├── .gitignore
├── CONTRIBUTING.md
├── LICENSE
├── README.md
└── img
    └── exploits-vulnerability.png


/.gitignore:
--------------------------------------------------------------------------------
 1 | # Built application files
 2 | *.apk
 3 | *.aar
 4 | *.ap_
 5 | *.aab
 6 | 
 7 | # Files for the ART/Dalvik VM
 8 | *.dex
 9 | 
10 | # Java class files
11 | *.class
12 | 
13 | # Generated files
14 | bin/
15 | gen/
16 | out/
17 | #  Uncomment the following line in case you need and you don't have the release build type files in your app
18 | # release/
19 | 
20 | # Gradle files
21 | .gradle/
22 | build/
23 | 
24 | # Local configuration file (sdk path, etc)
25 | local.properties
26 | 
27 | # Proguard folder generated by Eclipse
28 | proguard/
29 | 
30 | # Log Files
31 | *.log
32 | 
33 | # Android Studio Navigation editor temp files
34 | .navigation/
35 | 
36 | # Android Studio captures folder
37 | captures/
38 | 
39 | # IntelliJ
40 | *.iml
41 | .idea/workspace.xml
42 | .idea/tasks.xml
43 | .idea/gradle.xml
44 | .idea/assetWizardSettings.xml
45 | .idea/dictionaries
46 | .idea/libraries
47 | # Android Studio 3 in .gitignore file.
48 | .idea/caches
49 | .idea/modules.xml
50 | # Comment next line if keeping position of elements in Navigation Editor is relevant for you
51 | .idea/navEditor.xml
52 | 
53 | # Keystore files
54 | # Uncomment the following lines if you do not want to check your keystore files in.
55 | #*.jks
56 | #*.keystore
57 | 
58 | # External native build folder generated in Android Studio 2.2 and later
59 | .externalNativeBuild
60 | .cxx/
61 | 
62 | # Google Services (e.g. APIs or Firebase)
63 | # google-services.json
64 | 
65 | # Freeline
66 | freeline.py
67 | freeline/
68 | freeline_project_description.json
69 | 
70 | # fastlane
71 | fastlane/report.xml
72 | fastlane/Preview.html
73 | fastlane/screenshots
74 | fastlane/test_output
75 | fastlane/readme.md
76 | 
77 | # Version control
78 | vcs.xml
79 | 
80 | # lint
81 | lint/intermediates/
82 | lint/generated/
83 | lint/outputs/
84 | lint/tmp/
85 | # lint/reports/
86 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Contribution Guidelines
 2 | 
 3 | **Your pull request should have a useful title. Please carefully read everything in [Adding to this list](#adding-to-this-list).**
 4 | 
 5 | ## Table of Contents
 6 | 
 7 | * [Adding to this list](#adding-to-this-list)
 8 | * [Creating your own awesome list](#creating-your-own-awesome-list)
 9 | * [Adding something to an awesome list](#adding-something-to-an-awesome-list)
10 | * [Updating your Pull Request](#updating-your-pull-request)
11 | 
12 | ## Adding to this list
13 | 
14 | Please ensure your pull request adheres to the following guidelines:
15 | 
16 | * Search previous suggestions before making a new one, as yours may be a duplicate.
17 | * Make sure the item you are adding is useful (and, you know, awesome) before submitting.
18 | * Make an individual pull request for each suggestion.
19 | * Use [title-casing](http://titlecapitalization.com) (AP style).
20 | * Use the following format: `[Item Name](link)`
21 | * Link additions should be added to the bottom of the relevant category.
22 | * New categories or improvements to the existing categorization are welcome.
23 | * Check your spelling and grammar.
24 | * Make sure your text editor is set to remove trailing whitespace.
25 | * The pull request and commit should have a useful title.
26 | * The body of your commit message should contain a link to the repository.
27 | 
28 | Thank you for your suggestions!
29 | 
30 | 
31 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright [yyyy] [name of copyright owner]
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Windows or ARM Exploitation
  2 | 
  3 | > A collection of awesome software, libraries, learning tutorials, documents and books, awesome resources and cool stuff about ARM and Windows Exploitation.
  4 | 
  5 | 
  6 | ##  `What are exploits? `
  7 | 
  8 | [Exploits](https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/exploits-malware) take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security safeguards to infect your device.
  9 | 
 10 | ![exploits](https://github.com/paulveillard/cybersecurity-windows-exploitation/blob/main/img/exploits-vulnerability.png)
 11 | 
 12 | ###  `Table of Contents `
 13 | - [Windows stack overflows](#windows_stack_overflows)
 14 | - [Windows heap overflows](#windows_heap_overflows)
 15 | - [Kernel based Windows overflows](#kernel_based_Windows_overflows)
 16 | - [Windows Kernel Memory Corruption](#windows_kernel_memory_corruption)
 17 | - [Return Oriented Programming](#Return_oriented_programming)
 18 | - [Windows memory protections](#Windows_memory_protections)
 19 | - [Bypassing filter and protections](#Bypassing_filter_and_protections)
 20 | - [Typical windows exploits](#Typical_windows_exploits)
 21 | - [Exploit development tutorial series](#Exploit_development_tutorial_series)
 22 |   + [Corelan Team](#corelan)
 23 |   + [Fuzzysecurity](#fuzzysecurity)
 24 |   + [Securitysift](#securitysift)
 25 |   + [Whitehatters Academy](#whitehattersacademy)
 26 |   + [TheSprawl](#TheSprawl)
 27 |   + [Expdev-Kiuhnm](#expdev-kiuhnm)
 28 | - [Tools](#tools)
 29 | - [Miscellaneous](#miscellaneous)
 30 |   - [Conference Talks / Videos](#conference-talks--videos)
 31 |   - [Articles / Papers](#articles--papers)
 32 |   - [Resources](#resources)
 33 |   - [CTF / Training Binaries](#ctf--training-binaries)
 34 |   - [Books](#books)
 35 |   - [Other Tools](#other-tools)
 36 |   - [Courses](#courses)
 37 |   - [Related Awesome Lists](#related-awesome-lists)
 38 | - [Advanced ARM](#advanced-arm)
 39 |   - [Browser](#-browser)
 40 |   - [Mitigation Bypass](#-mitigation-bypass)
 41 |   - [Kernel](#-kernel)
 42 |   - [Misc](#-misc)
 43 | 
 44 | 
 45 | ## <a name="windows_stack_overflows" />Windows stack overflows
 46 | *Stack Base Overflow Articles.*
 47 | + [Win32 Buffer Overflows (Location, Exploitation and Prevention)](http://www.phrack.com/issues.html?issue=55&id=15#article) - by Dark spyrit [1999]
 48 | + [Writing Stack Based Overflows on Windows](http://www.packetstormsecurity.org/papers/win/) - by Nish Bhalla’s [2005]
 49 | + [Stack Smashing as of Today](https://www.blackhat.com/presentations/bh-europe-09/Fritsch/Blackhat-Europe-2009-Fritsch-Bypassing-aslr-slides.pdf) - by Hagen Fritsch [2009]
 50 | + [SMASHING C++ VPTRS](http://phrack.org/issues/56/8.html) - by rix [2000]
 51 | 
 52 | 
 53 | ## <a name="windows_heap_overflows" />Windows heap overflows
 54 | *Heap Base Overflow Articles.*
 55 | + [Third Generation Exploitation smashing heap on 2k](http://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt) - by Halvar Flake [2002]
 56 | + [Exploiting the MSRPC Heap Overflow Part 1](http://freeworld.thc.org/root/docs/exploit_writing/msrpcheap.pdf) - by Dave Aitel (MS03-026) [September 2003]
 57 | + [Exploiting the MSRPC Heap Overflow Part 2](http://freeworld.thc.org/root/docs/exploit_writing/msrpcheap2.pdf) - by Dave Aitel (MS03-026) [September 2003]
 58 | + [Windows heap overflow penetration in black hat](https://www.blackhat.com/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.ppt) - by David Litchfield [2004]
 59 | + [Glibc Adventures: The Forgotten Chunk](http://www.contextis.com/documents/120/Glibc_Adventures-The_Forgotten_Chunks.pdf) - by François Goichon [2015]
 60 | + [Pseudomonarchia jemallocum](http://www.phrack.org/issues/68/10.html) - by argp & huku
 61 | + [The House Of Lore: Reloaded](http://phrack.org/issues/67/8.html) - by blackngel [2010]
 62 | + [Malloc Des-Maleficarum](http://phrack.org/issues/66/10.html) - by blackngel [2009]
 63 | + [free() exploitation technique](http://phrack.org/issues/66/6.html) - by huku
 64 | + [Understanding the heap by breaking it](https://www.blackhat.com/presentations/bh-usa-07/Ferguson/Whitepaper/bh-usa-07-ferguson-WP.pdf) - by  Justin N. Ferguson [2007]
 65 | + [The use of set_head to defeat the wilderness](http://phrack.org/issues/64/9.html) - by g463
 66 | + [The Malloc Maleficarum](http://seclists.org/bugtraq/2005/Oct/118) - by Phantasmal Phantasmagoria [2005]
