{"id":22559878,"url":"https://github.com/paulveillard/cybersecurity-windows-exploitation","last_synced_at":"2025-04-10T09:27:33.175Z","repository":{"id":109659082,"uuid":"442265373","full_name":"paulveillard/cybersecurity-windows-exploitation","owner":"paulveillard","description":"A collection of awesome software, libraries, learning tutorials, documents and books, awesome resources and cool stuff about ARM and Windows Exploitation.","archived":false,"fork":false,"pushed_at":"2024-01-06T12:33:33.000Z","size":416,"stargazers_count":42,"open_issues_count":0,"forks_count":12,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-24T08:21:16.713Z","etag":null,"topics":["arm-templates","arm64","cybersecurity-search-engine","executable","exploitation-framework","kernel-methods","kernel-module","windows","windows-exploitation","windows-security","x86","x86-kernel"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/paulveillard.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2021-12-27T20:24:01.000Z","updated_at":"2025-03-12T20:55:01.000Z","dependencies_parsed_at":"2023-04-08T05:31:32.664Z","dependency_job_id":null,"html_url":"https://github.com/paulveillard/cybersecurity-windows-exploitation","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paulveillard%2Fcybersecurity-windows-exploitation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paulveillard%2Fcybersecurity-windows-exploitation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paulveillard%2Fcybersecurity-windows-exploitation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paulveillard%2Fcybersecurity-windows-exploitation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/paulveillard","download_url":"https://codeload.github.com/paulveillard/cybersecurity-windows-exploitation/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248191018,"owners_count":21062406,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arm-templates","arm64","cybersecurity-search-engine","executable","exploitation-framework","kernel-methods","kernel-module","windows","windows-exploitation","windows-security","x86","x86-kernel"],"created_at":"2024-12-07T21:09:54.454Z","updated_at":"2025-04-10T09:27:33.149Z","avatar_url":"https://github.com/paulveillard.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Windows or ARM Exploitation\n\n\u003e A collection of awesome software, libraries, learning tutorials, documents and books, awesome resources and cool stuff about ARM and Windows Exploitation.\n\n\n##  `What are exploits? `\n\n[Exploits](https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/exploits-malware) take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security safeguards to infect your device.\n\n![exploits](https://github.com/paulveillard/cybersecurity-windows-exploitation/blob/main/img/exploits-vulnerability.png)\n\n###  `Table of Contents `\n- [Windows stack overflows](#windows_stack_overflows)\n- [Windows heap overflows](#windows_heap_overflows)\n- [Kernel based Windows overflows](#kernel_based_Windows_overflows)\n- [Windows Kernel Memory Corruption](#windows_kernel_memory_corruption)\n- [Return Oriented Programming](#Return_oriented_programming)\n- [Windows memory protections](#Windows_memory_protections)\n- [Bypassing filter and protections](#Bypassing_filter_and_protections)\n- [Typical windows exploits](#Typical_windows_exploits)\n- [Exploit development tutorial series](#Exploit_development_tutorial_series)\n  + [Corelan Team](#corelan)\n  + [Fuzzysecurity](#fuzzysecurity)\n  + [Securitysift](#securitysift)\n  + [Whitehatters Academy](#whitehattersacademy)\n  + [TheSprawl](#TheSprawl)\n  + [Expdev-Kiuhnm](#expdev-kiuhnm)\n- [Tools](#tools)\n- [Miscellaneous](#miscellaneous)\n  - [Conference Talks / Videos](#conference-talks--videos)\n  - [Articles / Papers](#articles--papers)\n  - [Resources](#resources)\n  - [CTF / Training Binaries](#ctf--training-binaries)\n  - [Books](#books)\n  - [Other Tools](#other-tools)\n  - [Courses](#courses)\n  - [Related Awesome Lists](#related-awesome-lists)\n- [Advanced ARM](#advanced-arm)\n  - [Browser](#-browser)\n  - [Mitigation Bypass](#-mitigation-bypass)\n  - [Kernel](#-kernel)\n  - [Misc](#-misc)\n\n\n## \u003ca name=\"windows_stack_overflows\" /\u003eWindows stack overflows\n*Stack Base Overflow Articles.*\n+ [Win32 Buffer Overflows (Location, Exploitation and Prevention)](http://www.phrack.com/issues.html?issue=55\u0026id=15#article) - by Dark spyrit [1999]\n+ [Writing Stack Based Overflows on Windows](http://www.packetstormsecurity.org/papers/win/) - by Nish Bhalla’s [2005]\n+ [Stack Smashing as of Today](https://www.blackhat.com/presentations/bh-europe-09/Fritsch/Blackhat-Europe-2009-Fritsch-Bypassing-aslr-slides.pdf) - by Hagen Fritsch [2009]\n+ [SMASHING C++ VPTRS](http://phrack.org/issues/56/8.html) - by rix [2000]\n\n\n## \u003ca name=\"windows_heap_overflows\" /\u003eWindows heap overflows\n*Heap Base Overflow Articles.*\n+ [Third Generation Exploitation smashing heap on 2k](http://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt) - by Halvar Flake [2002]\n+ [Exploiting the MSRPC Heap Overflow Part 1](http://freeworld.thc.org/root/docs/exploit_writing/msrpcheap.pdf) - by Dave Aitel (MS03-026) [September 2003]\n+ [Exploiting the MSRPC Heap Overflow Part 2](http://freeworld.thc.org/root/docs/exploit_writing/msrpcheap2.pdf) - by Dave Aitel (MS03-026) [September 2003]\n+ [Windows heap overflow penetration in black hat](https://www.blackhat.com/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.ppt) - by David Litchfield [2004]\n+ [Glibc Adventures: The Forgotten Chunk](http://www.contextis.com/documents/120/Glibc_Adventures-The_Forgotten_Chunks.pdf) - by François Goichon [2015]\n+ [Pseudomonarchia jemallocum](http://www.phrack.org/issues/68/10.html) - by argp \u0026 huku\n+ [The House Of Lore: Reloaded](http://phrack.org/issues/67/8.html) - by blackngel [2010]\n+ [Malloc Des-Maleficarum](http://phrack.org/issues/66/10.html) - by blackngel [2009]\n+ [free() exploitation technique](http://phrack.org/issues/66/6.html) - by huku\n+ [Understanding the heap by breaking it](https://www.blackhat.com/presentations/bh-usa-07/Ferguson/Whitepaper/bh-usa-07-ferguson-WP.pdf) - by  Justin N. Ferguson [2007]\n+ [The use of set_head to defeat the wilderness](http://phrack.org/issues/64/9.html) - by g463\n+ [The Malloc Maleficarum](http://seclists.org/bugtraq/2005/Oct/118) - by Phantasmal Phantasmagoria [2005]\n+ [Exploiting The Wilderness](http://seclists.org/vuln-dev/2004/Feb/25) - by Phantasmal Phantasmagoria [2004]\n+ [Advanced Doug lea's malloc exploits](http://phrack.org/issues/61/6.html) - by jp\n\n**[`^        back to top        ^`](#)**\n\n\n\n## \u003ca name=\"kernel_based_Windows_overflows\" /\u003eKernel based Windows overflows\n*Kernel Base Exploit Development Articles.