https://github.com/paulveillard/cybersecurity-windows-exploitation
A collection of awesome software, libraries, learning tutorials, documents and books, awesome resources and cool stuff about ARM and Windows Exploitation.
https://github.com/paulveillard/cybersecurity-windows-exploitation
arm-templates arm64 cybersecurity-search-engine executable exploitation-framework kernel-methods kernel-module windows windows-exploitation windows-security x86 x86-kernel
Last synced: 3 months ago
JSON representation
A collection of awesome software, libraries, learning tutorials, documents and books, awesome resources and cool stuff about ARM and Windows Exploitation.
- Host: GitHub
- URL: https://github.com/paulveillard/cybersecurity-windows-exploitation
- Owner: paulveillard
- License: apache-2.0
- Created: 2021-12-27T20:24:01.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2024-01-06T12:33:33.000Z (over 1 year ago)
- Last Synced: 2025-03-24T08:21:16.713Z (3 months ago)
- Topics: arm-templates, arm64, cybersecurity-search-engine, executable, exploitation-framework, kernel-methods, kernel-module, windows, windows-exploitation, windows-security, x86, x86-kernel
- Homepage:
- Size: 406 KB
- Stars: 42
- Watchers: 2
- Forks: 12
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
Awesome Lists containing this project
README
# Windows or ARM Exploitation
> A collection of awesome software, libraries, learning tutorials, documents and books, awesome resources and cool stuff about ARM and Windows Exploitation.
## `What are exploits? `
[Exploits](https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/exploits-malware) take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security safeguards to infect your device.
### `Table of Contents `
- [Windows stack overflows](#windows_stack_overflows)
- [Windows heap overflows](#windows_heap_overflows)
- [Kernel based Windows overflows](#kernel_based_Windows_overflows)
- [Windows Kernel Memory Corruption](#windows_kernel_memory_corruption)
- [Return Oriented Programming](#Return_oriented_programming)
- [Windows memory protections](#Windows_memory_protections)
- [Bypassing filter and protections](#Bypassing_filter_and_protections)
- [Typical windows exploits](#Typical_windows_exploits)
- [Exploit development tutorial series](#Exploit_development_tutorial_series)
+ [Corelan Team](#corelan)
+ [Fuzzysecurity](#fuzzysecurity)
+ [Securitysift](#securitysift)
+ [Whitehatters Academy](#whitehattersacademy)
+ [TheSprawl](#TheSprawl)
+ [Expdev-Kiuhnm](#expdev-kiuhnm)
- [Tools](#tools)
- [Miscellaneous](#miscellaneous)
- [Conference Talks / Videos](#conference-talks--videos)
- [Articles / Papers](#articles--papers)
- [Resources](#resources)
- [CTF / Training Binaries](#ctf--training-binaries)
- [Books](#books)
- [Other Tools](#other-tools)
- [Courses](#courses)
- [Related Awesome Lists](#related-awesome-lists)
- [Advanced ARM](#advanced-arm)
- [Browser](#-browser)
- [Mitigation Bypass](#-mitigation-bypass)
- [Kernel](#-kernel)
- [Misc](#-misc)
## Windows stack overflows
*Stack Base Overflow Articles.*
+ [Win32 Buffer Overflows (Location, Exploitation and Prevention)](http://www.phrack.com/issues.html?issue=55&id=15#article) - by Dark spyrit [1999]
+ [Writing Stack Based Overflows on Windows](http://www.packetstormsecurity.org/papers/win/) - by Nish Bhalla’s [2005]
+ [Stack Smashing as of Today](https://www.blackhat.com/presentations/bh-europe-09/Fritsch/Blackhat-Europe-2009-Fritsch-Bypassing-aslr-slides.pdf) - by Hagen Fritsch [2009]
+ [SMASHING C++ VPTRS](http://phrack.org/issues/56/8.html) - by rix [2000]
## Windows heap overflows
*Heap Base Overflow Articles.*
+ [Third Generation Exploitation smashing heap on 2k](http://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt) - by Halvar Flake [2002]
+ [Exploiting the MSRPC Heap Overflow Part 1](http://freeworld.thc.org/root/docs/exploit_writing/msrpcheap.pdf) - by Dave Aitel (MS03-026) [September 2003]
+ [Exploiting the MSRPC Heap Overflow Part 2](http://freeworld.thc.org/root/docs/exploit_writing/msrpcheap2.pdf) - by Dave Aitel (MS03-026) [September 2003]
+ [Windows heap overflow penetration in black hat](https://www.blackhat.com/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.ppt) - by David Litchfield [2004]
+ [Glibc Adventures: The Forgotten Chunk](http://www.contextis.com/documents/120/Glibc_Adventures-The_Forgotten_Chunks.pdf) - by François Goichon [2015]
+ [Pseudomonarchia jemallocum](http://www.phrack.org/issues/68/10.html) - by argp & huku
+ [The House Of Lore: Reloaded](http://phrack.org/issues/67/8.html) - by blackngel [2010]
+ [Malloc Des-Maleficarum](http://phrack.org/issues/66/10.html) - by blackngel [2009]
+ [free() exploitation technique](http://phrack.org/issues/66/6.html) - by huku
+ [Understanding the heap by breaking it](https://www.blackhat.com/presentations/bh-usa-07/Ferguson/Whitepaper/bh-usa-07-ferguson-WP.pdf) - by Justin N. Ferguson [2007]
+ [The use of set_head to defeat the wilderness](http://phrack.org/issues/64/9.html) - by g463
+ [The Malloc Maleficarum](http://seclists.org/bugtraq/2005/Oct/118) - by Phantasmal Phantasmagoria [2005]
+ [Exploiting The Wilderness](http://seclists.org/vuln-dev/2004/Feb/25) - by Phantasmal Phantasmagoria [2004]
+ [Advanced Doug lea's malloc exploits](http://phrack.org/issues/61/6.html) - by jp
**[`^ back to top ^`](#)**
## Kernel based Windows overflows
*Kernel Base Exploit Development Articles.*
+ [How to attack kernel based vulns on windows was done](http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-08/0101.html) - by a Polish group called “sec-labs” [2003]
+ [Sec-lab old whitepaper](http://www.artofhacking.com/tucops/hack/windows/live/aoh_win32dcv.htm)
+ [Sec-lab old exploit](http://www.securityfocus.com/bid/8329/info)
+ [Windows Local Kernel Exploitation (based on sec-lab research)](http://www.packetstormsecurity.org/hitb04/hitb04-sk-chong.pdf) - by S.K Chong [2004]
+ [How to exploit Windows kernel memory pool](http://packetstormsecurity.nl/Xcon2005/Xcon2005_SoBeIt.pdf) - by SoBeIt [2005]
+ [Exploiting remote kernel overflows in windows](http://research.eeye.com/html/papers/download/StepIntoTheRing.pdf) - by Eeye Security
+ [Kernel-mode Payloads on Windows in uninformed](http://www.uninformed.org/?v=3&a=4&t=pdf) - by Matt Miller
+ [Exploiting 802.11 Wireless Driver Vulnerabilities on Windows](http://www.uninformed.org/?v=6&a=2&t=pdf)
+ [BH US 2007 Attacking the Windows Kernel](http://www.blackhat.com/presentations/bh-usa-07/Lindsay/Whitepaper/bh-usa-07-lindsay-WP.pdf)
+ [Remote and Local Exploitation of Network Drivers](http://www.blackhat.com/presentations/bh-usa-07/Bulygin/Presentation/bh-usa-07-bulygin.pdf)
+ [Exploiting Comon Flaws In Drivers](http://www.reversemode.com/index.php?option=com_content&task=view&id=38&Itemid=1)
+ [I2OMGMT Driver Impersonation Attack](http://www.immunityinc.com/downloads/DriverImpersonationAttack_i2omgmt.pdf)
+ [Real World Kernel Pool Exploitation](http://sebug.net/paper/Meeting-Documents/syscanhk/KernelPool.pdf)
+ [Exploit for windows 2k3 and 2k8](http://www.argeniss.com/research/TokenKidnapping.pdf)
+ [Alyzing local privilege escalations in win32k](http://www.uninformed.org/?v=10&a=2&t=pdf)
+ [Intro to Windows Kernel Security Development](http://www.dontstuffbeansupyournose.com/trac/browser/projects/ucon09/Intro_NT_kernel_security_stuff.pdf)
+ [There’s a party at ring0 and you’re invited](http://www.cr0.org/paper/to-jt-party-at-ring0.pdf)
+ [Windows kernel vulnerability exploitation](http://vexillium.org/dl.php?call_gate_exploitation.pdf)
+ [A New CVE-2015-0057 Exploit Technology](https://www.blackhat.com/docs/asia-16/materials/asia-16-Wang-A-New-CVE-2015-0057-Exploit-Technology-wp.pdf) - by Yu Wang [2016]
