
Buffer Overflow Exploitation and Defense Evasion

This book is 100% complete. Last updated on 2026-06-19.

Go beyond the basics and master the deep technical realities of memory corruption. Learn how modern defenses like ASLR, CFI, and PAC work, then discover the sophisticated ROP, leak, and data-only techniques required to bypass them. This is your essential guide to advanced exploit development and defense evasion.

Price: minimum $19.00, suggested $29.00. Also available for 1 book credit with a Reader Membership.

Formats: PDF, EPUB
About the Book

Dive deep into the intricate world of memory corruption with Buffer Overflow Exploitation and Defense Evasion. This comprehensive guide unravels the mechanics behind classic and modern vulnerability classes—from stack and heap overflows to format string bugs and integer manipulation pitfalls. Go beyond theory to understand how these flaws are leveraged at the assembly and OS level on x86/x64 and ARM architectures.

But exploitation is only half the story. This book meticulously dissects the evolution of defensive technologies, including Stack Canaries, NX/DEP, ASLR, PIE, RELRO, CFG, CFI, PAC, and MTE. Crucially, it then details the sophisticated bypass techniques developed by attackers, such as Return-Oriented Programming (ROP), JOP/COP, information leaks, and data-only attacks.

Packed with technical detail, shellcoding craftsmanship, kernel exploitation fundamentals, and insights into essential tooling (GDB, WinDbg, IDA, pwntools), this book is indispensable for security researchers, penetration testers, exploit developers, and advanced cybersecurity students seeking to master the low-level realities of software security and navigate the perpetual arms race between offense and defense. This is not an introductory text; a solid foundation in C/C++, assembly, and OS internals is required.

About the Author

Steve T. Team Publications

Steve T. brings nearly two decades of deep cybersecurity experience to the complex world of memory corruption. With 18 years dedicated to analyzing, understanding, and navigating low-level system security, his expertise spans vulnerability research, exploit development, and the intricacies of modern defense mechanisms. This book distills his extensive practical knowledge, offering readers a clear and authoritative guide through the challenging landscape of buffer overflows, defense evasion, and the perpetual arms race between attackers and defenders.