*\n+ [How to attack kernel based vulns on windows was done](http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-08/0101.html) - by a Polish group called “sec-labs” [2003]\n+ [Sec-lab old whitepaper](http://www.artofhacking.com/tucops/hack/windows/live/aoh_win32dcv.htm)\n+ [Sec-lab old exploit](http://www.securityfocus.com/bid/8329/info)\n+ [Windows Local Kernel Exploitation (based on sec-lab research)](http://www.packetstormsecurity.org/hitb04/hitb04-sk-chong.pdf) - by S.K Chong [2004]\n+ [How to exploit Windows kernel memory pool](http://packetstormsecurity.nl/Xcon2005/Xcon2005_SoBeIt.pdf) - by SoBeIt [2005]\n+ [Exploiting remote kernel overflows in windows](http://research.eeye.com/html/papers/download/StepIntoTheRing.pdf) - by Eeye Security\n+ [Kernel-mode Payloads on Windows in uninformed](http://www.uninformed.org/?v=3\u0026a=4\u0026t=pdf) - by Matt Miller\n+ [Exploiting 802.11 Wireless Driver Vulnerabilities on Windows](http://www.uninformed.org/?v=6\u0026a=2\u0026t=pdf)\n+ [BH US 2007 Attacking the Windows Kernel](http://www.blackhat.com/presentations/bh-usa-07/Lindsay/Whitepaper/bh-usa-07-lindsay-WP.pdf)\n+ [Remote and Local Exploitation of Network Drivers](http://www.blackhat.com/presentations/bh-usa-07/Bulygin/Presentation/bh-usa-07-bulygin.pdf)\n+ [Exploiting Comon Flaws In Drivers](http://www.reversemode.com/index.php?option=com_content\u0026task=view\u0026id=38\u0026Itemid=1)\n+ [I2OMGMT Driver Impersonation Attack](http://www.immunityinc.com/downloads/DriverImpersonationAttack_i2omgmt.pdf)\n+ [Real World Kernel Pool Exploitation](http://sebug.net/paper/Meeting-Documents/syscanhk/KernelPool.pdf)\n+ [Exploit for windows 2k3 and 2k8](http://www.argeniss.com/research/TokenKidnapping.pdf)\n+ [Alyzing local privilege escalations in win32k](http://www.uninformed.org/?v=10\u0026a=2\u0026t=pdf)\n+ [Intro to Windows Kernel Security Development](http://www.dontstuffbeansupyournose.com/trac/browser/projects/ucon09/Intro_NT_kernel_security_stuff.pdf)\n+ [There’s a party at ring0 and you’re invited](http://www.cr0.org/paper/to-jt-party-at-ring0.pdf)\n+ [Windows kernel vulnerability exploitation](http://vexillium.org/dl.php?call_gate_exploitation.pdf)\n+ [A New CVE-2015-0057 Exploit Technology](https://www.blackhat.com/docs/asia-16/materials/asia-16-Wang-A-New-CVE-2015-0057-Exploit-Technology-wp.pdf) - by Yu Wang [2016]\n+ [Exploiting CVE-2014-4113 on Windows 8.1](https://labs.bluefrostsecurity.de/publications/2016/01/07/exploiting-cve-2014-4113-on-windows-8.1/) - by Moritz Jodeit [2016]\n+ [Easy local Windows Kernel exploitation](http://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf) - by Cesar Cerrudo [2012]\n+ [Windows Kernel Exploitation ](http://www.hacking-training.com/download/WKE.pdf) - by Simone Cardona 2016\n+ [Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects](https://sensepost.com/blog/2017/exploiting-ms16-098-rgnobj-integer-overflow-on-windows-8.1-x64-bit-by-abusing-gdi-objects/) - by Saif Sherei 2017\n+ [Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes](http://www.slideshare.net/PeterHlavaty/windows-kernel-exploitation-this-time-font-hunt-you-down-in-4-bytes) - by keen team [2015]\n+ [Abusing GDI for ring0 exploit primitives](https://www.coresecurity.com/system/files/publications/2016/10/Abusing-GDI-Reloaded-ekoparty-2016_0.pdf) - [2016]\n\n\n## \u003ca name=\"windows_kernel_memory_corruption\" /\u003eWindows Kernel Memory Corruption\n*Windows Kernel Memory Corruption Exploit Development Articles.*\n+ [Remote Windows Kernel Exploitation](https://cansecwest.com/core05/windowsremotekernel.pdf) - by Barnaby Jack [2005]\n+ [windows kernel-mode payload fundamentals](http://uninformed.org/index.cgi?v=3\u0026a=4\u0026t=sumry) - by Skape [2006]\n+ [exploiting 802.11 wireless driver vulnerabilities on windows](http://www.uninformed.org/?v=6\u0026a=2\u0026t=sumry) - by Johnny Cache, H D Moore, skape [2007]\n+ [Kernel Pool Exploitation on Windows 7](https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf) - by Tarjei Mandt [2011]\n+ [Windows Kernel-mode GS Cookies and 1 bit of entropy](vexillium.org/dl.php?/Windows_Kernel-mode_GS_Cookies_subverted.pdf) - [2011]\n+ [Subtle information disclosure in WIN32K.SYS syscall return values](http://j00ru.vexillium.org/?p=762) - [2011]\n+ [nt!NtMapUserPhysicalPages and Kernel Stack-Spraying Techniques](http://j00ru.vexillium.org/?p=769) - [2011]\n+ [SMEP: What is it, and how to beat it on Windows](http://j00ru.vexillium.org/?p=783) - [2011]\n+ [Kernel Attacks through User-Mode Callbacks](http://www.mista.nu/research/mandt-win32k-paper.pdf) - by Tarjei Mandt [2011]\n+ [Windows Security Hardening Through Kernel Address Protection](http://j00ru.vexillium.org/blog/04_12_11/Windows_Kernel_Address_Protection.pdf) - by Mateusz \"j00ru\" Jurczyk [2011]\n+ [Reversing Windows8: Interesting Features of Kernel Security](http://hitcon.org/2012/download/0720A5_360.MJ0011_Reversing%20Windows8-Interesting%20Features%20of%20Kernel%20Security.pdf) - by MJ0011 [2012]\n+ [Smashing The Atom: Extraordinary String Based Attacks](mista.nu/research/smashing_the_atom.pdf) - by Tarjei Mandt [2012]\n+ [Easy local Windows Kernel exploitation](http://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf) - by Cesar Cerrudo [2012]\n+ [Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement](www.powerofcommunity.net/poc2012/mj0011.pdf) - by MJ0011 [2012]\n+ [MWR Labs Pwn2Own 2013 Write-up - Kernel Exploit](https://labs.mwrinfosecurity.com/blog/mwr-labs-pwn2own-2013-write-up-kernel-exploit/) - [2013]\n+ [KASLR Bypass Mitigations in Windows 8.1](www.alex-ionescu.com/?p=82) - [2013]\n+ [First Dip Into the Kernel Pool: MS10-058](http://doar-e.github.io/blog/2014/03/11/first-dip-into-the-kernel-pool-ms10-058/) - by Jeremy [2014]\n+ [Windows 8 Kernel Memory Protections Bypass](https://labs.mwrinfosecurity.com/blog/windows-8-kernel-memory-protections-bypass/) - [2014]\n+ [An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113)](http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/) - by Weimin Wu [2014]\n+ [Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids’ Pool](http://www.alex-ionescu.com/?p=231) - [2014]\n+ [Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE 2015-0057) bug on both 32-bit and 64-bit](https://www.nccgroup.trust/globalassets/newsroom/uk/blog/documents/2015/07/exploiting-cve-2015.pdf) - by Aaron Adams [2015]\n+ [Exploiting MS15-061 Microsoft Windows Kernel Use-After-Free (win32k!xxxSetClassLong)](https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/08/2015-08-27_-_ncc_group_-_exploiting_ms15_061_uaf_-_release.pdf) - by Dominic Wang [2015]\n+ [Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit](https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/09/2015-08-28_-_ncc_group_-_exploiting_cve_2015_2426_-_release.pdf) - by Cedric Halbronn [2015]\n+ [Abusing GDI for ring0 exploit primitives](https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives) - by Diego Juarez [2015]\n+ [Duqu 2.0 Win32k exploit analysis](https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/OhFlorio-VB2015.pdf) - [2015]\n\n\n\n## \u003ca name=\"Return_oriented_programming\" /\u003eReturn Oriented Programming\n+ [The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls](http://cseweb.ucsd.edu/~hovav/dist/geometry.pdf)\n+ [Blind return-oriented programming](http://www.scs.stanford.edu/brop/bittau-brop.pdf)\n+ [Sigreturn-oriented Programming](https://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf)\n+ [Jump-Oriented Programming: A New Class of Code-Reuse Attack](http://ftp.ncsu.edu/pub/tech/2010/TR-2010-8.pdf)\n+ [Out of control: Overcoming control-flow integrity](http://www.cs.stevens.edu/~gportoka/files/outofcontrol_oakland14.pdf)\n+ [ROP is Still Dangerous: Breaking Modern Defenses](http://www.cs.berkeley.edu/~daw/papers/rop-usenix14.pdf)\n+ [Loop-Oriented Programming(LOP): A New Code Reuse Attack to Bypass Modern Defenses](https://www.sec.in.tum.de/assets/staff/muntean/Loop-Oriented_Programming_A_New_Code_Reuse_Attack_to_Bypass_Modern0ADefenses.pdf) - by Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng [2015]\n+ [Systematic Analysis of Defenses Against Return-Oriented Programming](https://people.csail.mit.edu/nickolai/papers/skowyra-rop.pdf) -by R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. Streilein [2013]\n+ [Return-oriented programming without returns](https://www.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf) -by S.Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy [2010]\n+ [Jump-oriented programming: a new class of code-reuse attack](https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf) -by T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang [2011]\n+ [Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-davi.pdf) - by L. Davi, A. Sadeghi, and D. Lehmann [2014]\n+ [Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-goktas.pdf) - by E. Göktas, E.Athanasopoulos, M. Polychronakis, H. Bos, and G.Portokalidis [2014]\n+ [Buffer overflow attacks bypassing DEP (NX/XD bits) – part 1](http://www.mastropaolo.com/2005/06/04/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-1/) - by Marco Mastropaolo [2005]\n+ [Buffer overflow attacks bypassing DEP (NX/XD bits) – part 2](http://www.mastropaolo.com/2005/06/05/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-2-code-injection/) - by Marco Mastropaolo [2005]\n+ [Practical Rop](http://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf) - by Dino Dai Zovi [2010]\n+ [Exploitation with WriteProcessMemory](https://packetstormsecurity.com/papers/general/Windows-DEP-WPM.txt) - by Spencer Pratt [2010]\n+ [Exploitation techniques and mitigations on Windows](http://hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf) - by skape\n+ [A little return oriented exploitation on Windows x86 – Part 1](http://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on.html) - by Harmony Security and Stephen Fewer [2010]\n+ [A little return oriented exploitation on Windows x86 – Part 2](http://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on_16.html) - by Harmony Security and Stephen Fewer [2010]\n\n\n## \u003ca name=\"Windows_memory_protections\" /\u003eWindows memory protections\n*Windows memory protections Introduction Articles.*\n+ [Data Execution Prevention](http://support.microsoft.com/kb/875352)\n+ [/GS (Buffer Security Check)](http://msdn.microsoft.com/en-us/library/Aa290051)\n+ [/SAFESEH](http://msdn.microsoft.com/en-us/library/9a89h429(VS.80).aspx)\n+ [ASLR](http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx)\n+ [SEHOP](http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)\n\n\n## \u003ca name=\"Bypassing_filter_and_protections\" /\u003eBypassing filter and protections\n*Windows memory protections Bypass Methods Articles.*\n+ [Third Generation Exploitation smashing heap on 2k](http://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt) - by Halvar Flake [2002]\n+ [Creating Arbitrary Shellcode In Unicode Expanded Strings](http://www.net-security.org/dl/articles/unicodebo.pdf) - by Chris Anley\n+ [Advanced windows exploitation](http://www.immunityinc.com/downloads/immunity_win32_exploitation.final2.ppt) - by Dave Aitel [2003]\n+ [Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server](http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection.pdf) - by David Litchfield\n+ [Reliable heap exploits and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2)](http://cybertech.net/~sh0ksh0k/projects/winheap/XPSP2%20Heap%20Exploitation.ppt) - by Matt Conover in cansecwest 2004\n+ [Safely Searching Process Virtual Address Space](http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf) - by Matt Miller [2004]\n+ [IE exploit and used a technology called Heap Spray](http://www.exploit-db.com/exploits/612)\n+ [Bypassing hardware-enforced DEP](http://www.uninformed.org/?v=2\u0026a=4\u0026t=pdf) - by Skape (Matt Miller) and Skywing (Ken Johnson) [October 2005]\n+ [Exploiting Freelist[0] On XP Service Pack 2](http://www.orkspace.net/secdocs/Windows/Protection/Bypass/Exploiting%20Freelist%5B0%5D%20On%20XP%20Service%20Pack%202.pdf) - by Brett Moore [2005]\n+ [Kernel-mode Payloads on Windows in uninformed](http://www.uninformed.org/?v=3\u0026a=4\u0026t=pdf)\n+ [Exploiting 802.11 Wireless Driver Vulnerabilities on Windows](http://www.uninformed.org/?v=6\u0026a=2\u0026t=pdf)\n+ [Exploiting Comon Flaws In Drivers](http://www.reversemode.com/index.php?option=com_content\u0026task=view\u0026id=38\u0026Itemid=1)\n+ [Heap Feng Shui in JavaScript](http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf) by Alexander sotirov [2007]\n+ [Understanding and bypassing Windows Heap Protection](http://kkamagui.springnote.com/pages/1350732/attachments/579350) - by Nicolas Waisman [2007]\n+ [Heaps About Heaps](http://www.insomniasec.com/publications/Heaps_About_Heaps.ppt) - by Brett moore [2008]\n+ [Bypassing browser memory protections in Windows Vista](http://taossa.com/archive/bh08sotirovdowd.pdf) - by Mark Dowd and Alex Sotirov [2008]\n+ [Attacking the Vista Heap](http://www.ruxcon.org.au/files/2008/hawkes_ruxcon.pdf) - by ben hawkes [2008]\n+ [Return oriented programming Exploitation without Code Injection](http://cseweb.ucsd.edu/~hovav/dist/blackhat08.pdf) - by Hovav Shacham  (and others ) [2008]\n+ [Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8](http://www.argeniss.com/research/TokenKidnapping.pdf) - by Cesar Cerrudo [2008]\n+ [Defeating DEP Immunity Way](http://www.immunityinc.com/downloads/DEPLIB.pdf) - by Pablo Sole [2008]\n+ [Practical Windows XP2003 Heap Exploitation](http://www.blackhat.com/presentations/bh-usa-09/MCDONALD/BHUSA09-McDonald-WindowsHeap-PAPER.pdf) - by John McDonald and Chris Valasek [2009]\n+ [Bypassing SEHOP](http://www.sysdream.com/articles/sehop_en.pdf) - by Stefan Le Berre Damien Cauquil [2009]\n+ [Interpreter Exploitation  : Pointer Inference and JIT Spraying](http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf) - by Dionysus Blazakis[2010]\n+ [Write-up of Pwn2Own 2010](http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf) - by  Peter Vreugdenhil\n+ [All in one 0day presented in rootedCON](http://wintercore.com/downloads/rootedcon_0day_english.pdf) - by Ruben Santamarta [2010]\n+ [DEP/ASLR bypass using 3rd party](http://web.archive.org/web/20130820021520/http://abysssec.com/files/The_Arashi.pdf) - by Shahin Ramezany [2013]\n+ [Bypassing EMET 5.0](http://blog.sec-consult.com/2014/10/microsoft-emet-armor-against-zero-days.html) - by René Freingruber [2014]\n\n\n## \u003ca name=\"Typical_windows_exploits\" /\u003eTypical windows exploits\n+ [Real-world HW-DEP bypass Exploit](http://www.exploit-db.com/exploits/3652) - by Devcode\n+ [Bypassing DEP by returning into HeapCreate](http://www.metasploit.com/redmine/projects/framework/repository/revisions/7246/entry/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb) - by Toto\n+ [First public ASLR bypass exploit by using partial overwrite ](http://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/email/ani_loadimage_chunksize.rb) - by Skape\n+ [Heap spray and bypassing DEP](http://skypher.com/SkyLined/download/www.edup.tudelft.nl/%7Ebjwever/exploits/InternetExploiter2.zip) - by Skylined\n+ [First public exploit that used ROP  for bypassing DEP in adobe lib TIFF vulnerability](http://www.metasploit.com/redmine/projects/framework/repository/revisions/8833/raw/modules/exploits/windows/fileformat/adobe_libtiff.rb)\n+ [Exploit codes of bypassing browsers memory protections](http://phreedom.org/research/bypassing-browser-memory-protections/bypassing-browser-memory-protections-code.zip)\n+ [PoC’s on Tokken TokenKidnapping .  PoC for 2k3 -part 1](http://www.argeniss.com/research/Churrasco.zip) - by Cesar Cerrudo\n+ [PoC’s on Tokken TokenKidnapping .  