Advanced Windows exploit development resources
Some resources, links, books, and papers related mostly to Windows internals and anything Windows kernel related, mostly talks and videos that I enjoyed watching.
These are all resources that I have personally used and gone through.
Really important resources
- terminus project
- React OS Win32k
- Geoff Chappell – Kernel-Mode Windows
- HEVD Vulnerable driver
- FLARE Kernel Shellcode Loader
- Vergilius – Undocumented kernel structures
- Windows X86-64 System Call Table
- Vulnerable Driver Megathread
Must watch / read (if you could choose only a few) – all-time favorites
- Kernel Mode Threats and Practical Defenses
- Morten Schenk – Taking Windows 10 Kernel Exploitation to the next level
- The Life & Death of Kernel Object Abuse
- Windows 10 Mitigation Improvements
Windows Rootkits
Talks / video recordings
- 11 part playlist – Rootkits: What they are, and how to find them
- Hooking Nirvana
- Alex Ionescu – Advancing the State of UEFI Bootkits
- BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
- Numchecker: A System Approach for Kernel Rootkit Detection
- DEF CON 26 – Ring 0 Ring 2 Rootkits Bypassing Defenses
- Black Hat Windows 2001 – Kernel Mode Rootkits
- Black Hat Windows 2004 – DKOM (Direct Kernel Object Manipulation)
- RTFM SigSegv1 – From corrupted memory dump to rootkit detection
Articles / papers
- Dissecting Turla Rootkit Malware Using Dynamic Analysis
- A quick insight into the Driver Signature Enforcement
- WINDOWS DRIVER SIGNING BYPASS BY DERUSB
- A Basic Windows DKOM Rootkit
- Manipulating ActiveProcessLinks to Hide Processes in Userland
Windows kernel mitigations
Talks / video recordings
- BlueHat v18 || Hardening hyper-v through offensive security research
- BYPASS CONTROL FLOW GUARD COMPREHENSIVELY – this is user-mode CFG, not kCFG
- BlueHat v18 || Mitigation Bypass: The Past, Present, and Future
- Windows Offender Reverse Engineering Windows Defender’s Antivirus Emulator
- Windows 10 Mitigation Improvements (really good talk)
- Overview of Windows 10 Requirements for TPM, HVCI and SecureBoot
- Examining the Guardians of Windows 10 Security – Chuanda Ding
- Analysis of the Attack Surface of Windows 10 Virtualization-Based Security
- A Dive in to Hyper-V Architecture & Vulnerabilities
- the last kaslr leak
- BlueHat v18 || A mitigation for kernel toctou vulnerabilities
- REcon 2013 – I got 99 problems but a kernel pointer ain’t one
- SMEP: What is it, and how to beat it on Windows
- BlueHat IL 2020 – David Weston – Keeping Windows Secure
- Advancing Windows Security — David Weston
- OffensiveCon18 – The Evolution of CFI Attacks and Defenses
Articles / papers
General mitigation papers
- Hardening Windows 10 with zero-day exploit mitigations
- TAKING WINDOWS 10 KERNEL EXPLOITATION TO THE NEXT LEVEL
kASLR
- KASLR Bypass Mitigations in Windows 8.1
- Development of a new Windows 10 KASLR bypass – in one WinDbg command
SMEP
- Bypassing Intel SMEP on Windows 8 x64 Using Return-oriented Programming
- Return Oriented Programming Tutorial
- Stack Buffer Overflow (SMEP Bypass)
- Windows 10 x64 and Bypassing SMEP
- SMEP: What is it, and how to beat it on Windows
CET
- Security Analysis of Processor Instruction Set Architecture for Enforcing Control-Flow Integrity
- A Technical Look at Intel’s Control-flow Enforcement Technology
- Control-flow Enforcement Technology Specification
- Intel CET Answers Call to Protect Against Common Malware Threats
- R.I.P ROP: CET Internals in Windows 20H1
Windows kernel shellcode
Articles / papers
