{"id":9181,"date":"2012-05-24T11:17:09","date_gmt":"2012-05-24T09:17:09","guid":{"rendered":"https:\/\/www.corelan.be\/?p=9181"},"modified":"2012-05-24T11:17:09","modified_gmt":"2012-05-24T09:17:09","slug":"hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/","title":{"rendered":"HITB2012AMS Day 1 - WinRT The Metro-politan Museum of Security"},"content":{"rendered":"<h3>WinRT : The Metro-politan Museum of Security<\/h3>\n<p>S\u00e9bastien Renaud and K\u00e9vin Szkudlpaski start their talk by introducing themselves. \u00a0They both work as Security Researcher at Quarkslab, focusing on reverse engineering, dissecting network protocols and file formats. They will talk about the Windows Runtime, the foundation for the Metro platform in Windows 8.<\/p>\n<p>The agenda for this talk contains the following items.<\/p>\n<ul>\n<li>Windows 8<\/li>\n<li>WinRT - Applications &amp; Components<\/li>\n<li>WinRT - Internals<\/li>\n<li>Windows Store<\/li>\n<li>Sandbox<\/li>\n<li>Conclusions<\/li>\n<\/ul>\n<h4>Windows 8<\/h4>\n<p>S\u00e9bastien explains that their research started out of curiosity for the new Windows 8 operating system. They wanted to look at the Windows 8 and diff the Windows 7 RTM kernel versus the Windows 8 DP (Developer Preview) Kernel. \u00a0During the research, they discovered an interesting new API.<\/p>\n<p>Windows 8 has a new UI, called Metro. \u00a0The start button has disappeared in the Windows 8 Desktop. \u00a0 WinRT is the backbone of Metro apps and introduces a new programming model.<\/p>\n<p>Metro apps, S\u00e9bastien continues, are only distributed through the Windows Store. \u00a0 They are executed in an \"App Container\", which means:<\/p>\n<ul>\n<li>secured through a sandbox<\/li>\n<li>severely limited resources access, and explicit permissions needed<\/li>\n<li>Uses a restricted subset of .Net and Win32 API's.<\/li>\n<\/ul>\n<h4>WinRT - Applications &amp; Components<\/h4>\n<p>Windows 8 provides a layered approach to develop and run applications. \u00a0There's a variety of development environments and languages you can use for Metro applications.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"20120524_103811.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/20120524_103811.jpg\" alt=\"20120524 103811\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<p>Applications get installed per user. You don't need to have administrative privileges to install\/run those applications. \u00a0They are packaged (*.appx) for deployment. The package is signed, compressed, contains ALL needed files and can target multiple platforms (x86, x64, ARM).<\/p>\n<p>To install an application, you'll need to visit the Windows Store. Inside the package, there's an AppxManifest.xml file, which describes the application registration, including Application, Capablities and Extensions definitions. \u00a0The manifest contents get mapped into registry keys, stored under HKCU. The application itself gets stored somewhere under the Windows.Launch extension.<\/p>\n<p>Capabilities define what the app can do or what it needs to access:<\/p>\n<ul>\n<li>Network: Enterprise auth, client, server &amp; client, Intranet, Text Messaging, etc<\/li>\n<li>File System: Document, Pictures, Music, Video<\/li>\n<li>Devices: Location (GPS), Mic, Proximity, Removable Storage<\/li>\n<\/ul>\n<p>Class &amp; Extension are basically \"Catalogs\"<\/p>\n<ul>\n<li>Extension : \"I implement this contract\" (e.g. Launch)<\/li>\n<li>Class: describes the WInRT classes (a concrete implementation)<\/li>\n<\/ul>\n<h4>WinRT - Internals<\/h4>\n<p>An Application automatically implements the \"Launch contract\".<\/p>\n<p>System queries the extension catalog to find the right extension.\u00a0Explorer.exe queries the extensions catalog, checks if it's \u00a0the right object to activate, and activates it. \u00a0Activation means : a request is sent to RPCS, which checks if the process is already running or not, sends request to DCOM launch service (which runs as System) and the app is started.<\/p>\n<p>S\u00e9bastien explains how the WinRT base works and that is has a couple of layers before projecting itself into a language. He shows a sample C++ application that uses \u00a0WinRTComponent() and shows the various methods and vtable breakdown that is part of objects used in the sample application. \u00a0He moves to the asm listing for the application and shows the instructions used to reference virtual function pointers from the vtable.<\/p>\n<h4>Windows Store<\/h4>\n<p>Kevin jumps in and explains the purpose of the Windows Store. \u00a0 Microsoft decided to force you to go through the store to download WInRT applications. \u00a0 Signing is mandatory, so Microsoft will control all apps. \u00a0 When an app is verified by MS, you need to make sure<\/p>\n<ul>\n<li>it is linked with SAFESEH, DYNAMICBASE and NXCOMPAT<\/li>\n<li>it doesn't hang or crash<\/li>\n<li>doesn't use any forbidding API.