https://github.com/yeyintminthuhtut/Awesome-Advanced-Windows-Exploitation-References

# Awesome Advanced Windows Exploitation References

List of Awesome Advanced Windows Exploitation References

This list is for anyone wishing to upgrade their Windows exploitation knowledge.

This is a living resource and will be updated regularly with the latest research articles and talks from awesome researchers.

Kudos to all original authors of each research reference.

You can help by sending pull requests to add more information, or ping me [@yeyint_mth](https://twitter.com/yeyint_mth).

Table of Contents
=================

* [Browser](#-browser)
* [Mitigation Bypass](#-mitigation-bypass)
* [Kernel](#-kernel)
* [Misc](#-misc)



## [↑](#table-of-contents) Browser
* [Beginners guide to UAF exploits: IE 0day exploit development](https://0xicf.wordpress.com/2012/11/18/beginners-guide-to-use-after-free-exploits-ie-0-day-exploit-development/)
* [Fuzzy Security - Spraying the Heap [Chapter 1: Vanilla EIP] – Putting Needles in the Haystack](https://www.fuzzysecurity.com/tutorials/expDev/8.html)
* [Fuzzy Security - Spraying the Heap [Chapter 2: Use-After-Free] – Finding a needle in a Haystack](https://www.fuzzysecurity.com/tutorials/expDev/11.html)
* [Anatomy of an exploit – inside the CVE-2013-3893 Internet Explorer zero-day – Part 1](https://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/)
* [Using the JIT Vulnerability to Pwn Microsoft Edge](http://i.blackhat.com/asia-19/Fri-March-29/bh-asia-Li-Using-the-JIT-Vulnerability-to-Pwning-Microsoft-Edge.pdf)
* [Post-mortem Analysis of a Use-After-Free Vulnerability (CVE-2011-1260)](http://www.exploit-monday.com/2011/07/post-mortem-analysis-of-use-after-free_07.html)
* [Advanced Heapspraying Technique](https://www.owasp.org/images/0/01/OWASL_IL_2010_Jan_-_Moshe_Ben_Abu_-_Advanced_Heapspray.pdf)
* [HeapSpray Aurora Vulnerability](http://www.thegreycorner.com/2010/01/heap-spray-exploit-tutorial-internet.html)
* [Microsoft Edge Chakra JIT Type Confusion CVE-2019-0539](https://perception-point.io/resources/research/cve-2019-0539-exploitation/)
* [CVE-2019-0539 Root Cause Analysis](https://perception-point.io/resources/research/cve-2019-0539-root-cause-analysis/)
* [attacking javascript engines](http://www.phrack.org/papers/attacking_javascript_engines.html)
* [Learning browser exploitation via 33C3 CTF feuerfuchs challenge](https://bruce30262.github.io/Learning-browser-exploitation-via-33C3-CTF-feuerfuchs-challenge/)
* [A Methodical Approach to Browser Exploitation](https://blog.ret2.io/2018/06/05/pwn2own-2018-exploit-development/)
* [Reducing target scope within JSC, building a JavaScript fuzzer](https://blog.ret2.io/2018/06/13/pwn2own-2018-vulnerability-discovery/)
* [Performing root-cause analysis of a JSC vulnerability](https://blog.ret2.io/2018/06/19/pwn2own-2018-root-cause-analysis/)
* [Weaponizing a JSC vulnerability for single-click RCE](https://blog.ret2.io/2018/07/11/pwn2own-2018-jsc-exploit/)
* [Evaluating the Safari sandbox, and fuzzing WindowServer on MacOS](https://blog.ret2.io/2018/07/25/pwn2own-2018-safari-sandbox/)
* [Weaponizing a Safari sandbox escape](https://blog.ret2.io/2018/08/28/pwn2own-2018-sandbox-escape/)
* [Microsoft Edge MemGC Internals](https://hitcon.org/2015/CMT/download/day2-h-r1.pdf)
* [The ECMA and the Chakra](http://conference.hitb.org/hitbsecconf2017ams/materials/CLOSING%20KEYNOTE%20-%20Natalie%20Silvanovich%20-%20The%20ECMA%20and%20The%20Chakra.pdf)