+ [Exploiting CVE-2014-4113 on Windows 8.1](https://labs.bluefrostsecurity.de/publications/2016/01/07/exploiting-cve-2014-4113-on-windows-8.1/) - by Moritz Jodeit [2016]
+ [Easy local Windows Kernel exploitation](http://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf) - by Cesar Cerrudo [2012]
+ [Windows Kernel Exploitation ](http://www.hacking-training.com/download/WKE.pdf) - by Simone Cardona 2016
+ [Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects](https://sensepost.com/blog/2017/exploiting-ms16-098-rgnobj-integer-overflow-on-windows-8.1-x64-bit-by-abusing-gdi-objects/) - by Saif Sherei 2017
+ [Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes](http://www.slideshare.net/PeterHlavaty/windows-kernel-exploitation-this-time-font-hunt-you-down-in-4-bytes) - by keen team [2015]
+ [Abusing GDI for ring0 exploit primitives](https://www.coresecurity.com/system/files/publications/2016/10/Abusing-GDI-Reloaded-ekoparty-2016_0.pdf) - [2016]
## Windows Kernel Memory Corruption
*Windows Kernel Memory Corruption Exploit Development Articles.*
+ [Remote Windows Kernel Exploitation](https://cansecwest.com/core05/windowsremotekernel.pdf) - by Barnaby Jack [2005]
+ [windows kernel-mode payload fundamentals](http://uninformed.org/index.cgi?v=3&a=4&t=sumry) - by Skape [2006]
+ [exploiting 802.11 wireless driver vulnerabilities on windows](http://www.uninformed.org/?v=6&a=2&t=sumry) - by Johnny Cache, H D Moore, skape [2007]
+ [Kernel Pool Exploitation on Windows 7](https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf) - by Tarjei Mandt [2011]
+ [Windows Kernel-mode GS Cookies and 1 bit of entropy](vexillium.org/dl.php?/Windows_Kernel-mode_GS_Cookies_subverted.pdf) - [2011]
+ [Subtle information disclosure in WIN32K.SYS syscall return values](http://j00ru.vexillium.org/?p=762) - [2011]
+ [nt!NtMapUserPhysicalPages and Kernel Stack-Spraying Techniques](http://j00ru.vexillium.org/?p=769) - [2011]
+ [SMEP: What is it, and how to beat it on Windows](http://j00ru.vexillium.org/?p=783) - [2011]
+ [Kernel Attacks through User-Mode Callbacks](http://www.mista.nu/research/mandt-win32k-paper.pdf) - by Tarjei Mandt [2011]
+ [Windows Security Hardening Through Kernel Address Protection](http://j00ru.vexillium.org/blog/04_12_11/Windows_Kernel_Address_Protection.pdf) - by Mateusz "j00ru" Jurczyk [2011]
+ [Reversing Windows8: Interesting Features of Kernel Security](http://hitcon.org/2012/download/0720A5_360.MJ0011_Reversing%20Windows8-Interesting%20Features%20of%20Kernel%20Security.pdf) - by MJ0011 [2012]
+ [Smashing The Atom: Extraordinary String Based Attacks](mista.nu/research/smashing_the_atom.pdf) - by Tarjei Mandt [2012]
+ [Easy local Windows Kernel exploitation](http://media.blackhat.com/bh-us-12/Briefings/Cerrudo/BH_US_12_Cerrudo_Windows_Kernel_WP.pdf) - by Cesar Cerrudo [2012]
+ [Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement](www.powerofcommunity.net/poc2012/mj0011.pdf) - by MJ0011 [2012]
+ [MWR Labs Pwn2Own 2013 Write-up - Kernel Exploit](https://labs.mwrinfosecurity.com/blog/mwr-labs-pwn2own-2013-write-up-kernel-exploit/) - [2013]
+ [KASLR Bypass Mitigations in Windows 8.1](www.alex-ionescu.com/?p=82) - [2013]
+ [First Dip Into the Kernel Pool: MS10-058](http://doar-e.github.io/blog/2014/03/11/first-dip-into-the-kernel-pool-ms10-058/) - by Jeremy [2014]
+ [Windows 8 Kernel Memory Protections Bypass](https://labs.mwrinfosecurity.com/blog/windows-8-kernel-memory-protections-bypass/) - [2014]
+ [An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113)](http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/) - by Weimin Wu [2014]
+ [Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids’ Pool](http://www.alex-ionescu.com/?p=231) - [2014]
+ [Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE 2015-0057) bug on both 32-bit and 64-bit](https://www.nccgroup.trust/globalassets/newsroom/uk/blog/documents/2015/07/exploiting-cve-2015.pdf) - by Aaron Adams [2015]
+ [Exploiting MS15-061 Microsoft Windows Kernel Use-After-Free (win32k!xxxSetClassLong)](https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/08/2015-08-27_-_ncc_group_-_exploiting_ms15_061_uaf_-_release.pdf) - by Dominic Wang [2015]
+ [Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit](https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/09/2015-08-28_-_ncc_group_-_exploiting_cve_2015_2426_-_release.pdf) - by Cedric Halbronn [2015]
+ [Abusing GDI for ring0 exploit primitives](https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives) - by Diego Juarez [2015]
+ [Duqu 2.0 Win32k exploit analysis](https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/OhFlorio-VB2015.pdf) - [2015]
## Return Oriented Programming
+ [The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls](http://cseweb.ucsd.edu/~hovav/dist/geometry.pdf)
+ [Blind return-oriented programming](http://www.scs.stanford.edu/brop/bittau-brop.pdf)
+ [Sigreturn-oriented Programming](https://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf)
+ [Jump-Oriented Programming: A New Class of Code-Reuse Attack](http://ftp.ncsu.edu/pub/tech/2010/TR-2010-8.pdf)
+ [Out of control: Overcoming control-flow integrity](http://www.cs.stevens.edu/~gportoka/files/outofcontrol_oakland14.pdf)
+ [ROP is Still Dangerous: Breaking Modern Defenses](http://www.cs.berkeley.edu/~daw/papers/rop-usenix14.pdf)
+ [Loop-Oriented Programming(LOP): A New Code Reuse Attack to Bypass Modern Defenses](https://www.sec.in.tum.de/assets/staff/muntean/Loop-Oriented_Programming_A_New_Code_Reuse_Attack_to_Bypass_Modern0ADefenses.pdf) - by Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng [2015]
+ [Systematic Analysis of Defenses Against Return-Oriented Programming](https://people.csail.mit.edu/nickolai/papers/skowyra-rop.pdf) -by R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. Streilein [2013]
+ [Return-oriented programming without returns](https://www.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf) -by S.Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy [2010]
+ [Jump-oriented programming: a new class of code-reuse attack](https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf) -by T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang [2011]
+ [Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-davi.pdf) - by L. Davi, A. Sadeghi, and D. Lehmann [2014]
+ [Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-goktas.pdf) - by E. Göktas, E.Athanasopoulos, M. Polychronakis, H. Bos, and G.Portokalidis [2014]
+ [Buffer overflow attacks bypassing DEP (NX/XD bits) – part 1](http://www.mastropaolo.com/2005/06/04/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-1/) - by Marco Mastropaolo [2005]
+ [Buffer overflow attacks bypassing DEP (NX/XD bits) – part 2](http://www.mastropaolo.com/2005/06/05/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-2-code-injection/) - by Marco Mastropaolo [2005]
+ [Practical Rop](http://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf) - by Dino Dai Zovi [2010]
+ [Exploitation with WriteProcessMemory](https://packetstormsecurity.com/papers/general/Windows-DEP-WPM.txt) - by Spencer Pratt [2010]
+ [Exploitation techniques and mitigations on Windows](http://hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf) - by skape
+ [A little return oriented exploitation on Windows x86 – Part 1](http://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on.html) - by Harmony Security and Stephen Fewer [2010]
+ [A little return oriented exploitation on Windows x86 – Part 2](http://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on_16.html) - by Harmony Security and Stephen Fewer [2010]
## Windows memory protections
*Windows memory protections Introduction Articles.*
+ [Data Execution Prevention](http://support.microsoft.com/kb/875352)
+ [/GS (Buffer Security Check)](http://msdn.microsoft.com/en-us/library/Aa290051)
+ [/SAFESEH](http://msdn.microsoft.com/en-us/library/9a89h429(VS.80).aspx)
