DEF CON China Hacking Conference

UAC 0day, all day!

Ruben Boonen

This workshop is open to attendees of all levels; however, a basic familiarity with Process Monitor and the Windows API is recommended. The workshop provides the knowledge required to find, analyze and exploit process workflows that allow an attacker to elevate their privileges from Medium to High integrity. The workshop is divided into the following sections.

  • Identifying auto-elevating processes
  • Analyzing process workflows
  • Finding UAC bypass targets

Auto-Elevation>Elevated File Operations:

  • Using the IFileOperation COM object
  • Tricking the Process Status API (PSAPI)

Auto-Elevation>Getting UAC 0day (Pre Windows RS2):

  • Analysis of known UAC bypasses
  • Understanding the Windows Side-By-Side Assembly
  • Creating proxy DLLs
  • Using the Bypass-UAC framework (
  • Dropping 0day(s)!

Auto-Elevation>Triaging Windows RS2:

  • Environment variables
  • Registry abuse
  • COM objects
  • Process tokens

The workshop has intense hands-on labs in which attendees put the theory into practice. After attending, you will immediately be able to apply this knowledge in the field. The next time someone tells you the default UAC settings are sufficient, you will be able to set them straight!

My name is Ruben Boonen (@FuzzySec), I have been working in InfoSec since 2012. I have a well-rounded skill set, having taken on many application, infrastructure and bespoke engagements. I have however developed a special interest in Windows: Domain hacking, exploit development, client-side attacks, restricted environments, privilege escalation, persistence, post-exploitation and PowerShell!

I love breaking stuff but it is equally important to me to share that knowledge with the wider community. I have previously been a trainer at Black Hat, Def Con and various BSides events in the UK. Additionally, I maintain an InfoSec blog ( where I publish research on a variety of topics!

Max Class Size: 70
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: To participate in the hands-on sections, attendees need to bring a laptop with 2 GB RAM which can be dedicated to a virtual machine. Both VirtualBox and VMware player can be obtained for free. Two virtual machines and all necessary tools will be provided during the workshop!

Practical Malware Analysis: Hands-On

Sam Bowne
Devin Duffy-Halseth
Dylan Smith

Learn how to analyze Windows malware samples, with a hands-on series of projects in a fun, CTF-style environment. There are four levels of analysis challenges:

  1. Basic static analysis with file, strings, PEiD, PEview, Dependency Walker, and VirusTotal
  2. Basic dynamic analysis with Process Monitor, Process Explorer, RegShot, and Wireshark
  3. Advanced static analysis with IDA Pro Free and Hopper
  4. Advanced dynamic analysis with OllyDbg and WinDbg

The first challenges are easy enough for beginners, and the later ones get difficult enough to interest intermediate security professionals. We will demonstrate the challenges, discuss the technologies and techniques, and help participants get through them as needed.

These challenges use harmless malware samples from the "Practical Malware Analysis" book by Michael Sikorski and Andrew Honig.

All materials and challenges are freely available at, including slide decks, video lectures, and hands-on project instructions. They will remain available after the workshop ends.

Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on trainings at DEFCON, HOPE, RSA, B-Sides SF, B-Sides LV, and many other cons. He has a PhD and a CISSP and a lot of T-shirts.

Dylan James Smith is a system consultant who now studies and assists with classes as a tutor and TA for Sam Bowne, helping facilitate hands-on workshops at conferences including BSidesLV/SF, DEF CON, and RSA. He is currently tearing things apart and putting them back together while seeking opportunities to practice and teach hacking, or "the cybers" depending on the crowd.

Devin Duffy has assisted Sam Bowne with a hands-on workshop at RSA and other conferences. He's a Script kiddie 4 lyfe.

Max Class Size: 80
Prerequisites for students: Participant should be familiar with basic C programming. Experience with developing Windows applications, assembly language, and debuggers is helpful but not necessary.
Materials or Equipment students will need to bring to participate: Participants must bring a laptop (any OS) with VMware or VirtualBox installed on it. Each participant will need a 32-bit Windows virtual machine to run malware samples. USB sticks with a Windows Server 2008 VM will be available for students to copy. Some projects also use a Kali Linux VM to simulate the Internet, but that's not required.