 67 | + [Exploiting The Wilderness](http://seclists.org/vuln-dev/2004/Feb/25) - by Phantasmal Phantasmagoria [2004]
 68 | + [Advanced Doug lea's malloc exploits](http://phrack.org/issues/61/6.html) - by jp
 69 | 
 70 | **[`^        back to top        ^`](#)**
 71 | 
 72 | 
 73 | 
 74 | ## <a name="kernel_based_Windows_overflows" />Kernel based Windows overflows
 75 | *Kernel Base Exploit Development Articles.*
 76 | + [How to attack kernel based vulns on windows was done](http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-08/0101.html) - by a Polish group called “sec-labs” [2003]
 77 | + [Sec-lab old whitepaper](http://www.artofhacking.com/tucops/hack/windows/live/aoh_win32dcv.htm)
 78 | + [Sec-lab old exploit](http://www.securityfocus.com/bid/8329/info)
 79 | + [Windows Local Kernel Exploitation (based on sec-lab research)](http://www.packetstormsecurity.org/hitb04/hitb04-sk-chong.pdf) - by S.K Chong [2004]
 80 | + [How to exploit Windows kernel memory pool](http://packetstormsecurity.nl/Xcon2005/Xcon2005_SoBeIt.pdf) - by SoBeIt [2005]
 81 | + [Exploiting remote kernel overflows in windows](http://research.eeye.com/html/papers/download/StepIntoTheRing.pdf) - by Eeye Security
 82 | + [Kernel-mode Payloads on Windows in uninformed](http://www.uninformed.org/?v=3&a=4&t=pdf) - by Matt Miller
 83 | + [Exploiting 802.11 Wireless Driver Vulnerabilities on Windows](http://www.uninformed.org/?v=6&a=2&t=pdf)
 84 | + [BH US 2007 Attacking the Windows Kernel](http://www.blackhat.com/presentations/bh-usa-07/Lindsay/Whitepaper/bh-usa-07-lindsay-WP.pdf)
 85 | + [Remote and Local Exploitation of Network Drivers](http://www.blackhat.com/presentations/bh-usa-07/Bulygin/Presentation/bh-usa-07-bulygin.pdf)
 86 | + [Exploiting Comon Flaws In Drivers](http://www.reversemode.com/index.php?option=com_content&task=view&id=38&Itemid=1)
 87 | + [I2OMGMT Driver Impersonation Attack](http://www.immunityinc.com/downloads/DriverImpersonationAttack_i2omgmt.pdf)
 88 | + [Real World Kernel Pool Exploitation](http://sebug.net/paper/Meeting-Documents/syscanhk/KernelPool.pdf)
 89 | + [Exploit for windows 2k3 and 2k8](http://www.argeniss.com/research/TokenKidnapping.pdf)
 90 | + [Alyzing local privilege escalations in win32k](http://www.uninformed.org/?v=10&a=2&t=pdf)
 91 | + [Intro to Windows Kernel Security Development](http://www.dontstuffbeansupyournose.com/trac/browser/projects/ucon09/Intro_NT_kernel_security_stuff.pdf)
 92 | + [There’s a party at ring0 and you’re invited](http://www.cr0.org/paper/to-jt-party-at-ring0.pdf)
 93 | + [Windows kernel vulnerability exploitation](http://vexillium.org/dl.php?call_gate_exploitation.pdf)
 94 | + [A New CVE-2015-0057 Exploit Technology](https://www.blackhat.com/docs/asia-16/materials/asia-16-Wang-A-New-CVE-2015-0057-Exploit-Technology-wp.pdf) - by Yu Wang [2016]
 95 | + [Exploiting CVE-2014-4113 on Windows 8.1](https://labs.bluefrostsecurity.de/publications/2016/01/07/exploiting-cve-2014-4113-on-windows-8.1/) - by Moritz Jodeit [2016]
 96 | + [Easy local Windows Kernel exploitation](http://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf) - by Cesar Cerrudo [2012]
 97 | + [Windows Kernel Exploitation ](http://www.hacking-training.com/download/WKE.pdf) - by Simone Cardona 2016
 98 | + [Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects](https://sensepost.com/blog/2017/exploiting-ms16-098-rgnobj-integer-overflow-on-windows-8.1-x64-bit-by-abusing-gdi-objects/) - by Saif Sherei 2017
 99 | + [Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes](http://www.slideshare.net/PeterHlavaty/windows-kernel-exploitation-this-time-font-hunt-you-down-in-4-bytes) - by keen team [2015]
100 | + [Abusing GDI for ring0 exploit primitives](https://www.coresecurity.com/system/files/publications/2016/10/Abusing-GDI-Reloaded-ekoparty-2016_0.pdf) - [2016]
101 | 
102 | 
103 | ## <a name="windows_kernel_memory_corruption" />Windows Kernel Memory Corruption
104 | *Windows Kernel Memory Corruption Exploit Development Articles.*
105 | + [Remote Windows Kernel Exploitation](https://cansecwest.com/core05/windowsremotekernel.pdf) - by Barnaby Jack [2005]
106 | + [windows kernel-mode payload fundamentals](http://uninformed.org/index.cgi?v=3&a=4&t=sumry) - by Skape [2006]
107 | + [exploiting 802.11 wireless driver vulnerabilities on windows](http://www.uninformed.org/?v=6&a=2&t=sumry) - by Johnny Cache, H D Moore, skape [2007]
108 | + [Kernel Pool Exploitation on Windows 7](https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf) - by Tarjei Mandt [2011]
109 | + [Windows Kernel-mode GS Cookies and 1 bit of entropy](vexillium.org/dl.php?/Windows_Kernel-mode_GS_Cookies_subverted.pdf) - [2011]
110 | + [Subtle information disclosure in WIN32K.SYS syscall return values](http://j00ru.vexillium.org/?p=762) - [2011]
111 | + [nt!NtMapUserPhysicalPages and Kernel Stack-Spraying Techniques](http://j00ru.vexillium.org/?p=769) - [2011]
112 | + [SMEP: What is it, and how to beat it on Windows](http://j00ru.vexillium.org/?p=783) - [2011]
113 | + [Kernel Attacks through User-Mode Callbacks](http://www.mista.nu/research/mandt-win32k-paper.pdf) - by Tarjei Mandt [2011]
114 | + [Windows Security Hardening Through Kernel Address Protection](http://j00ru.vexillium.org/blog/04_12_11/Windows_Kernel_Address_Protection.pdf) - by Mateusz "j00ru" Jurczyk [2011]
115 | + [Reversing Windows8: Interesting Features of Kernel Security](http://hitcon.org/2012/download/0720A5_360.MJ0011_Reversing%20Windows8-Interesting%20Features%20of%20Kernel%20Security.pdf) - by MJ0011 [2012]
116 | + [Smashing The Atom: Extraordinary String Based Attacks](mista.nu/research/smashing_the_atom.pdf) - by Tarjei Mandt [2012]
117 | + [Easy local Windows Kernel exploitation](http://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf) - by Cesar Cerrudo [2012]
118 | + [Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement](www.powerofcommunity.net/poc2012/mj0011.pdf) - by MJ0011 [2012]
119 | + [MWR Labs Pwn2Own 2013 Write-up - Kernel Exploit](https://labs.mwrinfosecurity.com/blog/mwr-labs-pwn2own-2013-write-up-kernel-exploit/) - [2013]
120 | + [KASLR Bypass Mitigations in Windows 8.1](www.alex-ionescu.com/?p=82) - [2013]
121 | + [First Dip Into the Kernel Pool: MS10-058](http://doar-e.github.io/blog/2014/03/11/first-dip-into-the-kernel-pool-ms10-058/) - by Jeremy [2014]
122 | + [Windows 8 Kernel Memory Protections Bypass](https://labs.mwrinfosecurity.com/blog/windows-8-kernel-memory-protections-bypass/) - [2014]
123 | + [An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113)](http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/) - by Weimin Wu [2014]
124 | + [Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids’ Pool](http://www.alex-ionescu.com/?p=231) - [2014]
125 | + [Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE 2015-0057) bug on both 32-bit and 64-bit](https://www.nccgroup.trust/globalassets/newsroom/uk/blog/documents/2015/07/exploiting-cve-2015.pdf) - by Aaron Adams [2015]
126 | + [Exploiting MS15-061 Microsoft Windows Kernel Use-After-Free (win32k!xxxSetClassLong)](https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/08/2015-08-27_-_ncc_group_-_exploiting_ms15_061_uaf_-_release.pdf) - by Dominic Wang [2015]
127 | + [Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit](https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/09/2015-08-28_-_ncc_group_-_exploiting_cve_2015_2426_-_release.pdf) - by Cedric Halbronn [2015]
128 | + [Abusing GDI for ring0 exploit primitives](https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives) - by Diego Juarez [2015]
129 | + [Duqu 2.0 Win32k exploit analysis](https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/OhFlorio-VB2015.pdf) - [2015]
130 | 
131 | 
132 | 
133 | ## <a name="Return_oriented_programming" />Return Oriented Programming
134 | + [The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls](http://cseweb.ucsd.edu/~hovav/dist/geometry.pdf)
135 | + [Blind return-oriented programming](http://www.scs.stanford.edu/brop/bittau-brop.pdf)
