Corelan Heap

3-day in-person (long days, dinner included)

Corelan Heap doesn't just dive deep into the Windows heap, it teaches you how to do your own heap research. It covers precise heap manipulation (including Corelan's Memorigami), heap exploitation and the research of heap exploitation primitives and information leak strategies across a wide range of bug classes. Stuff that works on 32bit and 64bit. Widely regarded as the most advanced class on building a universal, research-driven understanding of heap management, heap exploitation and information leak strategies.

Course Overview

What you will learn

Heap Research

Understanding Heap managers through research and experimentation

Heap Manipulation

Precise control over heap memory layouts.

From Spraying to Memorigami

Heap Exploitation

Solid techniques and strategies across bug classes.

32bit and 64bit

Information Leaks

Reliable strategies to disclose memory layouts and bypass ASLR

Course content

Refresher on ASLR & DEP

  • Bypassing ASLR

  • Bypassing DEP


WinDBG Classic & WinDBGX

  • WinDBG Classic & WinDBGX Basics

  • Symbols

  • Breakpoints & logging/monitoring breakpoints

  • Using WinDBG(X) to explore Windows Heap datastructures in Windows 7/10/11


Windows Heap Management & Manipulation

  • Terminology & building blocks

  • Windows 7 Heap, Windows 11 "NT" and "Segment" Heap Managers

  • Front-End Allocators and Back-End Allocators

  • Differences between Windows 7 and Windows 11

  • Heap manipulation & exploitation primitives

  • Heap Feng Shui

  • Corelan's very own "Memorigami" - Precise Heap Folding with the BEA on Windows 11

  • Dynamic Heap Tracing

  • Learn how to do your own heap research (Windows Heap as well as proprietary heap managers)


Heap Spraying

  • Basic Heap Spraying concepts and mechanisms

  • Data & Object Spraying

  • Precise heap spraying

  • Heap Spray limitations and techniques to avoid heap spraying on 32bit and 64bit


Heap Exploitation

  • Heap Exploitation Landscape, Bug Classes & Case Studies

  • Use-After-Free

  • Linear & non-linear heap overflows

  • Out-of-boundary read/write

  • Double Free

  • Type confusion

  • Controlled Read/Write (Read/Write "what" "where" primitives)

  • Use of uninitialized memory

  • Crash analysis & bug classification methodologies, manual and using AI

  • Advanced Heap Manipulations

  • Getting better at bug hunting & vulnerability research

  • Researching and documenting heap allocator primitives


Information Leaks

  • Information leak techniques & strategies

  • Universal approaches on creating information leaks with control & precision


Exploit development for x64 processes

  • x64 processes, memory map, registers, assembly

  • functions & calling conventions

  • Structured Exception Handling

  • ASLR

  • Stack Buffer Overflows

  • Shellcode & ROP chains

  • Heap exploitation on 64bit


Guided homework

  • A collection of carefully selected exercises

  • Verbose step-by-step guides

  • Details decrease as you progress through the exercises


Tons of extra information and homework

  • More than 30 additional use cases based on recent CVEs in 32bit and 64bit applications

  • Resources on additional mitigations, evolutions & bypasses


Why you should take Corelan Heap!

✅ Modern and up-to-date — focused on current Windows heap implementations (Windows 11)

✅ Fundamental knowledge — heap internals are critical for modern exploitation and mitigation bypasses

✅ Where modern exploitation happens — the heap is the primary attack surface today

✅ Research-driven skills — learn how to do heap research, not just apply known tricks

✅ Universal exploitation techniques — precise heap manipulation across bug classes

✅ Information leak strategies — a core requirement for reliable modern exploitation

✅ Memorigami methodology — proprietary techniques to shape and control the Windows 11 BEA

✅ Mindset transformation — students learn to reason, experiment, verify, research, monitor, ...

