A curated list of resources (books, tutorials, courses, tools and vulnerable applications) for learning about Exploit Development
BOOKS
- Hacking – The art of exploitation http://amzn.to/2izehnJ
- A bug Hunter’s Diary: A Guided Tour Through the Wilds of Software Security http://amzn.to/2jMcppK
- The Shellcoder’s Handbook: Discovering and Exploiting Security Holes http://amzn.to/2jSAZcC
- Sockets, shellcode, Porting, and coding: reverse engineering Exploits and Tool coding for security professionals http://amzn.to/2jSCeZo
- Writing Security tools and Exploits http://amzn.to/2jkYTMZ
- Buffer overflow attacks: Detect, exploit, Prevent http://amzn.to/2jM6pgL
- Metasploit toolkit for Penetration Testing, exploit Development, and vulnerability research http://amzn.to/2itTsqJ
TUTORIALS
Corelan.be
- Exploit writing tutorial part 1: Stack Based Overflows
- Exploit writing tutorial part 2: Stack Based Overflows – jumping to shellcode
- Exploit writing tutorial part 3: SEH Based Exploits
- Exploit writing tutorial part 3b: SEH Based Exploits – just another example
- Exploit writing tutorial part 4: From Exploit to Metasploit – The basics
- Exploit writing tutorial part 5: How debugger modules & plugins can speed up basic exploit development
- Exploit writing part 6: Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
- Exploit writing tutorial part 7: Unicode – from 0x00410041 to calc
- Exploit writing tutorial part 8: Win32 Egg Hunting
- Exploit writing tutorial part 9: Introduction to Win32 shellcoding
- Exploit writing tutorial part 10: Chaining DEP with ROP – the Rubik’s[TM] Cube
- Exploit writing tutorial part 11 : Heap Spraying Demystified
- Starting to write Immunity Debugger PyCommands : my cheatsheet
- Ken Ward Zipper exploit write-up on abysssec.com
- Exploiting Ken Ward Zipper : Taking advantage of payload conversion
- Hack Notes : ROP retn+offset and impact on stack setup
- Hack Notes : Ropping eggs for breakfast
- Universal DEP/ASLR bypass with msvcr71.dll and mona.py
- WoW64 Egghunter
- Debugging Fun – Putting a process to sleep()
- Jingle BOFs, Jingle ROPs, Sploiting all the things… with Mona v2
- Root Cause Analysis – Memory Corruption Vulnerabilities
- Heap Layout Visualization with mona.py and WinDBG
- DEPS – Precise Heap Spray on Firefox and IE10
- Root Cause Analysis – Integer Overflows
Opensecuritytraining.info
Samsclass.info
Securitysift.com
- Windows Exploit Development – Part 1: The Basics
- Windows Exploit Development – Part 2: Intro to Stack Based Overflows
- Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules
- Windows Exploit Development – Part 4: Locating Shellcode With Jumps
- Windows Exploit Development – Part 5: Locating Shellcode With Egghunting
- Windows Exploit Development – Part 6: SEH Exploits
- Windows Exploit Development – Part 7: Unicode Buffer Overflows
COURSES
- Corelan
- Corelan Exploit Development Training
- Offensive Security
- Advanced Windows Exploitation The Official OSEE Certification Course
- SANS
- SANS SEC760: Advanced Exploit Development for Penetration Testers
- Udemy
- Windows Exploit Development Megaprimer
- This is a comprehensive course on Exploit Development in Windows platform. The course is designed in such a way to help the beginners. It will help you understand the different domains of software exploitation.
- Exploit Development From Scratch
- When you complete this training you will learn, GDB and Immunity Debugger usage, basic assembly programming, assembly instructions, stack layout, memory protection mechanisms, Fuzzing, offset calculating, shellcode creating.
- Windows Exploit Development Megaprimer
TOOLS
EXPLOITS DATABASE
Advanced Windows exploit development resources
Some resources, links, books, and papers related to mostly Windows Internals and anything Windows kernel related. Mostly talks and videos that I enjoyed watching.
⚠️ These are all resources that I have personally used and gone through
Really important resources
- terminus project
- React OS Win32k
- Geoff Chappell – Kernel-Mode Windows
- HEVD Vulnerable driver
- HackSys Extreme Vulnerable Driver is intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level.