+ [ASLR](http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx)
+ [SEHOP](http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)
## Bypassing filter and protections
*Windows memory protections Bypass Methods Articles.*
+ [Third Generation Exploitation smashing heap on 2k](http://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt) - by Halvar Flake [2002]
+ [Creating Arbitrary Shellcode In Unicode Expanded Strings](http://www.net-security.org/dl/articles/unicodebo.pdf) - by Chris Anley
+ [Advanced windows exploitation](http://www.immunityinc.com/downloads/immunity_win32_exploitation.final2.ppt) - by Dave Aitel [2003]
+ [Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server](http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection.pdf) - by David Litchfield
+ [Reliable heap exploits and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2)](http://cybertech.net/~sh0ksh0k/projects/winheap/XPSP2%20Heap%20Exploitation.ppt) - by Matt Conover in cansecwest 2004
+ [Safely Searching Process Virtual Address Space](http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf) - by Matt Miller [2004]
+ [IE exploit and used a technology called Heap Spray](http://www.exploit-db.com/exploits/612)
+ [Bypassing hardware-enforced DEP](http://www.uninformed.org/?v=2&a=4&t=pdf) - by Skape (Matt Miller) and Skywing (Ken Johnson) [October 2005]
+ [Exploiting Freelist[0] On XP Service Pack 2](http://www.orkspace.net/secdocs/Windows/Protection/Bypass/Exploiting%20Freelist%5B0%5D%20On%20XP%20Service%20Pack%202.pdf) - by Brett Moore [2005]
+ [Kernel-mode Payloads on Windows in uninformed](http://www.uninformed.org/?v=3&a=4&t=pdf)
+ [Exploiting 802.11 Wireless Driver Vulnerabilities on Windows](http://www.uninformed.org/?v=6&a=2&t=pdf)
+ [Exploiting Comon Flaws In Drivers](http://www.reversemode.com/index.php?option=com_content&task=view&id=38&Itemid=1)
+ [Heap Feng Shui in JavaScript](http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf) by Alexander sotirov [2007]
+ [Understanding and bypassing Windows Heap Protection](http://kkamagui.springnote.com/pages/1350732/attachments/579350) - by Nicolas Waisman [2007]
+ [Heaps About Heaps](http://www.insomniasec.com/publications/Heaps_About_Heaps.ppt) - by Brett moore [2008]
+ [Bypassing browser memory protections in Windows Vista](http://taossa.com/archive/bh08sotirovdowd.pdf) - by Mark Dowd and Alex Sotirov [2008]
+ [Attacking the Vista Heap](http://www.ruxcon.org.au/files/2008/hawkes_ruxcon.pdf) - by ben hawkes [2008]
+ [Return oriented programming Exploitation without Code Injection](http://cseweb.ucsd.edu/~hovav/dist/blackhat08.pdf) - by Hovav Shacham (and others ) [2008]
+ [Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8](http://www.argeniss.com/research/TokenKidnapping.pdf) - by Cesar Cerrudo [2008]
+ [Defeating DEP Immunity Way](http://www.immunityinc.com/downloads/DEPLIB.pdf) - by Pablo Sole [2008]
+ [Practical Windows XP2003 Heap Exploitation](http://www.blackhat.com/presentations/bh-usa-09/MCDONALD/BHUSA09-McDonald-WindowsHeap-PAPER.pdf) - by John McDonald and Chris Valasek [2009]
+ [Bypassing SEHOP](http://www.sysdream.com/articles/sehop_en.pdf) - by Stefan Le Berre Damien Cauquil [2009]
+ [Interpreter Exploitation : Pointer Inference and JIT Spraying](http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf) - by Dionysus Blazakis[2010]
+ [Write-up of Pwn2Own 2010](http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf) - by Peter Vreugdenhil
+ [All in one 0day presented in rootedCON](http://wintercore.com/downloads/rootedcon_0day_english.pdf) - by Ruben Santamarta [2010]
+ [DEP/ASLR bypass using 3rd party](http://web.archive.org/web/20130820021520/http://abysssec.com/files/The_Arashi.pdf) - by Shahin Ramezany [2013]
+ [Bypassing EMET 5.0](http://blog.sec-consult.com/2014/10/microsoft-emet-armor-against-zero-days.html) - by René Freingruber [2014]
## Typical windows exploits
+ [Real-world HW-DEP bypass Exploit](http://www.exploit-db.com/exploits/3652) - by Devcode
+ [Bypassing DEP by returning into HeapCreate](http://www.metasploit.com/redmine/projects/framework/repository/revisions/7246/entry/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb) - by Toto
+ [First public ASLR bypass exploit by using partial overwrite ](http://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/email/ani_loadimage_chunksize.rb) - by Skape
+ [Heap spray and bypassing DEP](http://skypher.com/SkyLined/download/www.edup.tudelft.nl/%7Ebjwever/exploits/InternetExploiter2.zip) - by Skylined
+ [First public exploit that used ROP for bypassing DEP in adobe lib TIFF vulnerability](http://www.metasploit.com/redmine/projects/framework/repository/revisions/8833/raw/modules/exploits/windows/fileformat/adobe_libtiff.rb)
+ [Exploit codes of bypassing browsers memory protections](http://phreedom.org/research/bypassing-browser-memory-protections/bypassing-browser-memory-protections-code.zip)
+ [PoC’s on Tokken TokenKidnapping . PoC for 2k3 -part 1](http://www.argeniss.com/research/Churrasco.zip) - by Cesar Cerrudo
+ [PoC’s on Tokken TokenKidnapping . PoC for 2k8 -part 2](http://www.argeniss.com/research/Churrasco2.zip) - by Cesar Cerrudo
+ [An exploit works from win 3.1 to win 7](http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip) - by Tavis Ormandy KiTra0d
+ [Old ms08-067 metasploit module multi-target and DEP bypass](http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/smb/ms08_067_netapi.rb)
+ [PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass](http://www.exploit-db.com/exploits/12189)
+ [SMBv2 Exploit](http://www.metasploit.com/redmine/projects/framework/repository/revisions/8916/raw/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb) - by Stephen Fewer
+ [Microsoft IIS 7.5 remote heap buffer overflow](http://www.phrack.org/issues/68/12.html) - by redpantz
+ [Browser Exploitation Case Study for Internet Explorer 11](https://labs.bluefrostsecurity.de/files/Look_Mom_I_Dont_Use_Shellcode-WP.pdf) - by Moritz Jodeit [2016]
## Exploit development tutorial series
*Exploid Development Tutorial Series Base on Windows Operation System Articles.*
- Corelan Team
+ [Exploit writing tutorial part 1 : Stack Based Overflows](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/)
+ [Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode](https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/)
+ [Exploit writing tutorial part 3 : SEH Based Exploits](https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/)
+ [Exploit writing tutorial part 3b : SEH Based Exploits – just another example](https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/)
+ [Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics](https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/)
+ [Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development](https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/)
+ [Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR](https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/)
+ [Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc](https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/)
+ [Exploit writing tutorial part 8 : Win32 Egg Hunting](https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/)
+ [Exploit writing tutorial part 9 : Introduction to Win32 shellcoding](https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/)
+ [Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s Cube](https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/)
+ [Exploit writing tutorial part 11 : Heap Spraying Demystified](https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/)
- Fuzzysecurity
+ [Part 1: Introduction to Exploit Development](https://www.fuzzysecurity.com/tutorials/expDev/1.html)