✅ Get better at bug hunting — armed with fundamental insights, you'll be more effective at bug hunting

The deepest in-person Windows heap class available

✅ Trusted worldwide — thousands trained, including military, intelligence & private sector

✅ Real classroom experience — impossible to replicate with books or videos

✅ Modern and up-to-date — built on the latest Windows 11 versions

✅ The final step before CCED


Investment protection

Corelan courses are built on decades of research, real-world experience, and hundreds of hands-on exercises. We push hard to deliver as much value as possible in just a few days — but we also know that no one becomes an expert overnight.


True mastery requires practice, repetition, and exploration long after the class ends. That’s why your learning doesn’t stop when the class is over.


You take home the full courseware, your own lab environment, a collection of exercises, bonus content and the freedom to learn and refine your skills at your own pace.


And when new questions arise — we’re here to help. Every student receives FREE post-training support.


This long-term support system is unique in the industry and one of the best ways to protect the investment you made in a Corelan class, and in your own future.



Target Audience


  • People serious about becoming an Exploit Developer and/or Vulnerability Researcher, looking to level up their bug hunting and crash analysis skills

  • Corelan Stack students that are ready to complete the Windows Userland exploit dev journey

  • Red Team Operators working on modern protected Windows targets

  • SOC & DFIR and Blue Team Analysts who want to better understand "attackers" / exploitation at a deeper level

  • Malware Analysts interested in understanding how adversaries use exploits to deliver malware to targets

  • C/C++ Developers who want to understand and prevent heap corruptions / vulnerabilities

  • Security researchers focused on memory corruption, fuzzing, and bug classes

  • Professionals performing security assessments, exploit verification, or PoC development

  • Endpoint protection developers building detection/defences against heap exploits

  • Military / Law Enforcement / Intelligence Operators working with advanced tooling and targets

  • Anyone who already understands stack exploitation and wants to master modern heap exploitation

  • People interested in demystifying the Windows Heap who have a strong desire to understand the "why" behind the "how"

  • Candidates preparing for CCED

Pre-requisites


Technical Prerequisites

Unless specified otherwise, students are required to bring the following:

  • Laptop (16 GB RAM or more)

  • VM software (VMWare/VirtualBox/...)

  • Admin rights

  • 3 Lab Virtual Machines

We will send out detailed VM Lab machine instructions about 2 weeks before class. Your 3 Lab VMs must be set up prior to the start of class!


Knowledge and attitude

Get ready to focus and learn.

Skills needed:

  • Read/write python scripts

  • Read/write basic C++ code

  • Manage your Windows/Linux VMs

  • Master R.O.P.

  • Experience with assembly and a debugger (ideally WinDBG)

  • Drive / motivation to find solutions independently


Legal Prerequisites

You will be required to sign a confidentiality agreement at the start of the course. You will not be admitted to the course without signing this document. You can find a copy of the document here (we'll bring a printed copy).

Trainer Bio


Peter Van Eeckhoutte is the founder of Corelan Team and the author of the well-known tutorials on Win32 Exploit Development Training, available at https://www.corelan.be. The team gathers a group of IT Security enthusiasts and researchers from around the world, who all share common interests: doing research, gathering and sharing knowledge, and performing responsible/coordinated disclosure. Above all, the team is well known for their ethics and their dedication to helping other people in the community. Together with the team, he has developed and published numerous tools that assist pentesters and exploit developers, and published whitepapers and videos on a wide range of IT Security related topics (pentesting tools, (malware) reverse engineering, etc.).

You can find some of the tools on the Corelan github page: https://github.com/corelan


The team also moderates a Discord workplace (with various channels) that provides a platform for people who want to talk about exploit development or discuss wider IT Security topics. Follow us on Twitter (@corelanconsult) and Facebook (corelanconsulting) to get a Discord invite.


Peter is reachable on Twitter via @corelanc0d3r. Peter has been an active member of the IT Security community since 2000 and has been working on exploit development since 2006. He presented at various international security conferences (Athcon, Hack In Paris, DerbyCon, ISSA Belgium) and taught various Win32 Exploit Development courses at numerous places around the globe. He trained security enthusiasts & professionals from private companies, government agencies and military organizations. You can read more about their experiences here: https://www.corelan-training.com/index.php/testimonials/