136 | + [Sigreturn-oriented Programming](https://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf)
137 | + [Jump-Oriented Programming: A New Class of Code-Reuse Attack](http://ftp.ncsu.edu/pub/tech/2010/TR-2010-8.pdf)
138 | + [Out of control: Overcoming control-flow integrity](http://www.cs.stevens.edu/~gportoka/files/outofcontrol_oakland14.pdf)
139 | + [ROP is Still Dangerous: Breaking Modern Defenses](http://www.cs.berkeley.edu/~daw/papers/rop-usenix14.pdf)
140 | + [Loop-Oriented Programming(LOP): A New Code Reuse Attack to Bypass Modern Defenses](https://www.sec.in.tum.de/assets/staff/muntean/Loop-Oriented_Programming_A_New_Code_Reuse_Attack_to_Bypass_Modern0ADefenses.pdf) - by Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng [2015]
141 | + [Systematic Analysis of Defenses Against Return-Oriented Programming](https://people.csail.mit.edu/nickolai/papers/skowyra-rop.pdf) -by R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. Streilein [2013]
142 | + [Return-oriented programming without returns](https://www.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf) -by S.Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy [2010]
143 | + [Jump-oriented programming: a new class of code-reuse attack](https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf) -by T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang [2011]
144 | + [Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-davi.pdf) - by L. Davi, A. Sadeghi, and D. Lehmann [2014]
145 | + [Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-goktas.pdf) - by E. Göktas, E.Athanasopoulos, M. Polychronakis, H. Bos, and G.Portokalidis [2014]
146 | + [Buffer overflow attacks bypassing DEP (NX/XD bits) – part 1](http://www.mastropaolo.com/2005/06/04/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-1/) - by Marco Mastropaolo [2005]
147 | + [Buffer overflow attacks bypassing DEP (NX/XD bits) – part 2](http://www.mastropaolo.com/2005/06/05/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-2-code-injection/) - by Marco Mastropaolo [2005]
148 | + [Practical Rop](http://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf) - by Dino Dai Zovi [2010]
149 | + [Exploitation with WriteProcessMemory](https://packetstormsecurity.com/papers/general/Windows-DEP-WPM.txt) - by Spencer Pratt [2010]
150 | + [Exploitation techniques and mitigations on Windows](http://hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf) - by skape
151 | + [A little return oriented exploitation on Windows x86 – Part 1](http://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on.html) - by Harmony Security and Stephen Fewer [2010]
152 | + [A little return oriented exploitation on Windows x86 – Part 2](http://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on_16.html) - by Harmony Security and Stephen Fewer [2010]
153 | 
154 | 
155 | ## <a name="Windows_memory_protections" />Windows memory protections
156 | *Windows memory protections Introduction Articles.*
157 | + [Data Execution Prevention](http://support.microsoft.com/kb/875352)
158 | + [/GS (Buffer Security Check)](http://msdn.microsoft.com/en-us/library/Aa290051)
159 | + [/SAFESEH](http://msdn.microsoft.com/en-us/library/9a89h429(VS.80).aspx)
160 | + [ASLR](http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx)
161 | + [SEHOP](http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)
162 | 
163 | 
164 | ## <a name="Bypassing_filter_and_protections" />Bypassing filter and protections
165 | *Windows memory protections Bypass Methods Articles.*
166 | + [Third Generation Exploitation smashing heap on 2k](http://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt) - by Halvar Flake [2002]
167 | + [Creating Arbitrary Shellcode In Unicode Expanded Strings](http://www.net-security.org/dl/articles/unicodebo.pdf) - by Chris Anley
168 | + [Advanced windows exploitation](http://www.immunityinc.com/downloads/immunity_win32_exploitation.final2.ppt) - by Dave Aitel [2003]
169 | + [Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server](http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection.pdf) - by David Litchfield
170 | + [Reliable heap exploits and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2)](http://cybertech.net/~sh0ksh0k/projects/winheap/XPSP2%20Heap%20Exploitation.ppt) - by Matt Conover in cansecwest 2004
171 | + [Safely Searching Process Virtual Address Space](http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf) - by Matt Miller [2004]
172 | + [IE exploit and used a technology called Heap Spray](http://www.exploit-db.com/exploits/612)
173 | + [Bypassing hardware-enforced DEP](http://www.uninformed.org/?v=2&a=4&t=pdf) - by Skape (Matt Miller) and Skywing (Ken Johnson) [October 2005]
174 | + [Exploiting Freelist[0] On XP Service Pack 2](http://www.orkspace.net/secdocs/Windows/Protection/Bypass/Exploiting%20Freelist%5B0%5D%20On%20XP%20Service%20Pack%202.pdf) - by Brett Moore [2005]
175 | + [Kernel-mode Payloads on Windows in uninformed](http://www.uninformed.org/?v=3&a=4&t=pdf)
176 | + [Exploiting 802.11 Wireless Driver Vulnerabilities on Windows](http://www.uninformed.org/?v=6&a=2&t=pdf)
177 | + [Exploiting Comon Flaws In Drivers](http://www.reversemode.com/index.php?option=com_content&task=view&id=38&Itemid=1)
178 | + [Heap Feng Shui in JavaScript](http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf) by Alexander sotirov [2007]
179 | + [Understanding and bypassing Windows Heap Protection](http://kkamagui.springnote.com/pages/1350732/attachments/579350) - by Nicolas Waisman [2007]
180 | + [Heaps About Heaps](http://www.insomniasec.com/publications/Heaps_About_Heaps.ppt) - by Brett moore [2008]
181 | + [Bypassing browser memory protections in Windows Vista](http://taossa.com/archive/bh08sotirovdowd.pdf) - by Mark Dowd and Alex Sotirov [2008]
182 | + [Attacking the Vista Heap](http://www.ruxcon.org.au/files/2008/hawkes_ruxcon.pdf) - by ben hawkes [2008]
183 | + [Return oriented programming Exploitation without Code Injection](http://cseweb.ucsd.edu/~hovav/dist/blackhat08.pdf) - by Hovav Shacham  (and others ) [2008]
184 | + [Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8](http://www.argeniss.com/research/TokenKidnapping.pdf) - by Cesar Cerrudo [2008]
185 | + [Defeating DEP Immunity Way](http://www.immunityinc.com/downloads/DEPLIB.pdf) - by Pablo Sole [2008]
186 | + [Practical Windows XP2003 Heap Exploitation](http://www.blackhat.com/presentations/bh-usa-09/MCDONALD/BHUSA09-McDonald-WindowsHeap-PAPER.pdf) - by John McDonald and Chris Valasek [2009]
187 | + [Bypassing SEHOP](http://www.sysdream.com/articles/sehop_en.pdf) - by Stefan Le Berre Damien Cauquil [2009]
188 | + [Interpreter Exploitation  : Pointer Inference and JIT Spraying](http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf) - by Dionysus Blazakis[2010]
189 | + [Write-up of Pwn2Own 2010](http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf) - by  Peter Vreugdenhil
190 | + [All in one 0day presented in rootedCON](http://wintercore.com/downloads/rootedcon_0day_english.pdf) - by Ruben Santamarta [2010]
191 | + [DEP/ASLR bypass using 3rd party](http://web.archive.org/web/20130820021520/http://abysssec.com/files/The_Arashi.pdf) - by Shahin Ramezany [2013]
192 | + [Bypassing EMET 5.0](http://blog.sec-consult.com/2014/10/microsoft-emet-armor-against-zero-days.html) - by René Freingruber [2014]
193 | 
194 | 
195 | ## <a name="Typical_windows_exploits" />Typical windows exploits
196 | + [Real-world HW-DEP bypass Exploit](http://www.exploit-db.com/exploits/3652) - by Devcode
197 | + [Bypassing DEP by returning into HeapCreate](http://www.metasploit.com/redmine/projects/framework/repository/revisions/7246/entry/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb) - by Toto
198 | + [First public ASLR bypass exploit by using partial overwrite ](http://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/email/ani_loadimage_chunksize.rb) - by Skape
199 | + [Heap spray and bypassing DEP](http://skypher.com/SkyLined/download/www.edup.tudelft.nl/%7Ebjwever/exploits/InternetExploiter2.zip) - by Skylined
