Exploit development resources

Last Updated on October 12, 2020 by Walid Salame

A curated list of resources (books, tutorials, courses, tools and vulnerable applications) for learning about exploit development.

Exploit development resources

  • BOOKS
  • TUTORIALS
    • Corelan.be
    • Opensecuritytraining.info
    • Samsclass.info
    • Securitysift.com
  • COURSES
  • TOOLS
  • EXPLOITS DATABASE
  • Advanced Windows exploit development resources
    • Really important resources
    • Must watch / read
    • Windows Rootkits
    • Windows kernel mitigations
    • Windows kernel shellcode
    • Windows kernel exploitation
    • Windows kernel GDI exploitation
    • Windows kernel Win32k.sys research
    • Windows Kernel logic bugs
    • Windows kernel driver development
    • Windows internals
    • Advanced Windows debugging
  • 0days – APT advanced malware research
  • Video game cheating (kernel mode stuff sometimes)
  • Hyper-V and VM / sandbox escape
  • Fuzzing
  • Windows browser exploitation
  • Related certifications and courses

BOOKS

  • Hacking – The art of exploitation http://amzn.to/2izehnJ
  • A bug Hunter’s Diary: A Guided Tour Through the Wilds of Software Security http://amzn.to/2jMcppK
  • The Shellcoder’s Handbook: Discovering and Exploiting Security Holes http://amzn.to/2jSAZcC
  • Sockets, shellcode, Porting, and coding: reverse engineering Exploits and Tool coding for security professionals http://amzn.to/2jSCeZo
  • Writing Security tools and Exploits http://amzn.to/2jkYTMZ
  • Buffer overflow attacks: Detect, exploit, Prevent http://amzn.to/2jM6pgL
  • Metasploit toolkit for Penetration Testing, exploit Development, and vulnerability research http://amzn.to/2itTsqJ

TUTORIALS

Corelan.be

  • Exploit writing tutorial part 1: Stack Based Overflows
  • Exploit writing tutorial part 2: Stack Based Overflows – jumping to shellcode
  • Exploit writing tutorial part 3: SEH Based Exploits
  • Exploit writing tutorial part 3b: SEH Based Exploits – just another example
  • Exploit writing tutorial part 4: From Exploit to Metasploit – The basics
  • Exploit writing tutorial part 5: How debugger modules & plugins can speed up basic exploit development
  • Exploit writing part 6: Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
  • Exploit writing tutorial part 7: Unicode – from 0x00410041 to calc
  • Exploit writing tutorial part 8: Win32 Egg Hunting
  • Exploit writing tutorial part 9: Introduction to Win32 shellcoding
  • Exploit writing tutorial part 10: Chaining DEP with ROP – the Rubik’s[TM] Cube
  • Exploit writing tutorial part 11 : Heap Spraying Demystified
  • Starting to write Immunity Debugger PyCommands : my cheatsheet
  • Ken Ward Zipper exploit write-up on abysssec.com
  • Exploiting Ken Ward Zipper : Taking advantage of payload conversion
  • Hack Notes : ROP retn+offset and impact on stack setup
  • Hack Notes : Ropping eggs for breakfast
  • Universal DEP/ASLR bypass with msvcr71.dll and mona.py
  • WoW64 Egghunter
  • Debugging Fun – Putting a process to sleep()
  • Jingle BOFs, Jingle ROPs, Sploiting all the things… with Mona v2
  • Root Cause Analysis – Memory Corruption Vulnerabilities
  • Heap Layout Visualization with mona.py and WinDBG
  • DEPS – Precise Heap Spray on Firefox and IE10
  • Root Cause Analysis – Integer Overflows

Opensecuritytraining.info

  • Introduction To Software Exploits
  • Exploitation in the Windows Environment

Samsclass.info

  • https://samsclass.info/127/127_F15.shtml

Securitysift.com

  • Windows Exploit Development – Part 1: The Basics
  • Windows Exploit Development – Part 2: Intro to Stack Based Overflows
  • Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules
  • Windows Exploit Development – Part 4: Locating Shellcode With Jumps
  • Windows Exploit Development – Part 5: Locating Shellcode With Egghunting
  • Windows Exploit Development – Part 6: SEH Exploits
  • Windows Exploit Development – Part 7: Unicode Buffer Overflows