+ [Part 2: Saved Return Pointer Overflows](https://www.fuzzysecurity.com/tutorials/expDev/2.html)
+ [Part 3: Structured Exception Handler (SEH)](https://www.fuzzysecurity.com/tutorials/expDev/3.html)
+ [Part 4: Egg Hunters](https://www.fuzzysecurity.com/tutorials/expDev/4.html)
+ [Part 5: Unicode 0x00410041](https://www.fuzzysecurity.com/tutorials/expDev/5.html)
+ [Part 6: Writing W32 shellcode](https://www.fuzzysecurity.com/tutorials/expDev/6.html)
+ [Part 7: Return Oriented Programming](https://www.fuzzysecurity.com/tutorials/expDev/7.html)
+ [Part 8: Spraying the Heap Chapter 1: Vanilla EIP](https://www.fuzzysecurity.com/tutorials/expDev/8.html)
+ [Part 9: Spraying the Heap Chapter 2: Use-After-Free](https://www.fuzzysecurity.com/tutorials/expDev/11.html)
+ [Part 10: Kernel Exploitation -> Stack Overflow](http://www.fuzzysecurity.com/tutorials/expDev/14.html)
+ [Part 11: Kernel Exploitation -> Write-What-Where](http://www.fuzzysecurity.com/tutorials/expDev/15.html)
+ [Part 12: Kernel Exploitation -> Null Pointer Dereference](http://www.fuzzysecurity.com/tutorials/expDev/16.html)
+ [Part 13: Kernel Exploitation -> Uninitialized Stack Variable](http://www.fuzzysecurity.com/tutorials/expDev/17.html)
+ [Part 14: Kernel Exploitation -> Integer Overflow](http://www.fuzzysecurity.com/tutorials/expDev/18.html)
+ [Part 15: Kernel Exploitation -> UAF](http://www.fuzzysecurity.com/tutorials/expDev/19.html)
+ [Part 16: Kernel Exploitation -> Pool Overflow](http://www.fuzzysecurity.com/tutorials/expDev/20.html)
+ [Part 17: Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)](http://www.fuzzysecurity.com/tutorials/expDev/21.html)
+ [Heap Overflows For Humans 101](http://www.fuzzysecurity.com/tutorials/mr_me/2.html)
+ [Heap Overflows For Humans 102](http://www.fuzzysecurity.com/tutorials/mr_me/3.html)
+ [Heap Overflows For Humans 102.5](http://www.fuzzysecurity.com/tutorials/mr_me/4.html)
+ [Heap Overflows For Humans 103](http://www.fuzzysecurity.com/tutorials/mr_me/5.html)
+ [Heap Overflows For Humans 103.5](http://www.fuzzysecurity.com/tutorials/mr_me/6.html)
- Securitysift
+ [Windows Exploit Development – Part 1: The Basics](http://www.securitysift.com/windows-exploit-development-part-1-basics/)
+ [Windows Exploit Development – Part 2: Intro to Stack Based Overflows](http://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/)
+ [Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules](http://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/)
+ [Windows Exploit Development – Part 4: Locating Shellcode With Jumps](http://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/)
+ [Windows Exploit Development – Part 5: Locating Shellcode With Egghunting](http://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting/)
+ [Windows Exploit Development – Part 6: SEH Exploits](http://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/)
+ [Windows Exploit Development – Part 7: Unicode Buffer Overflows](http://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows/)
- Whitehatters Academy
+ [Intro to Windows kernel exploitation 1/N: Kernel Debugging](https://www.whitehatters.academy/intro-to-kernel-exploitation-part-1/)
+ [Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-2-windows-drivers/)
+ [Intro to Windows kernel exploitation 3/N: My first Driver exploit](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-3-my-first-driver-exploit/)
+ [Intro to Windows kernel exploitation 3.5/N: A bit more of the HackSys Driver](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-more-of-the-hacksys-driver/)
+ [Backdoor 103: Fully Undetected](https://www.whitehatters.academy/backdoor-103-fully-undetected/)
+ [Backdoor 102](https://www.whitehatters.academy/backdoor-102/)
+ [Backdoor 101](https://www.whitehatters.academy/backdoor101-vysec/)
- TheSprawl
+ [corelan - integer overflows - exercise solution](http://thesprawl.org/research/corelan-integer-overflows-exercise-solution/)
+ [heap overflows for humans - 102 - exercise solution](http://thesprawl.org/research/heap-overflows-humans-102-exercise-solution/)
+ [exploit exercises - protostar - final levels](http://thesprawl.org/research/exploit-exercises-protostar-final/)
+ [exploit exercises - protostar - network levels](http://thesprawl.org/research/exploit-exercises-protostar-network/)
+ [exploit exercises - protostar - heap levels](http://thesprawl.org/research/exploit-exercises-protostar-heap/)
+ [exploit exercises - protostar - format string levels](http://thesprawl.org/research/exploit-exercises-protostar-format/)
+ [exploit exercises - protostar - stack levels](http://thesprawl.org/research/exploit-exercises-protostar-stack/)
+ [open security training - introduction to software exploits - uninitialized variable overflow](http://thesprawl.org/research/ost-introduction-software-exploits-uninit-overflow/)
+ [open security training - introduction to software exploits - off-by-one](http://thesprawl.org/research/ost-introduction-exploits-offbyone/)
+ [open security training - introduction to re - bomb lab secret phase](http://thesprawl.org/research/ost-introduction-re-bomb-secret-phase/)
+ [open security training - introductory x86 - buffer overflow mystery box](http://thesprawl.org/research/ost-introductory-x86-buffer-overflow-mystery-box/)
+ [corelan - tutorial 10 - exercise solution](http://thesprawl.org/research/corelan-tutorial-10-exercise-solution/)
+ [corelan - tutorial 9 - exercise solution](http://thesprawl.org/research/corelan-tutorial-9-exercise-solution/)
+ [corelan - tutorial 7 - exercise solution](http://thesprawl.org/research/corelan-tutorial-7-exercise-solution/)
+ [getting from seh to nseh](http://thesprawl.org/research/seh-to-nseh/)
+ [corelan - tutorial 3b - exercise solution](http://thesprawl.org/research/corelan-tutorial-3b-exercise-solution/)
- Expdev-Kiuhnm
+ [WinDbg](http://expdev-kiuhnm.rhcloud.com/2015/05/17/windbg/)
+ [Mona 2](http://expdev-kiuhnm.rhcloud.com/2015/05/19/mona-2/)
+ [Structure Exception Handling (SEH)](http://expdev-kiuhnm.rhcloud.com/2015/05/19/structured-exception-handling-seh/)
+ [Heap](http://expdev-kiuhnm.rhcloud.com/2015/05/20/heap/)
+ [Windows Basics](http://expdev-kiuhnm.rhcloud.com/2015/05/20/windows-basics/)
+ [Shellcode](http://expdev-kiuhnm.rhcloud.com/2015/05/22/shellcode/)
+ [Exploitme1 (ret eip overwrite)](http://expdev-kiuhnm.rhcloud.com/2015/05/26/exploitme1-ret-eip-overwrite/)
+ [Exploitme2 (Stack cookies & SEH)](http://expdev-kiuhnm.rhcloud.com/2015/05/26/exploitme2-stack-cookies-seh-2/)
+ [Exploitme3 (DEP)](http://expdev-kiuhnm.rhcloud.com/2015/05/27/exploitme3-dep/)
+ [Exploitme4 (ASLR)](http://expdev-kiuhnm.rhcloud.com/2015/05/28/exploitme4-aslr/)
+ [Exploitme5 (Heap Spraying & UAF)](http://expdev-kiuhnm.rhcloud.com/2015/05/29/exploitme5-heap-spraying-uaf/)
+ [EMET 5.2](http://expdev-kiuhnm.rhcloud.com/2015/05/29/emet-5-2-2/)
+ [Internet Explorer 10 - Reverse Engineering IE](http://expdev-kiuhnm.rhcloud.com/2015/05/31/ie10-reverse-engineering-ie/)
+ [Internet Explorer 10 - From one-byte-write to full process space read/write](http://expdev-kiuhnm.rhcloud.com/2015/05/31/ie-10-from-one-byte-write-to-full-process-space-readwrite/)
+ [Internet Explorer 10 - God Mode (1)](http://expdev-kiuhnm.rhcloud.com/2015/05/31/ie10-god-mode-1/)
+ [Internet Explorer 10 - God Mode (2)](http://expdev-kiuhnm.rhcloud.com/2015/06/01/ie10-god-mode-2/)
+ [Internet Explorer 10 - Use-After-Free bug](http://expdev-kiuhnm.rhcloud.com/2015/06/01/ie10-use-free-bug/)
+ [Internet Explorer 11 - Part 1](http://expdev-kiuhnm.rhcloud.com/2015/06/02/ie11-part-1/)
+ [Internet Explorer 11 - Part 2](http://expdev-kiuhnm.rhcloud.com/2015/06/02/ie11-part-2/)
## Tools
*Disassemblers, debuggers, and other static and dynamic analysis tools.*
+ [angr](https://github.com/angr/angr) - Platform-agnostic binary analysis
framework developed at UCSB's Seclab.
