{"id":22704184,"url":"https://github.com/ayoubfaouzi/windows-exploitation","last_synced_at":"2025-10-19T22:18:38.321Z","repository":{"id":51739472,"uuid":"150267584","full_name":"ayoubfaouzi/windows-exploitation","owner":"ayoubfaouzi","description":"My notes while studying Windows exploitation","archived":false,"fork":false,"pushed_at":"2023-07-25T22:12:48.000Z","size":6410,"stargazers_count":188,"open_issues_count":0,"forks_count":37,"subscribers_count":14,"default_branch":"master","last_synced_at":"2025-07-11T12:56:54.960Z","etag":null,"topics":["windows-exploitation"],"latest_commit_sha":null,"homepage":null,"language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ayoubfaouzi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-09-25T13:13:20.000Z","updated_at":"2025-04-26T00:12:22.000Z","dependencies_parsed_at":"2024-11-24T06:00:07.166Z","dependency_job_id":"5237f9f4-6622-4d15-81c2-864fe58fbe36","html_url":"https://github.com/ayoubfaouzi/windows-exploitation","commit_stats":null,"previous_names":["ayoubfaouzi/windows-exploitation"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ayoubfaouzi/windows-exploitation","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ayoubfaouzi%2Fwindows-exploitation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ayoubfaouzi%2Fwindows-exploitation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ayoubfaouzi%2Fwindows-exploitation/releases","manifests_url":"https://repos.ecosyste.m
s/api/v1/hosts/GitHub/repositories/ayoubfaouzi%2Fwindows-exploitation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ayoubfaouzi","download_url":"https://codeload.github.com/ayoubfaouzi/windows-exploitation/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ayoubfaouzi%2Fwindows-exploitation/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265218709,"owners_count":23729526,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["windows-exploitation"],"created_at":"2024-12-10T08:14:18.090Z","updated_at":"2025-10-19T22:18:33.275Z","avatar_url":"https://github.com/ayoubfaouzi.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Windows exploitation\r\n\r\n## Types of Bugs\r\n\r\n## Uninitialized Stack Variable\r\n\r\n- References a local variable or buffer, which wasn’t previously properly initialized.\r\n- Usually mitigated by compiler warnings/errors, informing about potential security flaws present in the source code.\r\n- Challenge: how can one control the trash bytes present on the ring-0 stack, from within a ring-3 perspective?\r\n- How to exploit:\r\n  - Find the kernel stack init address: `!thread`.\r\n  - Find the offset of our callback from this init address\r\n  - Spray the Kernel Stack with User controlled input from the user mode using **NtMapUserPhysicalPages** trick.\r\n\r\n## Null-Pointer Dereference\r\n\r\n- Happens when the value of the pointer is NULL, and is used by the application to point to a valid memory 
area.\r\n- How to exploit:\r\n  - Map the NULL page in user space.\r\n  - Place a fake data structure in it which will cause our shellcode to be executed.\r\n  - Trigger the dereference bug.\r\n\r\n## Symbolic links\r\n\r\n- Leverages two fundamental concepts in Windows:\r\n  - Object Manager symbolic links.\r\n  - NTFS junctions/mount points.\r\n- Requirements for exploitation:\r\n  - A highly privileged process writing to user-controlled files or directories: `C:\\PownMe\\Link.ex`.\r\n  - Read permission on the referenced directory `C:\\Windows\\System32\\sysprep\\` and write permission on the directory where the junction will be stored: `C:\\PownMe`.\r\n  - The directory where the junction will be stored (`C:\\PownMe`) must be empty before the reparse point is defined.\r\n- How to find them:\r\n  - Launch Process Monitor and filter by the process you are targeting.\r\n  - Look for `CreateFile` operations performed by the **SYSTEM** process.\r\n  - Then check whether the target directory grants the required access to the `everyone` group or to your username.\r\n\r\n## Payloads\r\n\r\n### Token Stealing Payload\r\n\r\n- The general algorithm for the **token stealing** shellcode is:\r\n  - Save the driver's registers so we can restore them later and avoid crashing it.\r\n  - Find the \\_KPRCB struct by looking in the fs segment register.\r\n  - Find the \\_KTHREAD structure corresponding to the current thread by indexing into \\_KPRCB.\r\n  - Find the \\_EPROCESS structure corresponding to the current process by indexing into \\_KTHREAD.\r\n  - Look for the \\_EPROCESS structure corresponding to the process with PID=4 (UniqueProcessId = 4) by walking the doubly linked list of all \\_EPROCESS structures that the \\_EPROCESS structure contains a reference to; this is the \"System\" process, whose SID (Security Identifier) is always the NT AUTHORITY\\SYSTEM SID.\r\n  - Retrieve the address of the Token of that process.\r\n  - Look for the \\_EPROCESS structure corresponding to the process we want to escalate (our process).\r\n  - Replace the Token of the target process with the Token of the \"System\" process.\r\n  - Clean up our stack and restore our registers before returning.\r\n\r\n## Mitigations\r\n\r\n### SMEP (Supervisor Mode Execution Prevention)\r\n\r\n- Introduced in 2011 in Intel processors based on the Ivy Bridge architecture and enabled by default since Windows 8.0.\r\n- SMEP prevents code that lies in user-mode pages from being executed with Ring-0 privileges; any attempt results in a crash. This prevents EoP exploits that rely on executing a user-mode payload from ever running it.\r\n- The SMEP bit is bit 20 of the CR4 register.\r\n- SMEP's goal is to block kernel exploits which:\r\n  - Prepare shellcode in user memory.\r\n  - Redirect execution to the prepared payload by exploiting a kernel/driver security flaw.\r\n\r\n### SMEP Bypass\r\n\r\n- Craft a ROP chain to disable SMEP (not possible with Windows 10 VBS).\r\n- Modify nt!MmUserProbeAddress.\r\n- Windows Reserve Objects.\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fayoubfaouzi%2Fwindows-exploitation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fayoubfaouzi%2Fwindows-exploitation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fayoubfaouzi%2Fwindows-exploitation/lists"}