200 | + [First public exploit that used ROP  for bypassing DEP in adobe lib TIFF vulnerability](http://www.metasploit.com/redmine/projects/framework/repository/revisions/8833/raw/modules/exploits/windows/fileformat/adobe_libtiff.rb)
201 | + [Exploit codes of bypassing browsers memory protections](http://phreedom.org/research/bypassing-browser-memory-protections/bypassing-browser-memory-protections-code.zip)
202 | + [PoC’s on Tokken TokenKidnapping .  PoC for 2k3 -part 1](http://www.argeniss.com/research/Churrasco.zip) - by Cesar Cerrudo
203 | + [PoC’s on Tokken TokenKidnapping .  PoC for 2k8 -part 2](http://www.argeniss.com/research/Churrasco2.zip) - by Cesar Cerrudo
204 | + [An exploit works from win 3.1 to win 7](http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip) - by Tavis Ormandy KiTra0d
205 | + [Old ms08-067 metasploit module multi-target and DEP bypass](http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/smb/ms08_067_netapi.rb)
206 | + [PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass](http://www.exploit-db.com/exploits/12189)
207 | + [SMBv2 Exploit](http://www.metasploit.com/redmine/projects/framework/repository/revisions/8916/raw/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb) - by Stephen Fewer
208 | + [Microsoft IIS 7.5 remote heap buffer overflow](http://www.phrack.org/issues/68/12.html) - by redpantz
209 | + [Browser Exploitation Case Study for Internet Explorer 11](https://labs.bluefrostsecurity.de/files/Look_Mom_I_Dont_Use_Shellcode-WP.pdf) - by Moritz Jodeit [2016]
210 | 
211 | 
212 | ## <a name="Exploit_development_tutorial_series" />Exploit development tutorial series
213 | *Exploid Development Tutorial Series Base on Windows Operation System Articles.*
214 | <a name="corelan" />
215 | - Corelan Team
216 |   + [Exploit writing tutorial part 1 : Stack Based Overflows](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/)
217 |   + [Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode](https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/)
218 |   + [Exploit writing tutorial part 3 : SEH Based Exploits](https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/)
219 |   + [Exploit writing tutorial part 3b : SEH Based Exploits – just another example](https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/)
220 |   + [Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics](https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/)
221 |   + [Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development](https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/)
222 |   + [Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR](https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/)
223 |   + [Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc](https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/)
224 |   + [Exploit writing tutorial part 8 : Win32 Egg Hunting](https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/)
225 |   + [Exploit writing tutorial part 9 : Introduction to Win32 shellcoding](https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/)
226 |   + [Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s Cube](https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/)
227 |   + [Exploit writing tutorial part 11 : Heap Spraying Demystified](https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/)
228 | 
229 | - <a name="fuzzysecurity" />Fuzzysecurity
230 |   + [Part 1: Introduction to Exploit Development](https://www.fuzzysecurity.com/tutorials/expDev/1.html)
231 |   + [Part 2: Saved Return Pointer Overflows](https://www.fuzzysecurity.com/tutorials/expDev/2.html)
232 |   + [Part 3: Structured Exception Handler (SEH)](https://www.fuzzysecurity.com/tutorials/expDev/3.html)
233 |   + [Part 4: Egg Hunters](https://www.fuzzysecurity.com/tutorials/expDev/4.html)
234 |   + [Part 5: Unicode 0x00410041](https://www.fuzzysecurity.com/tutorials/expDev/5.html)
235 |   + [Part 6: Writing W32 shellcode](https://www.fuzzysecurity.com/tutorials/expDev/6.html)
236 |   + [Part 7: Return Oriented Programming](https://www.fuzzysecurity.com/tutorials/expDev/7.html)
237 |   + [Part 8: Spraying the Heap Chapter 1: Vanilla EIP](https://www.fuzzysecurity.com/tutorials/expDev/8.html)
238 |   + [Part 9: Spraying the Heap Chapter 2: Use-After-Free](https://www.fuzzysecurity.com/tutorials/expDev/11.html)
239 |   + [Part 10: Kernel Exploitation -> Stack Overflow](http://www.fuzzysecurity.com/tutorials/expDev/14.html)
240 |   + [Part 11: Kernel Exploitation -> Write-What-Where](http://www.fuzzysecurity.com/tutorials/expDev/15.html)
241 |   + [Part 12: Kernel Exploitation -> Null Pointer Dereference](http://www.fuzzysecurity.com/tutorials/expDev/16.html)
242 |   + [Part 13: Kernel Exploitation -> Uninitialized Stack Variable](http://www.fuzzysecurity.com/tutorials/expDev/17.html)
243 |   + [Part 14: Kernel Exploitation -> Integer Overflow](http://www.fuzzysecurity.com/tutorials/expDev/18.html)
244 |   + [Part 15: Kernel Exploitation -> UAF](http://www.fuzzysecurity.com/tutorials/expDev/19.html)
245 |   + [Part 16: Kernel Exploitation -> Pool Overflow](http://www.fuzzysecurity.com/tutorials/expDev/20.html)
246 |   + [Part 17: Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)](http://www.fuzzysecurity.com/tutorials/expDev/21.html)
247 |   + [Heap Overflows For Humans 101](http://www.fuzzysecurity.com/tutorials/mr_me/2.html)
248 |   + [Heap Overflows For Humans 102](http://www.fuzzysecurity.com/tutorials/mr_me/3.html)
249 |   + [Heap Overflows For Humans 102.5](http://www.fuzzysecurity.com/tutorials/mr_me/4.html)
250 |   + [Heap Overflows For Humans 103](http://www.fuzzysecurity.com/tutorials/mr_me/5.html)
251 |   + [Heap Overflows For Humans 103.5](http://www.fuzzysecurity.com/tutorials/mr_me/6.html)
252 | 
253 | - <a name="securitysift" />Securitysift
254 |   + [Windows Exploit Development – Part 1: The Basics](http://www.securitysift.com/windows-exploit-development-part-1-basics/)
255 |   + [Windows Exploit Development – Part 2: Intro to Stack Based Overflows](http://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/)
256 |   + [Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules](http://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/)
257 |   + [Windows Exploit Development – Part 4: Locating Shellcode With Jumps](http://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/)
258 |   + [Windows Exploit Development – Part 5: Locating Shellcode With Egghunting](http://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting/)
259 |   + [Windows Exploit Development – Part 6: SEH Exploits](http://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/)
260 |   + [Windows Exploit Development – Part 7: Unicode Buffer Overflows](http://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows/)
261 | 
262 | 
263 | - <a name="whitehattersacademy" />Whitehatters Academy
264 |   + [Intro to Windows kernel exploitation 1/N: Kernel Debugging](https://www.whitehatters.academy/intro-to-kernel-exploitation-part-1/)
265 |   + [Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-2-windows-drivers/)
266 |   + [Intro to Windows kernel exploitation 3/N: My first Driver exploit](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-3-my-first-driver-exploit/)
267 |   + [Intro to Windows kernel exploitation 3.5/N: A bit more of the HackSys Driver](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-more-of-the-hacksys-driver/)
268 |   + [Backdoor 103: Fully Undetected](https://www.whitehatters.academy/backdoor-103-fully-undetected/)
269 |   + [Backdoor 102](https://www.whitehatters.academy/backdoor-102/)
270 |   + [Backdoor 101](https://www.whitehatters.academy/backdoor101-vysec/)
271 | 
272 | 
273 | - <a name="TheSprawl" />TheSprawl
274 |   + [corelan - integer overflows - exercise solution](http://thesprawl.org/research/corelan-integer-overflows-exercise-solution/)
275 |   + [heap overflows for humans - 102 - exercise solution](http://thesprawl.org/research/heap-overflows-humans-102-exercise-solution/)
276 |   + [exploit exercises - protostar - final levels](http://thesprawl.org/research/exploit-exercises-protostar-final/)