Ncrack and Nmap NSE development for offense and defense

Paulino Calderon

This workshop will teach participants how to use Nmap, the Nmap Scripting Engine (NSE) and Ncrack to extend the power and capabilities of Nmap. It will cover the basics of Nmap usage, NSE, and the Lua programming language before diving into how to solve problems by writing custom scripts and modules. By the end of the workshop, you will have in-depth knowledge of Nmap, Ncrack and the Nmap Scripting Engine, and of how to develop NSE scripts and Ncrack modules for offensive and defensive tasks. Participants will be provided with a virtual machine that they can use during the training.

Paulino Calderon (@calderpwn) has been in Information Security for more than 10 years. He is the co-founder of Websec, a company offering information security consulting services based in Mexico and Canada. He loves learning new technologies, conducting big data experiments, and developing and destroying software. In 2011 Paulino joined the Nmap team during Google Summer of Code to work on the project as an NSE developer. He focused on improving the web scanning capabilities of Nmap and has kept on contributing to the project since then. He has also published 'Nmap 6: Network Exploration and Security Auditing Cookbook' and 'Mastering the Nmap Scripting Engine', covering practical tasks with Nmap and NSE development. He loves attending information security conferences and has given talks and workshops at over 30 events in Canada, the United States, Mexico, Colombia, Peru, Bolivia and Curacao.

Max Class Size: 50
Prerequisites for students: No prerequisites required. Participants should be familiar with the command line, basic TCP/IP networking, general security concepts, and basic Nmap usage. Previous programming experience would be helpful but isn't required.
Materials or Equipment students will need to bring to participate: Participants will need a computer with VMware Player, VMware Fusion, or VirtualBox. USB thumbdrives with the target virtual machine images will be available.

Decentralized Hacker Net

Eijah

As hackers, sometimes we need to send data without anybody knowing anything. We don't want anybody to know what we're sending, so we use encryption. That's the easy part. We also don't want anybody to know that we're sending any data. That's the hard part. The observation of our presence on the network could be enough to get us in trouble. And that's just not acceptable. We need to figure out a way to hide in plain sight.

Creating an environment where data can be sent securely and our presence on the network is hidden is not an easy thing to do. We can't rely on centralized technologies, which means we need to build a decentralized network. The network should be adaptive and flexible enough to send any type of data to any number of users. But how do we inject anonymity into a network while still supporting the verification of identity between parties? Can we establish trust without having to trust?

This workshop takes you through the process of creating a decentralized network that allows you to circumvent detection by governments and corporations. You'll be able to securely communicate and share data while masking your online identity. You'll create an adaptive, node-based infrastructure where data is shared via Distributed Hash Tables (DHT) backed by real-time asymmetric Elliptic-curve cryptography (ECC). If you've ever wanted to punch a hole through a great (or not-so-great) firewall, this workshop is for you.

Please note that this is a medium-level, technical workshop and requires that attendees have prior experience in at least one programming language, preferably C or C++. Bring your laptop, a USB flash drive, and your favorite C/C++ 11 compiler (>= gcc/g++ 4.9.2 or msvc 2015).

Eijah is the founder of Promether and has 20+ years of software development and security experience. He is also the creator of Demonsaw, an encrypted communications platform that allows you to chat, message, and transfer files without fear of data collection or surveillance. Before that Eijah was a Lead Programmer at Rockstar Games where he created games like Grand Theft Auto V. He has been a faculty member at multiple colleges, has spoken about security and development at DEFCON and other security conferences, and holds a master’s degree in Computer Science. Eijah is an active member of the hacking community and is an avid proponent of Internet freedom.

Max Class Size: 80
Prerequisites for students: Previous experience in at least one programming language is required. Previous experience with C/C++ and cryptography is helpful, but not required.
Materials or Equipment students will need to bring to participate: Laptop with Windows, Linux, or OSX. USB flash drive for saving their progress.