- Loading Kernel Shellcode
- Windows Kernel Shellcodes – a compendium
- Windows Kernel Shellcode on Windows 10 – Part 1
- Windows Kernel Shellcode on Windows 10 – Part 2
- Windows Kernel Shellcode on Windows 10 – Part 3
- Panic! At The Kernel – Token Stealing Payloads Revisited on Windows 10 x64 and Bypassing SMEP
- Token Abuse for Privilege Escalation in Kernel
- Introduction to Shellcode Development
- Introduction to Windows shellcode development – Part 1
- DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis
- Exploring Injected Threads
Windows kernel exploitation
Talks / video recordings
- HITB2016AMS – Kernel Exploit Hunting And Mitigation
- Ilja van Sprundel: Windows drivers attack surface
- REcon 2015 – This Time Font hunt you down in 4 bytes
- Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)
- Windows kernel exploitation techniques – Adrien Garin – LSE Week 2016
- Hackingz Ze Komputerz – Exploiting CAPCOM.SYS – Part 1
- Hackingz Ze Komputerz – Exploiting CAPCOM.SYS – Part 2
- The 3 Way06 Practical Windows Kernel Exploitation
- Reverse Engineering and Bug Hunting on KMDF Drivers
- Binary Exploit Mitigation and Bypass History – not just kernel
- Morten Schenk – Taking Windows 10 Kernel Exploitation to the next level
- REcon 2015 – Reverse Engineering Windows AFD.sys
- Windows Kernel Graphics Driver Attack Surface
- Understanding TOCTTOU in the Windows Kernel Font Scaler Engine
- Black Hat USA 2013 – Smashing The Font Scaler Engine in Windows Kernel
Articles / papers
- Kernel Exploit Sample Hunting and Mining Contents
- The entire GreyHatHacker site has great writeups
- BlueKeep: A Journey from DoS to RCE (CVE-2019-0708)
- Exploiting SMBGhost (CVE-2020-0796) for a Local Privilege Escalation
- Windows Drivers are True’ly Tricky
- Taking apart a double zero-day sample discovered in joint hunt with ESET
- Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool
- Kernel Pool Overflow Exploitation in Real World: Windows 10
- Kernel Pool Overflow Exploitation in Real World – Windows 7
- Kernel Pool Exploitation on Windows 7
- Easy local Windows Kernel exploitation
- Exploiting CVE-2014-4113
- Pwn2Own 2014 – AFD.sys Dangling Pointer Vulnerability
- Symantec Endpoint protection 0day
- Analysing the NULL SecurityDescriptor kernel exploitation mitigation in the latest Windows 10 v1607 Build 14393
- nt!_SEP_TOKEN_PRIVILEGES – Single Write EoP Protect
- Token Abuse for Privilege Escalation in Kernel
Windows kernel GDI exploitation
Talks / video recordings
- Abusing GDI for ring0 exploit primitives Evolution
- Demystifying Windows Kernel Exploitation by Abusing GDI Objects
- CommSec D1 – The Life & Death of Kernel Object Abuse
- Kernel Object Abuse by Type Isolation
Articles / papers
- Turning CVE-2017-14961 into full arbitrary read / write with PALETTE objects
- Zero-day exploit (CVE-2018-8453) used in targeted attacks
- The zero-day exploits of Operation WizardOpium
- Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium
- Abusing GDI Objects for ring0 Primitives Revolution
- https://www.coresecurity.com/core-labs/articles/abusing-gdi-for-ring0-exploit-primitives
- A Tale Of Bitmaps: Leaking GDI Objects Post Windows 10 Anniversary Edition
- CSW2017 Peng qiu shefang zhong win32k dark_composition
- Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)
Windows kernel Win32k.sys research
Talks / video recordings
Articles / papers
- CVE-2020-1054 Analysis
- TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln
- One Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild
