{"id":13782474,"url":"https://github.com/dhn/OSEE","last_synced_at":"2025-05-11T15:32:32.289Z","repository":{"id":149712903,"uuid":"142921077","full_name":"dhn/OSEE","owner":"dhn","description":"Collection of resources for my preparation to take the OSEE certification.","archived":false,"fork":false,"pushed_at":"2020-09-09T19:12:34.000Z","size":41,"stargazers_count":218,"open_issues_count":0,"forks_count":55,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-11-17T17:43:19.753Z","etag":null,"topics":["expert","exploitation","exploits","hevd","kernel","offensive-security","osee","preparation","resources"],"latest_commit_sha":null,"homepage":"https://zer0-day.pw","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dhn.png","metadata":{"files":{"readme":"README.org","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-07-30T19:47:32.000Z","updated_at":"2024-11-17T08:56:15.000Z","dependencies_parsed_at":"2023-06-29T13:30:42.603Z","dependency_job_id":null,"html_url":"https://github.com/dhn/OSEE","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhn%2FOSEE","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhn%2FOSEE/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhn%2FOSEE/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhn%2FOSEE/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dhn","download_url":"https://codeload.github.com/dhn/OSEE/tar.g
z/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253588746,"owners_count":21932316,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["expert","exploitation","exploits","hevd","kernel","offensive-security","osee","preparation","resources"],"created_at":"2024-08-03T18:01:37.677Z","updated_at":"2025-05-11T15:32:32.008Z","avatar_url":"https://github.com/dhn.png","language":"Python","readme":"#+TITLE:     Resources\n\nCollection of resources for my preparation to take the OSEE certification.\nBased on the [[https://www.offensive-security.com/documentation/advanced-windows-exploitation.pdf][syllabus]] from Offensive Security.\nMy review can be found [[https://zer0-day.pw/2020-01/offsec-says-try-harder-or-how-to-become-an-osee/][here]].\n\n** Browser Exploitation\n*** Safari/Chrome/Webkit\n    + [[https://phoenhex.re/2018-09-26/safari-array-concat][Exploiting a Safari information leak]] by Bruno Keith\n    + [[https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf][Attacking Client-Side JIT Compilers]] by Samuel Groß\n    + [[http://phrack.org/papers/jit_exploitation.html][Exploiting Logic Bugs in JavaScript JIT Engines]] by Samuel Groß\n** Bypass and Sandbox Escape\n*** Data Execution Prevention (DEP)\n**** Tutorials\n    + [[https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/][Exploit writing tutorial part 10 : Chaining DEP with ROP]] by Corelan\n    + 
[[https://0x00sec.org/t/bypass-data-execution-protection-dep/6988][Bypass Data Execution Protection (DEP)]] by Sk0xic\n    + [[https://0x00sec.org/t/exploit-mitigation-techniques-data-execution-prevention-dep/4634][Exploit Mitigation Techniques - Data Execution Prevention (DEP)]] by ricksanchez\n*** Supervisor Mode Execution Prevention (SMEP)\n    + [[https://www.coresecurity.com/system/files/publications/2019/03/Windows%20SMEP%20bypass%20U%3DS.pdf][Windows SMEP bypass: U=S]] by Nicolas Economou \u0026 Enrique Nissim\n    + [[https://www.abatchy.com/2018/01/kernel-exploitation-4][Kernel Exploitation 4: Stack Buffer Overflow (SMEP Bypass)]] by Mohamed Shahat\n    + [[https://salls.github.io/Linux-Kernel-CVE-2017-5123/][Exploiting CVE-2017-5123 with full protections. SMEP, SMAP, and the Chrome Sandbox!]] by Chris Salls\n    + [[https://rce.wtf/2017/09/24/P4wning-the-windows-kernel-with-ROP.html][ROP: Pwn the Windows Kernel with return oriented programming]] by akayn\n*** Enhanced Mitigation Experience Toolkit (EMET)\n**** Papers/Slides/Blogs \n    + [[https://www.offensive-security.com/vulndev/disarming-emet-v5-0/][Disarming EMET v5.0]] by Offensive Security\n    + [[https://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/][Disarming and Bypassing EMET 5.1]] by Offensive Security\n    + [[https://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/][Disarming Enhanced Mitigation Experience Toolkit (EMET)]] by Offensive Security\n    + [[https://www.xorlab.com/blog/2016/10/27/emet-memprot-bypass/][Bypassing EMET 5.5 MemProt using VirtualAlloc]] by Matthias Ganz\n    + [[https://www.offensive-security.com/vulndev/fldbg-a-pykd-script-to-debug-flashplayer/][Fldbg, a Pykd script to debug FlashPlayer]] by Offensive Security\n** Heap Exploitation\n*** Tutorials\n    + [[https://blog.rapid7.com/2019/06/12/heap-overflow-exploitation-on-windows-10-explained/][Heap Overflow Exploitation on Windows 10 Explained]] by Wei 