Scanning the Airwaves: building a simple radio scanning system using SDR

Richard Henderson

Every second of every day, radio communications are flying through the air: shortwave radio, broadcast AM, FM and television, ham radio users. Taxi drivers, buses, parents using small toy radios to keep in touch in amusement parks. Have you ever wondered what's being said over the air? Many of these systems are easily listenable with some basic software and very inexpensive hardware dongles originally designed for capturing over-the-air television broadcasts. This workshop will walk you through the basics of radio systems, how they work, and how you can set up a listening post to decode these systems and listen in. We'll also cover the legalities of listening in, and where to find information online about popular frequencies to listen in on. If you have an SDR stick, please bring one. A number of sticks will be available to borrow for those without.

Richard Henderson is a writer, researcher, and ham radio/electronics nerd who has worked in infosec and technology for well over a decade. Richard is currently co-authoring a book on cybersecurity for ICS/Scada systems.

Max Class Size: 50
Prerequisites for students: No prerequisites required, only a desire to listen in on the radio systems around you; a basic understanding of radio might help, but is not essential.
Materials or Equipment students will need to bring to participate: Laptop with Windows installed (no guarantees a VM will work with the hardware, so please set up a proper dual boot on your MacBooks and Linux machines; also note that previous students have struggled with devices such as Microsoft Surface tablets). Notepad, pen. No fees are required. A small-capacity USB drive with all the class notes/handouts, frequency lists, and software will also be provided.

Mobile App Attack 2.0

Sneha Rajguru

This full-fledged, advanced hands-on workshop will get attendees familiar with various Android and iOS application analysis techniques and with bypassing the existing security models on both platforms. The main objective of this workshop is to provide a proper guide to how mobile applications can be attacked, give an overview of how some of the most important security checks for applications are applied, and build an in-depth understanding of these security checks. The workshop ends with a CTF challenge designed by the trainer, in which attendees use the skills learnt during the workshop to solve it.

This workshop will mainly focus on the following:

  1. Reverse engineering Dex code for security analysis.
  2. Jailbreaking/rooting the device, and various techniques to detect jailbreak/root.
  3. Runtime analysis of apps by active debugging.
  4. Modifying parts of the code (any part, such as specific functions or classes), and detecting such modification by learning how to find and calculate the checksum of the code. The objective in this section is to reverse engineer an application, obtain its executable binaries, modify those binaries as needed, and re-sign the application.
  5. Runtime modification of code. The objective is to learn how programs/code can be changed or modified at runtime: we will learn how to perform introspection or override the default behaviour of methods at runtime, and then how to identify whether methods have been changed. For iOS we can make use of tools such as Cycript and snoop-it.
  6. Hooking an application and learning to perform program/code modification.
  7. By the end of the workshop, CTF challenges written by the trainer and based on the course content will be launched, in which attendees use the skills learnt in the workshop to solve them.

The workshop will begin with a quick overview of the architecture, file system, permissions and security model of both the iOS and Android platforms.

Newly designed CTF challenges apps (both Android and iOS apps) will be distributed to the attendees to solve and practice for the mobile app's exploitation.

The tools and techniques used in the workshop are all open source, and no special proprietary tools need to be purchased by attendees for analysis after the training. Some of the tools taught in the training will be helpful in analysis and in automating test cases for security testing of mobile apps:

  • SSL Trust killer

Sneha works as a Senior Security Consultant with Payatu Software Labs LLP. Her interests lie in web and mobile application security and fuzzing. She has discovered security flaws in various open source applications such as PDFLite, Jobberbase, Lucidchart and more. She has spoken and provided trainings at conferences such as DEFCON, BSides LV, BSidesVienna, OWASP AppSec USA, DeepSec, DefCamp, FUDCon, and Nullcon. Sneha is passionate about promoting and encouraging Women in Security and has founded an initiative called WINJA-CTF, through which she hosts women-only CTFs and workshops at conferences and other events. Sneha is also active in the local security community and hosts local security meetups in Pune. She leads the Pune chapter of the null community.