PoC for 2k8 -part 2](http://www.argeniss.com/research/Churrasco2.zip) - by Cesar Cerrudo\n+ [An exploit works from win 3.1 to win 7](http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip) - by Tavis Ormandy KiTra0d\n+ [Old ms08-067 metasploit module multi-target and DEP bypass](http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/smb/ms08_067_netapi.rb)\n+ [PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass](http://www.exploit-db.com/exploits/12189)\n+ [SMBv2 Exploit](http://www.metasploit.com/redmine/projects/framework/repository/revisions/8916/raw/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb) - by Stephen Fewer\n+ [Microsoft IIS 7.5 remote heap buffer overflow](http://www.phrack.org/issues/68/12.html) - by redpantz\n+ [Browser Exploitation Case Study for Internet Explorer 11](https://labs.bluefrostsecurity.de/files/Look_Mom_I_Dont_Use_Shellcode-WP.pdf) - by Moritz Jodeit [2016]\n\n\n## \u003ca name=\"Exploit_development_tutorial_series\" /\u003eExploit development tutorial series\n*Exploid Development Tutorial Series Base on Windows Operation System Articles.*\n\u003ca name=\"corelan\" /\u003e\n- Corelan Team\n  + [Exploit writing tutorial part 1 : Stack Based Overflows](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/)\n  + [Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode](https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/)\n  + [Exploit writing tutorial part 3 : SEH Based Exploits](https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/)\n  + [Exploit writing tutorial part 3b : SEH Based Exploits – just another example](https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/)\n  + [Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics](https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/)\n  + [Exploit writing tutorial part 5 : How debugger modules \u0026 plugins can speed up basic exploit development](https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/)\n  + [Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR](https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/)\n  + [Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc](https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/)\n  + [Exploit writing tutorial part 8 : Win32 Egg Hunting](https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/)\n  + [Exploit writing tutorial part 9 : Introduction to Win32 shellcoding](https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/)\n  + [Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s Cube](https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/)\n  + [Exploit writing tutorial part 11 : Heap Spraying Demystified](https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/)\n\n- \u003ca name=\"fuzzysecurity\" /\u003eFuzzysecurity\n  + [Part 1: Introduction to Exploit Development](https://www.fuzzysecurity.com/tutorials/expDev/1.html)\n  + [Part 2: Saved Return Pointer Overflows](https://www.fuzzysecurity.com/tutorials/expDev/2.html)\n  + [Part 3: Structured Exception Handler (SEH)](https://www.fuzzysecurity.com/tutorials/expDev/3.html)\n  + [Part 4: Egg Hunters](https://www.fuzzysecurity.com/tutorials/expDev/4.html)\n  + [Part 5: Unicode 0x00410041](https://www.fuzzysecurity.com/tutorials/expDev/5.html)\n  + [Part 6: Writing W32 shellcode](https://www.fuzzysecurity.com/tutorials/expDev/6.html)\n  + [Part 7: Return Oriented Programming](https://www.fuzzysecurity.com/tutorials/expDev/7.html)\n  + [Part 8: Spraying the Heap Chapter 1: Vanilla EIP](https://www.fuzzysecurity.com/tutorials/expDev/8.html)\n  + [Part 9: Spraying the Heap Chapter 2: Use-After-Free](https://www.fuzzysecurity.com/tutorials/expDev/11.html)\n  + [Part 10: Kernel Exploitation -\u003e Stack Overflow](http://www.fuzzysecurity.com/tutorials/expDev/14.html)\n  + [Part 11: Kernel Exploitation -\u003e Write-What-Where](http://www.fuzzysecurity.com/tutorials/expDev/15.html)\n  + [Part 12: Kernel Exploitation -\u003e Null Pointer Dereference](http://www.fuzzysecurity.com/tutorials/expDev/16.html)\n  + [Part 13: Kernel Exploitation -\u003e Uninitialized Stack Variable](http://www.fuzzysecurity.com/tutorials/expDev/17.html)\n  + [Part 14: Kernel Exploitation -\u003e Integer Overflow](http://www.fuzzysecurity.com/tutorials/expDev/18.html)\n  + [Part 15: Kernel Exploitation -\u003e UAF](http://www.fuzzysecurity.com/tutorials/expDev/19.html)\n  + [Part 16: Kernel Exploitation -\u003e Pool Overflow](http://www.fuzzysecurity.com/tutorials/expDev/20.html)\n  + [Part 17: Kernel Exploitation -\u003e GDI Bitmap Abuse (Win7-10 32/64bit)](http://www.fuzzysecurity.com/tutorials/expDev/21.html)\n  + [Heap Overflows For Humans 101](http://www.fuzzysecurity.com/tutorials/mr_me/2.html)\n  + [Heap Overflows For Humans 102](http://www.fuzzysecurity.com/tutorials/mr_me/3.html)\n  + [Heap Overflows For Humans 102.5](http://www.fuzzysecurity.com/tutorials/mr_me/4.html)\n  + [Heap Overflows For Humans 103](http://www.fuzzysecurity.com/tutorials/mr_me/5.html)\n  + [Heap Overflows For Humans 103.5](http://www.fuzzysecurity.com/tutorials/mr_me/6.html)\n\n- \u003ca name=\"securitysift\" /\u003eSecuritysift\n  + [Windows Exploit Development – Part 1: The Basics](http://www.securitysift.com/windows-exploit-development-part-1-basics/)\n  + [Windows Exploit Development – Part 2: Intro to Stack Based Overflows](http://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/)\n  + [Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules](http://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/)\n  + [Windows Exploit Development – Part 4: Locating Shellcode With Jumps](http://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/)\n  + [Windows Exploit Development – Part 5: Locating Shellcode With Egghunting](http://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting/)\n  + [Windows Exploit Development – Part 6: SEH Exploits](http://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/)\n  + [Windows Exploit Development – Part 7: Unicode Buffer Overflows](http://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows/)\n\n\n- \u003ca name=\"whitehattersacademy\" /\u003eWhitehatters Academy\n  + [Intro to Windows kernel exploitation 1/N: Kernel Debugging](https://www.whitehatters.academy/intro-to-kernel-exploitation-part-1/)\n  + [Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-2-windows-drivers/)\n  + [Intro to Windows kernel exploitation 3/N: My first Driver exploit](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-3-my-first-driver-exploit/)\n  + [Intro to Windows kernel exploitation 3.5/N: A bit more of the HackSys Driver](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-more-of-the-hacksys-driver/)\n  + [Backdoor 103: Fully Undetected](https://www.whitehatters.academy/backdoor-103-fully-undetected/)\n  + [Backdoor 102](https://www.whitehatters.academy/backdoor-102/)\n  + [Backdoor 101](https://www.whitehatters.academy/backdoor101-vysec/)\n\n\n- \u003ca name=\"TheSprawl\" /\u003eTheSprawl\n  + [corelan - integer overflows - exercise solution](http://thesprawl.org/research/corelan-integer-overflows-exercise-solution/)\n  + [heap overflows for humans - 102 - exercise solution](http://thesprawl.org/research/heap-overflows-humans-102-exercise-solution/)\n  + [exploit exercises - protostar - final levels](http://thesprawl.org/research/exploit-exercises-protostar-final/)\n  + [exploit exercises - protostar - network levels](http://thesprawl.org/research/exploit-exercises-protostar-network/)\n  + [exploit exercises - protostar - heap levels](http://thesprawl.org/research/exploit-exercises-protostar-heap/)\n  + [exploit exercises - protostar - format string levels](http://thesprawl.org/research/exploit-exercises-protostar-format/)\n  + [exploit exercises - protostar - stack levels](http://thesprawl.org/research/exploit-exercises-protostar-stack/)\n  + [open security training - introduction to software