{"id":9871,"date":"2013-03-15T15:44:04","date_gmt":"2013-03-15T14:44:04","guid":{"rendered":"https:\/\/www.corelan.be\/?p=9871"},"modified":"2013-03-15T15:44:04","modified_gmt":"2013-03-15T14:44:04","slug":"blackhateu2013-day2-advanced-heap-manipulation-in-windows-8","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2013\/03\/15\/blackhateu2013-day2-advanced-heap-manipulation-in-windows-8\/","title":{"rendered":"BlackHatEU2013 - Day2 - Advanced Heap Manipulation in Windows 8"},"content":{"rendered":"<p>Good afternoon everyone,<\/p>\n<p>The next talk I will be covering today is presented by <a href=\"http:\/\/www.blackhat.com\/eu-13\/briefings.html#Liu\">Zhenhua 'Eric' Liu<\/a>, Senior Security researcher at Fortinet.<\/p>\n<h3><b>Why do this type of research?<\/b><\/h3>\n<p>Facts: Exploiting memory corruption vulnerabilities is more difficult today because of OS security improvements and sandboxing techniques implemented in various applications. Bypassing sandboxes often relies on techniques to break the integrity of the underlying OS.<\/p>\n<p>The patched Windows 7 kernel includes:<\/p>\n<ul>\n<li>null dereference protection<\/li>\n<li>kernel pool integrity checks<\/li>\n<li>non-paged pool NX<\/li>\n<li>enhanced ASLR<\/li>\n<li>SMEP\/PXN<\/li>\n<\/ul>\n<p>The Windows 8 User Heap includes measures to decrease determinism.<\/p>\n<p>All of this makes it increasingly difficult to exploit memory corruption bugs. Even if you find a way to attack application data and gain control over EIP, you'll have to clear multiple hurdles to build a working exploit.
Eric also mentions that applications that use custom heap management routines or allocators might be interesting because they might not protect their metadata and\/or take care to decrease the level of determinism in their implementation.<\/p>\n<p>With application-specific attacks, you need to find a way to place \"parts\" in a specific way, in a specific order, at a specific location in memory, Eric continues. Ideally they would be adjacent so you could overflow from the vulnerable object into the adjacent chunk. It is clear that modern Heap Feng Shui, which defeats randomisation, would be very valuable.<\/p>\n<p>Defragmentation of the heap is key, Eric says. If you can remove the noise, you have a better chance of placing your chunks in the desired order. The problem is that the traditional defragmentation allocation sequences will trigger the LFH. This needs to be avoided because all subsequent allocations may not be placed where you want them to be.<\/p>\n<p>The challenges are: How can we place a desired object just behind the vulnerable buffer? Can we place something other than an object just behind the vulnerable buffer?<\/p>\n<h3><b>Concepts &amp; Techniques<\/b><\/h3>\n<p>Before looking at the solution, Eric covers some heap basics. FreeLists consist of doubly linked lists and are used for fast allocation &amp; free. Chunks are handled in a LIFO manner. FreeLists are still used in both kernel pool and user heap in Windows 8. FreeLists contain metadata and this metadata could still be an interesting target.<\/p>\n<p>There are 3 ways to put something on the FreeLists:<\/p>\n<ul>\n<li>Direct free<\/li>\n<li>Split a big chunk when an allocation happens (calculated free lists). The unused fragment after allocation will be put on the FreeLists.
To know where it can be placed, a \u201csearch\u201d needs to happen<\/li>\n<li>Coalescing when freeing (calculated free lists)<\/li>\n<\/ul>\n<p>By making a series of allocations and frees of specific sizes, you can get larger chunks to split into pieces. When you then reallocate the ones that end up on the FreeLists, you might still be able to control the contents of all chunks. By then playing with frees again, you can create holes in the heap layout, which is perfect to make sure your arbitrary object will be placed where you want it to be placed.<\/p>\n<p>Example: Let's say your vulnerable buffer is 64 bytes and you want to place a Directory object behind it. The approach would be to allocate chunks of 808 bytes from 0x1000-byte pages. Next, allocate chunks of 4d8 bytes, so you would get holes of 320 bytes. By continuing to use frees and allocs, you can create holes of a desired size in the heap layout.<\/p>\n<h3><b>Implementation in the Kernel Pool<\/b><\/h3>\n<p>In general, requests for allocations will be handled based on the size of the allocation.<\/p>\n<p>The required primitives to use this technique are: We need to be able to allocate a buffer of an arbitrary size, we must be able to free a buffer of an arbitrary size, and do so using User Code. One possible solution is to use an Allocation Proxy and Free Proxy. Allocations could use the routine to create a symbolic link. To Free, you could use ExAllocatePoolWithTag(). When a FreeList search fails, allocations will come from a new page. The value 0x1000 is hard-coded in the ExAllocatePoolWithTag() function to make sure allocations are aligned by 0x1000. The search process uses a bitmap. If the search fails, the pool will be extended.<\/p>\n<p>The picking sequence when splitting is interesting too, Eric explains. The first allocation comes from the start of a free empty page.