COURSES

  • Corelan
    • Corelan Exploit Development Training
      • https://www.corelan-training.com
  • Offensive Security
    • Advanced Windows Exploitation The Official OSEE Certification Course
      • https://www.offensive-security.com/awe-osee/
  • SANS
    • SANS SEC760: Advanced Exploit Development for Penetration Testers
      • https://www.sans.org/course/advance-exploit-development-pentetration-testers
  • Udemy
    • Windows Exploit Development Megaprimer
      • This is a comprehensive course on exploit development on the Windows platform. The course is designed to help beginners and will help you understand the different domains of software exploitation.
    • Exploit Development From Scratch
      • When you complete this training you will have learned GDB and Immunity Debugger usage, basic assembly programming, assembly instructions, stack layout, memory protection mechanisms, fuzzing, offset calculation and shellcode creation.

TOOLS

  • IDA Pro
  • OllyDbg
  • WinDbg
  • Mona.py

EXPLOITS DATABASE

  • https://www.exploit-db.com
  • http://0day.today
  • https://packetstormsecurity.com

Advanced Windows exploit development resources

Some resources, links, books and papers, mostly related to Windows internals and anything Windows kernel related. Mostly talks and videos that I enjoyed watching.

⚠️ These are all resources that I have personally used and gone through.

Really important resources

  • terminus project
  • React OS Win32k
  • Geoff Chappell – Kernel-Mode Windows
  • HEVD Vulnerable driver
    • HackSys Extreme Vulnerable Driver is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at the kernel level.
  • FLARE Kernel Shellcode Loader
  • Vergilius – Undocumented kernel structures
    • Take a look into the depths of Windows kernels and reveal more than 60000 undocumented structures.
  • Windows X86-64 System Call Table
  • Vulnerable Driver Megathread

Must watch / read

  • ⭐ Kernel Mode Threats and Practical Defenses
  • ⭐ Morten Schenk – Taking Windows 10 Kernel Exploitation to the next level
  • ⭐ The Life & Death of Kernel Object Abuse
  • ⭐ Windows 10 Mitigation Improvements

Windows Rootkits

Talks / video recordings

  • 11 part playlist – Rootkits: What they are, and how to find them
  • Hooking Nirvana
  • Alex Ionescu – Advancing the State of UEFI Bootkits
  • BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
  • Numchecker: A System Approach for Kernel Rootkit Detection
  • DEF CON 26 – Ring 0 Ring 2 Rootkits Bypassing Defenses
  • Black Hat Windows 2001 – Kernel Mode Rootkits
  • Black Hat Windows 2004 – DKOM (Direct Kernel Object Manipulation)
  • RTFM SigSegv1 – From corrupted memory dump to rootkit detection

Articles / papers

  • Dissecting Turla Rootkit Malware Using Dynamic Analysis
  • A quick insight into the Driver Signature Enforcement
  • WINDOWS DRIVER SIGNING BYPASS BY DERUSB
  • A Basic Windows DKOM Rootkit
  • Manipulating Active Process Links to Hide Processes in Userland

Windows kernel mitigations

Talks / video recordings

  • BlueHat v18 || Hardening hyper-v through offensive security research
  • BYPASS CONTROL FLOW GUARD COMPREHENSIVELY – this is cfg not kCFG
  • BlueHat v18 || Mitigation Bypass: The Past, Present, and Future
  • Windows Offender Reverse Engineering Windows Defender’s Antivirus Emulator
  • Windows 10 Mitigation Improvements (really good talk)
  • Overview of Windows 10 Requirements for TPM, HVCI and SecureBoot
  • Examining the Guardians of Windows 10 Security – Chuanda Ding
  • Analysis of the Attack Surface of Windows 10 Virtualization-Based Security
  • A Dive in to Hyper-V Architecture & Vulnerabilities
  • the last kaslr leak
  • BlueHat v18 || A mitigation for kernel toctou vulnerabilities
  • REcon 2013 – I got 99 problems but a kernel pointer ain’t one
  • SMEP: What is it, and how to beat it on Windows
  • BlueHat IL 2020 – David Weston – Keeping Windows Secure
  • Advancing Windows Security — David Weston
  • OffensiveCon18 – The Evolution of CFI Attacks and Defenses