exploits - uninitialized variable overflow](http://thesprawl.org/research/ost-introduction-software-exploits-uninit-overflow/)\n  + [open security training - introduction to software exploits - off-by-one](http://thesprawl.org/research/ost-introduction-exploits-offbyone/)\n  + [open security training - introduction to re - bomb lab secret phase](http://thesprawl.org/research/ost-introduction-re-bomb-secret-phase/)\n  + [open security training - introductory x86 - buffer overflow mystery box](http://thesprawl.org/research/ost-introductory-x86-buffer-overflow-mystery-box/)\n  + [corelan - tutorial 10 - exercise solution](http://thesprawl.org/research/corelan-tutorial-10-exercise-solution/)\n  + [corelan - tutorial 9 - exercise solution](http://thesprawl.org/research/corelan-tutorial-9-exercise-solution/)\n  + [corelan - tutorial 7 - exercise solution](http://thesprawl.org/research/corelan-tutorial-7-exercise-solution/)\n  + [getting from seh to nseh](http://thesprawl.org/research/seh-to-nseh/)\n  + [corelan - tutorial 3b - exercise solution](http://thesprawl.org/research/corelan-tutorial-3b-exercise-solution/)\n\n- \u003ca name=\"expdev-kiuhnm\" /\u003eExpdev-Kiuhnm\n  + [WinDbg](http://expdev-kiuhnm.rhcloud.com/2015/05/17/windbg/)\n  + [Mona 2](http://expdev-kiuhnm.rhcloud.com/2015/05/19/mona-2/)\n  + [Structure Exception Handling (SEH)](http://expdev-kiuhnm.rhcloud.com/2015/05/19/structured-exception-handling-seh/)\n  + [Heap](http://expdev-kiuhnm.rhcloud.com/2015/05/20/heap/)\n  + [Windows Basics](http://expdev-kiuhnm.rhcloud.com/2015/05/20/windows-basics/)\n  + [Shellcode](http://expdev-kiuhnm.rhcloud.com/2015/05/22/shellcode/)\n  + [Exploitme1 (ret eip overwrite)](http://expdev-kiuhnm.rhcloud.com/2015/05/26/exploitme1-ret-eip-overwrite/)\n  + [Exploitme2 (Stack cookies \u0026 SEH)](http://expdev-kiuhnm.rhcloud.com/2015/05/26/exploitme2-stack-cookies-seh-2/)\n  + [Exploitme3 (DEP)](http://expdev-kiuhnm.rhcloud.com/2015/05/27/exploitme3-dep/)\n  + [Exploitme4 (ASLR)](http://expdev-kiuhnm.rhcloud.com/2015/05/28/exploitme4-aslr/)\n  + [Exploitme5 (Heap Spraying \u0026 UAF)](http://expdev-kiuhnm.rhcloud.com/2015/05/29/exploitme5-heap-spraying-uaf/)\n  + [EMET 5.2](http://expdev-kiuhnm.rhcloud.com/2015/05/29/emet-5-2-2/)\n  + [Internet Explorer 10 - Reverse Engineering IE](http://expdev-kiuhnm.rhcloud.com/2015/05/31/ie10-reverse-engineering-ie/)\n  + [Internet Explorer 10 - From one-byte-write to full process space read/write](http://expdev-kiuhnm.rhcloud.com/2015/05/31/ie-10-from-one-byte-write-to-full-process-space-readwrite/)\n  + [Internet Explorer 10 - God Mode (1)](http://expdev-kiuhnm.rhcloud.com/2015/05/31/ie10-god-mode-1/)\n  + [Internet Explorer 10 - God Mode (2)](http://expdev-kiuhnm.rhcloud.com/2015/06/01/ie10-god-mode-2/)\n  + [Internet Explorer 10 - Use-After-Free bug](http://expdev-kiuhnm.rhcloud.com/2015/06/01/ie10-use-free-bug/)\n  + [Internet Explorer 11 - Part 1](http://expdev-kiuhnm.rhcloud.com/2015/06/02/ie11-part-1/)\n  + [Internet Explorer 11 - Part 2](http://expdev-kiuhnm.rhcloud.com/2015/06/02/ie11-part-2/)\n\n\n\n## \u003ca name=\"tools\" /\u003eTools\n*Disassemblers, debuggers, and other static and dynamic analysis tools.*\n\n+ [angr](https://github.com/angr/angr) - Platform-agnostic binary analysis\n  framework developed at UCSB's Seclab.\n+ [BARF](https://github.com/programa-stic/barf-project) - Multiplatform, open\n  source Binary Analysis and Reverse engineering Framework.\n+ [Binary Ninja](https://binary.ninja/) - Multiplatform binary analysis IDE supporting\n  various types of binaries and architecturs. Scriptable via Python.\n+ [binnavi](https://github.com/google/binnavi) - Binary analysis IDE for\n  reverse engineering based on graph visualization.\n+ [Bokken](http://www.bokken.re/) - GUI for Pyew and Radare.\n+ [Capstone](https://github.com/aquynh/capstone) - Disassembly framework for\n  binary analysis and reversing, with support for many architectures and\n  bindings in several languages.\n+ [codebro](https://github.com/hugsy/codebro) - Web based code browser using\n  clang to provide basic code analysis.\n+ [dnSpy](https://github.com/0xd4d/dnSpy) - .NET assembly editor, decompiler\n  and debugger.\n+ [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - A\n  modular debugger with a Qt GUI.\n+ [GDB](http://www.sourceware.org/gdb/) - The GNU debugger.\n+ [GEF](https://github.com/hugsy/gef) - GDB Enhanced Features, for exploiters\n  and reverse engineers.\n+ [hackers-grep](https://github.com/codypierce/hackers-grep) - A utility to\n  search for strings in PE executables including imports, exports, and debug\n  symbols.\n+ [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - Windows\n  disassembler and debugger, with a free evaluation version.\n+ [Immunity Debugger](http://debugger.immunityinc.com/) - Debugger for\n  malware analysis and more, with a Python API.\n+ [ltrace](http://ltrace.org/) - Dynamic analysis for Linux executables.\n+ [objdump](https://en.wikipedia.org/wiki/Objdump) - Part of GNU binutils,\n  for static analysis of Linux binaries.\n+ [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows\n  executables.\n+ [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral Dynamic Analysis\n+ [PEDA](https://github.com/longld/peda) - Python Exploit Development\n  Assistance for GDB, an enhanced display with added commands.\n+ [pestudio](https://winitor.com/) - Perform static analysis of Windows\n  executables.\n+ [Process Monitor](https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) -\n  Advanced monitoring tool for Windows programs.\n+ [Pyew](https://github.com/joxeankoret/pyew) - Python tool for malware\n  analysis.\n+ [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with\n  debugger support.\n+ [SMRT](https://github.com/pidydx/SMRT) - Sublime Malware Research Tool, a\n  plugin for Sublime 3 to aid with malware analyis.\n+ [strace](http://sourceforge.net/projects/strace/) - Dynamic analysis for\n  Linux executables.\n+ [Udis86](https://github.com/vmt/udis86) - Disassembler library and tool\n  for x86 and x86_64.\n+ [Vivisect](https://github.com/vivisect/vivisect) - Python tool for\n  malware analysis.\n+ [X64dbg](https://github.com/x64dbg/) - An open-source x64/x32 debugger for windows.\n\n\n\n##  `Conference Talks / Videos `\n* [Exploitation on ARM](https://www.youtube.com/watch?v=kykVyJ0dm8Y) - Itzhak Avraham - Defcon 18 (2010)\n* [ARM Exploitation ROPMAP](https://www.youtube.com/watch?v=VDyf_tJ8IUg) - Long Le - Blackhat USA (2011)\n* [Advanced ARM Exploitation](https://www.youtube.com/watch?v=gdsPydfBfSA) - Stephen Ridley \u0026 Stephen Lawler - Blackhat USA (2012)\n* [ARM Assembly and Shellcode Basics](https://www.youtube.com/watch?v=BhjJBuX0YCU) - Saumil Shah - 44CON (2017)\n* [Heap Overflow Exploits for Beginners (ARM Exploitation Tutorial)](https://www.youtube.com/watch?v=L8Ya7fBgEzU) - Billy Ellis (2017)\n* [Introduction to Exploitation on ARM64](https://www.youtube.com/watch?v=xVyH68HFsQU) - Billy Ellis - Codetalks (2018)\n* [Make ARM Shellcode Great Again](https://www.youtube.com/watch?v=9tx293lbGuc) - Saumil Shah - Hack.lu (2018)\n* [ARM Memory Tagging, how it improves C++ memory safety](https://www.youtube.com/watch?v=iP_iHroclgM) - Kostya Serebryany - LLVM (2018)\n* [Breaking Samsung's ARM Trustzone](https://i.blackhat.com/USA-19/Thursday/us-19-Peterlin-Breaking-Samsungs-ARM-TrustZone.pdf)\n* [Hacker Nightmares: Giving Hackers a Headache with Exploit Mitigations](https://www.youtube.com/watch?v=riQ-WyYrxh4) - Azeria - Virtual Arm Research Summit (2020)\n\n##  `Articles / Papers `\n* [ARM Assembly Basics