Skip to content

A curated list of awesome Windows Exploitation resources, and shiny things. Inspired by awesom

License

Notifications You must be signed in to change notification settings

kimkucheol/awesome-windows-exploitation

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

54 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Awesome Windows Exploitation Awesome

A curated list of awesome Windows Exploitation resources, and shiny things.

There is no pre-established order of items in each category, the order is for contribution. If you want to contribute, please read the guide.

Table of Contents

## Windows stack overflows *Stack Base Overflow Articles.* + [Win32 Buffer Overflows (Location, Exploitation and Prevention)](http://www.phrack.com/issues.html?issue=55&id=15#article) - by Dark spyrit [1999] + [Writing Stack Based Overflows on Windows](http://www.packetstormsecurity.org/papers/win/) - by Nish Bhalla’s [2005] + [Stack Smashing as of Today](https://www.blackhat.com/presentations/bh-europe-09/Fritsch/Blackhat-Europe-2009-Fritsch-Bypassing-aslr-slides.pdf) - by Hagen Fritsch [2009] + [SMASHING C++ VPTRS](http://phrack.org/issues/56/8.html) - by rix [2000] ## Windows heap overflows *Heap Base Overflow Articles.* + [Third Generation Exploitation smashing heap on 2k](http://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt) - by Halvar Flake [2002] + [Exploiting the MSRPC Heap Overflow Part 1](http://freeworld.thc.org/root/docs/exploit_writing/msrpcheap.pdf) - by Dave Aitel (MS03-026) [September 2003] + [Exploiting the MSRPC Heap Overflow Part 2](http://freeworld.thc.org/root/docs/exploit_writing/msrpcheap2.pdf) - by Dave Aitel (MS03-026) [September 2003] + [Windows heap overflow penetration in black hat](https://www.blackhat.com/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.ppt) - by David Litchfield [2004] + [Glibc Adventures: The Forgotten Chunk](http://www.contextis.com/documents/120/Glibc_Adventures-The_Forgotten_Chunks.pdf) - by François Goichon [2015] + [Pseudomonarchia jemallocum](http://www.phrack.org/issues/68/10.html) - by argp & huku + [The House Of Lore: Reloaded](http://phrack.org/issues/67/8.html) - by blackngel [2010] + [Malloc Des-Maleficarum](http://phrack.org/issues/66/10.html) - by blackngel [2009] + [free() exploitation technique](http://phrack.org/issues/66/6.html) - by huku + [Understanding the heap by breaking it](https://www.blackhat.com/presentations/bh-usa-07/Ferguson/Whitepaper/bh-usa-07-ferguson-WP.pdf) - by Justin N. Ferguson [2007] + [The use of set_head to defeat the wilderness](http://phrack.org/issues/64/9.html) - by g463 + [The Malloc Maleficarum](http://seclists.org/bugtraq/2005/Oct/118) - by Phantasmal Phantasmagoria [2005] + [Exploiting The Wilderness](http://seclists.org/vuln-dev/2004/Feb/25) - by Phantasmal Phantasmagoria [2004] + [Advanced Doug lea's malloc exploits](http://phrack.org/issues/61/6.html) - by jp ## Kernel based Windows overflows *Kernel Base Exploit Development Articles.* + [How to attack kernel based vulns on windows was done](http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-08/0101.html) - by a Polish group called “sec-labs” [2003] + [Sec-lab old whitepaper](http://www.artofhacking.com/tucops/hack/windows/live/aoh_win32dcv.htm) + [Sec-lab old exploit](http://www.securityfocus.com/bid/8329/info) + [Windows Local Kernel Exploitation (based on sec-lab research)](http://www.packetstormsecurity.org/hitb04/hitb04-sk-chong.pdf) - by S.K Chong [2004] + [How to exploit Windows kernel memory pool](http://packetstormsecurity.nl/Xcon2005/Xcon2005_SoBeIt.pdf) - by SoBeIt [2005] + [Exploiting remote kernel overflows in windows](http://research.eeye.com/html/papers/download/StepIntoTheRing.pdf) - by Eeye Security + [Kernel-mode Payloads on Windows in uninformed](http://www.uninformed.org/?v=3&a=4&t=pdf) - by