Table of Contents

Preface

  1. How to Use This Book
  2. Chapter 1: Memory, Processes, and the Von Neumann Bottleneck
  3. 1.1 Revisiting Process Memory Layout
  4. 1.2 Virtual Memory, Paging, and Permissions
  5. Chapter 1: Memory, Processes, and the Von Neumann Bottleneck (Continued)
  6. 1.3 CPU Architecture Basics: The Registers Guiding Execution
  7. 1.4 The C Language Memory Model: Power and Peril
  8. 1.5 Why Buffer Overflows Happen: The Missing Check
  9. 1.6 The Code/Data Equivalence: Enabling Execution
  10. 1.7 Quantitative Analysis: The Scale of Memory Corruption Vulnerabilities
  11. Chapter 2: Stack-Based Buffer Overflows: The Canonical Exploit
  12. 2.1 Detailed Stack Frame Anatomy
  13. x86 (32-bit) Calling Conventions (cdecl, stdcall):
  14. x64 (64-bit) Calling Conventions (System V AMD64 ABI - Linux/macOS, Microsoft x64 - Windows):
  15. 2.2 Function Prologues and Epilogues
  16. Typical x86 Prologue (with Frame Pointer):
  17. Typical x86 Epilogue (with Frame Pointer):
  18. Typical x64 Prologue (System V, with Frame Pointer):
  19. Typical x64 Epilogue (System V, with Frame Pointer):
  20. 2.3 Overwriting the Return Address: Seizing Control
  21. Example Payload Structure (Conceptual):
  22. 2.4 Vulnerable Functions Revisited
  23. 2.5 Crafting the First Payload: NOP Sleds and Shellcode Injection
  24. Payload Structure:
  25. Example (Conceptual x86):
  26. 2.5.1 Real-World Stack Overflow Case Studies
  27. 2.6 Finding Buffer Addresses: The Elusive Target
  28. 2.7 Variations: Beyond the Simple Overwrite
  29. 2.8 Quantitative Analysis: Stack Overflow Prevalence and Impact
  32. Chapter 3: Shellcoding Craftsmanship
  33. 3.1 Principles of Position-Independent Code (PIC)
  34. 3.2 Common Shellcode Goals
  35. 3.3 Writing Basic Shellcode: Linux (x86/x64 Syscalls)
  36. Key Concepts:
  37. Example: x64 Linux execve("/bin/sh", ["/bin/sh", NULL], NULL)
  38. 3.4 Writing Basic Shellcode: Windows (API Resolving)
  39. Key Concepts:
  40. Example Snippet (Conceptual x86 - Finding Kernel32 Base):
  41. 3.5 Dealing with Bad Characters
  42. Identifying Bad Characters:
  43. Avoiding Bad Characters:
  44. 3.6 Encoders, Decoders, and Simple Polymorphism
  45. Common Encoder Example (XOR):
  46. 3.7 Staged Shellcode
  47. 3.8 Quantitative Analysis: Shellcode Metrics and Real-World Measurements
  48. Chapter 4: Heap-Based Buffer Overflows: The Unstructured Frontier
  49. 4.1 Heap vs. Stack Dynamics: A Tale of Two Memories
  50. 4.2 Heap Allocator Internals: Focus on dlmalloc/ptmalloc
  51. Core Components:
  52. 4.3 Classic Heap Exploitation Techniques
  53. 4.4 Advanced Heap Exploitation (ptmalloc specific)
  54. 4.5 Heap Spraying Techniques
  55. 4.6 Windows Heap Internals: NT Heap, Segment Heap, and LFH
  56. 4.7 Recent Heap-Related CVEs: Real-World Impact
  57. 4.8 Quantitative Analysis: Heap Exploitation Complexity and Success Rates
  58. Chapter 5: Format String Vulnerabilities: Exploiting Output Functions
  59. 5.1 Variadic Functions and the printf Family
  60. 5.2 Format Specifiers: The Language of printf
  61. 5.3 The Vulnerability: Broken Trust
  62. Incorrect Code:
  63. Correct Code:
  64. Exploitation:
  65. 5.4 Information Leakage: Reading Process Memory
  66. 5.5 Arbitrary Memory Write: The Power of %n
  67. Example (Conceptual): Write 0xdeadbeef to address 0x12345678
  68. Using %hn and %hhn for Precise Writes:
  69. Example: Write 0x1234 to address TargetAddr (using %hn)
  70. Direct Parameter Access (%N$n)
  71. 5.6 Exploitation Targets for Arbitrary Write
  72. 5.7 Mitigations
  73. 5.8 Real-world Context
  74. 5.9 Quantitative Analysis: Format String Vulnerability Impact and Detection
  75. Chapter 6: Integer Overflows: The Silent Precursor
  76. 6.1 Integer Representation Fundamentals
  77. 6.2 Overflow, Underflow, and Wraparound: Crossing the Limits
  78. 6.3 Truncation: Losing Precision
  79. 6.4 Sign Extension Errors: Misinterpreting Signs
  80. 6.5 Exploitation Scenarios: From Bad Math to Memory Corruption
  81. 6.6 Real-world Case Studies (Brief Mentions)
  82. 6.7 Detection and Prevention
  83. 6.8 Conclusion
  84. 6.9 Quantitative Analysis: Integer Overflow Prevalence and Impact
  85. Part 2: Modern Defenses and Bypasses
  86. Chapter 7: Platform Defenses: Raising the Bar
  87. 7.1 Stack Canaries / StackGuard / Stack Smashing Protector (SSP)
  88. 7.2 Non-Executable Memory (NX / DEP / W^X)
  89. 7.3 Address Space Layout Randomization (ASLR)
  90. 7.4 Position Independent Executables (PIE)
  91. 7.5 Relocation Read-Only (RELRO)
  92. 7.6 Control Flow Guard (CFG - Windows)
  93. 7.7 Control-Flow Integrity (CFI - Generic/Clang)
  94. 7.8 Pointer Authentication Codes (PAC - ARM)
  95. 7.9 Memory Tagging Extension (MTE - ARM)
  96. 7.10 Source Code Hardening & Secure Libraries
  97. 7.10 Intel Control-Flow Enforcement Technology (CET)
  98. 7.11 Conclusion
  99. 7.12 Quantitative Analysis: Mitigation Effectiveness and Adoption Rates
  100. Chapter 8: Bypassing Stack Canaries
  101. 8.1 Leaking the Canary Value
  102. Methods for Leaking:
  103. Payload Construction after Leak:
  104. 8.2 Brute-Forcing the Canary