- Reverse Engineering the Win32k Type Isolation Mitigation
- A new exploit for zero-day vulnerability CVE-2018-8589
- Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005
- Exploring CVE-2015-1701 — A Win32k Elevation of Privilege Vulnerability Used in Targeted Attacks
- Exploiting the win32k!xxxEnableWndSBArrows use-after-free
- New zero-day vulnerability CVE-2019-0859 in win32k.sys
- Windows zero-day CVE-2019-1132 exploited in targeted attacks
- Windows Kernel Local Denial-of-Service #1: win32k!NtUserThunkedMenuItemInfo
- Windows Kernel Local Denial-of-Service #2: win32k!NtDCompositionBeginFrame
- Windows Kernel Local Denial-of-Service #4: nt!NtAccessCheck and family
- Windows Kernel Local Denial-of-Service #5: win32k!NtGdiGetDIBitsInternal
- Windows win32k.sys menus and some “close, but no cigar” bugs
- Windows Kernel Internals – Win32K.sys
Windows Kernel logic bugs
Talks / video recordings
Articles / papers
- A vulnerable driver: lesson almost learned
- CVE-2020-12138 – Privilege Escalation in ATI Technologies Inc. Driver atillk64.sys
- CVE-2019-18845 – Viper RGB Driver Local Privilege Escalation
- CVE-2020-8808 – CORSAIR iCUE Driver Local Privilege Escalation
- Logic bugs in Razer rzpnk.sys
- Dell SupportAssist Driver – Local Privilege Escalation
- MSI ntiolib.sys/winio.sys local privilege escalation
- CVE-2019-8372 – Local Privilege Elevation in LG Kernel Driver
- Reading Physical Memory using Carbon Black’s Endpoint driver
- ASUS UEFI Update Driver Physical Memory Read/Write
- Privilege escalation vulnerabilities found in over 40 Windows Drivers
- Black Hat – KERNEL MODE THREATS AND PRACTICAL DEFENSES
- Weaponizing vulnerable driver for privilege escalation – Gigabyte Edition!
Windows kernel driver development
Talks / video recordings
- Windows Kernel Programming – 14 part playlist
- Windows Driver Development – 19 part playlist
- Developing Kernel Drivers with Modern C++ – Pavel Yosifovich
Articles / papers
- Winsock Kernel Overview Topics
- Driver Development Part 1: Introduction to Drivers
- Driver Development Part 2: Introduction to Implementing IOCTLs
- Driver Development Part 3: Introduction to driver contexts
- Driver Development Part 4: Introduction to device stacks
- Creating IOCTL Requests in Drivers
- Windows Drivers Part 2: IOCTLs
- Sending Commands From Your Userland Program to Your Kernel Driver using IOCTL
Windows internals
Talks / video recordings
- Pluralsight – Windows Internals 1
- Pluralsight – Windows Internals 2
- Pluralsight – Windows Internals 3
- Pluralsight – Windows 10 Internals: Systems and Processes
- Pluralsight – Windows 10 Internals – Threads, Memory and Security
- Alex Ionescu Insection: AWEsomely Exploiting Shared Memory Objects
- Windows Internals
- Windows 10 Segment Heap Internals
- Windows Kernel Vulnerability Research and Exploitation – Gilad Bakas
- NIC 5th Anniversary – Windows 10 internals
- Black Hat USA 2012 – Windows 8 Heap Intervals
Articles / papers
- Whitepaper – WINDOWS 10 SEGMENT HEAP INTERNALS
- The Quest for the SSDTs
- System Service Descriptor Table – SSDT
- Interrupt Descriptor Table – IDT
- Exploring Process Environment Block
- Windows Pool Manager
- Parsing PE File Headers with C++
- Digging Into Handles, Callbacks & ObjectTypes
Advanced Windows debugging
Talks / video recordings
- Hacking Livestream #28: Windows Kernel Debugging Part I
- Hacking Livestream #29: Windows Kernel Debugging Part II
- Hacking Livestream #30: Windows Kernel Debugging Part III
- WinDbg Basics for Malware Analysis
- Windows Debugging and Troubleshooting