+ [BARF](https://github.com/programa-stic/barf-project) - Multiplatform, open
source Binary Analysis and Reverse engineering Framework.
+ [Binary Ninja](https://binary.ninja/) - Multiplatform binary analysis IDE supporting
various types of binaries and architecturs. Scriptable via Python.
+ [binnavi](https://github.com/google/binnavi) - Binary analysis IDE for
reverse engineering based on graph visualization.
+ [Bokken](http://www.bokken.re/) - GUI for Pyew and Radare.
+ [Capstone](https://github.com/aquynh/capstone) - Disassembly framework for
binary analysis and reversing, with support for many architectures and
bindings in several languages.
+ [codebro](https://github.com/hugsy/codebro) - Web based code browser using
clang to provide basic code analysis.
+ [dnSpy](https://github.com/0xd4d/dnSpy) - .NET assembly editor, decompiler
and debugger.
+ [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - A
modular debugger with a Qt GUI.
+ [GDB](http://www.sourceware.org/gdb/) - The GNU debugger.
+ [GEF](https://github.com/hugsy/gef) - GDB Enhanced Features, for exploiters
and reverse engineers.
+ [hackers-grep](https://github.com/codypierce/hackers-grep) - A utility to
search for strings in PE executables including imports, exports, and debug
symbols.
+ [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - Windows
disassembler and debugger, with a free evaluation version.
+ [Immunity Debugger](http://debugger.immunityinc.com/) - Debugger for
malware analysis and more, with a Python API.
+ [ltrace](http://ltrace.org/) - Dynamic analysis for Linux executables.
+ [objdump](https://en.wikipedia.org/wiki/Objdump) - Part of GNU binutils,
for static analysis of Linux binaries.
+ [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows
executables.
+ [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral Dynamic Analysis
+ [PEDA](https://github.com/longld/peda) - Python Exploit Development
Assistance for GDB, an enhanced display with added commands.
+ [pestudio](https://winitor.com/) - Perform static analysis of Windows
executables.
+ [Process Monitor](https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) -
Advanced monitoring tool for Windows programs.
+ [Pyew](https://github.com/joxeankoret/pyew) - Python tool for malware
analysis.
+ [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with
debugger support.
+ [SMRT](https://github.com/pidydx/SMRT) - Sublime Malware Research Tool, a
plugin for Sublime 3 to aid with malware analyis.
+ [strace](http://sourceforge.net/projects/strace/) - Dynamic analysis for
Linux executables.
+ [Udis86](https://github.com/vmt/udis86) - Disassembler library and tool
for x86 and x86_64.
+ [Vivisect](https://github.com/vivisect/vivisect) - Python tool for
malware analysis.
+ [X64dbg](https://github.com/x64dbg/) - An open-source x64/x32 debugger for windows.
## `Conference Talks / Videos `
* [Exploitation on ARM](https://www.youtube.com/watch?v=kykVyJ0dm8Y) - Itzhak Avraham - Defcon 18 (2010)
* [ARM Exploitation ROPMAP](https://www.youtube.com/watch?v=VDyf_tJ8IUg) - Long Le - Blackhat USA (2011)
* [Advanced ARM Exploitation](https://www.youtube.com/watch?v=gdsPydfBfSA) - Stephen Ridley & Stephen Lawler - Blackhat USA (2012)
* [ARM Assembly and Shellcode Basics](https://www.youtube.com/watch?v=BhjJBuX0YCU) - Saumil Shah - 44CON (2017)
* [Heap Overflow Exploits for Beginners (ARM Exploitation Tutorial)](https://www.youtube.com/watch?v=L8Ya7fBgEzU) - Billy Ellis (2017)
* [Introduction to Exploitation on ARM64](https://www.youtube.com/watch?v=xVyH68HFsQU) - Billy Ellis - Codetalks (2018)
* [Make ARM Shellcode Great Again](https://www.youtube.com/watch?v=9tx293lbGuc) - Saumil Shah - Hack.lu (2018)
* [ARM Memory Tagging, how it improves C++ memory safety](https://www.youtube.com/watch?v=iP_iHroclgM) - Kostya Serebryany - LLVM (2018)
* [Breaking Samsung's ARM Trustzone](https://i.blackhat.com/USA-19/Thursday/us-19-Peterlin-Breaking-Samsungs-ARM-TrustZone.pdf)
* [Hacker Nightmares: Giving Hackers a Headache with Exploit Mitigations](https://www.youtube.com/watch?v=riQ-WyYrxh4) - Azeria - Virtual Arm Research Summit (2020)
## `Articles / Papers `
* [ARM Assembly Basics Series](https://azeria-labs.com/writing-arm-assembly-part-1/) - Azeria
* [ARM Binary Exploitation Series](https://azeria-labs.com/writing-arm-shellcode/) - Azeria
* [Smashing the ARM Stack](https://www.merckedsecurity.com/blog/smashing-the-arm-stack-part-1) - Mercked Security
* [Introduction to ARMv8 64-bit Architecture](https://quequero.org/2014/04/introduction-to-arm-architecture/) - pnuic
* [Alphanumeric RISC ARM Shellcode](http://phrack.org/issues/66/12.html) - (Phrack) - Yves Younan, Pieter Philippaerts
* [Return-Oriented Programming on a Cortex-M Processor](https://ieeexplore.ieee.org/document/8029521)
* [3or ARM Exploitation Series](https://blog.3or.de/arm-exploitation-return-oriented-programming.html) - Dimitrios Slamaris
* [Developing StrongARM/Linux Shellcode](http://www.phrack.com/issues/58/10.html) - (Phrack) - funkysh
* [Reversing and Exploiting ARM Binaries](http://www.mathyvanhoef.com/2013/12/reversing-and-exploiting-arm-binaries.html) - Mathy Vanhoef
* [ARM Exploitation for IoT Series](https://quequero.org/2017/07/arm-exploitation-iot-episode-1/) - Andrea Sindoni
* [Reverse Engineering of ARM Microcontrollers](https://rdomanski.github.io/Reverse-engineering-of-ARM-Microcontrollers/) - Rdomanski
* [ARM64 Reversing and Exploitation - Part 1: ARM Instruction Set + Simple Heap Overflow](https://8ksec.io/arm64-reversing-and-exploitation-part-1-arm-instruction-set-simple-heap-overflow/) - 8ksec
* [ARM64 Reversing and Exploitation - Part 2: Use After Free](
https://8ksec.io/arm64-reversing-and-exploitation-part-2-use-after-free/) - 8ksec
* [ARM64 Reversing and Exploitation - Part 3: A Simple ROP Chain](
https://8ksec.io/arm64-reversing-and-exploitation-part-3-a-simple-rop-chain/) - 8ksec
* [ARM64 Reversing and Exploitation - Part 4: Using Mprotect() To Bypass NX Protection](
https://8ksec.io/arm64-reversing-and-exploitation-part-4-using-mprotect-to-bypass-nx-protection-8ksec-blogs/) - 8ksec
* [ARM64 Reversing and Exploitation - Part 5: Writing Shellcode](
https://8ksec.io/arm64-reversing-and-exploitation-part-5-writing-shellcode-8ksec-blogs/) - 8ksec
* [ARM64 Reversing and Exploitation - Part 6: Exploiting An Uninitialized Stack Variable Vulnerability](
https://8ksec.io/arm64-reversing-and-exploitation-part-6-exploiting-an-uninitialized-stack-variable-vulnerability/) - 8ksec