Articles / papers

General mitigation papers

  • Hardening Windows 10 with zero-day exploit mitigations
  • TAKING WINDOWS 10 KERNEL EXPLOITATION TO THE NEXT LEVEL

kASLR

  • KASLR Bypass Mitigations in Windows 8.1
  • Development of a new Windows 10 KASLR bypass – in one WinDBG command

SMEP

  • Bypassing Intel SMEP on Windows 8 x64 Using Return-oriented Programming
  • Return Oriented Programming Tutorial
  • Stack Buffer Overflow (SMEP Bypass)
  • Windows 10 x64 and Bypassing SMEP
  • SMEP: What is it, and how to beat it on Windows

CET

  • Security Analysis of Processor Instruction Set Architecture for Enforcing Control-Flow Integrity
  • A Technical Look at Intel’s Control-flow Enforcement Technology
  • Control-flow Enforcement Technology Specification
  • Intel CET Answers Call to Protect Against Common Malware Threats
  • R.I.P ROP: CET Internals in Windows 20H1

Windows kernel shellcode

Articles / papers

  • Loading Kernel Shellcode
  • Windows Kernel Shellcodes – a compendium
  • Windows Kernel Shellcode on Windows 10 – Part 1
  • Windows Kernel Shellcode on Windows 10 – Part 2
  • Windows Kernel Shellcode on Windows 10 – Part 3
  • Panic! At The Kernel – Token Stealing Payloads Revisited on Windows 10 x64 and Bypassing SMEP
  • Token Abuse for Privilege Escalation in Kernel
  • Introduction to Shellcode Development
  • Introduction to Windows shellcode development – Part 1
  • DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis
  • Exploring Injected Threads

Windows kernel exploitation

Talks / video recordings

  • HITB2016AMS – Kernel Exploit Hunting And Mitigation
  • Ilja van Sprundel: Windows drivers attack surface
  • REcon 2015 – This Time Font hunt you down in 4 bytes
  • Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)
  • Windows kernel exploitation techniques – Adrien Garin – LSE Week 2016
  • Hackingz Ze Komputerz – Exploiting CAPCOM.SYS – Part 1
  • Hackingz Ze Komputerz – Exploiting CAPCOM.SYS – Part 2
  • The 3 Way06 Practical Windows Kernel Exploitation
  • Reverse Engineering and Bug Hunting on KMDF Drivers
  • Binary Exploit Mitigation and Bypass History – not just kernel
  • Morten Schenk – Taking Windows 10 Kernel Exploitation to the next level
  • REcon 2015 – Reverse Engineering Windows AFD.sys
  • Windows Kernel Graphics Driver Attack Surface
  • Understanding TOCTTOU in the Windows Kernel Font Scaler Engine
  • Black Hat USA 2013 – Smashing The Font Scaler Engine in Windows Kernel

Articles / papers

  • Kernel Exploit Sample Hunting and Mining Contents
  • The entire GreyHatHacker site has great writeups
  • BlueKeep: A Journey from DoS to RCE (CVE-2019-0708)
  • Exploiting SMBGhost (CVE-2020-0796) for a Local Privilege Escalation
  • Windows Drivers are True’ly Tricky
  • Taking apart a double zero-day sample discovered in joint hunt with ESET
  • Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool
  • Kernel Pool Overflow Exploitation in Real World: Windows 10
  • Kernel Pool Overflow Exploitation in Real World – Windows 7
  • Kernel Pool Exploitation on Windows 7
  • Easy local Windows Kernel exploitation
  • Exploiting CVE-2014-4113
  • Pwn2Own 2014 – AFD.sys Dangling Pointer Vulnerability
  • Symantec Endpoint protection 0day
  • Analysing the NULL SecurityDescriptor kernel exploitation mitigation in the latest Windows 10 v1607 Build 14393
  • nt!_SEP_TOKEN_PRIVILEGES – Single Write EoP Protect
  • Token Abuse for Privilege Escalation in Kernel

Windows kernel GDI exploitation

Talks / video recordings

  • Abusing GDI for ring0 exploit primitives Evolution
  • Demystifying Windows Kernel Exploitation by Abusing GDI Objects
  • CommSec D1 – The Life & Death of Kernel Object Abuse
  • Kernel Object Abuse by Type Isolation