Series](https://azeria-labs.com/writing-arm-assembly-part-1/) - Azeria\n* [ARM Binary Exploitation Series](https://azeria-labs.com/writing-arm-shellcode/) - Azeria\n* [Smashing the ARM Stack](https://www.merckedsecurity.com/blog/smashing-the-arm-stack-part-1) - Mercked Security\n* [Introduction to ARMv8 64-bit Architecture](https://quequero.org/2014/04/introduction-to-arm-architecture/) - pnuic\n* [Alphanumeric RISC ARM Shellcode](http://phrack.org/issues/66/12.html) - (Phrack) - Yves Younan, Pieter Philippaerts\n* [Return-Oriented Programming on a Cortex-M Processor](https://ieeexplore.ieee.org/document/8029521)\n* [3or ARM Exploitation Series](https://blog.3or.de/arm-exploitation-return-oriented-programming.html) - Dimitrios Slamaris\n* [Developing StrongARM/Linux Shellcode](http://www.phrack.com/issues/58/10.html) - (Phrack) - funkysh\n* [Reversing and Exploiting ARM Binaries](http://www.mathyvanhoef.com/2013/12/reversing-and-exploiting-arm-binaries.html) - Mathy Vanhoef\n* [ARM Exploitation for IoT Series](https://quequero.org/2017/07/arm-exploitation-iot-episode-1/) - Andrea Sindoni\n* [Reverse Engineering of ARM Microcontrollers](https://rdomanski.github.io/Reverse-engineering-of-ARM-Microcontrollers/) - Rdomanski\n* [ARM64 Reversing and Exploitation - Part 1: ARM Instruction Set + Simple Heap Overflow](https://8ksec.io/arm64-reversing-and-exploitation-part-1-arm-instruction-set-simple-heap-overflow/) - 8ksec\n* [ARM64 Reversing and Exploitation - Part 2: Use After Free](\nhttps://8ksec.io/arm64-reversing-and-exploitation-part-2-use-after-free/) - 8ksec\n* [ARM64 Reversing and Exploitation - Part 3: A Simple ROP Chain](\nhttps://8ksec.io/arm64-reversing-and-exploitation-part-3-a-simple-rop-chain/) - 8ksec\n* [ARM64 Reversing and Exploitation - Part 4: Using Mprotect() To Bypass NX Protection](\nhttps://8ksec.io/arm64-reversing-and-exploitation-part-4-using-mprotect-to-bypass-nx-protection-8ksec-blogs/) - 8ksec\n* [ARM64 Reversing and Exploitation - Part 5: Writing Shellcode](\nhttps://8ksec.io/arm64-reversing-and-exploitation-part-5-writing-shellcode-8ksec-blogs/) - 8ksec\n* [ARM64 Reversing and Exploitation - Part 6: Exploiting An Uninitialized Stack Variable Vulnerability](\nhttps://8ksec.io/arm64-reversing-and-exploitation-part-6-exploiting-an-uninitialized-stack-variable-vulnerability/) - 8ksec\n* [ARM64 Reversing and Exploitation - Part 7: Bypassing ASLR And NX](\nhttps://8ksec.io/arm64-reversing-and-exploitation-part-7-bypassing-aslr-and-nx/) - 8ksec\n* [ARM64 Reversing and Exploitation - Part 8: Exploiting An Integer Overflow Vulnerability](\nhttps://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/) - 8ksec\n* [ARM64 Reversing and Exploitation - Part 9 :Exploiting An Off By One Overflow Vulnerability](\nhttps://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/) - 8ksec\n* [ARM64 Reversing and Exploitation - Part 10: Intro To Arm Memory Tagging Extension (MTE)](\nhttps://8ksec.io/arm64-reversing-and-exploitation-part-10-intro-to-arm-memory-tagging-extension-mte/) - 8ksec\n\n## Resources\n\n* [ARM Architecture Reference Manual](http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.subset.architecture.reference/index.html)\n* [Online ARM Assembler](https://azm.azerialabs.com/)\n* [ARM TEE Reversing and Exploitation](https://github.com/enovella/TEE-reversing)\n\n## CTF / Training Binaries\n\n* [Exploit Me](https://github.com/bkerler/exploit_me)\n* [Exploit Challenges](https://github.com/Billy-Ellis/Exploit-Challenges)\n* [Azeria ARM Lab](https://azeria-labs.com/emulate-raspberry-pi-with-qemu/)\n\n##  `Books `\n\n* [Practical Reverse Engineering](https://www.wiley.com/en-us/Practical+Reverse+Engineering%3A+x86%2C+x64%2C+ARM%2C+Windows+Kernel%2C+Reversing+Tools%2C+and+Obfuscation-p-9781118787311) (Chapter 2) - Bruce Dang, Alexandre Gazet and Elias Bachalany\n* [Beginners Guide to Exploitation on ARM](https://zygosec.com/book.html) - Volumes 1 \u0026 2 - Billy Ellis\n* [ARM Assembly Language: Fundamentals \u0026 Techniques](https://www.amazon.co.uk/ARM-Assembly-Language-Fundamentals-Techniques/dp/1439806101) - William Hohl\n\n##  `Other Tools `\n\n* [Ropper](https://github.com/sashs/Ropper)\n\n##  `Courses `\n\n* [Azeria ARM Training](https://training.azeria-labs.com/)\n* [Pentest Academy ARM Assembly](https://www.pentesteracademy.com/course?id=46)\n* [Pentest Academy Reverse Engineering for ARM Platforms](https://www.pentesteracademy.com/course?id=49)\n* [IHackArm Offensive ARM Exploitation](https://ihackarm.com/)\n\n##  `Related Awesome Lists `\n\n* [Cybersecurity Android Security](https://github.com/paulveillard/cybersecurity-android-security)\n* [Awesome iOS Security](https://github.com/ashishb/osx-and-ios-security-awesome)\n* [Awesome IoT Hacks](https://github.com/nebgnahz/awesome-iot-hacks)\n* [Awesome Exploit Development](https://github.com/FabioBaroni/awesome-exploit-development)\n\n\n\n## [↑](#advanced-arm) Browser\n* [Beginners guide to UAT exploits IE 0day exploit development](https://0xicf.wordpress.com/2012/11/18/beginners-guide-to-use-after-free-exploits-ie-0-day-exploit-development/)\n* [Fuzzy Security - Spraying the Heap [Chapter 1: Vanilla EIP] – Putting Needles in the Haystack](https://www.fuzzysecurity.com/tutorials/expDev/8.html)\n* [Fuzzy Security - Spraying the Heap [Chapter 2: Use-After-Free] – Finding a needle in a Haystack](https://www.fuzzysecurity.com/tutorials/expDev/11.html)\n* [Anatomy of an exploit – inside the CVE-2013-3893 Internet Explorer zero-day – Part 1](https://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/)\n* [Using the JIT Vulnerability to Pwn Microsoft Edge](http://i.blackhat.com/asia-19/Fri-March-29/bh-asia-Li-Using-the-JIT-Vulnerability-to-Pwning-Microsoft-Edge.pdf)\n* [Post-mortem Analysis of a Use-After-Free Vulnerability (CVE-2011-1260)](http://www.exploit-monday.com/2011/07/post-mortem-analysis-of-use-after-free_07.html)\n* [Advanced Heapspraying Technique](https://www.owasp.org/images/0/01/OWASL_IL_2010_Jan_-_Moshe_Ben_Abu_-_Advanced_Heapspray.pdf)\n* [HeapSpray Aurora Vulnerability](http://www.thegreycorner.com/2010/01/heap-spray-exploit-tutorial-internet.html)\n* [Microsoft Edge Chakra JIT Type Confusion CVE-2019-0539](https://perception-point.io/resources/research/cve-2019-0539-exploitation/)\n* [CVE-2019-0539 Root Cause Analysis](https://perception-point.io/resources/research/cve-2019-0539-root-cause-analysis/)\n* [attacking javascript engines](http://www.phrack.org/papers/attacking_javascript_engines.html)\n* [Learning browser exploitation via 33C3 CTF  feuerfuchs challenge](https://bruce30262.github.io/Learning-browser-exploitation-via-33C3-CTF-feuerfuchs-challenge/)\n* [A Methodical Approach to Browser Exploitation](https://blog.ret2.io/2018/06/05/pwn2own-2018-exploit-development/)\n* [Reducing target scope within JSC, building a JavaScript fuzzer](https://blog.ret2.io/2018/06/13/pwn2own-2018-vulnerability-discovery/)\n* [Performing root-cause analysis of a JSC vulnerability](https://blog.ret2.io/2018/06/19/pwn2own-2018-root-cause-analysis/)\n* [Weaponizing a JSC vulnerability for single-click RCE](https://blog.ret2.io/2018/07/11/pwn2own-2018-jsc-exploit/)\n* [Evaluating the Safari sandbox, and fuzzing WindowServer on MacOS](https://blog.ret2.io/2018/07/25/pwn2own-2018-safari-sandbox/)\n* [Weaponizing a Safari sandbox escape](https://blog.ret2.io/2018/08/28/pwn2own-2018-sandbox-escape/)\n* [Microsoft Edge MemGC Internals](https://hitcon.org/2015/CMT/download/day2-h-r1.pdf)\n* [The ECMA and the Chakra](http://conference.hitb.org/hitbsecconf2017ams/materials/CLOSING%20KEYNOTE%20-%20Natalie%20Silvanovich%20-%20The%20ECMA%20and%20The%20Chakra.pdf)\n* [Memory