  105. Factors Affecting Feasibility:
  106. Brute-Force Payload Structure (Byte-by-Byte):
  107. 8.3 Overwriting Targets Below the Canary
  108. Potential Targets:
  109. 8.4 Attacking Canary Generation or Checking Logic
  110. 8.5 Partial Overwrites and Data-Only Attacks
  111. 8.6 Conclusion
  112. Chapter 9: Bypassing NX/DEP: Return-Oriented Programming (ROP)
  113. 9.1 The Principle: Reusing Existing Code
  114. 9.2 What is a Gadget?
  115. 9.3 Finding Gadgets
  116. 9.4 Gadget Types and Their Roles
  117. 9.5 ROP Chain Construction: Orchestrating Gadgets
  118. Stack Layout Example (Conceptual x64 - Call func(arg1, arg2)):
  119. 9.6 Controlling Function Arguments
  120. 9.7 ret2libc: Calling Library Functions
  121. 9.8 Syscall Gadgets: Direct OS Interaction
  122. 9.9 Stack Pivoting: Changing the Stage
  123. 9.10 Advanced ROP: Sigreturn-Oriented Programming (SROP)
  124. 9.11 Blind ROP (BROP)
  125. 9.12 Conclusion: The Ubiquity of ROP
  126. 9.13 Quantitative Analysis: ROP Chain Metrics and Real-World Performance
  127. Chapter 10: Bypassing Address Space Layout Randomization (ASLR)
  128. 10.1 The Crucial Role of Information Leaks
  129. 10.2 Common Sources of Information Leaks
  130. 10.3 Leveraging Leaked Pointers: Calculating Base Addresses
  131. 10.4 Partial Overwrites: Exploiting Low Entropy
  132. 10.5 Brute-Forcing ASLR: A High-Cost Gamble
  133. 10.6 Exploiting Non-Randomized Components
  134. 10.7 Chaining Leaks: Multi-Stage Exploitation
  135. 10.8 Conclusion
  136. 10.9 Quantitative Analysis: ASLR Entropy and Bypass Feasibility
  137. Chapter 11: Bypassing CFI, CFG, and Advanced Hardware Mitigations
  138. 11.1 Bypassing Control Flow Guard (CFG - Windows)
  139. 11.2 Bypassing Control-Flow Integrity (CFI)
  140. 11.3 Bypassing Pointer Authentication Codes (PAC - ARM)
  141. 11.4 Bypassing Memory Tagging Extension (MTE - ARM)
  142. 11.5 JOP/COP: Alternative Code Reuse
  143. 11.6 Return-to-CSU (__libc_csu_init)
  144. 11.5 Counterfeit Object-Oriented Programming (COOP)
  145. 11.6 PACMAN: Speculative Execution Oracle for ARM Pointer Authentication
  146. 11.7 TikTag: Breaking ARM Memory Tagging Extension with Speculative Execution
  147. 11.8 Conclusion: The Ever-Shifting Battlefield
  148. Chapter 12: The Holistic View: Combining Bypasses and Tooling
  149. 12.1 Typical Exploit Chains: The Sum of Parts
  150. 12.2 Exploit Development Workflow: A Systematic Approach
  151. 12.3 Using Debuggers Effectively
  152. Debugger Usage Strategy:
  153. 12.4 Leveraging Disassemblers/Decompilers
  154. Usage Strategy:
  155. 12.5 Exploit Frameworks (pwntools)
  156. 12.6 Fuzzing for Bug Discovery
  157. 12.7 Automated Exploit Generation (AEG) Concepts
  158. 12.8 Conclusion
  159. Part 3: Beyond the Basics and Future Trends
  160. Chapter 13: Architecture Specifics and Kernel Exploitation
  161. 13.1 Architecture Specifics: ARM/AArch64 Exploitation
  162. Key Architectural Differences:
  163. Impact on Exploitation Techniques:
  164. 13.2 Introduction to Kernel Exploitation
  165. User Space vs. Kernel Space:
  166. Kernel Memory Layout:
  167. Kernel Attack Surface:
  168. Common Kernel Bug Classes:
  169. Kernel Mitigations:
  170. 13.3 Basic Kernel Exploit Concepts
  171. Payload Example: Privilege Escalation
  172. 13.4 Conclusion
  173. Chapter 14: The Shifting Landscape and Conclusion
  174. 14.1 The Rise of Memory-Safe Languages
  175. 14.1.5 Recent CVE Trends: Active Exploitation in 2024–2025
  176. 14.2 Managed Runtimes (JVM, .NET, Python, Ruby, etc.)
  177. 14.3 WebAssembly (Wasm) Security Considerations
  178. 14.4 Hardware-Level Security Evolution
  179. 14.5 The Continuous Arms Race: What’s Next?
  180. 14.6 Final Thoughts: The Primacy of Secure Development
  181. References
  182. Appendix A: Glossary of Terms
  183. Appendix B: Common Syscall Tables (x86, x64, ARM32, ARM64)
  184. B.1 x86 (32-bit) Syscall Convention
  185. Common x86 Syscalls:
  186. B.2 x64 (64-bit) Syscall Convention
  187. Common x64 Syscalls:
  188. Important Considerations:
  189. B.3 ARM64 (AArch64) Syscall Convention
  190. Appendix C: Useful Debugger Commands for Exploit Development
  191. C.1 GDB + Extensions (PEDA/GEF/Pwndbg)
  192. Process Control & Execution:
  193. Breakpoints:
  194. Memory Examination:
  195. Register Manipulation:
  196. Stack Analysis:
  197. Disassembly:
  198. Heap Analysis (Extensions - Commands may differ slightly):
  199. ASLR/PIE/Mitigation Info (Extensions):
  200. Searching Memory:
  201. Scripting & Automation:
  202. C.2 WinDbg (Windows)
  203. Process Control & Execution:
  204. Breakpoints:
  205. Memory Examination:
  206. Register Manipulation:
  207. Stack Analysis:
  208. Disassembly:
  209. Heap Analysis:
  210. Module/Memory Info:
  211. Searching Memory:
  212. Symbols:
  213. C.3 Final Note
  214. Appendix D: Further Reading and Resources
  215. D.1 Foundational Books
  216. D.2 Advanced Exploitation & Reverse Engineering Books
  217. D.3 Online Resources & Communities
  218. D.4 Essential Tools (Recap & Beyond)
  219. D.5 Practice Platforms
  220. D.6 Final Advice