Articles / papers

  • Turning CVE-2017-14961 into full arbitrary read / write with PALETTE objects
  • Zero-day exploit (CVE-2018-8453) used in targeted attacks
  • The zero-day exploits of Operation WizardOpium
  • Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium
  • Abusing GDI Objects for ring0 Primitives Revolution
  • Abusing GDI for ring0 exploit primitives
  • A Tale Of Bitmaps: Leaking GDI Objects Post Windows 10 Anniversary Edition
  • CSW2017 Peng qiu shefang zhong win32k dark_composition
  • Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)

Windows kernel Win32k.sys research

Talks / video recordings

  • BlackHat 2011 – Kernel Attacks Through User-Mode Callbacks

Articles / papers

  • CVE-2020-1054 Analysis
  • TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln
  • One Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild
  • Reverse Engineering the Win32k Type Isolation Mitigation
  • A new exploit for zero-day vulnerability CVE-2018-8589
  • Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005
  • Exploring CVE-2015-1701 — A Win32k Elevation of Privilege Vulnerability Used in Targeted Attacks
  • Exploiting the win32k!xxxEnableWndSBArrows use-after-free
  • New zero-day vulnerability CVE-2019-0859 in win32k.sys
  • Windows zero-day CVE-2019-1132 exploited in targeted attacks
  • Windows Kernel Local Denial-of-Service #1: win32k!NtUserThunkedMenuItemInfo
  • Windows Kernel Local Denial-of-Service #2: win32k!NtDCompositionBeginFrame
  • Windows Kernel Local Denial-of-Service #4: nt!NtAccessCheck and family
  • Windows Kernel Local Denial-of-Service #5: win32k!NtGdiGetDIBitsInternal
  • Windows win32k.sys menus and some “close, but no cigar” bugs
  • Windows Kernel Internals – Win32K.sys

Windows Kernel logic bugs

Talks / video recordings

  • Get Off the Kernel if You Can’t Drive – DEF CON 27 Conference

Articles / papers

  • A vulnerable driver: lesson almost learned
  • CVE-2020-12138 – Privilege Escalation in ATI Technologies Inc. Driver atillk64.sys
  • CVE-2019-18845 – Viper RGB Driver Local Privilege Escalation
  • CVE-2020-8808 – CORSAIR iCUE Driver Local Privilege Escalation
  • Logic bugs in Razer rzpnk.sys
  • Dell SupportAssist Driver – Local Privilege Escalation
  • MSI ntiolib.sys/winio.sys local privilege escalation
  • CVE-2019-8372 – Local Privilege Elevation in LG Kernel Driver
  • Reading Physical Memory using Carbon Black’s Endpoint driver
  • ASUS UEFI Update Driver Physical Memory Read/Write
  • Privilege escalation vulnerabilities found in over 40 Windows Drivers
  • Black Hat – KERNEL MODE THREATS AND PRACTICAL DEFENSES
  • Weaponizing vulnerable driver for privilege escalation – Gigabyte Edition!

Windows kernel driver development

Talks / video recordings

  • Windows Kernel Programming – 14 part playlist
  • Windows Driver Development – 19 part playlist
  • Developing Kernel Drivers with Modern C++ – Pavel Yosifovich

Articles / papers

  • Winsock Kernel Overview Topics
  • Driver Development Part 1: Introduction to Drivers
  • Driver Development Part 2: Introduction to Implementing IOCTLs
  • Driver Development Part 3: Introduction to driver contexts
  • Driver Development Part 4: Introduction to device stacks
  • Creating IOCTL Requests in Drivers
  • Windows Drivers Part 2: IOCTLs
  • Sending Commands From Your Userland Program to Your Kernel Driver using IOCTL

Windows internals

Talks / video recordings

  • Pluralsight – Windows Internals 1
  • Pluralsight – Windows Internals 2
  • Pluralsight – Windows Internals 3
  • Pluralsight – Windows 10 Internals: Systems and Processes
  • Pluralsight – Windows 10 Internals – Threads, Memory and Security
  • Alex Ionescu Insection: AWEsomely Exploiting Shared Memory Objects
  • Windows Internals
  • Windows 10 Segment Heap Internals
  • Windows Kernel Vulnerability Research and Exploitation – Gilad Bakas
  • NIC 5th Anniversary – Windows 10 internals
  • Black Hat USA 2012 – Windows 8 Heap Intervals