<\/li>\n<\/ul>\n<p>Of course, you can use shell coding tricks to find the base of an API and call it that way. \u00a0Even if you can execute code (CreateProcess for example), everything still runs within the AppContainer context. \u00a0It's also important to know that you can't prevent syscalls from being executed.<\/p>\n<p>The AppContainer uses an additional PE flag.<\/p>\n<h4>Sandbox<\/h4>\n<p>A sandbox is a mechanism to isolate untrusted processes, Kevin explains. \u00a0 In most implementations, it will isolate a process that runs with limited rights, uses a broker that will execute specific actions for the isolated process. \u00a0Sandboxing techniques use Restricted Tokens, Jobs, multiple Desktop\/Workstations, and Low integrity levels (available since Windows Vista), preventing you to write to a higher-level integrity process and to change your privileges.<\/p>\n<h5>Chrome vs WinRT<\/h5>\n<p>Kevin continues by explaining why comparing both sandboxes is interesting. The Chrome sandbox is designed for security only, and the WinRT AppContainer is made for running applications.<\/p>\n<p>Chrome uses a restricted SID, most of the SID groups are disabled and isolation relies on job and desktop (Windows XP) and integrity level (vista and up). Microsoft uses LowBox, which is a modified _TOKEN structure, and uses a new syscall NtCreateLowBoxToken to create a very limited token. \u00a0 The SepAccessCheck API was slightly modified to support the changed structure.<\/p>\n<p>Chrome implements the broken and isolated processes within the same executable (chrome.exe) \u00a0It uses some kind of fork() to differentiate, and implements its own access policies. LowBox, the MS implementation, uses COM.<\/p>\n<p>From an IPC point of view,\u00a0Chrome uses API hooking to easily sandbox a process (thru a closed source plugin) and performs checks on the parameters. \u00a0The broker and the sandboxed process uses some shared memory. \u00a0In LowBox,\u00a0each request is a COM object and uses an ALPC port to transport marshaled COM objects (NtAlpcSendWaitReceive)<\/p>\n<h4>Conclusions<\/h4>\n<p>WinRT has a new design and new API. \u00a0The technique relies on COM technology. \u00a0The AppContainer provides some level of isolation, transparent to users &amp; developers (implement ed inside the kernel), and the isolation is implemented in the kernel as well, which makes it easy to implement.<\/p>\n<p>Interesting talk, good to see Microsoft is stepping up and providing easy ways to implement sandboxes in Windows 8.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>WinRT : The Metro-politan Museum of Security S\u00e9bastien Renaud and K\u00e9vin Szkudlpaski start their talk by introducing themselves. \u00a0They both work as Security Researcher at Quarkslab, focusing on reverse engineering, dissecting network protocols and file formats. They will talk about the Windows Runtime, the foundation for the Metro platform in Windows 8. The agenda for &hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"HITB2012AMS Day 1 - WinRT The Metro-politan Museum of Security\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[2250],"tags":[2983,2775,2761,2339,316],"class_list":["post-9181","post","type-post","status-publish","format-standard","hentry","category-cons-seminars","tag-kernel","tag-hitb","tag-sandbox","tag-rop","tag-windows"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>HITB2012AMS Day 1 - WinRT The Metro-politan Museum of Security - Corelan | Exploit Development &amp; Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HITB2012AMS Day 1 - WinRT The Metro-politan Museum of Security - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"WinRT : The Metro-politan Museum of Security S\u00e9bastien Renaud and K\u00e9vin Szkudlpaski start their talk by introducing themselves. \u00a0They both work as Security Researcher at Quarkslab, focusing on reverse engineering, dissecting network protocols and file formats. They will talk about the Windows Runtime, the foundation for the Metro platform in Windows 8. The agenda for &hellip; Continue reading &quot;HITB2012AMS Day 1 - WinRT The Metro-politan Museum of Security&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2012-05-24T09:17:09+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/20120524_103811.jpg\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/24\\\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/24\\\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"HITB2012AMS Day 1 - WinRT The Metro-politan Museum of