Matt Miller + [Exploiting 802.11 Wireless Driver Vulnerabilities on Windows](http://www.uninformed.org/?v=6&a=2&t=pdf) + [BH US 2007 Attacking the Windows Kernel](http://www.blackhat.com/presentations/bh-usa-07/Lindsay/Whitepaper/bh-usa-07-lindsay-WP.pdf) + [Remote and Local Exploitation of Network Drivers](http://www.blackhat.com/presentations/bh-usa-07/Bulygin/Presentation/bh-usa-07-bulygin.pdf) + [Exploiting Comon Flaws In Drivers](http://www.reversemode.com/index.php?option=com_content&task=view&id=38&Itemid=1) + [I2OMGMT Driver Impersonation Attack](http://www.immunityinc.com/downloads/DriverImpersonationAttack_i2omgmt.pdf) + [Real World Kernel Pool Exploitation](http://sebug.net/paper/Meeting-Documents/syscanhk/KernelPool.pdf) + [Exploit for windows 2k3 and 2k8](http://www.argeniss.com/research/TokenKidnapping.pdf) + [Alyzing local privilege escalations in win32k](http://www.uninformed.org/?v=10&a=2&t=pdf) + [Intro to Windows Kernel Security Development](http://www.dontstuffbeansupyournose.com/trac/browser/projects/ucon09/Intro_NT_kernel_security_stuff.pdf) + [There’s a party at ring0 and you’re invited](http://www.cr0.org/paper/to-jt-party-at-ring0.pdf) + [Windows kernel vulnerability exploitation](http://vexillium.org/dl.php?call_gate_exploitation.pdf) + [A New CVE-2015-0057 Exploit Technology](https://www.blackhat.com/docs/asia-16/materials/asia-16-Wang-A-New-CVE-2015-0057-Exploit-Technology-wp.pdf) - by Yu Wang [2016] + [Exploiting CVE-2014-4113 on Windows 8.1](https://labs.bluefrostsecurity.de/publications/2016/01/07/exploiting-cve-2014-4113-on-windows-8.1/) - by Moritz Jodeit [2016] + [Easy local Windows Kernel exploitation](http://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf) - by Cesar Cerrudo [2012] + [Windows Kernel Exploitation ](http://www.hacking-training.com/download/WKE.pdf) - by Simone Cardona 2016 + [Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects](https://sensepost.com/blog/2017/exploiting-ms16-098-rgnobj-integer-overflow-on-windows-8.1-x64-bit-by-abusing-gdi-objects/) - by Saif Sherei 2017 + [Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes](http://www.slideshare.net/PeterHlavaty/windows-kernel-exploitation-this-time-font-hunt-you-down-in-4-bytes) - by keen team [2015] + [Abusing GDI for ring0 exploit primitives](https://www.coresecurity.com/system/files/publications/2016/10/Abusing-GDI-Reloaded-ekoparty-2016_0.pdf) - [2016] ## Windows Kernel Memory Corruption *Windows Kernel Memory Corruption Exploit Development Articles.* + [Remote Windows Kernel Exploitation](https://cansecwest.com/core05/windowsremotekernel.pdf) - by Barnaby Jack [2005] + [windows kernel-mode payload fundamentals](http://uninformed.org/index.cgi?v=3&a=4&t=sumry) - by Skape [2006] + [exploiting 802.11 wireless driver vulnerabilities on windows](http://www.uninformed.org/?v=6&a=2&t=sumry) - by Johnny Cache, H D Moore, skape [2007] + [Kernel Pool Exploitation on Windows 7](https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf) - by Tarjei Mandt [2011] + [Windows Kernel-mode GS Cookies and 1 bit of entropy](vexillium.org/dl.php?/Windows_Kernel-mode_GS_Cookies_subverted.pdf) - [2011] + [Subtle information disclosure in WIN32K.SYS syscall return values](http://j00ru.vexillium.org/?p=762) - [2011] + [nt!NtMapUserPhysicalPages and Kernel Stack-Spraying Techniques](http://j00ru.vexillium.org/?p=769) - [2011] + [SMEP: What is it, and how to beat it on Windows](http://j00ru.vexillium.org/?p=783) - [2011] + [Kernel Attacks through User-Mode Callbacks](http://www.mista.nu/research/mandt-win32k-paper.pdf) - by Tarjei Mandt [2011] + [Windows Security Hardening Through Kernel Address Protection](http://j00ru.vexillium.org/blog/04_12_11/Windows_Kernel_Address_Protection.pdf) - by Mateusz "j00ru" Jurczyk [2011] + [Reversing Windows8: Interesting Features of Kernel