* [ARM64 Reversing and Exploitation - Part 7: Bypassing ASLR And NX](
https://8ksec.io/arm64-reversing-and-exploitation-part-7-bypassing-aslr-and-nx/) - 8ksec
* [ARM64 Reversing and Exploitation - Part 8: Exploiting An Integer Overflow Vulnerability](
https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/) - 8ksec
* [ARM64 Reversing and Exploitation - Part 9 :Exploiting An Off By One Overflow Vulnerability](
https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/) - 8ksec
* [ARM64 Reversing and Exploitation - Part 10: Intro To Arm Memory Tagging Extension (MTE)](
https://8ksec.io/arm64-reversing-and-exploitation-part-10-intro-to-arm-memory-tagging-extension-mte/) - 8ksec
## Resources
* [ARM Architecture Reference Manual](http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.subset.architecture.reference/index.html)
* [Online ARM Assembler](https://azm.azerialabs.com/)
* [ARM TEE Reversing and Exploitation](https://github.com/enovella/TEE-reversing)
## CTF / Training Binaries
* [Exploit Me](https://github.com/bkerler/exploit_me)
* [Exploit Challenges](https://github.com/Billy-Ellis/Exploit-Challenges)
* [Azeria ARM Lab](https://azeria-labs.com/emulate-raspberry-pi-with-qemu/)
## `Books `
* [Practical Reverse Engineering](https://www.wiley.com/en-us/Practical+Reverse+Engineering%3A+x86%2C+x64%2C+ARM%2C+Windows+Kernel%2C+Reversing+Tools%2C+and+Obfuscation-p-9781118787311) (Chapter 2) - Bruce Dang, Alexandre Gazet and Elias Bachalany
* [Beginners Guide to Exploitation on ARM](https://zygosec.com/book.html) - Volumes 1 & 2 - Billy Ellis
* [ARM Assembly Language: Fundamentals & Techniques](https://www.amazon.co.uk/ARM-Assembly-Language-Fundamentals-Techniques/dp/1439806101) - William Hohl
## `Other Tools `
* [Ropper](https://github.com/sashs/Ropper)
## `Courses `
* [Azeria ARM Training](https://training.azeria-labs.com/)
* [Pentest Academy ARM Assembly](https://www.pentesteracademy.com/course?id=46)
* [Pentest Academy Reverse Engineering for ARM Platforms](https://www.pentesteracademy.com/course?id=49)
* [IHackArm Offensive ARM Exploitation](https://ihackarm.com/)
## `Related Awesome Lists `
* [Cybersecurity Android Security](https://github.com/paulveillard/cybersecurity-android-security)
* [Awesome iOS Security](https://github.com/ashishb/osx-and-ios-security-awesome)
* [Awesome IoT Hacks](https://github.com/nebgnahz/awesome-iot-hacks)
* [Awesome Exploit Development](https://github.com/FabioBaroni/awesome-exploit-development)
## [↑](#advanced-arm) Browser
* [Beginners guide to UAT exploits IE 0day exploit development](https://0xicf.wordpress.com/2012/11/18/beginners-guide-to-use-after-free-exploits-ie-0-day-exploit-development/)
* [Fuzzy Security - Spraying the Heap [Chapter 1: Vanilla EIP] – Putting Needles in the Haystack](https://www.fuzzysecurity.com/tutorials/expDev/8.html)
* [Fuzzy Security - Spraying the Heap [Chapter 2: Use-After-Free] – Finding a needle in a Haystack](https://www.fuzzysecurity.com/tutorials/expDev/11.html)
* [Anatomy of an exploit – inside the CVE-2013-3893 Internet Explorer zero-day – Part 1](https://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/)
* [Using the JIT Vulnerability to Pwn Microsoft Edge](http://i.blackhat.com/asia-19/Fri-March-29/bh-asia-Li-Using-the-JIT-Vulnerability-to-Pwning-Microsoft-Edge.pdf)
* [Post-mortem Analysis of a Use-After-Free Vulnerability (CVE-2011-1260)](http://www.exploit-monday.com/2011/07/post-mortem-analysis-of-use-after-free_07.html)
* [Advanced Heapspraying Technique](https://www.owasp.org/images/0/01/OWASL_IL_2010_Jan_-_Moshe_Ben_Abu_-_Advanced_Heapspray.pdf)
* [HeapSpray Aurora Vulnerability](http://www.thegreycorner.com/2010/01/heap-spray-exploit-tutorial-internet.html)
* [Microsoft Edge Chakra JIT Type Confusion CVE-2019-0539](https://perception-point.io/resources/research/cve-2019-0539-exploitation/)
* [CVE-2019-0539 Root Cause Analysis](https://perception-point.io/resources/research/cve-2019-0539-root-cause-analysis/)
* [attacking javascript engines](http://www.phrack.org/papers/attacking_javascript_engines.html)
* [Learning browser exploitation via 33C3 CTF feuerfuchs challenge](https://bruce30262.github.io/Learning-browser-exploitation-via-33C3-CTF-feuerfuchs-challenge/)
* [A Methodical Approach to Browser Exploitation](https://blog.ret2.io/2018/06/05/pwn2own-2018-exploit-development/)
* [Reducing target scope within JSC, building a JavaScript fuzzer](https://blog.ret2.io/2018/06/13/pwn2own-2018-vulnerability-discovery/)
* [Performing root-cause analysis of a JSC vulnerability](https://blog.ret2.io/2018/06/19/pwn2own-2018-root-cause-analysis/)
* [Weaponizing a JSC vulnerability for single-click RCE](https://blog.ret2.io/2018/07/11/pwn2own-2018-jsc-exploit/)
* [Evaluating the Safari sandbox, and fuzzing WindowServer on MacOS](https://blog.ret2.io/2018/07/25/pwn2own-2018-safari-sandbox/)
* [Weaponizing a Safari sandbox escape](https://blog.ret2.io/2018/08/28/pwn2own-2018-sandbox-escape/)
* [Microsoft Edge MemGC Internals](https://hitcon.org/2015/CMT/download/day2-h-r1.pdf)
* [The ECMA and the Chakra](http://conference.hitb.org/hitbsecconf2017ams/materials/CLOSING%20KEYNOTE%20-%20Natalie%20Silvanovich%20-%20The%20ECMA%20and%20The%20Chakra.pdf)
* [Memory Corruption Exploitation In Internet Explorer](https://www.syscan360.org/slides/2012_ZH_MemoryCorruptionExploitationInInternetExplorer_MotiJoseph.pdf)
* [IE 0day Analysis And Exploit](http://vdisk.weibo.com/s/dC_SSJ6Fvb71i)
* [Write Once, Pwn Anywhere](https://www.blackhat.com/docs/us-14/materials/us-14-Yu-Write-Once-Pwn-Anywhere.pdf)
* [The Art of Leaks: The Return of Heap Feng Shui](https://cansecwest.com/slides/2014/The%20Art%20of%20Leaks%20-%20read%20version%20-%20Yoyo.pdf)
* [IE 11 0day & Windows 8.1 Exploit](https://github.com/exp-sky/HitCon-2014-IE-11-0day-Windows-8.1-Exploit/blob/master/IE%2011%200day%20%26%20Windows%208.1%20Exploit.pdf)
* [IE11 Sandbox Escapes Presentation](https://www.blackhat.com/docs/us-14/materials/us-14-Forshaw-Digging-For_IE11-Sandbox-Escapes.pdf)
* [Spartan 0day & Exploit](https://github.com/exp-sky/HitCon-2015-spartan-0day-exploit)
* [Look Mom, I don't use Shellcode](https://www.syscan360.org/slides/2016_SH_Moritz_Jodeit_Look_Mom_I_Dont_Use_Shellcode.pdf)
* [Windows 10 x64 edge 0day and exploit](https://github.com/exp-sky/HitCon-2016-Windows-10-x64-edge-0day-and-exploit/blob/master/Windows%2010%20x64%20edge%200day%20and%20exploit.pdf)
* [1-Day Browser & Kernel Exploitation](http://powerofcommunity.net/poc2017/andrew.pdf)