Security\",\"datePublished\":\"2012-05-24T09:17:09+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/24\\\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\\\/\"},\"wordCount\":958,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/24\\\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2012\\\/05\\\/20120524_103811.jpg\",\"keywords\":[\"kernel\",\"hitb\",\"sandbox\",\"rop\",\"windows\"],\"articleSection\":[\"Cons and Seminars\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/24\\\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/24\\\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\\\/\",\"name\":\"HITB2012AMS Day 1 - WinRT The Metro-politan Museum of Security - Corelan | Exploit Development &amp; Vulnerability Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/24\\\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/24\\\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2012\\\/05\\\/20120524_103811.jpg\",\"datePublished\":\"2012-05-24T09:17:09+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/24\\\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/24\\\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/24\\\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2012\\\/05\\\/20120524_103811.jpg\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2012\\\/05\\\/20120524_103811.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/24\\\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"HITB2012AMS Day 1 &#8211; WinRT The Metro-politan Museum of Security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"HITB2012AMS Day 1 - WinRT The Metro-politan Museum of Security - Corelan | Exploit Development &amp; Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/","og_locale":"en_US","og_type":"article","og_title":"HITB2012AMS Day 1 - WinRT The Metro-politan Museum of Security - Corelan | Exploit Development &amp; Vulnerability Research","og_description":"WinRT : The Metro-politan Museum of Security S\u00e9bastien Renaud and K\u00e9vin Szkudlpaski start their talk by introducing themselves. \u00a0They both work as Security Researcher at Quarkslab, focusing on reverse engineering, dissecting network protocols and file formats. They will talk about the Windows Runtime, the foundation for the Metro platform in Windows 8. The agenda for &hellip; Continue reading \"HITB2012AMS Day 1 - WinRT The Metro-politan Museum of Security\"","og_url":"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/","og_site_name":"Corelan | Exploit Development &amp; Vulnerability Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2012-05-24T09:17:09+00:00","og_image":[{"url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/20120524_103811.jpg","type":"","width":"","height":""}],"author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/#article","isPartOf":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/"},"author":{"name":"corelanc0d3r","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f"},"headline":"HITB2012AMS Day 1 - WinRT The Metro-politan Museum of Security","datePublished":"2012-05-24T09:17:09+00:00","mainEntityOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/"},"wordCount":958,"publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"image":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/#primaryimage"},"thumbnailUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/20120524_103811.jpg","keywords":["kernel","hitb","sandbox","rop","windows"],"articleSection":["Cons and Seminars"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/","url":"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/","name":"HITB2012AMS Day 1 - WinRT The Metro-politan Museum of Security - Corelan | Exploit Development &amp; Vulnerability Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/#primaryimage"},"image":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/#primaryimage"},"thumbnailUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/20120524_103811.jpg","datePublished":"2012-05-24T09:17:09+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/#primaryimage","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/20120524_103811.jpg","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/20120524_103811.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/24\/hitb2012ams-day-1-winrt-the-metro-politan-museum-of-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"HITB2012AMS Day 1 &#8211; WinRT The Metro-politan Museum of Security"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":2359,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/9181","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=9181"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/9181\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=9181"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=9181"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=9181"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}