* [Memory Corruption Exploitation In Internet Explorer](https://www.syscan360.org/slides/2012_ZH_MemoryCorruptionExploitationInInternetExplorer_MotiJoseph.pdf)
* [IE 0day Analysis And Exploit](http://vdisk.weibo.com/s/dC_SSJ6Fvb71i)
* [Write Once, Pwn Anywhere](https://www.blackhat.com/docs/us-14/materials/us-14-Yu-Write-Once-Pwn-Anywhere.pdf)
* [The Art of Leaks: The Return of Heap Feng Shui](https://cansecwest.com/slides/2014/The%20Art%20of%20Leaks%20-%20read%20version%20-%20Yoyo.pdf)
* [IE 11 0day & Windows 8.1 Exploit](https://github.com/exp-sky/HitCon-2014-IE-11-0day-Windows-8.1-Exploit/blob/master/IE%2011%200day%20%26%20Windows%208.1%20Exploit.pdf)
* [IE11 Sandbox Escapes Presentation](https://www.blackhat.com/docs/us-14/materials/us-14-Forshaw-Digging-For_IE11-Sandbox-Escapes.pdf)
* [Spartan 0day & Exploit](https://github.com/exp-sky/HitCon-2015-spartan-0day-exploit)
* [Look Mom, I don't use Shellcode](https://www.syscan360.org/slides/2016_SH_Moritz_Jodeit_Look_Mom_I_Dont_Use_Shellcode.pdf)
* [Windows 10 x64 edge 0day and exploit](https://github.com/exp-sky/HitCon-2016-Windows-10-x64-edge-0day-and-exploit/blob/master/Windows%2010%20x64%20edge%200day%20and%20exploit.pdf)
* [1-Day Browser & Kernel Exploitation](http://powerofcommunity.net/poc2017/andrew.pdf)
* [The Secret of ChakraCore: 10 Ways to Go Beyond the Edge](http://conference.hitb.org/hitbsecconf2017ams/materials/D1T2%20-%20Linan%20Hao%20and%20Long%20Liu%20-%20The%20Secret%20of%20ChakraCore.pdf)
* [From Out of Memory to Remote Code Execution](https://speakerd.s3.amazonaws.com/presentations/c0a3e7bc0dca407cbafb465828ff204a/From_Out_of_Memory_to_Remote_Code_Execution_Yuki_Chen_PacSec2017_final.pdf)
* [Attacking WebKit Applications by exploiting memory corruption bugs](https://cansecwest.com/slides/2015/Liang_CanSecWest2015.pdf)
* [CVE-2018-5129: Out-of-bounds write with malformed IPC messages](https://infinite.loopsec.com.au/cve-2018-5129-how-i-found-my-first-cve)
* [it-sec catalog browser exploitation chapter](https://www.it-sec-catalog.info/browser_exploitation.html)
* [ZDI-18-428: An MsEdge InfoLeak Story](https://rce.wtf/2018/12/12/ZDI-18-428-An-MsEdge-InfoLeak-Story.html)
* [AsiaSecWest-2018-Chakra-vulnerability-and-exploit-bypass-all-system-mitigation](https://github.com/exp-sky/AsiaSecWest-2018-Chakra-vulnerability-and-exploit-bypass-all-system-mitigation/blob/master/Chakra%20vulnerability%20and%20exploit%20bypass%20all%20system%20mitigation.pdf)
* [IE 0day Analysis And Exploit](https://github.com/exp-sky/XKungFoo-2013/blob/master/IE%200day%20Analysis%20And%20Exploit.pdf)
* [Attacking Client-Side JIT Compilers v2](https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf)
* [The Return of the JIT Part 1](https://rh0dev.github.io/blog/2017/the-return-of-the-jit/)
* [The Return of the JIT Part 2](https://rh0dev.github.io/blog/2017/the-return-of-the-jit-part-2/)
* [Using the JIT vulnerability to Pwning Microsoft Edge](https://i.blackhat.com/asia-19/Fri-March-29/bh-asia-Li-Using-the-JIT-Vulnerability-to-Pwning-Microsoft-Edge.pdf)
* [From Assembly to JavaScript and Back](https://gsec.hitb.org/materials/sg2018/D1%20-%20Turning%20Memory%20Errors%20into%20Code%20Execution%20with%20Client-Side%20Compilers%20-%20Robert%20Gawlik.pdf)
* [Exploiting CVE-2020-0041 - Part 1: Escaping the Chrome Sandbox](https://labs.bluefrostsecurity.de/blog/2020/03/31/cve-2020-0041-part-1-sandbox-escape/)
* [Exploiting CVE-2020-0041 - Part 2: Escalating to root](https://labs.bluefrostsecurity.de/blog/2020/04/08/cve-2020-0041-part-2-escalating-to-root/)