Additional allocations will be taken from the end of the remaining part, effectively leaving a hole in the original chunk, which is perfect for future allocations.<\/p>\n<p>To utilize a Windows object in a kernel exploit, we need to find some kind of function pointer and overwrite it. In Windows 7, the TypeIndex in an object header is a nice target. When you call CloseHandle() on that object, the pointer might get called. In Windows 8, you might be able to use a function pointer in the Timer object. Of course, you need to use the allocation\/free primitives, based on FreeLists behaviour, to create the correct heap layout and place your vulnerable buffer + the desired object in the correct order.<\/p>\n<p>The next challenge is to place the buffers at predictable addresses. The common technique in User Land is to use a heap spray.<\/p>\n<h3><b>Implementation in User Heap<\/b><\/h3>\n<p>In the User Heap, allocations again depend on the size (Small\/Medium\/Large). Important values are 0x4000, 0x4000 - 0x7ffff and size &gt; 0x7ffff. When an allocation is done, the LFH will be checked to see if it's active for that size. If not, the back end allocator will be used. Eric explains that you might be able to attack non-protected metadata (_HEAP_USERDATA_HEADER), as documented by Chris Valasek. There are 2 challenges: If you allocate 18 chunks of a certain size, you'll activate the LFH (which is what you need to avoid), and guard pages will be used, making overflows painful.<\/p>\n<p>Eric explains that you could achieve defragmentation by using allocations of size 0x4000 - 0x7ffff, using the Back End Allocator and mandatory search. A Free of 0x70100 + Allocate of 0x70000 could make a 0x1000 hole (by splitting the chunks). The size of UserBlocks (total size) is fixed.
So if you then allocate UserBlocks of _HEAP_BUCKET for the desired size, you can allocate something into that hole.<\/p>\n<p>The most important primitives you need to use this approach are: the LFH should not be active yet for the desired sizes, so allocations would be taken from the backend allocator, and you need the ability to allocate buffers of arbitrary size &amp; free buffers of arbitrary size. Of course, after you have gained control over EIP by using allocator primitives, you still need to figure out a way to get your shellcode to execute.<\/p>\n<p>Exploit process:<\/p>\n<ul>\n<li>Figure out the vulnerability<\/li>\n<li>Heap Feng Shui<\/li>\n<li>Trigger overflow, modify FirstAllocationOffset<\/li>\n<li>Allocate new objects with proper size<\/li>\n<li>Modify new object content<\/li>\n<li>Control EIP<\/li>\n<\/ul>\n<h3><b>Practical Heap determining in IE10.<\/b><\/h3>\n<p>Eric demonstrates the use of HTML5 and a 2D Canvas object to control the CRT heap (malloc) and cause adjacent allocations at higher addresses. You can then create holes to allocate the vulnerable buffer.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Good afternoon everyone, The next talk I will be covering today is presented by Zhenhua 'Eric' Liu, Senior Security researcher at Fortinet. Why do this type of research? Facts: Exploiting memory corruption vulnerabilities is more difficult today because of OS security improvements and sandboxing techniques implemented in various applications.
Bypassing sandboxes often relies &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[2250],"tags":[3732,3121,2681,280,262],"class_list":["post-9871","post","type-post","status-publish","format-standard","hentry","category-cons-seminars","tag-heap-exploitation","tag-lfh","tag-blackhat","tag-internet-explorer","tag-corelan-team"],"yoast_head_json":{"title":"BlackHatEU2013 - Day2 - Advanced Heap Manipulation in Windows 8 - Corelan | Exploit Development &amp; Vulnerability Research","canonical":"https:\/\/www.corelan.be\/index.php\/2013\/03\/15\/blackhateu2013-day2-advanced-heap-manipulation-in-windows-8\/","article_published_time":"2013-03-15T14:44:04+00:00","author":"corelanc0d3r"},"views":7180}