Max Class Size: 30
Prerequisites for students: The participants are expected to have a basic knowledge of Mobile Operating Systems. Knowledge of programming languages (Java and C, and Python for scripting) will be an added advantage to grasp things quickly.
Materials or Equipment students will need to bring to participate:
Hardware Requirements:
  • Minimum 4 GB RAM and more than 20 GB free hard disk space
  • Android device (>= 2.3)
  • iPhone/iPad >= 7.1.2 (preferably rooted/jailbroken)
Software Requirements:
  • Windows 7/8
  • Mac OS X 10.5
  • Administrative privileges on your machine
  • VirtualBox or VMware Player
  • SSH client
  • Xcode 6 or higher
  • Android Studio 1.3 or higher
  • Android SDK

** I will be providing the jailbroken iOS device to the attendees during the workshop.

Social Engineering Essentials

Valerie Thomas

Are you a penetration tester in need of social engineering training? Perhaps you just want an understanding of what social engineering is all about. This workshop has something for everyone. First we'll begin with the basics of social engineering and why it works, then dive into non-traditional topics such as spycraft, acting, pressure sales, and the psychology behind them. Next we'll build upon that knowledge to create social engineering attacks. We'll cover the steps of the social engineering process from planning to post-attack including real-world examples. We'll end the day with the basics of appearance hacking and utilizing social engineering in physical penetration testing.

Valerie Thomas is an Executive Information Security Consultant for Securicon LLC who specializes in social engineering and physical penetration testing. After obtaining her bachelor's degree in Electronic Engineering, Valerie led information security assessments for the Department of Defense before joining private industry. Her unique Defense and civilian background provides her with a solid understanding of intrusion detection, data loss prevention, and endpoint (in)security. Her electronic and RFID training became a crucial element of her physical security specialization. While some choose to focus on cyber or physical security, she has chosen to exploit the weaknesses of the combination of the two. As an ethical hacker and consultant, she holds multiple industry certifications. Valerie is the coauthor of "Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats" with Bill Gardner. Throughout her career, Valerie has conducted penetration tests, vulnerability assessments, compliance audits, and technical security training for executives, developers, and other security professionals. She has provided briefings and workshops for DEF CON, Derbycon, Blackhat, and multiple BSides events.

Max Class Size: 80
Prerequisites for students: None
Materials or Equipment students will need to bring to participate: Laptop not required

Hands-On Exploit Development

Georgia Weidman

This course provides a hands-on foundation in discovering and exploiting memory corruption issues. Security researchers regularly discover complex memory corruption issues in software, resulting in bug bounties and exploit sales. In this workshop we will discuss how memory corruption works and gain some experience using the tools of the trade for developing working exploits such as GDB, Immunity Debugger, and Participants will exploit beginner-friendly examples of common memory corruption issues, allowing students to get familiar with how memory corruption works without getting stuck behind all the latest and greatest anti-exploitation methods. Both Windows and Linux examples will be included. Students will be provided with target virtual machines running vulnerable software, as well as additional exercises for continued practice after class. By popular demand this course has moved to more modern operating systems, though the bugs used are still beginner friendly. Exploits will be written in the Python programming language, but exploit skeletons will be provided for those unfamiliar with the language. This workshop prepares students for future study in vulnerability discovery and exploit development.

Shevirah founder and CTO Georgia Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. She holds an MS in computer science as well as CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured internationally in print and on television. She has presented or conducted training around the world, including venues such as NSA, West Point, and Black Hat. Georgia founded Bulb Security LLC, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security, culminating in the release of the open source project the Smartphone Pentest Framework (SPF). She founded Shevirah Inc. to create product solutions for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions, and is a graduate of the Mach37 cybersecurity accelerator. She is the author of Penetration Testing: A Hands-On Introduction to Hacking from No Starch Press. She was the recipient of the 2015 Women's Society of CyberJutsu Pentest Ninja award. She is on the board of advisors of the angel-backed security training startup Cybrary and the nonprofit Digital Citizens Alliance, and is a member of the CyberWatch Center's National Visiting Committee. She served as a judge for the FTC Home Inspector IoT security challenge.

Max Class Size: 40
Prerequisites for students: Some familiarity with using the Windows operating system and the Linux command line. A background in assembly language and Python is helpful but not required.
Materials or Equipment students will need to bring to participate: Laptop with at least 30 GB of free space for virtual machines. A VMware or VirtualBox virtualization product (trial versions are fine).