Chen\n    + [[https://www.fuzzysecurity.com/tutorials/expDev/8.html][Part 8: Spraying the Heap (Vanilla EIP)]] by FuzzySecurity\n    + [[https://www.fuzzysecurity.com/tutorials/expDev/11.html][Part 9: Spraying the Heap (Use-After-Free)]] by FuzzySecurity\n    + [[https://www.corelan.be/index.php/2013/02/19/deps-precise-heap-spray-on-firefox-and-ie10/][DEPS – Precise Heap Spray on Firefox and IE10]] by Corelan\n    + [[https://0x00sec.org/t/heap-exploitation-abusing-use-after-free/3580][Heap Exploitation ~ Abusing Use-After-Free]] by _py\n*** Heap Overflows\n    + [[http://www.fuzzysecurity.com/tutorials/mr_me/2.html][Heap Overflows For Humans 101]] by FuzzySecurity\n    + [[http://www.fuzzysecurity.com/tutorials/mr_me/3.html][Heap Overflows For Humans 102]] by FuzzySecurity\n    + [[http://www.fuzzysecurity.com/tutorials/mr_me/4.html][Heap Overflows For Humans 102.5]] by FuzzySecurity\n    + [[http://www.fuzzysecurity.com/tutorials/mr_me/5.html][Heap Overflows For Humans 103]] by FuzzySecurity\n    + [[http://www.fuzzysecurity.com/tutorials/mr_me/6.html][Heap Overflows For Humans 103.5]] by FuzzySecurity\n** Kernel Exploitation\n*** Documentation/Papers/Slides\n    + [[https://docs.microsoft.com/en-us/windows/desktop/SysInfo/kernel-objects][Kernel Objects]] by Microsoft\n    + [[https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf][Kernel Pool Exploitation on Windows 7]] by Tarjei Mandt\n** Kernel Drivers Exploitation (32-bit)\n*** Tutorials\n    + [[https://github.com/hacksysteam/HackSysExtremeVulnerableDriver][HackSys Extreme Vulnerable Windows Driver]] by Ashfaq Ansari\n    + [[https://www.abatchy.com/2018/01/kernel-exploitation-1][Kernel Exploitation 1: Setting up the environment]] by Mohamed Shahat\n    + [[http://niiconsulting.com/checkmate/2016/01/windows-kernel-exploitation/][Windows Kernel Exploitation]] by Neelu Tripathy\n    + [[https://sizzop.github.io/2016/07/05/kernel-hacking-with-hevd-part-1.html][Kernel Hacking With 
HEVD Part 1 - The Setup]] by Brian Beaudry\n    + [[https://www.fuzzysecurity.com/tutorials/expDev/14.html][Kernel Exploitation -\u003e Stack Overflow]] by FuzzySecurity\n    + [[https://www.fuzzysecurity.com/tutorials/expDev/15.html][Kernel Exploitation -\u003e Write-What-Where]] by FuzzySecurity\n    + [[https://www.fuzzysecurity.com/tutorials/expDev/16.html][Kernel Exploitation -\u003e Null Pointer Dereference]] by FuzzySecurity\n    + [[https://www.fuzzysecurity.com/tutorials/expDev/17.html][Kernel Exploitation -\u003e Uninitialized Stack Variable]] by FuzzySecurity\n    + [[https://www.fuzzysecurity.com/tutorials/expDev/18.html][Kernel Exploitation -\u003e Integer Overflow]] by FuzzySecurity\n    + [[https://www.fuzzysecurity.com/tutorials/expDev/19.html][Kernel Exploitation -\u003e UAF]] by FuzzySecurity\n    + [[https://www.fuzzysecurity.com/tutorials/expDev/20.html][Kernel Exploitation -\u003e Pool Overflow]] by FuzzySecurity\n    + [[https://www.fuzzysecurity.com/tutorials/expDev/21.html][Kernel Exploitation -\u003e GDI Bitmap Abuse (Win7-10 32/64bit)]] by FuzzySecurity\n    + [[https://www.fuzzysecurity.com/tutorials/expDev/22.html][Kernel Exploitation -\u003e RS2 Bitmap Necromancy]] by FuzzySecurity\n    + [[https://www.fuzzysecurity.com/tutorials/expDev/23.html][Kernel Exploitation -\u003e Logic bugs in Razer rzpnk.sys]] by FuzzySecurity\n    + [[https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-2-windows-drivers/][Intro to Windows kernel exploitation]] by Sam Brown\n    + [[https://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html][Mixed Object Exploitation in the Windows Kernel Pool]] by Steven Seeley\n*** Papers/Slides\n    + [[https://www.coresecurity.com/system/files/publications/2019/03/Windows%20SMEP%20bypass%20U%3DS.pdf][Windows SMEP bypass: U=S]] by Nicolas Economou \u0026 Enrique Nissim\n    + 