Security](http://hitcon.org/2012/download/0720A5_360.MJ0011_Reversing%20Windows8-Interesting%20Features%20of%20Kernel%20Security.pdf) - by MJ0011 [2012] + [Smashing The Atom: Extraordinary String Based Attacks](mista.nu/research/smashing_the_atom.pdf) - by Tarjei Mandt [2012] + [Easy local Windows Kernel exploitation](http://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf) - by Cesar Cerrudo [2012] + [Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement](www.powerofcommunity.net/poc2012/mj0011.pdf) - by MJ0011 [2012] + [MWR Labs Pwn2Own 2013 Write-up - Kernel Exploit](https://labs.mwrinfosecurity.com/blog/mwr-labs-pwn2own-2013-write-up-kernel-exploit/) - [2013] + [KASLR Bypass Mitigations in Windows 8.1](www.alex-ionescu.com/?p=82) - [2013] + [First Dip Into the Kernel Pool: MS10-058](http://doar-e.github.io/blog/2014/03/11/first-dip-into-the-kernel-pool-ms10-058/) - by Jeremy [2014] + [Windows 8 Kernel Memory Protections Bypass](https://labs.mwrinfosecurity.com/blog/windows-8-kernel-memory-protections-bypass/) - [2014] + [An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113)](http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/) - by Weimin Wu [2014] + [Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids’ Pool](http://www.alex-ionescu.com/?p=231) - [2014] + [Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE 2015-0057) bug on both 32-bit and 64-bit](https://www.nccgroup.trust/globalassets/newsroom/uk/blog/documents/2015/07/exploiting-cve-2015.pdf) - by Aaron Adams [2015] + [Exploiting MS15-061 Microsoft Windows Kernel Use-After-Free (win32k!xxxSetClassLong)](https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/08/2015-08-27_-_ncc_group_-_exploiting_ms15_061_uaf_-_release.pdf) - by Dominic Wang [2015] + [Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit](https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/09/2015-08-28_-_ncc_group_-_exploiting_cve_2015_2426_-_release.pdf) - by Cedric Halbronn [2015] + [Abusing GDI for ring0 exploit primitives](https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives) - by Diego Juarez [2015] + [Duqu 2.0 Win32k exploit analysis](https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/OhFlorio-VB2015.pdf) - [2015] ## Return Oriented Programming + [The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls](http://cseweb.ucsd.edu/~hovav/dist/geometry.pdf) + [Blind return-oriented programming](http://www.scs.stanford.edu/brop/bittau-brop.pdf) + [Sigreturn-oriented Programming](https://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf) + [Jump-Oriented Programming: A New Class of Code-Reuse Attack](http://ftp.ncsu.edu/pub/tech/2010/TR-2010-8.pdf) + [Out of control: Overcoming control-flow integrity](http://www.cs.stevens.edu/~gportoka/files/outofcontrol_oakland14.pdf) + [ROP is Still Dangerous: Breaking Modern Defenses](http://www.cs.berkeley.edu/~daw/papers/rop-usenix14.pdf) + [Loop-Oriented Programming(LOP): A New Code Reuse Attack to Bypass Modern Defenses](https://www.sec.in.tum.de/assets/staff/muntean/Loop-Oriented_Programming_A_New_Code_Reuse_Attack_to_Bypass_Modern0ADefenses.pdf) - by Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng [2015] + [Systematic Analysis of Defenses Against Return-Oriented Programming](https://people.csail.mit.edu/nickolai/papers/skowyra-rop.pdf) -by R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. Streilein [2013] + [Return-oriented programming without returns](https://www.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf) -by S.Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy [2010] + [Jump-oriented programming: a new class of code-reuse attack](https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf) -by T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang [2011] + [Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-davi.pdf) - by L. Davi, A. Sadeghi, and D. Lehmann [2014] + [Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-goktas.pdf) - by E. Göktas, E.Athanasopoulos, M. Polychronakis, H. Bos, and G.Portokalidis [2014] + [Buffer overflow attacks bypassing DEP (NX/XD bits) – part 1](http://www.mastropaolo.com/2005/06/04/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-1/) - by Marco Mastropaolo [2005] + [Buffer overflow attacks bypassing DEP (NX/XD bits) – part 2](http://www.mastropaolo.com/2005/06/05/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-2-code-injection/) - by Marco Mastropaolo [2005] + [Practical Rop](http://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf) - by Dino Dai Zovi [2010] + [Exploitation with WriteProcessMemory](https://packetstormsecurity.com/papers/general/Windows-DEP-WPM.txt) - by Spencer Pratt [2010] + [Exploitation techniques and mitigations on Windows](http://hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf) - by skape + [A little return oriented exploitation on Windows x86 – Part 1](http://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on.html) - by Harmony Security and Stephen Fewer [2010] + [A little return oriented exploitation on Windows x86 – Part 2](http://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on_16.html) - by Harmony Security and Stephen Fewer [2010] ## Windows memory protections *Windows memory protections Introduction Articles.* + [Data Execution Prevention](http://support.microsoft.com/kb/875352) + [/GS (Buffer Security Check)](http://msdn.microsoft.com/en-us/library/Aa290051) + [/SAFESEH](http://msdn.microsoft.com/en-us/library/9a89h429(VS.80).aspx) + [ASLR](http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx) + [SEHOP](http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx) ## Bypassing filter and protections *Windows memory protections Bypass Methods Articles.* + [Third Generation Exploitation smashing heap on 2k](http://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt) - by Halvar Flake [2002] + [Creating Arbitrary Shellcode In Unicode Expanded Strings](http://www.net-security.org/dl/articles/unicodebo.pdf) - by Chris Anley + [Advanced windows exploitation](http://www.immunityinc.com/downloads/immunity_win32_exploitation.final2.ppt) - by Dave Aitel [2003] + [Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server](http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection.pdf) - by David Litchfield + [Reliable heap exploits and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2)](http://cybertech.net/~sh0ksh0k/projects/winheap/XPSP2%20Heap%20Exploitation.ppt) - by Matt Conover in cansecwest 2004 + [Safely Searching Process Virtual Address Space](http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf) - by Matt Miller [2004] + [IE exploit and used a technology called Heap Spray](http://www.exploit-db.com/exploits/612) + [Bypassing hardware-enforced DEP](http://www.uninformed.org/?v=2&a=4&t=pdf) - by Skape (Matt Miller) and Skywing (Ken Johnson) [October 2005] + [Exploiting Freelist[0] On XP Service Pack 2](http://www.orkspace.net/secdocs/Windows/Protection/Bypass/Exploiting%20Freelist%5B0%5D%20On%20XP%20Service%20Pack%202.pdf) - by Brett Moore [2005] + [Kernel-mode Payloads on Windows in uninformed](http://www.uninformed.org/?v=3&a=4&t=pdf) + [Exploiting 802.11 Wireless Driver Vulnerabilities on Windows](http://www.uninformed.org/?v=6&a=2&t=pdf) + [Exploiting Comon Flaws In Drivers](http://www.reversemode.com/index.php?option=com_content&task=view&id=38&Itemid=1) + [Heap Feng Shui in JavaScript](http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf) by Alexander sotirov [2007] + [Understanding and bypassing Windows Heap Protection](http://kkamagui.springnote.com/pages/1350732/attachments/579350) - by Nicolas Waisman [2007] + [Heaps About Heaps](http://www.insomniasec.com/publications/Heaps_About_Heaps.ppt) - by