* [The Secret of ChakraCore: 10 Ways to Go Beyond the Edge](http://conference.hitb.org/hitbsecconf2017ams/materials/D1T2%20-%20Linan%20Hao%20and%20Long%20Liu%20-%20The%20Secret%20of%20ChakraCore.pdf)
* [From Out of Memory to Remote Code Execution](https://speakerd.s3.amazonaws.com/presentations/c0a3e7bc0dca407cbafb465828ff204a/From_Out_of_Memory_to_Remote_Code_Execution_Yuki_Chen_PacSec2017_final.pdf)
* [Attacking WebKit Applications by exploiting memory corruption bugs](https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf)
* [CVE-2018-5129: Out-of-bounds write with malformed IPC messages](https://infinite.loopsec.com.au/cve-2018-5129-how-i-found-my-first-cve)
* [it-sec catalog browser exploitation chapter](https://www.it-sec-catalog.info/browser_exploitation.html)
* [ZDI-18-428: An MsEdge InfoLeak Story](https://rce.wtf/2018/12/12/ZDI-18-428-An-MsEdge-InfoLeak-Story.html)
* [AsiaSecWest-2018-Chakra-vulnerability-and-exploit-bypass-all-system-mitigation](https://github.com/exp-sky/AsiaSecWest-2018-Chakra-vulnerability-and-exploit-bypass-all-system-mitigation/blob/master/Chakra%20vulnerability%20and%20exploit%20bypass%20all%20system%20mitigation.pdf)
* [IE 0day Analysis And Exploit](https://github.com/exp-sky/XKungFoo-2013/blob/master/IE%200day%20Analysis%20And%20Exploit.pdf)
* [Attacking Client-Side JIT Compilers v2](https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf)
* [The Return of the JIT Part 1](https://rh0dev.github.io/blog/2017/the-return-of-the-jit/)
* [The Return of the JIT Part 2](https://rh0dev.github.io/blog/2017/the-return-of-the-jit-part-2/)
* [Using the JIT vulnerability to Pwning Microsoft Edge](https://i.blackhat.com/asia-19/Fri-March-29/bh-asia-Li-Using-the-JIT-Vulnerability-to-Pwning-Microsoft-Edge.pdf)
* [From Assembly to JavaScript and Back](https://gsec.hitb.org/materials/sg2018/D1%20-%20Turning%20Memory%20Errors%20into%20Code%20Execution%20with%20Client-Side%20Compilers%20-%20Robert%20Gawlik.pdf)
* [Exploiting CVE-2020-0041 - Part 1: Escaping the Chrome Sandbox](https://labs.bluefrostsecurity.de/blog/2020/03/31/cve-2020-0041-part-1-sandbox-escape/)
* [Exploiting CVE-2020-0041 - Part 2: Escalating to root](https://labs.bluefrostsecurity.de/blog/2020/04/08/cve-2020-0041-part-2-escalating-to-root/)
## [↑](#table-of-contents) Mitigation Bypass
* [Disarming EMET v5.0](https://www.offensive-security.com/vulndev/disarming-emet-v5-0/)
* [Disarming and Bypassing EMET 5.1](https://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/)
* [Universal DEP/ASLR bypass with msvcr71.dll and mona.py](https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/)
* [Chaining DEP with ROP – the Rubik’s[TM] Cube](https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/)
* [Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR](https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/)
* [Development of a new Windows 10 KASLR Bypass (in One WinDBG Command)](https://www.offensive-security.com/vulndev/development-of-a-new-windows-10-kaslr-bypass-in-one-windbg-command/)
* [Disarming Enhanced Mitigation Experience Toolkit (EMET)](https://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/)
* [Simple EMET EAF bypass](http://casual-scrutiny.blogspot.com/2015/01/simple-emet-eaf-bypass.html)
* [Exploit Dev 101: Bypassing ASLR on Windows](https://www.abatchy.com/2017/06/exploit-dev-101-bypassing-aslr-on.html)
* [Bypassing Control Flow Guard in Windows 10](https://improsec.com/tech-blog/bypassing-control-flow-guard-in-windows-10)
* [Bypassing Control Flow Guard in Windows 10 - Part II](https://improsec.com/tech-blog/bypassing-control-flow-guard-on-windows-10-part-ii)
* [BYPASS CONTROL FLOW GUARD COMPREHENSIVELY](https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf)
* [CROSS THE WALL-BYPASS ALL MODERN MITIGATIONS OF MICROSOFT EDGE](https://www.blackhat.com/docs/asia-17/materials/asia-17-Li-Cross-The-Wall-Bypass-All-Modern-Mitigations-Of-Microsoft-Edge.pdf)
* [How to find the vulnerability to bypass the Control Flow Guard](https://cansecwest.com/slides/2017/CSW2017_HenryLi_How_to_find_the_vulnerability_to_bypass_the_ControlFlowGuard.pdf)
* [Bypassing Memory Mitigation Using Data-Only Exploitation Technique](https://conference.hitb.org/hitbsecconf2017ams/materials/D2T1%20-%20Bing%20Sun%20and%20Chong%20Xu%20-%20Bypassing%20Memory%20Mitigation%20Using%20Data-Only%20Exploitation%20Techniques.pdf)
* [CHAKRA JIT CFG BYPASS](https://theori.io/research/chakra-jit-cfg-bypass)
* [SMEP: What is it, and how to beat it on Windows](https://j00ru.vexillium.org/2011/06/smep-what-is-it-and-how-to-beat-it-on-windows/)
* [ROP for SMEP bypass](https://rce.wtf/2017/09/24/P4wning-the-windows-kernel-with-ROP.html)
* [Smashing The Browser](https://github.com/demi6od/Smashing_The_Browser)
* [Browser security mitigations against memory corruption vulnerabilities](https://docs.google.com/document/d/19dspgrz35VoJwdWOboENZvccTSGudjQ_p8J4OPsYztM/edit)
## [↑](#table-of-contents) Kernel
* [Windows Kernel Pool Spraying](http://trackwatch.com/windows-kernel-pool-spraying/)
* [Windows Kernel Exploitation Basics - Part 1 : Introduction to DVWDDriver](http://poppopret.blogspot.com/2011/06/windows-kernel-exploitation-part-1.html)
* [Windows Kernel Exploitation Basics - Part 2 : Arbitrary Memory Overwrite exploitation using HalDispatchTable](http://poppopret.blogspot.com/2011/07/windows-kernel-exploitation-basics-part.html)
* [Windows Kernel Exploitation Basics - Part 3 : Arbitrary Memory Overwrite exploitation using LDT](http://poppopret.blogspot.com/2011/07/windows-kernel-exploitation-basics-part_2423.html)
* [Windows Kernel Exploitation Basics - Part 4 : Stack-based Buffer Overflow exploitation (bypassing cookie)](http://poppopret.blogspot.com/2011/07/windows-kernel-exploitation-basics-part_16.html)
* [Arbitrary Write primitive in Windows kernel (HEVD)](https://blahcat.github.io/2017/08/31/arbitrary-write-primitive-in-windows-kernel-hevd/)
* [MS11-080 Exploit – A Voyage into Ring Zero](https://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/)
* [Windows kernel pool spraying fun - Part 1 - Determine kernel object size](https://theevilbit.blogspot.com/2017/09/pool-spraying-fun-part-1.html)
* [Windows kernel pool spraying fun - Part 2 - More objects](https://theevilbit.blogspot.com/2017/09/windows-kernel-pool-spraying-fun-part-2.html)
* [Windows kernel pool spraying fun - Part 3 - Let's make holes](https://theevilbit.blogspot.com/2017/09/windows-kernel-pool-spraying-fun-part-3.html)
* [Fuzzy Security - Kernel Exploitation -> Stack Overflow](https://www.fuzzysecurity.com/tutorials/expDev/14.html)