Articles / papers

  • Whitepaper – WINDOWS 10 SEGMENT HEAP INTERNALS
  • The Quest for the SSDTs
  • System Service Descriptor Table – SSDT
  • Interrupt Descriptor Table – IDT
  • Exploring Process Environment Block
  • Windows Pool Manager
  • Parsing PE File Headers with C++
  • Digging Into Handles, Callbacks & ObjectTypes

Advanced Windows debugging

Talks / video recordings

  • Hacking Livestream #28: Windows Kernel Debugging Part I
  • Hacking Livestream #29: Windows Kernel Debugging Part II
  • Hacking Livestream #30: Windows Kernel Debugging Part III
  • WinDbg Basics for Malware Analysis
  • Windows Debugging and Troubleshooting
  • CNIT 126 10: Kernel Debugging with WinDbg
  • Windows Kernel Debugging Part I
  • Microsoft Patch Analysis for Exploitation
  • Windows Kernel Debugging Fundamentals

Articles / papers

  • Debug Tutorial Part 1: Beginning Debugging Using CDB and NTSD
  • Debug Tutorial Part 2: The Stack
  • Debug Tutorial Part 3: The Heap
  • Debug Tutorial Part 4: Writing WINDBG Extensions
  • Debug Tutorial Part 5: Handle Leaks
  • Debug Tutorial Part 6: Navigating The Kernel Debugger
  • Debug Tutorial Part 7: Locks and Synchronization Objects
  • Getting Started with WinDbg – kernelmode
  • Windows Debuggers: Part 1: A WinDbg Tutorial

0days – APT advanced malware research

Talks / video recordings

  • W32.Duqu: The Precursor to the Next Stuxnet
  • Kernel Mode Threats and Practical Defenses
  • Selling 0-Days to Governments and Offensive Security Companies

Articles / papers

  • AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
  • The zero-day exploits of Operation WizardOpium
  • Zero-day exploit (CVE-2018-8453) used in targeted attacks
  • EternalBlue – Everything There Is To Know
  • Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255

Video game cheating (kernel mode stuff sometimes)

Talks / video recordings

  • Unveiling the Underground World of Anti-Cheats

Articles / papers

  • drvmap – driver manual mapper using capcom
  • All methods of retrieving unique identifiers(HWIDs) on your PC
  • Driver aka Kernel Mode cheating

Hyper-V and VM / sandbox escape

Talks / video recordings

  • Vulnerability Exploitation In Docker Container Environments
  • Modern Exploitation of the SVGA Device for Guest-to-Host Escapes
  • REcon 2014 – Breaking Out of VirtualBox through 3D Acceleration
  • 36C3 – The Great Escape of ESXi
  • BlueHat v18 || Straight outta VMware
  • Hardening hyper-v through offensive security research
  • A Driver in to Hyper-V Architecture & Vulnerabilities
  • The HyperV Architecture and its Memory Manager
  • Ring 0 to Ring -1 Exploitation with Hyper-V IPC
  • Exploiting the Hyper-V IDE Emulator to Escape the Virtual Machine
  • A Dive in to Hyper-V Architecture & Vulnerabilities

Articles / papers

  • Hyper-V memory internals. EXO partition memory access
  • Ventures into Hyper-V – Fuzzing hypercalls
  • Fuzzing para-virtualized devices in Hyper-V
  • First Steps in Hyper-V Research
  • Windows Sandbox Attack Surface Analysis

Fuzzing

Talks / video recordings

  • HITBGSEC 2016 – Fuzzing The Windows Kernel
  • Windows Kernel Vulnerability Research and Exploitation
  • Bugs on the Windshield: Fuzzing the Windows Kernel
  • Windows Kernel Fuzzing for Intermediate Learners
  • Windows Kernel Fuzzing For Beginners – Ben Nagy
  • Disobey 2018 – Building Windows Kernel fuzzer
  • For The Win: The Art Of The Windows Kernel Fuzzing
  • RECON 2019 – Vectorized Emulation Putting it all together

Articles / papers

  • A year of Windows kernel font fuzzing #1: the results
  • A year of Windows kernel font fuzzing #2: the techniques

Windows browser exploitation

Talks / video recordings

  • Digging for IE11 Sandbox Escapes Part 1

Related certifications and courses

Courses

  • Advanced Windows Exploitation (AWE)
  • SANS 660
  • SANS 760
  • Corelan “Bootcamp” training
  • Corelan “Advanced” training

Certifications

  • Offensive Security Exploitation Expert (OSEE)
  • GIAC GXPN