Brett moore [2008] + [Bypassing browser memory protections in Windows Vista](http://taossa.com/archive/bh08sotirovdowd.pdf) - by Mark Dowd and Alex Sotirov [2008] + [Attacking the Vista Heap](http://www.ruxcon.org.au/files/2008/hawkes_ruxcon.pdf) - by ben hawkes [2008] + [Return oriented programming Exploitation without Code Injection](http://cseweb.ucsd.edu/~hovav/dist/blackhat08.pdf) - by Hovav Shacham (and others ) [2008] + [Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8](http://www.argeniss.com/research/TokenKidnapping.pdf) - by Cesar Cerrudo [2008] + [Defeating DEP Immunity Way](http://www.immunityinc.com/downloads/DEPLIB.pdf) - by Pablo Sole [2008] + [Practical Windows XP2003 Heap Exploitation](http://www.blackhat.com/presentations/bh-usa-09/MCDONALD/BHUSA09-McDonald-WindowsHeap-PAPER.pdf) - by John McDonald and Chris Valasek [2009] + [Bypassing SEHOP](http://www.sysdream.com/articles/sehop_en.pdf) - by Stefan Le Berre Damien Cauquil [2009] + [Interpreter Exploitation : Pointer Inference and JIT Spraying](http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf) - by Dionysus Blazakis[2010] + [Write-up of Pwn2Own 2010](http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf) - by Peter Vreugdenhil + [All in one 0day presented in rootedCON](http://wintercore.com/downloads/rootedcon_0day_english.pdf) - by Ruben Santamarta [2010] + [DEP/ASLR bypass using 3rd party](http://web.archive.org/web/20130820021520/http://abysssec.com/files/The_Arashi.pdf) - by Shahin Ramezany [2013] + [Bypassing EMET 5.0](http://blog.sec-consult.com/2014/10/microsoft-emet-armor-against-zero-days.html) - by René Freingruber [2014] ## Typical windows exploits + [Real-world HW-DEP bypass Exploit](http://www.exploit-db.com/exploits/3652) - by Devcode + [Bypassing DEP by returning into HeapCreate](http://www.metasploit.com/redmine/projects/framework/repository/revisions/7246/entry/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb) - by Toto + [First public ASLR bypass exploit by using partial overwrite ](http://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/email/ani_loadimage_chunksize.rb) - by Skape + [Heap spray and bypassing DEP](http://skypher.com/SkyLined/download/www.edup.tudelft.nl/%7Ebjwever/exploits/InternetExploiter2.zip) - by Skylined + [First public exploit that used ROP for bypassing DEP in adobe lib TIFF vulnerability](http://www.metasploit.com/redmine/projects/framework/repository/revisions/8833/raw/modules/exploits/windows/fileformat/adobe_libtiff.rb) + [Exploit codes of bypassing browsers memory protections](http://phreedom.org/research/bypassing-browser-memory-protections/bypassing-browser-memory-protections-code.zip) + [PoC’s on Tokken TokenKidnapping . PoC for 2k3 -part 1](http://www.argeniss.com/research/Churrasco.zip) - by Cesar Cerrudo + [PoC’s on Tokken TokenKidnapping . PoC for 2k8 -part 2](http://www.argeniss.com/research/Churrasco2.zip) - by Cesar Cerrudo + [An exploit works from win 3.1 to win 7](http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip) - by Tavis Ormandy KiTra0d + [Old ms08-067 metasploit module multi-target and DEP bypass](http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/smb/ms08_067_netapi.rb) + [PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass](http://www.exploit-db.com/exploits/12189) + [SMBv2 Exploit](http://www.metasploit.com/redmine/projects/framework/repository/revisions/8916/raw/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb) - by Stephen Fewer + [Microsoft IIS 7.5 remote heap buffer overflow](http://www.phrack.org/issues/68/12.html) - by redpantz + [Browser Exploitation Case Study for Internet Explorer 11](https://labs.bluefrostsecurity.de/files/Look_Mom_I_Dont_Use_Shellcode-WP.pdf) - by Moritz Jodeit [2016] ## Exploit development tutorial series *Exploid Development Tutorial Series Base on Windows Operation System Articles.