- FLARE Kernel Shellcode Loader
- Vergilius – Undocumented kernel structures
- Take a look into the depths of Windows kernels and reveal more than 60000 undocumented structures
- Windows X86-64 System Call Table
- Vulnerable Driver Megathread
Must watch / read
- ⭐ Kernel Mode Threats and Practical Defenses
- ⭐ Morten Schenk – Taking Windows 10 Kernel Exploitation to the next level
- ⭐ The Life & Death of Kernel Object Abuse
- ⭐ Windows 10 Mitigation Improvements
Windows Rootkits
Talks / video recordings
- 11 part playlist – Rootkits: What they are, and how to find them
- Hooking Nirvana
- Alex Ionescu – Advancing the State of UEFI Bootkits
- BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
- Numchecker: A System Approach for Kernel Rootkit Detection
- DEF CON 26 – Ring 0 Ring 2 Rootkits Bypassing Defenses
- Black Hat Windows 2001 – Kernel Mode Rootkits
- Black Hat Windows 2004 – DKOM (Direct Kernel Object Manipulation)
- RTFM SigSegv1 – From corrupted memory dump to rootkit detection
Articles / papers
- Dissecting Turla Rootkit Malware Using Dynamic Analysis
- A quick insight into the Driver Signature Enforcement
- WINDOWS DRIVER SIGNING BYPASS BY DERUSB
- A Basic Windows DKOM Rootkit
- Manipulating Active Process Links to Hide Processes in Userland
Windows kernel mitigations
Talks / video recordings
- BlueHat v18 || Hardening hyper-v through offensive security research
- BYPASS CONTROL FLOW GUARD COMPREHENSIVELY – this is cfg not kCFG
- BlueHat v18 || Mitigation Bypass: The Past, Present, and Future
- Windows Offender Reverse Engineering Windows Defender’s Antivirus Emulator
- Windows 10 Mitigation Improvements (really good talk)
- Overview of Windows 10 Requirements for TPM, HVCI and SecureBoot
- Examining the Guardians of Windows 10 Security – Chuanda Ding
- Analysis of the Attack Surface of Windows 10 Virtualization-Based Security
- A Dive in to Hyper-V Architecture & Vulnerabilities
- the last kaslr leak
- BlueHat v18 || A mitigation for kernel toctou vulnerabilities
- REcon 2013 – I got 99 problems but a kernel pointer ain’t one
- SMEP: What is it, and how to beat it on Windows
- BlueHat IL 2020 – David Weston – Keeping Windows Secure
- Advancing Windows Security — David Weston
- OffensiveCon18 – The Evolution of CFI Attacks and Defenses
Articles / papers
General mitigation papers
- Hardening Windows 10 with zero-day exploit mitigations
- TAKING WINDOWS 10 KERNEL EXPLOITATION TO THE NEXT LEVEL
kASLR
- KASLR Bypass Mitigations in Windows 8.1
- Devlopment of a new Windows 10 KASLR bypass – in one winDBG command
SMEP
- Bypassing Intel SMEP on Windows 8 x64 Using Return-oriented Programming
- Return Oriented Programming Tutorial
- Stack Buffer Overflow (SMEP Bypass)
- Windows 10 x64 and Bypassing SMEP
- SMEP: What is it, and how to beat it on Windows
CET
- Security Analysis of Processor Instruction Set Architecture for Enforcing Control-Flow Integrity
- A Technical Look at Intel’s Control-flow Enforcement Technology
- Control-flow Enforcement Technology Specification
- Intel CET Answers Call to Protect Against Common Malware Threats
- R.I.P ROP: CET Internals in Windows 20H1
Windows kernel shellcode
Articles / papers
- Loading Kernel Shellcode
- Windows Kernel Shellcodes – a compendium
- Windows Kernel Shellcode on Windows 10 – Part 1
- Windows Kernel Shellcode on Windows 10 – Part 2
- Windows Kernel Shellcode on Windows 10 – Part 3
- Panic! At The Kernel – Token Stealing Payloads Revisited on Windows 10 x64 and Bypassing SMEP
- Token Abuse for Privilege Escalation in Kernel
- Introduction to Shellcode Development
- Introduction to Windows shellcode development – Part 1
- DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis
- Exploring Injected Threads
Windows kernel exploitation
Talks / video recordings
- HITB2016AMS – Kernel Exploit Hunting And Mitigation
- Ilja van Sprundel: Windows drivers attack surface
- REcon 2015 – This Time Font hunt you down in 4 bytes
- Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)
- Windows kernel exploitation techniques – Adrien Garin – LSE Week 2016
- Hackingz Ze Komputerz – Exploiting CAPCOM.SYS – Part 1
- Hackingz Ze Komputerz – Exploiting CAPCOM.SYS – Part 2