[[http://web.archive.org/web/20170525074304/http://trackwatch.com/windows-kernel-pool-spraying/][Windows Kernel Pool Spraying]] by Philippe\n    + [[https://insomniasec.com/downloads/publications/The%20Path%20To%20Ring-0.pdf][The Path to Ring-0 (Windows Edition)]] by Debasis Mohanty\n** Kernel Drivers Exploitation (64-bit)\n*** Articles\n    + [[https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/09/2015-08-28_-_ncc_group_-_exploiting_cve_2015_2426_-_release.pdf][Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit]] by Cedric Halbronn\n    + [[https://www.blackhat.com/docs/us-17/wednesday/us-17-Schenk-Taking-Windows-10-Kernel-Exploitation-To-The-Next-Level%E2%80%93Leveraging-Write-What-Where-Vulnerabilities-In-Creators-Update-wp.pdf][Taking Windows 10 Kernel-Exploitation To The Next Level Leveraging Write What Where Vulnerabilities In Creators Update]] by Morten Schenk\n    + [[http://mcdermottcybersecurity.com/articles/x64-kernel-privilege-escalation][x64 Kernel Privilege Escalation]] by mcdermott\n*** Tutorials\n    + [[https://blahcat.github.io/2017/08/31/arbitrary-write-primitive-in-windows-kernel-hevd/][Arbitrary Write primitive in Windows kernel (HEVD)]] by blahcat\n*** Exploits\n    + [[https://github.com/Cn33liz/HSEVD-StackOverflowX64][HackSys Extreme Vulnerable Driver - Windows 10 x64 StackOverflow Exploit with SMEP Bypass]] by Cn33liz\n    + [[https://www.exploit-db.com/exploits/41721/][CVE-2015-5736 - Fortinet FortiClient 5.2.3]] by Alexandru Uifalvi\n** Kernel ASLR Bypass\n*** Articles\n    + [[https://www.offensive-security.com/vulndev/development-of-a-new-windows-10-kaslr-bypass-in-one-windbg-command/][Development of a new Windows 10 KASLR Bypass (in One WinDBG Command)]] by Morten Schenk\n** Shellcoding\n*** Windows 10\n    + [[https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-1][Windows Kernel Shellcode on Windows 10 - Part 1]] by Morten Schenk\n    + 
[[https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-2][Windows Kernel Shellcode on Windows 10 - Part 2]] by Morten Schenk\n    + [[https://github.com/MortenSchenk/Token-Stealing-Shellcode][Token Stealing Shellcode]] by Morten Schenk\n** Misc\n*** WinDbg\n    + [[http://windbg.info/doc/1-common-cmds.html][Common WinDbg Commands]] by Robert Kuster\n    + [[https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/][Debugging Tools for Windows]] by Microsoft\n    + [[https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windows-debugging][Getting Started with Windows Debugging]] by Microsoft\n    + [[https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debug-universal-drivers---step-by-step-lab--echo-kernel-mode-][Debug Universal Drivers - Step by Step Lab]] by Microsoft\n    + [[https://briolidz.wordpress.com/2013/11/17/windbg-some-debugging-commands/][WinDbg: Some debugging commands]] by Kamel Messaoudi\n    + [[https://web.archive.org/web/20170803175807/http://expdev-kiuhnm.rhcloud.com:80/2015/05/17/windbg/][WinDbg]] by Exploit Development Community\n*** Tutorials\n    + [[https://rayanfam.com/topics/pykd-tutorial-part1/][PyKD Tutorial – part 1]] by Sinaei\n** Books\n   + [[https://beginners.re/][Reverse Engineering for Beginners]] by Dennis Yurichev\n   + [[https://www.amazon.com/Advanced-Windows-Debugging-Mario-Hewardt/dp/0321374460/?_encoding=UTF8\u0026camp=1789\u0026creative=9325\u0026linkCode=ur2\u0026tag=theethhacne0c-20][Advanced Windows Debugging]] by Mario Hewardt\n   + [[https://www.amazon.com/Windows-Internals-Part-Covering-Server%C2%AE/dp/0735648735/?_encoding=UTF8\u0026camp=1789\u0026creative=9325\u0026linkCode=ur2\u0026tag=theethhacne0c-20][Windows Internals, Part 1]] by Mark E. 
Russinovich\n   + [[http://www.amazon.com/Windows-Internals-Part-Covering-Server%C2%AE/dp/0735665877/?_encoding=UTF8\u0026camp=1789\u0026creative=9325\u0026linkCode=ur2\u0026tag=theethhacne0c-20][Windows Internals, Part 2]] by Mark E. Russinovich\n   + [[https://www.amazon.com/The-IDA-Pro-Book-Disassembler/dp/1593272898/?_encoding=UTF8\u0026camp=1789\u0026creative=9325\u0026linkCode=ur2\u0026tag=theethhacne0c-20][The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler]] by Chris Eagle\n","funding_links":[],"categories":["Github resources"],"sub_categories":["Posts from Hacker101 members on how to get started hacking"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdhn%2FOSEE","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdhn%2FOSEE","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdhn%2FOSEE/lists"}