## [↑](#table-of-contents) Mitigation Bypass
* [Disarming EMET v5.0](https://www.offensive-security.com/vulndev/disarming-emet-v5-0/)
* [Disarming and Bypassing EMET 5.1](https://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/)
* [Universal DEP/ASLR bypass with msvcr71.dll and mona.py](https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/)
* [Chaining DEP with ROP – the Rubik’s[TM] Cube](https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/)
* [Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR](https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/)
* [Development of a new Windows 10 KASLR Bypass (in One WinDBG Command)](https://www.offensive-security.com/vulndev/development-of-a-new-windows-10-kaslr-bypass-in-one-windbg-command/)
* [Disarming Enhanced Mitigation Experience Toolkit (EMET)](https://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/)
* [Simple EMET EAF bypass](http://casual-scrutiny.blogspot.com/2015/01/simple-emet-eaf-bypass.html)
* [Exploit Dev 101: Bypassing ASLR on Windows](https://www.abatchy.com/2017/06/exploit-dev-101-bypassing-aslr-on.html)
* [Bypassing Control Flow Guard in Windows 10](https://improsec.com/tech-blog/bypassing-control-flow-guard-in-windows-10)
* [Bypassing Control Flow Guard in Windows 10 - Part II](https://improsec.com/tech-blog/bypassing-control-flow-guard-on-windows-10-part-ii)
* [BYPASS CONTROL FLOW GUARD COMPREHENSIVELY](https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf)
* [CROSS THE WALL-BYPASS ALL MODERN MITIGATIONS OF MICROSOFT EDGE](https://www.blackhat.com/docs/asia-17/materials/asia-17-Li-Cross-The-Wall-Bypass-All-Modern-Mitigations-Of-Microsoft-Edge.pdf)
* [How to find the vulnerability to bypass the Control Flow Guard](https://cansecwest.com/slides/2017/CSW2017_HenryLi_How_to_find_the_vulnerability_to_bypass_the_ControlFlowGuard.pdf)
* [Bypassing Memory Mitigation Using Data-Only Exploitation Technique](https://conference.hitb.org/hitbsecconf2017ams/materials/D2T1%20-%20Bing%20Sun%20and%20Chong%20Xu%20-%20Bypassing%20Memory%20Mitigation%20Using%20Data-Only%20Exploitation%20Techniques.pdf)
* [CHAKRA JIT CFG BYPASS](https://theori.io/research/chakra-jit-cfg-bypass)
* [SMEP: What is it, and how to beat it on Windows](https://j00ru.vexillium.org/2011/06/smep-what-is-it-and-how-to-beat-it-on-windows/)
* [ROP for SMEP bypass](https://rce.wtf/2017/09/24/P4wning-the-windows-kernel-with-ROP.html)
* [HEVD Exploits – Windows 10 x64 Stack Overflow SMEP Bypass](https://h0mbre.github.io/HEVD_Stackoverflow_SMEP_Bypass_64bit/)
* [HEVD: kASLR + SMEP Bypass](https://fluidattacks.com/blog/hevd-smep-bypass/)
* [Smashing The Browser](https://github.com/demi6od/Smashing_The_Browser)
* [Browser security mitigations against memory corruption vulnerabilities](https://docs.google.com/document/d/19dspgrz35VoJwdWOboENZvccTSGudjQ_p8J4OPsYztM/edit)