* - Corelan Team + [Exploit writing tutorial part 1 : Stack Based Overflows](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/) + [Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode](https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/) + [Exploit writing tutorial part 3 : SEH Based Exploits](https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/) + [Exploit writing tutorial part 3b : SEH Based Exploits – just another example](https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/) + [Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics](https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/) + [Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development](https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/) + [Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR](https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/) + [Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc](https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/) + [Exploit writing tutorial part 8 : Win32 Egg Hunting](https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/) + [Exploit writing tutorial part 9 : Introduction to Win32 shellcoding](https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/) + [Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s Cube](https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/) + [Exploit writing tutorial part 11 : Heap Spraying Demystified](https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/) - Fuzzysecurity + [Part 1: Introduction to Exploit Development](https://www.fuzzysecurity.com/tutorials/expDev/1.html) + [Part 2: Saved Return Pointer Overflows](https://www.fuzzysecurity.com/tutorials/expDev/2.html) + [Part 3: Structured Exception Handler (SEH)](https://www.fuzzysecurity.com/tutorials/expDev/3.html) + [Part 4: Egg Hunters](https://www.fuzzysecurity.com/tutorials/expDev/4.html) + [Part 5: Unicode 0x00410041](https://www.fuzzysecurity.com/tutorials/expDev/5.html) + [Part 6: Writing W32 shellcode](https://www.fuzzysecurity.com/tutorials/expDev/6.html) + [Part 7: Return Oriented Programming](https://www.fuzzysecurity.com/tutorials/expDev/7.html) + [Part 8: Spraying the Heap Chapter 1: Vanilla EIP](https://www.fuzzysecurity.com/tutorials/expDev/8.html) + [Part 9: Spraying the Heap Chapter 2: Use-After-Free](https://www.fuzzysecurity.com/tutorials/expDev/11.html) + [Part 10: Kernel Exploitation -> Stack Overflow](http://www.fuzzysecurity.com/tutorials/expDev/14.html) + [Part 11: Kernel Exploitation -> Write-What-Where](http://www.fuzzysecurity.com/tutorials/expDev/15.html) + [Part 12: Kernel Exploitation -> Null Pointer Dereference](http://www.fuzzysecurity.com/tutorials/expDev/16.html) + [Part 13: Kernel Exploitation -> Uninitialized Stack Variable](http://www.fuzzysecurity.com/tutorials/expDev/17.html) + [Part 14: Kernel Exploitation -> Integer Overflow](http://www.fuzzysecurity.com/tutorials/expDev/18.html) + [Part 15: Kernel Exploitation -> UAF](http://www.fuzzysecurity.com/tutorials/expDev/19.html) + [Part 16: Kernel Exploitation -> Pool Overflow](http://www.fuzzysecurity.com/tutorials/expDev/20.html) + [Part 17: Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)](http://www.fuzzysecurity.com/tutorials/expDev/21.html) + [Heap Overflows For Humans 101](http://www.fuzzysecurity.com/tutorials/mr_me/2.html) + [Heap Overflows For Humans 102](http://www.fuzzysecurity.com/tutorials/mr_me/3.html) + [Heap Overflows For Humans 102.5](http://www.fuzzysecurity.com/tutorials/mr_me/4.html) + [Heap Overflows For Humans 103](http://www.fuzzysecurity.com/tutorials/mr_me/5.html) + [Heap Overflows For Humans 103.5](http://www.fuzzysecurity.com/tutorials/mr_me/6.html) - Securitysift + [Windows Exploit Development – Part 1: The