277 |   + [exploit exercises - protostar - network levels](http://thesprawl.org/research/exploit-exercises-protostar-network/)
278 |   + [exploit exercises - protostar - heap levels](http://thesprawl.org/research/exploit-exercises-protostar-heap/)
279 |   + [exploit exercises - protostar - format string levels](http://thesprawl.org/research/exploit-exercises-protostar-format/)
280 |   + [exploit exercises - protostar - stack levels](http://thesprawl.org/research/exploit-exercises-protostar-stack/)
281 |   + [open security training - introduction to software exploits - uninitialized variable overflow](http://thesprawl.org/research/ost-introduction-software-exploits-uninit-overflow/)
282 |   + [open security training - introduction to software exploits - off-by-one](http://thesprawl.org/research/ost-introduction-exploits-offbyone/)
283 |   + [open security training - introduction to re - bomb lab secret phase](http://thesprawl.org/research/ost-introduction-re-bomb-secret-phase/)
284 |   + [open security training - introductory x86 - buffer overflow mystery box](http://thesprawl.org/research/ost-introductory-x86-buffer-overflow-mystery-box/)
285 |   + [corelan - tutorial 10 - exercise solution](http://thesprawl.org/research/corelan-tutorial-10-exercise-solution/)
286 |   + [corelan - tutorial 9 - exercise solution](http://thesprawl.org/research/corelan-tutorial-9-exercise-solution/)
287 |   + [corelan - tutorial 7 - exercise solution](http://thesprawl.org/research/corelan-tutorial-7-exercise-solution/)
288 |   + [getting from seh to nseh](http://thesprawl.org/research/seh-to-nseh/)
289 |   + [corelan - tutorial 3b - exercise solution](http://thesprawl.org/research/corelan-tutorial-3b-exercise-solution/)
290 | 
291 | - <a name="expdev-kiuhnm" />Expdev-Kiuhnm
292 |   + [WinDbg](http://expdev-kiuhnm.rhcloud.com/2015/05/17/windbg/)
293 |   + [Mona 2](http://expdev-kiuhnm.rhcloud.com/2015/05/19/mona-2/)
294 |   + [Structure Exception Handling (SEH)](http://expdev-kiuhnm.rhcloud.com/2015/05/19/structured-exception-handling-seh/)
295 |   + [Heap](http://expdev-kiuhnm.rhcloud.com/2015/05/20/heap/)
296 |   + [Windows Basics](http://expdev-kiuhnm.rhcloud.com/2015/05/20/windows-basics/)
297 |   + [Shellcode](http://expdev-kiuhnm.rhcloud.com/2015/05/22/shellcode/)
298 |   + [Exploitme1 (ret eip overwrite)](http://expdev-kiuhnm.rhcloud.com/2015/05/26/exploitme1-ret-eip-overwrite/)
299 |   + [Exploitme2 (Stack cookies & SEH)](http://expdev-kiuhnm.rhcloud.com/2015/05/26/exploitme2-stack-cookies-seh-2/)
300 |   + [Exploitme3 (DEP)](http://expdev-kiuhnm.rhcloud.com/2015/05/27/exploitme3-dep/)
301 |   + [Exploitme4 (ASLR)](http://expdev-kiuhnm.rhcloud.com/2015/05/28/exploitme4-aslr/)
302 |   + [Exploitme5 (Heap Spraying & UAF)](http://expdev-kiuhnm.rhcloud.com/2015/05/29/exploitme5-heap-spraying-uaf/)
303 |   + [EMET 5.2](http://expdev-kiuhnm.rhcloud.com/2015/05/29/emet-5-2-2/)
304 |   + [Internet Explorer 10 - Reverse Engineering IE](http://expdev-kiuhnm.rhcloud.com/2015/05/31/ie10-reverse-engineering-ie/)
305 |   + [Internet Explorer 10 - From one-byte-write to full process space read/write](http://expdev-kiuhnm.rhcloud.com/2015/05/31/ie-10-from-one-byte-write-to-full-process-space-readwrite/)
306 |   + [Internet Explorer 10 - God Mode (1)](http://expdev-kiuhnm.rhcloud.com/2015/05/31/ie10-god-mode-1/)
307 |   + [Internet Explorer 10 - God Mode (2)](http://expdev-kiuhnm.rhcloud.com/2015/06/01/ie10-god-mode-2/)
308 |   + [Internet Explorer 10 - Use-After-Free bug](http://expdev-kiuhnm.rhcloud.com/2015/06/01/ie10-use-free-bug/)
309 |   + [Internet Explorer 11 - Part 1](http://expdev-kiuhnm.rhcloud.com/2015/06/02/ie11-part-1/)
310 |   + [Internet Explorer 11 - Part 2](http://expdev-kiuhnm.rhcloud.com/2015/06/02/ie11-part-2/)
311 | 
312 | 
313 | 
314 | ## <a name="tools" />Tools
315 | *Disassemblers, debuggers, and other static and dynamic analysis tools.*
316 | 
317 | + [angr](https://github.com/angr/angr) - Platform-agnostic binary analysis
318 |   framework developed at UCSB's Seclab.
319 | + [BARF](https://github.com/programa-stic/barf-project) - Multiplatform, open
320 |   source Binary Analysis and Reverse engineering Framework.
321 | + [Binary Ninja](https://binary.ninja/) - Multiplatform binary analysis IDE supporting
322 |   various types of binaries and architecturs. Scriptable via Python.
323 | + [binnavi](https://github.com/google/binnavi) - Binary analysis IDE for
324 |   reverse engineering based on graph visualization.
325 | + [Bokken](http://www.bokken.re/) - GUI for Pyew and Radare.
326 | + [Capstone](https://github.com/aquynh/capstone) - Disassembly framework for
327 |   binary analysis and reversing, with support for many architectures and
328 |   bindings in several languages.
329 | + [codebro](https://github.com/hugsy/codebro) - Web based code browser using
330 |   clang to provide basic code analysis.
331 | + [dnSpy](https://github.com/0xd4d/dnSpy) - .NET assembly editor, decompiler
332 |   and debugger.
333 | + [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - A
334 |   modular debugger with a Qt GUI.
335 | + [GDB](http://www.sourceware.org/gdb/) - The GNU debugger.
336 | + [GEF](https://github.com/hugsy/gef) - GDB Enhanced Features, for exploiters
337 |   and reverse engineers.
338 | + [hackers-grep](https://github.com/codypierce/hackers-grep) - A utility to
339 |   search for strings in PE executables including imports, exports, and debug
340 |   symbols.
341 | + [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - Windows
342 |   disassembler and debugger, with a free evaluation version.
343 | + [Immunity Debugger](http://debugger.immunityinc.com/) - Debugger for
344 |   malware analysis and more, with a Python API.
345 | + [ltrace](http://ltrace.org/) - Dynamic analysis for Linux executables.
346 | + [objdump](https://en.wikipedia.org/wiki/Objdump) - Part of GNU binutils,
347 |   for static analysis of Linux binaries.
348 | + [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows
349 |   executables.
350 | + [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral Dynamic Analysis
351 | + [PEDA](https://github.com/longld/peda) - Python Exploit Development
352 |   Assistance for GDB, an enhanced display with added commands.
353 | + [pestudio](https://winitor.com/) - Perform static analysis of Windows
354 |   executables.
355 | + [Process Monitor](https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) -
356 |   Advanced monitoring tool for Windows programs.
357 | + [Pyew](https://github.com/joxeankoret/pyew) - Python tool for malware
358 |   analysis.
359 | + [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with
360 |   debugger support.
361 | + [SMRT](https://github.com/pidydx/SMRT) - Sublime Malware Research Tool, a
362 |   plugin for Sublime 3 to aid with malware analyis.
363 | + [strace](http://sourceforge.net/projects/strace/) - Dynamic analysis for
364 |   Linux executables.
365 | + [Udis86](https://github.com/vmt/udis86) - Disassembler library and tool
366 |   for x86 and x86_64.
367 | + [Vivisect](https://github.com/vivisect/vivisect) - Python tool for
368 |   malware analysis.
369 | + [X64dbg](https://github.com/x64dbg/) - An open-source x64/x32 debugger for windows.
370 | 
371 | 
372 | 
373 | ##  `Conference Talks / Videos `
374 | * [Exploitation on ARM](https://www.youtube.com/watch?v=kykVyJ0dm8Y) - Itzhak Avraham - Defcon 18 (2010)
375 | * [ARM Exploitation ROPMAP](https://www.youtube.com/watch?v=VDyf_tJ8IUg) - Long Le - Blackhat USA (2011)
376 | * [Advanced ARM Exploitation](https://www.youtube.com/watch?v=gdsPydfBfSA) - Stephen Ridley & Stephen Lawler - Blackhat USA (2012)
377 | * [ARM Assembly and Shellcode Basics](https://www.youtube.com/watch?v=BhjJBuX0YCU) - Saumil Shah - 44CON (2017)
378 | * [Heap Overflow Exploits for Beginners (ARM Exploitation Tutorial)](https://www.youtube.com/watch?v=L8Ya7fBgEzU) - Billy Ellis (2017)
379 | * [Introduction to Exploitation on ARM64](https://www.youtube.com/watch?v=xVyH68HFsQU) - Billy Ellis - Codetalks (2018)
380 | * [Make ARM Shellcode Great Again](https://www.youtube.com/watch?v=9tx293lbGuc) - Saumil Shah - Hack.lu (2018)