* [Fuzzy Security - Kernel Exploitation -> Write-What-Where](https://www.fuzzysecurity.com/tutorials/expDev/15.html)
* [Fuzzy Security - Kernel Exploitation -> Null Pointer Dereference](https://www.fuzzysecurity.com/tutorials/expDev/16.html)
* [Fuzzy Security - Kernel Exploitation -> Uninitialized Stack Variable](https://www.fuzzysecurity.com/tutorials/expDev/17.html)
* [Fuzzy Security - Kernel Exploitation -> Integer Overflow](https://www.fuzzysecurity.com/tutorials/expDev/18.html)
* [Fuzzy Security - Kernel Exploitation -> UAF](https://www.fuzzysecurity.com/tutorials/expDev/19.html)
* [Fuzzy Security - Kernel Exploitation -> Pool Overflow](https://www.fuzzysecurity.com/tutorials/expDev/20.html)
* [Fuzzy Security - Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)](https://www.fuzzysecurity.com/tutorials/expDev/21.html)
* [Fuzzy Security - Kernel Exploitation -> RS2 Bitmap Necromancy](https://www.fuzzysecurity.com/tutorials/expDev/22.html)
* [Fuzzy Security - Kernel Exploitation -> Logic bugs in Razer rzpnk.sys](https://www.fuzzysecurity.com/tutorials/expDev/23.html)
* [Intro to Windows kernel exploitation 1/N: Kernel Debugging](https://www.whitehatters.academy/intro-to-kernel-exploitation-part-1/)
* [Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-2-windows-drivers/)
* [Intro to Windows kernel exploitation 3/N: My first Driver exploit](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-3-my-first-driver-exploit/)
* [Intro to Windows kernel exploitation 3.5/N: A bit more of the HackSys Driver](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-more-of-the-hacksys-driver/)
* [Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool](https://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html)
* [Windows Kernel Exploitation Tutorial Part 1: Setting up the Environment](https://rootkits.xyz/blog/2017/06/kernel-setting-up/)
* [Windows Kernel Exploitation Tutorial Part 2: Stack Overflow](https://rootkits.xyz/blog/2017/08/kernel-stack-overflow/)
* [Windows Kernel Exploitation Tutorial Part 3: Arbitrary Memory Overwrite (Write-What-Where)](https://rootkits.xyz/blog/2017/09/kernel-write-what-where/)
* [Windows Kernel Exploitation Tutorial Part 4: Pool Feng-Shui –> Pool Overflow](https://rootkits.xyz/blog/2017/11/kernel-pool-overflow/)
* [Windows Kernel Exploitation Tutorial Part 5: NULL Pointer Dereference](https://rootkits.xyz/blog/2018/01/kernel-null-pointer-dereference/)
* [Windows Kernel Exploitation Tutorial Part 6: Uninitialized Stack Variable](https://rootkits.xyz/blog/2018/01/kernel-uninitialized-stack-variable/)
* [Windows Kernel Exploitation Tutorial Part 7: Uninitialized Heap Variable](https://rootkits.xyz/blog/2018/03/kernel-uninitialized-heap-variable/)
* [Windows Kernel Exploitation Tutorial Part 8: Use After Free](https://rootkits.xyz/blog/2018/04/kernel-use-after-free/)
* [Corelan Team (corelanc0d3r) Heap Spraying Demystified](https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/)
* [abatchy Kernel Exploitation 1: Setting up the environment](https://www.abatchy.com/2018/01/kernel-exploitation-1)
* [abatchy Kernel Exploitation 2: Payloads](https://www.abatchy.com/2018/01/kernel-exploitation-2)
* [abatchy Kernel Exploitation 3: Stack Buffer Overflow (Windows 7 x86/x64)](https://www.abatchy.com/2018/01/kernel-exploitation-3)
* [abatchy Kernel Exploitation 4: Stack Buffer Overflow (SMEP Bypass)](https://www.abatchy.com/2018/01/kernel-exploitation-4)
* [abatchy Kernel Exploitation 5: Integer Overflow](https://www.abatchy.com/2018/01/kernel-exploitation-5)
* [abatchy Kernel Exploitation 6: NULL pointer dereference](https://www.abatchy.com/2018/01/kernel-exploitation-6)
* [abatchy Kernel Exploitation 7: Arbitrary Overwrite (Win7 x86)](https://www.abatchy.com/2018/01/kernel-exploitation-7)
* [Kernel Hacking With HEVD Part 1 - The Setup](https://sizzop.github.io/2016/07/05/kernel-hacking-with-hevd-part-1.html)
* [Kernel Hacking With HEVD Part 2 - The Bug](https://sizzop.github.io/2016/07/06/kernel-hacking-with-hevd-part-2.html)
* [Kernel Hacking With HEVD Part 3 - The Shellcode](https://sizzop.github.io/2016/07/07/kernel-hacking-with-hevd-part-3.html)
* [Kernel Hacking With HEVD Part 4 - The Exploit](https://sizzop.github.io/2016/07/08/kernel-hacking-with-hevd-part-4.html)
* [Kernel Hacking With HEVD Part 5 - The SMEP Version](https://sizzop.github.io/2016/09/13/kernel-hacking-with-hevd-part-5.html)
* [The Path to Ring-0 Windows Edition](https://insomniasec.com/downloads/publications/The%20Path%20To%20Ring-0.pdf)
* [DIRECTX TO THE KERNEL](https://www.zerodayinitiative.com/blog/2018/12/4/directx-to-the-kernel)
* [Windows Kernel Graphics Driver Attack Surface](https://www.blackhat.com/docs/us-14/materials/us-14-vanSprundel-Windows-Kernel-Graphics-Driver-Attack-Surface.pdf)
* [Root Cause of the Kernel Privilege Escalation Vulnerabilities CVE-2019-0808](http://blogs.360.cn/post/RootCause_CVE-2019-0808_EN.html)
* [Kernel Pool Overflow Exploitation In Real World – Windows 10](http://trackwatch.com/kernel-pool-overflow-exploitation-in-real-world-windows-10/)
* [Kernel Pool Overflow Exploitation In Real World – Windows 7](http://trackwatch.com/kernel-pool-overflow-exploitation-in-real-world-windows-7/)
* [Windows Kernel Exploitation - Exploiting HEVD x64 Use-After-Free using Generic Non-Paged Pool Feng-Shui](https://securityinsecurity.github.io/exploiting-hevd-use-after-free/)
* [Windows Kernel Exploitation Part 1: Stack Buffer Overflows](https://pwnrip.com/windows-kernel-exploitation-part-1-stack-buffer-overflows/)
* [Windows Kernel Exploitation Part 2: Type Confusion](https://pwnrip.com/windows-kernel-exploitation-part-2-type-confusion/)
* [Windows Kernel Exploitation Part 3: Integer Overflow](https://pwnrip.com/windows-kernel-exploitation-part-3-integer-overflow/)
## [↑](#table-of-contents) Misc
* [Root Cause Analysis – Memory Corruption Vulnerabilities](https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/)
* [Windows 10 x86/wow64 Userland heap](https://www.corelan.be/index.php/2016/07/05/windows-10-x86wow64-userland-heap/)
**[`^ back to top ^`](#)**
## `License `
MIT License & [cc](https://creativecommons.org/licenses/by/4.0/) license
This work is licensed under a Creative Commons Attribution 4.0 International License.
To the extent possible under law, [Paul Veillard](https://github.com/paulveillard/) has waived all copyright and related or neighboring rights to this work.
Just follow the [guidelines](/CONTRIBUTING.MD). Thank you!