100 in less than 2 days! You will learn everything from memory management and assembly, to compiling and extracting shellcode, to using syscalls and dynamically locating functions in memory. You will develop a wide range of backdoors from 32-bit Command Execution to tiny Egg Hunters to 64-bit Port Bind payloads, and then use your custom payloads to exploit systems.

What people are saying:

  • "By far the best course I've taken at Black Hat."
  • "This is the BEST class I have attended in my 17 year professional career."
  • "One of the most well-organized, well paced courses I've ever attended at Black Hat."
  • "Best course ever. Thanks. I learned a lot."
  • "I loved it!"
  • "Great explanations and worked with individual student to make sure no one was left behind."
  • "Excellent job! I would recommend this course."
  • "Extremely organized and would recommend to colleague. Thank you."

You will also be provided with a "Virtual Shellcode Development Environment" that is designed to enable shellcode development and testing across multiple platforms.

Day 1:

  • Shellcode and Exploitation Introduction
  • Memory Management
  • Introduction to Assembly
  • 32-bit and 64-bit Registers
  • Tiny Shellcode Techniques
  • Virtual Shellcode Development Environment
  • Shellcoding Tools
  • Disassembling Binaries
  • Assembly Layout
  • Linux Syscalls
  • Compiling and Extracting Shellcode
  • Techniques to Removing Bad Characters
  • Debugging Shellcode Using Various Debuggers
  • Linux Shellcode and File Descriptors
  • Locating and Manipulating Strings in Memory
  • Reusing Shellcode Blocks
  • Learn an Easier Way to Compile and Extract Shellcode
  • Linux Command Execution Shellcode
  • Mac OS X 64-bit Shellcode
  • Tools and techniques to compile 64-bit Shellcode for Mac OS X
  • 64-bit Null Free Shellcode
  • Port Bind Shellcode
  • Write 64-bit portbind shellcode for OS X from scratch
  • Modify 64-bit OS X shellcode to be null free and small
  • Metasploit Shellcode Tools for Generation and Encoding

Day 2:

  • Windows 32-bit Memory Layout
  • Windows 64-bit Memory Layout and ASLR
  • Windows Library Layout Real Limits
  • Windows Shellcoding Techniques
  • Windows Shellcoding - 32-bit vs 64-bit
  • Locating memory addresses of functions in Windows DLLs
  • Debugging Windows Shellcode using various debuggers
  • Windows Shellcode Function Call Techniques
  • Windows Shellcode to Dynamically Locate Kernel32.dll
  • Windows 64-bit Command Exec Shellcode
  • Converting 32-bit Shellcode to 64-bit Shellcode
  • Windows Shellcode Networking
  • Connect Back Shellcode
  • Lab 12: Develop Connect Back Shellcode
  • Egg Hunter Shellcode
  • Windows System Calls
  • Implement your own Egg Hunter
  • Reviewing Public Exploits for Malicious Shellcode
  • Modifying Shellcode to Fit Into Exploits
  • Encoding Shellcode to Work In Exploits
  • Exploitation Using Your Custom Shellcode
  • Creating Metasploit Payload Modules
  • Integrating Shellcode into Metasploit
  • Staged Loading Shellcode
  • Protocol Tunnelling Shellcode
  • Kernel Level Shellcode Concepts
  • Kernel Level Shellcode Walkthrough

We will take your security skills to the next level. Register now to secure your spot!

Who Should Take this Course

  • Penetration Testers, Security Officers, Security Auditors, System Administrators and anyone else who wants to tune their elite security skills.

  • Anyone who is interested in shellcoding, exploitation, vulnerabilities or Metasploit are prime candidates for this course. Students will be taught from scratch everything they need to know to complete this course successfully and walk away with a thorough knowledge and practical skills on how to create shellcode.

  • This class is a great follow on course to "The Exploit Laboratory" and "The Exploit Laboratory: Black Belt". These students will have learned a lot about exploitation, but are still limited to pre-packaged shellcode. This course lets you create custom shellcode to maximize exploitation success rates.

  • Developers who want to learn low-level security development skills with shellcoding and assembly.

  • Managers who want to gain a more in depth understanding of how systems can be compromised, how security controls can be bypassed both at the operating system level and network level, and how network access controls and intrusion prevention systems play a big part in preventing shellcode successfully connecting back to the attacker, and the general risks associated with your network security.

Student Requirements

We will teach you everything you need to know from scratch! The course is designed to hold your hand at every step.

As long as you can "double-click" in Windows and use basic command line navigation in Linux, then we can take you from n00b to l33t in 2 days!

What Students Should Bring

  • A working laptop (Windows, Mac or Linux) to run 2 x VMware VMs
  • Wireless network adapter for internet access
  • 20 GB free Hard disk space
  • LATEST version of VMWare Player (or Workstation, Server, Fusion, etc.)

What Students Will Be Provided With

  • A "Virtual Shellcode Development Environment" that is designed to enable shellcode development across multiple platforms
  • The Shellcode Lab workbook
  • Lab instructions and solutions


Ty Miller is the Director of Threat Intelligence (www.threatintelligence.com) who are specialists in the area of penetration testing, cyber threat intelligence, and specialist security consulting. Ty developed and runs "The Shellcode Lab" each year at Black Hat USA, he presented at Black Hat on his development of "Reverse DNS Tunnelling Shellcode", and is the creator of the "Practical Threat Intelligence" course at Black Hat. He also presented at "Ruxcon" where he demonstrated his cutting edge attack technique to force your web browser to exploit internal servers from the Internet, and also developed the Core Impact Pro covert DNS Channel for Core Security. Ty Miller was a co-author of "Hacking Exposed Linux 3rd Edition" and was also involved in the design of the bootable CHAOS Linux cluster distribution. Ty is on the CREST Australia Board of Directors, runs the CREST Australia Technical Team and is a CREST Certified Tester and Assessor. Ty's experience not only covers penetration testing and specialist security, it also expands into traditional and cloud security architecture designs, regulations like PCI, developing and running industry benchmark accreditations, performing forensic investigations, as well as creating and executing a range of specialist security training. He is the creator of "Threat Analytics" (www.threat-analytics.com) that automatically identifies hackers on your websites, classifies and tracks them across the world, automatically responds, and alerts you to pending attacks against your websites before they have been launched.