- The 3 Way06 Practical Windows Kernel Exploitation
- Reverse Engineering and Bug Hunting on KMDF Drivers
- Binary Exploit Mitigation and Bypass History – not just kernel
- Morten Schenk – Taking Windows 10 Kernel Exploitation to the next level
- REcon 2015 – Reverse Engineering Windows AFD.sys
- Windows Kernel Graphics Driver Attack Surface
- Understanding TOCTTOU in the Windows Kernel Font Scaler Engine
- Black Hat USA 2013 – Smashing The Font Scaler Engine in Windows Kernel
Articles / papers
- Kernel Exploit Sample Hunting and Mining Contents
- The entire GreyHatHacker site has great writeups
- BlueKeep: A Journey from DoS to RCE (CVE-2019-0708)
- Exploiting SMBGhost (CVE-2020-0796) for a Local Privilege Escalation
- Windows Drivers are True’ly Tricky
- Taking apart a double zero-day sample discovered in joint hunt with ESET
- Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool
- Kernel Pool Overflow Exploitation in Real World: Windows 10
- Kernel Pool Overflow Exploitation in Real World – Windows 7
- Kernel Pool Exploitation on Windows 7
- Easy local Windows Kernel exploitation
- Exploiting CVE-2014-4113
- Pwn2Own 2014 – AFD.sys Dangling Pointer Vulnerability
- Symantec Endpoint protection 0day
- Analysing the NULL SecurityDescriptor kernel exploitation mitigation in the latest Windows 10 v1607 Build 14393
- nt!_SEP_TOKEN_PRIVILEGES – Single Write EoP Protect
- Token Abuse for Privilege Escalation in Kernel
Windows kernel GDI exploitation
Talks / video recordings
- Abusing GDI for ring0 exploit primitives Evolution
- Demystifying Windows Kernel Exploitation by Abusing GDI Objects
- CommSec D1 – The Life & Death of Kernel Object Abuse
- Kernel Object Abuse by Type Isolation
Articles / papers
- Turning CVE-2017-14961 into full arbitrary read / write with PALETTE objects
- Zero-day exploit (CVE-2018-8453) used in targeted attacks
- The zero-day exploits of Operation WizardOpium
- Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium
- Abusing GDI Objects for ring0 Primitives Revolution
- Abusing GDI for ring0 exploit primitives
- A Tale Of Bitmaps: Leaking GDI Objects Post Windows 10 Anniversary Edition
- CSW2017 Peng qiu shefang zhong win32k dark_composition
- Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)
Windows kernel Win32k.sys research
Talks / video recordings
Articles / papers
- CVE-2020-1054 Analysis
- TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln
- One Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild
- Reverse Engineering the Win32k Type Isolation Mitigation
- A new exploit for zero-day vulnerability CVE-2018-8589
- Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005
- Exploring CVE-2015-1701 — A Win32k Elevation of Privilege Vulnerability Used in Targeted Attacks
- Exploiting the win32k!xxxEnableWndSBArrows use-after-free
- New zero-day vulnerability CVE-2019-0859 in win32k.sys
- Windows zero‑day CVE‑2019‑1132 exploited in targeted attacks
- Windows Kernel Local Denial-of-Service #1: win32k!NtUserThunkedMenuItemInfo
- Windows Kernel Local Denial-of-Service #2: win32k!NtDCompositionBeginFrame
- Windows Kernel Local Denial-of-Service #4: nt!NtAccessCheck and family
- Windows Kernel Local Denial-of-Service #5: win32k!NtGdiGetDIBitsInternal
- Windows win32k.sys menus and some “close, but no cigar” bugs
- Windows Kernel Internals – Win32K.sys
Windows Kernel logic bugs
Talks / video recordings
Articles / papers
- A vulnerable driver: lesson almost learned
- CVE-2020-12138 – Privilege Escalation in ATI Technologies Inc. Driver atillk64.sys
- CVE-2019-18845 – Viper RGB Driver Local Privilege Escalation
- CVE-2020-8808 – CORSAIR iCUE Driver Local Privilege Escalation
- Logic bugs in Razer rzpnk.sys
- Dell SupportAssist Driver – Local Privilege Escalation
- MSI ntiolib.sys/winio.sys local privilege escalation
- CVE-2019-8372 – Local Privilege Elevation in LG Kernel Driver
- Reading Physical Memory using Carbon Black’s Endpoint driver
- ASUS UEFI Update Driver Physical Memory Read/Write
- Privilege escalation vulnerabilities found in over 40 Windows Drivers
- Blackat – KERNEL MODE THREATS AND PRACTICAL DEFENSES
- Weaponizing vulnerable driver for privilege escalation— Gigabyte Edition!