381 | * [ARM Memory Tagging, how it improves C++ memory safety](https://www.youtube.com/watch?v=iP_iHroclgM) - Kostya Serebryany - LLVM (2018)
382 | * [Breaking Samsung's ARM Trustzone](https://i.blackhat.com/USA-19/Thursday/us-19-Peterlin-Breaking-Samsungs-ARM-TrustZone.pdf)
383 | * [Hacker Nightmares: Giving Hackers a Headache with Exploit Mitigations](https://www.youtube.com/watch?v=riQ-WyYrxh4) - Azeria - Virtual Arm Research Summit (2020)
384 | 
385 | ##  `Articles / Papers `
386 | * [ARM Assembly Basics Series](https://azeria-labs.com/writing-arm-assembly-part-1/) - Azeria
387 | * [ARM Binary Exploitation Series](https://azeria-labs.com/writing-arm-shellcode/) - Azeria
388 | * [Smashing the ARM Stack](https://www.merckedsecurity.com/blog/smashing-the-arm-stack-part-1) - Mercked Security
389 | * [Introduction to ARMv8 64-bit Architecture](https://quequero.org/2014/04/introduction-to-arm-architecture/) - pnuic
390 | * [Alphanumeric RISC ARM Shellcode](http://phrack.org/issues/66/12.html) - (Phrack) - Yves Younan, Pieter Philippaerts
391 | * [Return-Oriented Programming on a Cortex-M Processor](https://ieeexplore.ieee.org/document/8029521)
392 | * [3or ARM Exploitation Series](https://blog.3or.de/arm-exploitation-return-oriented-programming.html) - Dimitrios Slamaris
393 | * [Developing StrongARM/Linux Shellcode](http://www.phrack.com/issues/58/10.html) - (Phrack) - funkysh
394 | * [Reversing and Exploiting ARM Binaries](http://www.mathyvanhoef.com/2013/12/reversing-and-exploiting-arm-binaries.html) - Mathy Vanhoef
395 | * [ARM Exploitation for IoT Series](https://quequero.org/2017/07/arm-exploitation-iot-episode-1/) - Andrea Sindoni
396 | * [Reverse Engineering of ARM Microcontrollers](https://rdomanski.github.io/Reverse-engineering-of-ARM-Microcontrollers/) - Rdomanski
397 | * [ARM64 Reversing and Exploitation - Part 1: ARM Instruction Set + Simple Heap Overflow](https://8ksec.io/arm64-reversing-and-exploitation-part-1-arm-instruction-set-simple-heap-overflow/) - 8ksec
398 | * [ARM64 Reversing and Exploitation - Part 2: Use After Free](
399 | https://8ksec.io/arm64-reversing-and-exploitation-part-2-use-after-free/) - 8ksec
400 | * [ARM64 Reversing and Exploitation - Part 3: A Simple ROP Chain](
401 | https://8ksec.io/arm64-reversing-and-exploitation-part-3-a-simple-rop-chain/) - 8ksec
402 | * [ARM64 Reversing and Exploitation - Part 4: Using Mprotect() To Bypass NX Protection](
403 | https://8ksec.io/arm64-reversing-and-exploitation-part-4-using-mprotect-to-bypass-nx-protection-8ksec-blogs/) - 8ksec
404 | * [ARM64 Reversing and Exploitation - Part 5: Writing Shellcode](
405 | https://8ksec.io/arm64-reversing-and-exploitation-part-5-writing-shellcode-8ksec-blogs/) - 8ksec
406 | * [ARM64 Reversing and Exploitation - Part 6: Exploiting An Uninitialized Stack Variable Vulnerability](
407 | https://8ksec.io/arm64-reversing-and-exploitation-part-6-exploiting-an-uninitialized-stack-variable-vulnerability/) - 8ksec
408 | * [ARM64 Reversing and Exploitation - Part 7: Bypassing ASLR And NX](
409 | https://8ksec.io/arm64-reversing-and-exploitation-part-7-bypassing-aslr-and-nx/) - 8ksec
410 | * [ARM64 Reversing and Exploitation - Part 8: Exploiting An Integer Overflow Vulnerability](
411 | https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/) - 8ksec
412 | * [ARM64 Reversing and Exploitation - Part 9 :Exploiting An Off By One Overflow Vulnerability](
413 | https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/) - 8ksec
414 | * [ARM64 Reversing and Exploitation - Part 10: Intro To Arm Memory Tagging Extension (MTE)](
415 | https://8ksec.io/arm64-reversing-and-exploitation-part-10-intro-to-arm-memory-tagging-extension-mte/) - 8ksec
416 | 
417 | ## Resources
418 | 
419 | * [ARM Architecture Reference Manual](http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.subset.architecture.reference/index.html)
420 | * [Online ARM Assembler](https://azm.azerialabs.com/)
421 | * [ARM TEE Reversing and Exploitation](https://github.com/enovella/TEE-reversing)
422 | 
423 | ## CTF / Training Binaries
424 | 
425 | * [Exploit Me](https://github.com/bkerler/exploit_me)
426 | * [Exploit Challenges](https://github.com/Billy-Ellis/Exploit-Challenges)
427 | * [Azeria ARM Lab](https://azeria-labs.com/emulate-raspberry-pi-with-qemu/)
428 | 
429 | ##  `Books `
430 | 
431 | * [Practical Reverse Engineering](https://www.wiley.com/en-us/Practical+Reverse+Engineering%3A+x86%2C+x64%2C+ARM%2C+Windows+Kernel%2C+Reversing+Tools%2C+and+Obfuscation-p-9781118787311) (Chapter 2) - Bruce Dang, Alexandre Gazet and Elias Bachalany
432 | * [Beginners Guide to Exploitation on ARM](https://zygosec.com/book.html) - Volumes 1 & 2 - Billy Ellis
433 | * [ARM Assembly Language: Fundamentals & Techniques](https://www.amazon.co.uk/ARM-Assembly-Language-Fundamentals-Techniques/dp/1439806101) - William Hohl
434 | 
435 | ##  `Other Tools `
436 | 
437 | * [Ropper](https://github.com/sashs/Ropper)
438 | 
439 | ##  `Courses `
440 | 
441 | * [Azeria ARM Training](https://training.azeria-labs.com/)
442 | * [Pentest Academy ARM Assembly](https://www.pentesteracademy.com/course?id=46)
443 | * [Pentest Academy Reverse Engineering for ARM Platforms](https://www.pentesteracademy.com/course?id=49)
444 | * [IHackArm Offensive ARM Exploitation](https://ihackarm.com/)
445 | 
446 | ##  `Related Awesome Lists `
447 | 
448 | * [Cybersecurity Android Security](https://github.com/paulveillard/cybersecurity-android-security)
449 | * [Awesome iOS Security](https://github.com/ashishb/osx-and-ios-security-awesome)
450 | * [Awesome IoT Hacks](https://github.com/nebgnahz/awesome-iot-hacks)
451 | * [Awesome Exploit Development](https://github.com/FabioBaroni/awesome-exploit-development)
452 | 
453 | 
454 | 
455 | ## [↑](#advanced-arm) Browser
456 | * [Beginners guide to UAT exploits IE 0day exploit development](https://0xicf.wordpress.com/2012/11/18/beginners-guide-to-use-after-free-exploits-ie-0-day-exploit-development/)
457 | * [Fuzzy Security - Spraying the Heap [Chapter 1: Vanilla EIP] – Putting Needles in the Haystack](https://www.fuzzysecurity.com/tutorials/expDev/8.html)
458 | * [Fuzzy Security - Spraying the Heap [Chapter 2: Use-After-Free] – Finding a needle in a Haystack](https://www.fuzzysecurity.com/tutorials/expDev/11.html)
459 | * [Anatomy of an exploit – inside the CVE-2013-3893 Internet Explorer zero-day – Part 1](https://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/)
460 | * [Using the JIT Vulnerability to Pwn Microsoft Edge](http://i.blackhat.com/asia-19/Fri-March-29/bh-asia-Li-Using-the-JIT-Vulnerability-to-Pwning-Microsoft-Edge.pdf)
461 | * [Post-mortem Analysis of a Use-After-Free Vulnerability (CVE-2011-1260)](http://www.exploit-monday.com/2011/07/post-mortem-analysis-of-use-after-free_07.html)
462 | * [Advanced Heapspraying Technique](https://www.owasp.org/images/0/01/OWASL_IL_2010_Jan_-_Moshe_Ben_Abu_-_Advanced_Heapspray.pdf)
463 | * [HeapSpray Aurora Vulnerability](http://www.thegreycorner.com/2010/01/heap-spray-exploit-tutorial-internet.html)
464 | * [Microsoft Edge Chakra JIT Type Confusion CVE-2019-0539](https://perception-point.io/resources/research/cve-2019-0539-exploitation/)
465 | * [CVE-2019-0539 Root Cause Analysis](https://perception-point.io/resources/research/cve-2019-0539-root-cause-analysis/)
466 | * [attacking javascript engines](http://www.phrack.org/papers/attacking_javascript_engines.html)
467 | * [Learning browser exploitation via 33C3 CTF  feuerfuchs challenge](https://bruce30262.github.io/Learning-browser-exploitation-via-33C3-CTF-feuerfuchs-challenge/)
468 | * [A Methodical Approach to Browser Exploitation](https://blog.ret2.io/2018/06/05/pwn2own-2018-exploit-development/)
469 | * [Reducing target scope within JSC, building a JavaScript fuzzer](https://blog.ret2.io/2018/06/13/pwn2own-2018-vulnerability-discovery/)
470 | * [Performing root-cause analysis of a JSC vulnerability](https://blog.ret2.io/2018/06/19/pwn2own-2018-root-cause-analysis/)
471 | * [Weaponizing a JSC vulnerability for single-click RCE](https://blog.ret2.io/2018/07/11/pwn2own-2018-jsc-exploit/)