- CNIT 126 10: Kernel Debugging with WinDbg
- Windows Kernel Debugging Part I
- Microsoft Patch Analysis for Exploitation
- Windows Kernel Debugging Fundamentals
Articles / papers
- Debug Tutorial Part 1: Beginning Debugging Using CDB and NTSD
- Debug Tutorial Part 2: The Stack
- Debug Tutorial Part 3: The Heap
- Debug Tutorial Part 4: Writing WINDBG Extensions
- Debug Tutorial Part 5: Handle Leaks
- Debug Tutorial Part 6: Navigating The Kernel Debugger
- Debug Tutorial Part 7: Locks and Synchronization Objects
- Getting Started with WinDbg – kernelmode
- Windows Debuggers: Part 1: A WinDbg Tutorial
0days – APT advanced malware research
Talks / video recordings
- W32.Duqu: The Precursor to the Next Stuxnet
- Kernel Mode Threats and Practical Defenses
- Selling 0-Days to Governments and Offensive Security Companies
Articles / papers
- AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
- The zero-day exploits of Operation WizardOpium
- Zero-day exploit (CVE-2018-8453) used in targeted attacks
- EternalBlue – Everything There Is To Know
- Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255
Video game cheating (kernel mode stuff sometimes)
Talks / video recordings
Articles / papers
- drvmap – driver manual mapper using capcom
- All methods of retrieving unique identifiers (HWIDs) on your PC
- Driver aka Kernel Mode cheating
Hyper-V and VM / sandbox escape
Talks / video recordings
- Vulnerability Exploitation In Docker Container Environments
- Modern Exploitation of the SVGA Device for Guest-to-Host Escapes
- REcon 2014 – Breaking Out of VirtualBox through 3D Acceleration
- 36C3 – The Great Escape of ESXi
- BlueHat v18 || Straight outta VMware
- Hardening hyper-v through offensive security research
- A Dive in to Hyper-V Architecture & Vulnerabilities
- The HyperV Architecture and its Memory Manager
- Ring 0 to Ring -1 Exploitation with Hyper-V IPC
- Exploiting the Hyper-V IDE Emulator to Escape the Virtual Machine
- A Dive in to Hyper-V Architecture & Vulnerabilities
Articles / papers
- Hyper-V memory internals. EXO partition memory access
- Ventures into Hyper-V – Fuzzing hypercalls
- Fuzzing para-virtualized devices in Hyper-V
- First Steps in Hyper-V Research
- Windows Sandbox Attack Surface Analysis
Fuzzing
Talks / video recordings
- HITBGSEC 2016 – Fuzzing The Windows Kernel
- Windows Kernel Vulnerability Research and Exploitation
- Bugs on the Windshield: Fuzzing the Windows Kernel
- Windows Kernel Fuzzing for Intermediate Learners
- Windows Kernel Fuzzing For Beginners – Ben Nagy
- Disobey 2018 – Building Windows Kernel fuzzer
- For The Win: The Art Of The Windows Kernel Fuzzing
- RECON 2019 – Vectorized Emulation Putting it all together
Articles / papers
- A year of Windows kernel font fuzzing #1: the results
- A year of Windows kernel font fuzzing #2: the techniques
Windows browser exploitation
Talks / video recordings
Favorite books of mine
- Windows Internals, Part 1 (Pavel Yosifovich and others)
- Windows 10 System Programming, Part 1 (Pavel Yosifovich)
- Windows 10 System Programming, Part 2 (Pavel Yosifovich)
- Windows Kernel Programming (Pavel Yosifovich)
- Rootkits: Subverting the Windows Kernel
- The Rootkit Arsenal
- Intel® 64 and IA-32 Architectures Software Developer Manuals
Related certifications and courses
Courses
- Advanced Windows Exploitation (AWE)
- SANS SEC660
- SANS SEC760
- Corelan “Bootcamp” training
- Corelan “Advanced” training
Certifications
- Offensive Security Exploitation Expert (OSEE)
- GIAC GXPN
Exploitation Resources is a GitHub repository by FULLSHADE.