Windows kernel driver development
Talks / video recordings
- Windows Kernel Programming – 14 part playlist
- Windows Driver Development – 19 part playlist
- Developing Kernel Drivers with Modern C++ – Pavel Yosifovich
Articles / papers
- Winsock Kernel Overview Topics
- Driver Development Part 1: Introduction to Drivers
- Driver Development Part 2: Introduction to Implementing IOCTLs
- Driver Development Part 3: Introduction to driver contexts
- Driver Development Part 4: Introduction to device stacks
- Creating IOCTL Requests in Drivers
- Windows Drivers Part 2: IOCTLs
- Sending Commands From Your Userland Program to Your Kernel Driver using IOCTL
Windows internals
Talks / video recordings
- Pluralsight – Windows Internals 1
- Pluralsight – Windows Internals 2
- Pluralsight – Windows Internals 3
- Pluralsight – Windows 10 Internals: Systems and Processes
- Pluralsight – Windows 10 Internals – Threads, Memory and Security
- Alex Ionescu Insection: AWEsomely Exploiting Shared Memory Objects
- Windows Internals
- Windows 10 Segment Heap Internals
- Windows Kernel Vulnerability Research and Exploitation – Gilad Bakas
- NIC 5th Anniversary – Windows 10 internals
- Black Hat USA 2012 – Windows 8 Heap Intervals
Articles / papers
- Whitepaper – WINDOWS 10 SEGMENT HEAP INTERNALS
- The Quest for the SSDTs
- System Service Descriptor Table – SSDT
- Interrupt Descriptor Table – IDT
- Exploring Process Environment Block
- Windows Pool Manager
- Parsing PE File Headers with C++
- Digging Into Handles, Callbacks & ObjectTypes
Advanced Windows debugging
Talks / video recordings
- Hacking Livestream #28: Windows Kernel Debugging Part I
- Hacking Livestream #29: Windows Kernel Debugging Part II
- Hacking Livestream #30: Windows Kernel Debugging Part III
- WinDbg Basics for Malware Analysis
- Windows Debugging and Troubleshooting
- CNIT 126 10: Kernel Debugging with WinDbg
- Windows Kernel Debugging Part I
- Microsoft Patch Analysis for Exploitation
- Windows Kernel Debugging Fundamentals
Articles / papers
- Debug Tutorial Part 1: Beginning Debugging Using CDB and NTSD
- Debug Tutorial Part 2: The Stack
- Debug Tutorial Part 3: The Heap
- Debug Tutorial Part 4: Writing WINDBG Extensions
- Debug Tutorial Part 5: Handle Leaks
- Debug Tutorial Part 6: Navigating The Kernel Debugge
- Debug Tutorial Part 7: Locks and Synchronization Objects
- Getting Started with WinDbg – kernelmode
- Windows Debuggers: Part 1: A WinDbg Tutorial
0days – APT advanced malware research
Talks / video recordings
- W32.Duqu: The Precursor to the Next Stuxnet
- Kernel Mode Threats and Practical Defenses
- Selling 0-Days to Governments and Offensive Security Companies
Articles / papers
- AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
- The zero-day exploits of Operation WizardOpium
- Zero-day exploit (CVE-2018-8453) used in targeted attacks
- EternalBlue – Everything There Is To Know
- Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255
Video game cheating (kernel mode stuff sometimes)
Talks / video recordings
Articles / papers
- drvmap – driver manual mapper using capcom
- All methods of retrieving unique identifiers(HWIDs) on your PC
- Driver aka Kernel Mode cheating
Hyper-V and VM / sandbox escape
Talks / video recordings
- Vulnerability Exploitation In Docker Container Environments
- Modern Exploitation of the SVGA Device for Guest-to-Host Escapes
- REcon 2014 – Breaking Out of VirtualBox through 3D Acceleration
- 36C3 – The Great Escape of ESXi
- BlueHat v18 || Straight outta VMware
- Hardening hyper-v through offensive security research
- A Driver in to Hyper v Architecture&Vulnerabilities
- The HyperV Architecture and its Memory Manager
- Ring 0 to Ring -1 Exploitation with Hyper-V IPC
- Exploiting the Hyper-V IDE Emulator to Escape the Virtual Machine
- A Dive in to Hyper-V Architecture & Vulnerabilities
Articles / papers
- Hyper-V memory internals. EXO partition memory access
- Ventures into Hyper-V – Fuzzing hypercalls
- Fuzzing para-virtualized devices in Hyper-V
- First Steps in Hyper-V Research
- Windows Sandbox Attack Surface Analysis
Fuzzing
Talks / video recordings
- HITBGSEC 2016 – Fuzzing The Windows Kernel
- Windows Kernel Vulnerability Research and Exploitation
- Bugs on the Windshield: Fuzzing the Windows Kernel
- Windows Kernel Fuzzing for Intermediate Learners
- Windows Kernel Fuzzing For Beginners – Ben Nagy
- Disobey 2018 – Building Windows Kernel fuzzer
- For The Win: The Art Of The Windows Kernel Fuzzing
- RECON 2019 – Vectorized Emulation Putting it all together
Articles / papers
- A year of Windows kernel font fuzzing #1: the results
- A year of Windows kernel font fuzzing #2: the techniques
Windows browser exploitation
Talks / video recordings
Related certifications and courses
Courses
- Advanced Windows Exploitation (AWE)
- Sans 660
- Sans 760
- Corelan “Bootcamp” training
- Corelan “Advanced” training
Certifications
- Offensive Security Exploitation Expert (OSEE)
- Giac GXPN