472 | * [Evaluating the Safari sandbox, and fuzzing WindowServer on MacOS](https://blog.ret2.io/2018/07/25/pwn2own-2018-safari-sandbox/)
473 | * [Weaponizing a Safari sandbox escape](https://blog.ret2.io/2018/08/28/pwn2own-2018-sandbox-escape/)
474 | * [Microsoft Edge MemGC Internals](https://hitcon.org/2015/CMT/download/day2-h-r1.pdf)
475 | * [The ECMA and the Chakra](http://conference.hitb.org/hitbsecconf2017ams/materials/CLOSING%20KEYNOTE%20-%20Natalie%20Silvanovich%20-%20The%20ECMA%20and%20The%20Chakra.pdf)
476 | * [Memory Corruption Exploitation In Internet Explorer](https://www.syscan360.org/slides/2012_ZH_MemoryCorruptionExploitationInInternetExplorer_MotiJoseph.pdf)
477 | * [IE 0day Analysis And Exploit](http://vdisk.weibo.com/s/dC_SSJ6Fvb71i)
478 | * [Write Once, Pwn Anywhere](https://www.blackhat.com/docs/us-14/materials/us-14-Yu-Write-Once-Pwn-Anywhere.pdf)
479 | * [The Art of Leaks: The Return of Heap Feng Shui](https://cansecwest.com/slides/2014/The%20Art%20of%20Leaks%20-%20read%20version%20-%20Yoyo.pdf)
480 | * [IE 11 0day & Windows 8.1 Exploit](https://github.com/exp-sky/HitCon-2014-IE-11-0day-Windows-8.1-Exploit/blob/master/IE%2011%200day%20%26%20Windows%208.1%20Exploit.pdf)
481 | * [IE11 Sandbox Escapes Presentation](https://www.blackhat.com/docs/us-14/materials/us-14-Forshaw-Digging-For_IE11-Sandbox-Escapes.pdf)
482 | * [Spartan 0day & Exploit](https://github.com/exp-sky/HitCon-2015-spartan-0day-exploit)
483 | * [Look Mom, I don't use Shellcode](https://www.syscan360.org/slides/2016_SH_Moritz_Jodeit_Look_Mom_I_Dont_Use_Shellcode.pdf)
484 | * [Windows 10 x64 edge 0day and exploit](https://github.com/exp-sky/HitCon-2016-Windows-10-x64-edge-0day-and-exploit/blob/master/Windows%2010%20x64%20edge%200day%20and%20exploit.pdf)
485 | * [1-Day Browser & Kernel Exploitation](http://powerofcommunity.net/poc2017/andrew.pdf)
486 | * [The Secret of ChakraCore: 10 Ways to Go Beyond the Edge](http://conference.hitb.org/hitbsecconf2017ams/materials/D1T2%20-%20Linan%20Hao%20and%20Long%20Liu%20-%20The%20Secret%20of%20ChakraCore.pdf)
487 | * [From Out of Memory to Remote Code Execution](https://speakerd.s3.amazonaws.com/presentations/c0a3e7bc0dca407cbafb465828ff204a/From_Out_of_Memory_to_Remote_Code_Execution_Yuki_Chen_PacSec2017_final.pdf)
488 | * [Attacking WebKit Applications by exploiting memory corruption bugs](https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf)
489 | * [CVE-2018-5129: Out-of-bounds write with malformed IPC messages](https://infinite.loopsec.com.au/cve-2018-5129-how-i-found-my-first-cve)
490 | * [it-sec catalog browser exploitation chapter](https://www.it-sec-catalog.info/browser_exploitation.html)
491 | * [ZDI-18-428: An MsEdge InfoLeak Story](https://rce.wtf/2018/12/12/ZDI-18-428-An-MsEdge-InfoLeak-Story.html)
492 | * [AsiaSecWest-2018-Chakra-vulnerability-and-exploit-bypass-all-system-mitigation](https://github.com/exp-sky/AsiaSecWest-2018-Chakra-vulnerability-and-exploit-bypass-all-system-mitigation/blob/master/Chakra%20vulnerability%20and%20exploit%20bypass%20all%20system%20mitigation.pdf)
493 | * [IE 0day Analysis And Exploit](https://github.com/exp-sky/XKungFoo-2013/blob/master/IE%200day%20Analysis%20And%20Exploit.pdf)
494 | * [Attacking Client-Side JIT Compilers v2](https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf)
495 | * [The Return of the JIT Part 1](https://rh0dev.github.io/blog/2017/the-return-of-the-jit/)
496 | * [The Return of the JIT Part 2](https://rh0dev.github.io/blog/2017/the-return-of-the-jit-part-2/)
497 | * [Using the JIT vulnerability to Pwning Microsoft Edge](https://i.blackhat.com/asia-19/Fri-March-29/bh-asia-Li-Using-the-JIT-Vulnerability-to-Pwning-Microsoft-Edge.pdf)
498 | * [From Assembly to JavaScript and Back](https://gsec.hitb.org/materials/sg2018/D1%20-%20Turning%20Memory%20Errors%20into%20Code%20Execution%20with%20Client-Side%20Compilers%20-%20Robert%20Gawlik.pdf)
499 | * [Exploiting CVE-2020-0041 - Part 1: Escaping the Chrome Sandbox](https://labs.bluefrostsecurity.de/blog/2020/03/31/cve-2020-0041-part-1-sandbox-escape/)
500 | * [Exploiting CVE-2020-0041 - Part 2: Escalating to root](https://labs.bluefrostsecurity.de/blog/2020/04/08/cve-2020-0041-part-2-escalating-to-root/)
501 | 
502 | ## [↑](#table-of-contents) Mitigation Bypass
503 | * [Disarming EMET v5.0](https://www.offensive-security.com/vulndev/disarming-emet-v5-0/)
504 | * [Disarming and Bypassing EMET 5.1](https://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/)
505 | * [Universal DEP/ASLR bypass with msvcr71.dll and mona.py](https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/)
506 | * [Chaining DEP with ROP – the Rubik’s[TM] Cube](https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/)
507 | * [Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR](https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/)
508 | * [Development of a new Windows 10 KASLR Bypass (in One WinDBG Command)](https://www.offensive-security.com/vulndev/development-of-a-new-windows-10-kaslr-bypass-in-one-windbg-command/)
509 | * [Disarming Enhanced Mitigation Experience Toolkit (EMET)](https://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/)
510 | * [Simple EMET EAF bypass](http://casual-scrutiny.blogspot.com/2015/01/simple-emet-eaf-bypass.html)
511 | * [Exploit Dev 101: Bypassing ASLR on Windows](https://www.abatchy.com/2017/06/exploit-dev-101-bypassing-aslr-on.html)
512 | * [Bypassing Control Flow Guard in Windows 10](https://improsec.com/tech-blog/bypassing-control-flow-guard-in-windows-10)
513 | * [Bypassing Control Flow Guard in Windows 10 - Part II](https://improsec.com/tech-blog/bypassing-control-flow-guard-on-windows-10-part-ii)
514 | * [BYPASS CONTROL FLOW GUARD COMPREHENSIVELY](https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf)
515 | * [CROSS THE WALL-BYPASS ALL MODERN MITIGATIONS OF MICROSOFT EDGE](https://www.blackhat.com/docs/asia-17/materials/asia-17-Li-Cross-The-Wall-Bypass-All-Modern-Mitigations-Of-Microsoft-Edge.pdf)
516 | * [How to find the vulnerability to bypass the Control Flow Guard](https://cansecwest.com/slides/2017/CSW2017_HenryLi_How_to_find_the_vulnerability_to_bypass_the_ControlFlowGuard.pdf)
517 | * [Bypassing Memory Mitigation Using Data-Only Exploitation Technique](https://conference.hitb.org/hitbsecconf2017ams/materials/D2T1%20-%20Bing%20Sun%20and%20Chong%20Xu%20-%20Bypassing%20Memory%20Mitigation%20Using%20Data-Only%20Exploitation%20Techniques.pdf)
518 | * [CHAKRA JIT CFG BYPASS](https://theori.io/research/chakra-jit-cfg-bypass)
519 | * [SMEP: What is it, and how to beat it on Windows](https://j00ru.vexillium.org/2011/06/smep-what-is-it-and-how-to-beat-it-on-windows/)
520 | * [ROP for SMEP bypass](https://rce.wtf/2017/09/24/P4wning-the-windows-kernel-with-ROP.html)
521 | * [Smashing The Browser](https://github.com/demi6od/Smashing_The_Browser)
522 | * [Browser security mitigations against memory corruption vulnerabilities](https://docs.google.com/document/d/19dspgrz35VoJwdWOboENZvccTSGudjQ_p8J4OPsYztM/edit)
523 | 
524 | 
525 | ## [↑](#table-of-contents) Kernel
526 | * [Windows Kernel Pool Spraying](http://trackwatch.com/windows-kernel-pool-spraying/)
527 | * [Windows Kernel Exploitation Basics - Part 1 : Introduction to DVWDDriver](http://poppopret.blogspot.com/2011/06/windows-kernel-exploitation-part-1.html)
528 | * [Windows Kernel Exploitation Basics - Part 2 : Arbitrary Memory Overwrite exploitation using HalDispatchTable](http://poppopret.blogspot.com/2011/07/windows-kernel-exploitation-basics-part.html)
529 | * [Windows Kernel Exploitation Basics - Part 3 : Arbitrary Memory Overwrite exploitation using LDT](http://poppopret.blogspot.com/2011/07/windows-kernel-exploitation-basics-part_2423.html)
530 | * [Windows Kernel Exploitation Basics - Part 4 : Stack-based Buffer Overflow exploitation (bypassing cookie)](http://poppopret.blogspot.com/2011/07/windows-kernel-exploitation-basics-part_16.html)
531 | * [Arbitrary Write primitive in Windows kernel (HEVD)](https://blahcat.github.io/2017/08/31/arbitrary-write-primitive-in-windows-kernel-hevd/)