Basics](http://www.securitysift.com/windows-exploit-development-part-1-basics/) + [Windows Exploit Development – Part 2: Intro to Stack Based Overflows](http://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/) + [Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules](http://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/) + [Windows Exploit Development – Part 4: Locating Shellcode With Jumps](http://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/) + [Windows Exploit Development – Part 5: Locating Shellcode With Egghunting](http://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting/) + [Windows Exploit Development – Part 6: SEH Exploits](http://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/) + [Windows Exploit Development – Part 7: Unicode Buffer Overflows](http://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows/) - Whitehatters Academy + [Intro to Windows kernel exploitation 1/N: Kernel Debugging](https://www.whitehatters.academy/intro-to-kernel-exploitation-part-1/) + [Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-2-windows-drivers/) + [Intro to Windows kernel exploitation 3/N: My first Driver exploit](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-3-my-first-driver-exploit/) + [Intro to Windows kernel exploitation 3.5/N: A bit more of the HackSys Driver](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-more-of-the-hacksys-driver/) + [Backdoor 103: Fully Undetected](https://www.whitehatters.academy/backdoor-103-fully-undetected/) + [Backdoor 102](https://www.whitehatters.academy/backdoor-102/) + [Backdoor 101](https://www.whitehatters.academy/backdoor101-vysec/) - TheSprawl + [corelan - integer overflows - exercise solution](http://thesprawl.org/research/corelan-integer-overflows-exercise-solution/) + [heap overflows for humans - 102 - exercise solution](http://thesprawl.org/research/heap-overflows-humans-102-exercise-solution/) + [exploit exercises - protostar - final levels](http://thesprawl.org/research/exploit-exercises-protostar-final/) + [exploit exercises - protostar - network levels](http://thesprawl.org/research/exploit-exercises-protostar-network/) + [exploit exercises - protostar - heap levels](http://thesprawl.org/research/exploit-exercises-protostar-heap/) + [exploit exercises - protostar - format string levels](http://thesprawl.org/research/exploit-exercises-protostar-format/) + [exploit exercises - protostar - stack levels](http://thesprawl.org/research/exploit-exercises-protostar-stack/) + [open security training - introduction to software exploits - uninitialized variable overflow](http://thesprawl.org/research/ost-introduction-software-exploits-uninit-overflow/) + [open security training - introduction to software exploits - off-by-one](http://thesprawl.org/research/ost-introduction-exploits-offbyone/) + [open security training - introduction to re - bomb lab secret phase](http://thesprawl.org/research/ost-introduction-re-bomb-secret-phase/) + [open security training - introductory x86 - buffer overflow mystery box](http://thesprawl.org/research/ost-introductory-x86-buffer-overflow-mystery-box/) + [corelan - tutorial 10 - exercise solution](http://thesprawl.org/research/corelan-tutorial-10-exercise-solution/) + [corelan - tutorial 9 - exercise solution](http://thesprawl.org/research/corelan-tutorial-9-exercise-solution/) + [corelan - tutorial 7 - exercise solution](http://thesprawl.org/research/corelan-tutorial-7-exercise-solution/) + [getting from seh to nseh](http://thesprawl.org/research/seh-to-nseh/) + [corelan - tutorial 3b - exercise solution](http://thesprawl.org/research/corelan-tutorial-3b-exercise-solution/) - Expdev-Kiuhnm + [WinDbg](http://expdev-kiuhnm.rhcloud.com/2015/05/17/windbg/) + [Mona 2](http://expdev-kiuhnm.rhcloud.com/2015/05/19/mona-2/) + [Structure Exception Handling (SEH)](http://expdev-kiuhnm.rhcloud.com/2015/05/19/structured-exception-handling-seh/) + [Heap](http://expdev-kiuhnm.rhcloud.com/2015/05/20/heap/) + [Windows Basics](http://expdev-kiuhnm.rhcloud.com/2015/05/20/windows-basics/) + [Shellcode](http://expdev-kiuhnm.rhcloud.com/2015/05/22/shellcode/) + [Exploitme1 (ret eip overwrite)](http://expdev-kiuhnm.rhcloud.com/2015/05/26/exploitme1-ret-eip-overwrite/) + [Exploitme2 (Stack cookies & SEH)](http://expdev-kiuhnm.rhcloud.com/2015/05/26/exploitme2-stack-cookies-seh-2/) + [Exploitme3 (DEP)](http://expdev-kiuhnm.rhcloud.com/2015/05/27/exploitme3-dep/) + [Exploitme4 (ASLR)](http://expdev-kiuhnm.rhcloud.com/2015/05/28/exploitme4-aslr/) + [Exploitme5 (Heap Spraying & UAF)](http://expdev-kiuhnm.rhcloud.com/2015/05/29/exploitme5-heap-spraying-uaf/) + [EMET 5.2](http://expdev-kiuhnm.rhcloud.com/2015/05/29/emet-5-2-2/) + [Internet Explorer 10 - Reverse Engineering IE](http://expdev-kiuhnm.rhcloud.com/2015/05/31/ie10-reverse-engineering-ie/) + [Internet Explorer 10 - From one-byte-write to full process space read/write](http://expdev-kiuhnm.rhcloud.com/2015/05/31/ie-10-from-one-byte-write-to-full-process-space-readwrite/) + [Internet Explorer 10 - God Mode (1)](http://expdev-kiuhnm.rhcloud.com/2015/05/31/ie10-god-mode-1/) + [Internet Explorer 10 - God Mode (2)](http://expdev-kiuhnm.rhcloud.com/2015/06/01/ie10-god-mode-2/) + [Internet Explorer 10 - Use-After-Free bug](http://expdev-kiuhnm.rhcloud.com/2015/06/01/ie10-use-free-bug/) + [Internet Explorer 11 - Part 1](http://expdev-kiuhnm.rhcloud.com/2015/06/02/ie11-part-1/) + [Internet Explorer 11 - Part 2](http://expdev-kiuhnm.rhcloud.com/2015/06/02/ie11-part-2/) ## Tools *Disassemblers, debuggers, and other static and dynamic analysis tools.*
  • angr - Platform-agnostic binary analysis framework developed at UCSB's Seclab.
  • BARF - Multiplatform, open source Binary Analysis and Reverse engineering Framework.
  • Binary Ninja - Multiplatform binary analysis IDE supporting various types of binaries and architecturs. Scriptable via Python.
  • binnavi - Binary analysis IDE for reverse engineering based on graph visualization.
  • Bokken - GUI for Pyew and Radare.
  • Capstone - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
  • codebro - Web based code browser using clang to provide basic code analysis.
  • dnSpy - .NET assembly editor, decompiler and debugger.
  • Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
  • GDB - The GNU debugger.
  • GEF - GDB Enhanced Features, for exploiters and reverse engineers.
  • hackers-grep - A utility to search for strings in PE executables including imports, exports, and debug symbols.
  • IDA Pro - Windows disassembler and debugger, with a free evaluation version.
  • Immunity Debugger - Debugger for malware analysis and more, with a Python API.
  • ltrace - Dynamic analysis for Linux executables.
  • objdump - Part of GNU binutils, for static analysis of Linux binaries.
  • OllyDbg - An assembly-level debugger for Windows executables.
  • PANDA - Platform for Architecture-Neutral Dynamic Analysis
  • PEDA - Python Exploit Development Assistance for GDB, an enhanced display with added commands.
  • pestudio - Perform static analysis of Windows executables.
  • Process Monitor - Advanced monitoring tool for Windows programs.
  • Pyew - Python tool for malware analysis.
  • Radare2 - Reverse engineering framework, with debugger support.
  • SMRT - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis.
  • strace - Dynamic analysis for Linux executables.
  • Udis86 - Disassembler library and tool for x86 and x86_64.
  • Vivisect - Python tool for malware analysis.
  • X64dbg - An open-source x64/x32 debugger for windows.

About

A curated list of awesome Windows Exploitation resources, and shiny things. Inspired by awesom

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published