Corruption Exploitation In Internet Explorer](https://www.syscan360.org/slides/2012_ZH_MemoryCorruptionExploitationInInternetExplorer_MotiJoseph.pdf)\n* [IE 0day Analysis And Exploit](http://vdisk.weibo.com/s/dC_SSJ6Fvb71i)\n* [Write Once, Pwn Anywhere](https://www.blackhat.com/docs/us-14/materials/us-14-Yu-Write-Once-Pwn-Anywhere.pdf)\n* [The Art of Leaks: The Return of Heap Feng Shui](https://cansecwest.com/slides/2014/The%20Art%20of%20Leaks%20-%20read%20version%20-%20Yoyo.pdf)\n* [IE 11 0day \u0026 Windows 8.1 Exploit](https://github.com/exp-sky/HitCon-2014-IE-11-0day-Windows-8.1-Exploit/blob/master/IE%2011%200day%20%26%20Windows%208.1%20Exploit.pdf)\n* [IE11 Sandbox Escapes Presentation](https://www.blackhat.com/docs/us-14/materials/us-14-Forshaw-Digging-For_IE11-Sandbox-Escapes.pdf)\n* [Spartan 0day \u0026 Exploit](https://github.com/exp-sky/HitCon-2015-spartan-0day-exploit)\n* [Look Mom, I don't use Shellcode](https://www.syscan360.org/slides/2016_SH_Moritz_Jodeit_Look_Mom_I_Dont_Use_Shellcode.pdf)\n* [Windows 10 x64 edge 0day and exploit](https://github.com/exp-sky/HitCon-2016-Windows-10-x64-edge-0day-and-exploit/blob/master/Windows%2010%20x64%20edge%200day%20and%20exploit.pdf)\n* [1-Day Browser \u0026 Kernel Exploitation](http://powerofcommunity.net/poc2017/andrew.pdf)\n* [The Secret of ChakraCore: 10 Ways to Go Beyond the Edge](http://conference.hitb.org/hitbsecconf2017ams/materials/D1T2%20-%20Linan%20Hao%20and%20Long%20Liu%20-%20The%20Secret%20of%20ChakraCore.pdf)\n* [From Out of Memory to Remote Code Execution](https://speakerd.s3.amazonaws.com/presentations/c0a3e7bc0dca407cbafb465828ff204a/From_Out_of_Memory_to_Remote_Code_Execution_Yuki_Chen_PacSec2017_final.pdf)\n* [Attacking WebKit Applications by exploiting memory corruption bugs](https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf)\n* [CVE-2018-5129: Out-of-bounds write with malformed IPC messages](https://infinite.loopsec.com.au/cve-2018-5129-how-i-found-my-first-cve)\n* [it-sec catalog browser exploitation chapter](https://www.it-sec-catalog.info/browser_exploitation.html)\n* [ZDI-18-428: An MsEdge InfoLeak Story](https://rce.wtf/2018/12/12/ZDI-18-428-An-MsEdge-InfoLeak-Story.html)\n* [AsiaSecWest-2018-Chakra-vulnerability-and-exploit-bypass-all-system-mitigation](https://github.com/exp-sky/AsiaSecWest-2018-Chakra-vulnerability-and-exploit-bypass-all-system-mitigation/blob/master/Chakra%20vulnerability%20and%20exploit%20bypass%20all%20system%20mitigation.pdf)\n* [IE 0day Analysis And Exploit](https://github.com/exp-sky/XKungFoo-2013/blob/master/IE%200day%20Analysis%20And%20Exploit.pdf)\n* [Attacking Client-Side JIT Compilers v2](https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf)\n* [The Return of the JIT Part 1](https://rh0dev.github.io/blog/2017/the-return-of-the-jit/)\n* [The Return of the JIT Part 2](https://rh0dev.github.io/blog/2017/the-return-of-the-jit-part-2/)\n* [Using the JIT vulnerability to Pwning Microsoft Edge](https://i.blackhat.com/asia-19/Fri-March-29/bh-asia-Li-Using-the-JIT-Vulnerability-to-Pwning-Microsoft-Edge.pdf)\n* [From Assembly to JavaScript and Back](https://gsec.hitb.org/materials/sg2018/D1%20-%20Turning%20Memory%20Errors%20into%20Code%20Execution%20with%20Client-Side%20Compilers%20-%20Robert%20Gawlik.pdf)\n* [Exploiting CVE-2020-0041 - Part 1: Escaping the Chrome Sandbox](https://labs.bluefrostsecurity.de/blog/2020/03/31/cve-2020-0041-part-1-sandbox-escape/)\n* [Exploiting CVE-2020-0041 - Part 2: Escalating to root](https://labs.bluefrostsecurity.de/blog/2020/04/08/cve-2020-0041-part-2-escalating-to-root/)\n\n## [↑](#table-of-contents) Mitigation Bypass\n* [Disarming EMET v5.0](https://www.offensive-security.com/vulndev/disarming-emet-v5-0/)\n* [Disarming and Bypassing EMET 5.1](https://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/)\n* [Universal DEP/ASLR bypass with msvcr71.dll and mona.py](https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/)\n* [Chaining DEP with ROP – the Rubik’s[TM] Cube](https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/)\n* [Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR](https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/)\n* [Development of a new Windows 10 KASLR Bypass (in One WinDBG Command)](https://www.offensive-security.com/vulndev/development-of-a-new-windows-10-kaslr-bypass-in-one-windbg-command/)\n* [Disarming Enhanced Mitigation Experience Toolkit (EMET)](https://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/)\n* [Simple EMET EAF bypass](http://casual-scrutiny.blogspot.com/2015/01/simple-emet-eaf-bypass.html)\n* [Exploit Dev 101: Bypassing ASLR on Windows](https://www.abatchy.com/2017/06/exploit-dev-101-bypassing-aslr-on.html)\n* [Bypassing Control Flow Guard in Windows 10](https://improsec.com/tech-blog/bypassing-control-flow-guard-in-windows-10)\n* [Bypassing Control Flow Guard in Windows 10 - Part II](https://improsec.com/tech-blog/bypassing-control-flow-guard-on-windows-10-part-ii)\n* [BYPASS CONTROL FLOW GUARD COMPREHENSIVELY](https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf)\n* [CROSS THE WALL-BYPASS ALL MODERN MITIGATIONS OF MICROSOFT EDGE](https://www.blackhat.com/docs/asia-17/materials/asia-17-Li-Cross-The-Wall-Bypass-All-Modern-Mitigations-Of-Microsoft-Edge.pdf)\n* [How to find the vulnerability to bypass the Control Flow Guard](https://cansecwest.com/slides/2017/CSW2017_HenryLi_How_to_find_the_vulnerability_to_bypass_the_ControlFlowGuard.pdf)\n* [Bypassing Memory Mitigation Using Data-Only Exploitation Technique](https://conference.hitb.org/hitbsecconf2017ams/materials/D2T1%20-%20Bing%20Sun%20and%20Chong%20Xu%20-%20Bypassing%20Memory%20Mitigation%20Using%20Data-Only%20Exploitation%20Techniques.pdf)\n* [CHAKRA JIT CFG BYPASS](https://theori.io/research/chakra-jit-cfg-bypass)\n* [SMEP: What is it, and how to beat it on Windows](https://j00ru.vexillium.org/2011/06/smep-what-is-it-and-how-to-beat-it-on-windows/)\n* [ROP for SMEP bypass](https://rce.wtf/2017/09/24/P4wning-the-windows-kernel-with-ROP.html)\n* [Smashing The Browser](https://github.com/demi6od/Smashing_The_Browser)\n* [Browser security mitigations against memory corruption vulnerabilities](https://docs.google.com/document/d/19dspgrz35VoJwdWOboENZvccTSGudjQ_p8J4OPsYztM/edit)\n\n\n## [↑](#table-of-contents) Kernel\n* [Windows Kernel Pool Spraying](http://trackwatch.com/windows-kernel-pool-spraying/)\n* [Windows Kernel Exploitation Basics - Part 1 : Introduction to DVWDDriver](http://poppopret.blogspot.com/2011/06/windows-kernel-exploitation-part-1.html)\n* [Windows Kernel Exploitation Basics - Part 2 : Arbitrary Memory Overwrite exploitation using HalDispatchTable](http://poppopret.blogspot.com/2011/07/windows-kernel-exploitation-basics-part.html)\n* [Windows Kernel Exploitation Basics - Part 3 : Arbitrary Memory Overwrite exploitation using LDT](http://poppopret.blogspot.com/2011/07/windows-kernel-exploitation-basics-part_2423.html)\n* [Windows Kernel Exploitation Basics - Part 4 : Stack-based Buffer Overflow exploitation (bypassing cookie)](http://poppopret.blogspot.com/2011/07/windows-kernel-exploitation-basics-part_16.html)\n* [Arbitrary Write primitive in Windows kernel (HEVD)](https://blahcat.github.io/2017/08/31/arbitrary-write-primitive-in-windows-kernel-hevd/)\n* [MS11-080 Exploit – A Voyage into Ring Zero](https://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/)\n* [Windows kernel pool spraying fun - Part 1 - Determine kernel object size](https://theevilbit.blogspot.com/2017/09/pool-spraying-fun-part-1.html)\n* [Windows kernel pool spraying fun - Part 2 - More