532 | * [MS11-080 Exploit – A Voyage into Ring Zero](https://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/)
533 | * [Windows kernel pool spraying fun - Part 1 - Determine kernel object size](https://theevilbit.blogspot.com/2017/09/pool-spraying-fun-part-1.html)
534 | * [Windows kernel pool spraying fun - Part 2 - More objects](https://theevilbit.blogspot.com/2017/09/windows-kernel-pool-spraying-fun-part-2.html)
535 | * [Windows kernel pool spraying fun - Part 3 - Let's make holes](https://theevilbit.blogspot.com/2017/09/windows-kernel-pool-spraying-fun-part-3.html)
536 | * [Fuzzy Security - Kernel Exploitation -> Stack Overflow](https://www.fuzzysecurity.com/tutorials/expDev/14.html)
537 | * [Fuzzy Security - Kernel Exploitation -> Write-What-Where](https://www.fuzzysecurity.com/tutorials/expDev/15.html)
538 | * [Fuzzy Security - Kernel Exploitation -> Null Pointer Dereference](https://www.fuzzysecurity.com/tutorials/expDev/16.html)
539 | * [Fuzzy Security - Kernel Exploitation -> Uninitialized Stack Variable](https://www.fuzzysecurity.com/tutorials/expDev/17.html)
540 | * [Fuzzy Security - Kernel Exploitation -> Integer Overflow](https://www.fuzzysecurity.com/tutorials/expDev/18.html)
541 | * [Fuzzy Security - Kernel Exploitation -> UAF](https://www.fuzzysecurity.com/tutorials/expDev/19.html)
542 | * [Fuzzy Security - Kernel Exploitation -> Pool Overflow](https://www.fuzzysecurity.com/tutorials/expDev/20.html)
543 | * [Fuzzy Security - Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)](https://www.fuzzysecurity.com/tutorials/expDev/21.html)
544 | * [Fuzzy Security - Kernel Exploitation -> RS2 Bitmap Necromancy](https://www.fuzzysecurity.com/tutorials/expDev/22.html)
545 | * [Fuzzy Security - Kernel Exploitation -> Logic bugs in Razer rzpnk.sys](https://www.fuzzysecurity.com/tutorials/expDev/23.html)
546 | * [Intro to Windows kernel exploitation 1/N: Kernel Debugging](https://www.whitehatters.academy/intro-to-kernel-exploitation-part-1/)
547 | * [Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-2-windows-drivers/)
548 | * [Intro to Windows kernel exploitation 3/N: My first Driver exploit](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-3-my-first-driver-exploit/)
549 | * [Intro to Windows kernel exploitation 3.5/N: A bit more of the HackSys Driver](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-more-of-the-hacksys-driver/)
550 | * [Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool](https://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html)
551 | * [Windows Kernel Exploitation Tutorial Part 1: Setting up the Environment](https://rootkits.xyz/blog/2017/06/kernel-setting-up/)
552 | * [Windows Kernel Exploitation Tutorial Part 2: Stack Overflow](https://rootkits.xyz/blog/2017/08/kernel-stack-overflow/)
553 | * [Windows Kernel Exploitation Tutorial Part 3: Arbitrary Memory Overwrite (Write-What-Where)](https://rootkits.xyz/blog/2017/09/kernel-write-what-where/)
554 | * [Windows Kernel Exploitation Tutorial Part 4: Pool Feng-Shui –> Pool Overflow](https://rootkits.xyz/blog/2017/11/kernel-pool-overflow/)
555 | * [Windows Kernel Exploitation Tutorial Part 5: NULL Pointer Dereference](https://rootkits.xyz/blog/2018/01/kernel-null-pointer-dereference/)
556 | * [Windows Kernel Exploitation Tutorial Part 6: Uninitialized Stack Variable](https://rootkits.xyz/blog/2018/01/kernel-uninitialized-stack-variable/)
557 | * [Windows Kernel Exploitation Tutorial Part 7: Uninitialized Heap Variable](https://rootkits.xyz/blog/2018/03/kernel-uninitialized-heap-variable/)
558 | * [Windows Kernel Exploitation Tutorial Part 8: Use After Free](https://rootkits.xyz/blog/2018/04/kernel-use-after-free/)
559 | * [Corelan Team (corelanc0d3r) Heap Spraying Demystified](https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/)
560 | * [abatchy Kernel Exploitation 1: Setting up the environment](https://www.abatchy.com/2018/01/kernel-exploitation-1)
561 | * [abatchy Kernel Exploitation 2: Payloads](https://www.abatchy.com/2018/01/kernel-exploitation-2)
562 | * [abatchy Kernel Exploitation 3: Stack Buffer Overflow (Windows 7 x86/x64)](https://www.abatchy.com/2018/01/kernel-exploitation-3)
563 | * [abatchy Kernel Exploitation 4: Stack Buffer Overflow (SMEP Bypass)](https://www.abatchy.com/2018/01/kernel-exploitation-4)
564 | * [abatchy Kernel Exploitation 5: Integer Overflow](https://www.abatchy.com/2018/01/kernel-exploitation-5)
565 | * [abatchy Kernel Exploitation 6: NULL pointer dereference](https://www.abatchy.com/2018/01/kernel-exploitation-6)
566 | * [abatchy Kernel Exploitation 7: Arbitrary Overwrite (Win7 x86)](https://www.abatchy.com/2018/01/kernel-exploitation-7)
567 | * [Kernel Hacking With HEVD Part 1 - The Setup](https://sizzop.github.io/2016/07/05/kernel-hacking-with-hevd-part-1.html)
568 | * [Kernel Hacking With HEVD Part 2 - The Bug](https://sizzop.github.io/2016/07/06/kernel-hacking-with-hevd-part-2.html)
569 | * [Kernel Hacking With HEVD Part 3 - The Shellcode](https://sizzop.github.io/2016/07/07/kernel-hacking-with-hevd-part-3.html)
570 | * [Kernel Hacking With HEVD Part 4 - The Exploit](https://sizzop.github.io/2016/07/08/kernel-hacking-with-hevd-part-4.html)
571 | * [Kernel Hacking With HEVD Part 5 - The SMEP Version](https://sizzop.github.io/2016/09/13/kernel-hacking-with-hevd-part-5.html)
572 | * [The Path to Ring-0 Windows Edition](https://insomniasec.com/downloads/publications/The%20Path%20To%20Ring-0.pdf)
573 | * [DIRECTX TO THE KERNEL](https://www.zerodayinitiative.com/blog/2018/12/4/directx-to-the-kernel)
574 | * [Windows Kernel Graphics Driver Attack Surface](https://www.blackhat.com/docs/us-14/materials/us-14-vanSprundel-Windows-Kernel-Graphics-Driver-Attack-Surface.pdf)
575 | * [Root Cause of the Kernel Privilege Escalation Vulnerabilities CVE-2019-0808](http://blogs.360.cn/post/RootCause_CVE-2019-0808_EN.html)
576 | * [Kernel Pool Overflow Exploitation In Real World – Windows 10](http://trackwatch.com/kernel-pool-overflow-exploitation-in-real-world-windows-10/)
577 | * [Kernel Pool Overflow Exploitation In Real World – Windows 7](http://trackwatch.com/kernel-pool-overflow-exploitation-in-real-world-windows-7/)
578 | * [Windows Kernel Exploitation - Exploiting HEVD x64 Use-After-Free using Generic Non-Paged Pool Feng-Shui](https://securityinsecurity.github.io/exploiting-hevd-use-after-free/)
579 | * [Windows Kernel Exploitation Part 1: Stack Buffer Overflows](https://pwnrip.com/windows-kernel-exploitation-part-1-stack-buffer-overflows/)
580 | * [Windows Kernel Exploitation Part 2: Type Confusion](https://pwnrip.com/windows-kernel-exploitation-part-2-type-confusion/)
581 | * [Windows Kernel Exploitation Part 3: Integer Overflow](https://pwnrip.com/windows-kernel-exploitation-part-3-integer-overflow/)
582 | 
583 | ## [↑](#table-of-contents) Misc
584 | * [Root Cause Analysis – Memory Corruption Vulnerabilities](https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/)
585 | * [Windows 10 x86/wow64 Userland heap](https://www.corelan.be/index.php/2016/07/05/windows-10-x86wow64-userland-heap/)
586 | 
587 | 
588 | **[`^        back to top        ^`](#)**
589 | 
590 | 
591 | ##  `License `
592 | MIT License & [cc](https://creativecommons.org/licenses/by/4.0/) license
593 | 
594 | <a rel="license" href="http://creativecommons.org/licenses/by/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by/4.0/88x31.png" /></a><br />This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International License</a>.
595 | 
596 | To the extent possible under law, [Paul Veillard](https://github.com/paulveillard/) has waived all copyright and related or neighboring rights to this work.
597 | Just follow the [guidelines](/CONTRIBUTING.MD). Thank you!
598 | 
599 | 


--------------------------------------------------------------------------------
/img/exploits-vulnerability.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/paulveillard/cybersecurity-windows-exploitation/3cf2327bee3cb5b600e6c705c4e467c45dc55ca5/img/exploits-vulnerability.png


--------------------------------------------------------------------------------