objects](https://theevilbit.blogspot.com/2017/09/windows-kernel-pool-spraying-fun-part-2.html)\n* [Windows kernel pool spraying fun - Part 3 - Let's make holes](https://theevilbit.blogspot.com/2017/09/windows-kernel-pool-spraying-fun-part-3.html)\n* [Fuzzy Security - Kernel Exploitation -\u003e Stack Overflow](https://www.fuzzysecurity.com/tutorials/expDev/14.html)\n* [Fuzzy Security - Kernel Exploitation -\u003e Write-What-Where](https://www.fuzzysecurity.com/tutorials/expDev/15.html)\n* [Fuzzy Security - Kernel Exploitation -\u003e Null Pointer Dereference](https://www.fuzzysecurity.com/tutorials/expDev/16.html)\n* [Fuzzy Security - Kernel Exploitation -\u003e Uninitialized Stack Variable](https://www.fuzzysecurity.com/tutorials/expDev/17.html)\n* [Fuzzy Security - Kernel Exploitation -\u003e Integer Overflow](https://www.fuzzysecurity.com/tutorials/expDev/18.html)\n* [Fuzzy Security - Kernel Exploitation -\u003e UAF](https://www.fuzzysecurity.com/tutorials/expDev/19.html)\n* [Fuzzy Security - Kernel Exploitation -\u003e Pool Overflow](https://www.fuzzysecurity.com/tutorials/expDev/20.html)\n* [Fuzzy Security - Kernel Exploitation -\u003e GDI Bitmap Abuse (Win7-10 32/64bit)](https://www.fuzzysecurity.com/tutorials/expDev/21.html)\n* [Fuzzy Security - Kernel Exploitation -\u003e RS2 Bitmap Necromancy](https://www.fuzzysecurity.com/tutorials/expDev/22.html)\n* [Fuzzy Security - Kernel Exploitation -\u003e Logic bugs in Razer rzpnk.sys](https://www.fuzzysecurity.com/tutorials/expDev/23.html)\n* [Intro to Windows kernel exploitation 1/N: Kernel Debugging](https://www.whitehatters.academy/intro-to-kernel-exploitation-part-1/)\n* [Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-2-windows-drivers/)\n* [Intro to Windows kernel exploitation 3/N: My first Driver exploit](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-3-my-first-driver-exploit/)\n* [Intro to Windows kernel exploitation 3.5/N: A bit more of the HackSys Driver](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-more-of-the-hacksys-driver/)\n* [Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool](https://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html)\n* [Windows Kernel Exploitation Tutorial Part 1: Setting up the Environment](https://rootkits.xyz/blog/2017/06/kernel-setting-up/)\n* [Windows Kernel Exploitation Tutorial Part 2: Stack Overflow](https://rootkits.xyz/blog/2017/08/kernel-stack-overflow/)\n* [Windows Kernel Exploitation Tutorial Part 3: Arbitrary Memory Overwrite (Write-What-Where)](https://rootkits.xyz/blog/2017/09/kernel-write-what-where/)\n* [Windows Kernel Exploitation Tutorial Part 4: Pool Feng-Shui –\u003e Pool Overflow](https://rootkits.xyz/blog/2017/11/kernel-pool-overflow/)\n* [Windows Kernel Exploitation Tutorial Part 5: NULL Pointer Dereference](https://rootkits.xyz/blog/2018/01/kernel-null-pointer-dereference/)\n* [Windows Kernel Exploitation Tutorial Part 6: Uninitialized Stack Variable](https://rootkits.xyz/blog/2018/01/kernel-uninitialized-stack-variable/)\n* [Windows Kernel Exploitation Tutorial Part 7: Uninitialized Heap Variable](https://rootkits.xyz/blog/2018/03/kernel-uninitialized-heap-variable/)\n* [Windows Kernel Exploitation Tutorial Part 8: Use After Free](https://rootkits.xyz/blog/2018/04/kernel-use-after-free/)\n* [Corelan Team (corelanc0d3r) Heap Spraying Demystified](https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/)\n* [abatchy Kernel Exploitation 1: Setting up the environment](https://www.abatchy.com/2018/01/kernel-exploitation-1)\n* [abatchy Kernel Exploitation 2: Payloads](https://www.abatchy.com/2018/01/kernel-exploitation-2)\n* [abatchy Kernel Exploitation 3: Stack Buffer Overflow (Windows 7 x86/x64)](https://www.abatchy.com/2018/01/kernel-exploitation-3)\n* [abatchy Kernel Exploitation 4: Stack Buffer Overflow (SMEP Bypass)](https://www.abatchy.com/2018/01/kernel-exploitation-4)\n* [abatchy Kernel Exploitation 5: Integer Overflow](https://www.abatchy.com/2018/01/kernel-exploitation-5)\n* [abatchy Kernel Exploitation 6: NULL pointer dereference](https://www.abatchy.com/2018/01/kernel-exploitation-6)\n* [abatchy Kernel Exploitation 7: Arbitrary Overwrite (Win7 x86)](https://www.abatchy.com/2018/01/kernel-exploitation-7)\n* [Kernel Hacking With HEVD Part 1 - The Setup](https://sizzop.github.io/2016/07/05/kernel-hacking-with-hevd-part-1.html)\n* [Kernel Hacking With HEVD Part 2 - The Bug](https://sizzop.github.io/2016/07/06/kernel-hacking-with-hevd-part-2.html)\n* [Kernel Hacking With HEVD Part 3 - The Shellcode](https://sizzop.github.io/2016/07/07/kernel-hacking-with-hevd-part-3.html)\n* [Kernel Hacking With HEVD Part 4 - The Exploit](https://sizzop.github.io/2016/07/08/kernel-hacking-with-hevd-part-4.html)\n* [Kernel Hacking With HEVD Part 5 - The SMEP Version](https://sizzop.github.io/2016/09/13/kernel-hacking-with-hevd-part-5.html)\n* [The Path to Ring-0 Windows Edition](https://insomniasec.com/downloads/publications/The%20Path%20To%20Ring-0.pdf)\n* [DIRECTX TO THE KERNEL](https://www.zerodayinitiative.com/blog/2018/12/4/directx-to-the-kernel)\n* [Windows Kernel Graphics Driver Attack Surface](https://www.blackhat.com/docs/us-14/materials/us-14-vanSprundel-Windows-Kernel-Graphics-Driver-Attack-Surface.pdf)\n* [Root Cause of the Kernel Privilege Escalation Vulnerabilities CVE-2019-0808](http://blogs.360.cn/post/RootCause_CVE-2019-0808_EN.html)\n* [Kernel Pool Overflow Exploitation In Real World – Windows 10](http://trackwatch.com/kernel-pool-overflow-exploitation-in-real-world-windows-10/)\n* [Kernel Pool Overflow Exploitation In Real World – Windows 7](http://trackwatch.com/kernel-pool-overflow-exploitation-in-real-world-windows-7/)\n* [Windows Kernel Exploitation - Exploiting HEVD x64 Use-After-Free using Generic Non-Paged Pool Feng-Shui](https://securityinsecurity.github.io/exploiting-hevd-use-after-free/)\n* [Windows Kernel Exploitation Part 1: Stack Buffer Overflows](https://pwnrip.com/windows-kernel-exploitation-part-1-stack-buffer-overflows/)\n* [Windows Kernel Exploitation Part 2: Type Confusion](https://pwnrip.com/windows-kernel-exploitation-part-2-type-confusion/)\n* [Windows Kernel Exploitation Part 3: Integer Overflow](https://pwnrip.com/windows-kernel-exploitation-part-3-integer-overflow/)\n\n## [↑](#table-of-contents) Misc\n* [Root Cause Analysis – Memory Corruption Vulnerabilities](https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/)\n* [Windows 10 x86/wow64 Userland heap](https://www.corelan.be/index.php/2016/07/05/windows-10-x86wow64-userland-heap/)\n\n\n**[`^        back to top        ^`](#)**\n\n\n##  `License `\nMIT License \u0026 [cc](https://creativecommons.org/licenses/by/4.0/) license\n\n\u003ca rel=\"license\" href=\"http://creativecommons.org/licenses/by/4.0/\"\u003e\u003cimg alt=\"Creative Commons License\" style=\"border-width:0\" src=\"https://i.creativecommons.org/l/by/4.0/88x31.png\" /\u003e\u003c/a\u003e\u003cbr /\u003eThis work is licensed under a \u003ca rel=\"license\" href=\"http://creativecommons.org/licenses/by/4.0/\"\u003eCreative Commons Attribution 4.0 International License\u003c/a\u003e.\n\nTo the extent possible under law, [Paul Veillard](https://github.com/paulveillard/) has waived all copyright and related or neighboring rights to this work.\nJust follow the [guidelines](/CONTRIBUTING.MD). Thank you!\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpaulveillard%2Fcybersecurity-windows-exploitation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpaulveillard%2Fcybersecurity-windows-exploitation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpaulveillard%2Fcybersecurity-windows-exploitation/lists"}