## [↑](#table-of-contents) Kernel
* [Windows Kernel Pool Spraying](http://trackwatch.com/windows-kernel-pool-spraying/)
* [Windows Kernel Exploitation Basics - Part 1 : Introduction to DVWDDriver](http://poppopret.blogspot.com/2011/06/windows-kernel-exploitation-part-1.html)
* [Windows Kernel Exploitation Basics - Part 2 : Arbitrary Memory Overwrite exploitation using HalDispatchTable](http://poppopret.blogspot.com/2011/07/windows-kernel-exploitation-basics-part.html)
* [Windows Kernel Exploitation Basics - Part 3 : Arbitrary Memory Overwrite exploitation using LDT](http://poppopret.blogspot.com/2011/07/windows-kernel-exploitation-basics-part_2423.html)
* [Windows Kernel Exploitation Basics - Part 4 : Stack-based Buffer Overflow exploitation (bypassing cookie)](http://poppopret.blogspot.com/2011/07/windows-kernel-exploitation-basics-part_16.html)
* [Arbitrary Write primitive in Windows kernel (HEVD)](https://blahcat.github.io/2017/08/31/arbitrary-write-primitive-in-windows-kernel-hevd/)
* [MS11-080 Exploit – A Voyage into Ring Zero](https://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/)
* [Windows kernel pool spraying fun - Part 1 - Determine kernel object size](https://theevilbit.blogspot.com/2017/09/pool-spraying-fun-part-1.html)
* [Windows kernel pool spraying fun - Part 2 - More objects](https://theevilbit.blogspot.com/2017/09/windows-kernel-pool-spraying-fun-part-2.html)
* [Windows kernel pool spraying fun - Part 3 - Let's make holes](https://theevilbit.blogspot.com/2017/09/windows-kernel-pool-spraying-fun-part-3.html)
* [Fuzzy Security - Kernel Exploitation -> Stack Overflow](https://www.fuzzysecurity.com/tutorials/expDev/14.html)
* [Fuzzy Security - Kernel Exploitation -> Write-What-Where](https://www.fuzzysecurity.com/tutorials/expDev/15.html)
* [Fuzzy Security - Kernel Exploitation -> Null Pointer Dereference](https://www.fuzzysecurity.com/tutorials/expDev/16.html)
* [Fuzzy Security - Kernel Exploitation -> Uninitialized Stack Variable](https://www.fuzzysecurity.com/tutorials/expDev/17.html)
* [Fuzzy Security - Kernel Exploitation -> Integer Overflow](https://www.fuzzysecurity.com/tutorials/expDev/18.html)
* [Fuzzy Security - Kernel Exploitation -> UAF](https://www.fuzzysecurity.com/tutorials/expDev/19.html)
* [Fuzzy Security - Kernel Exploitation -> Pool Overflow](https://www.fuzzysecurity.com/tutorials/expDev/20.html)
* [Fuzzy Security - Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)](https://www.fuzzysecurity.com/tutorials/expDev/21.html)
* [Fuzzy Security - Kernel Exploitation -> RS2 Bitmap Necromancy](https://www.fuzzysecurity.com/tutorials/expDev/22.html)
* [Fuzzy Security - Kernel Exploitation -> Logic bugs in Razer rzpnk.sys](https://www.fuzzysecurity.com/tutorials/expDev/23.html)
* [Intro to Windows kernel exploitation 1/N: Kernel Debugging](https://www.whitehatters.academy/intro-to-kernel-exploitation-part-1/)
* [Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-2-windows-drivers/)
* [Intro to Windows kernel exploitation 3/N: My first Driver exploit](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-3-my-first-driver-exploit/)
* [Intro to Windows kernel exploitation 3.5/N: A bit more of the HackSys Driver](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-more-of-the-hacksys-driver/)
* [Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool](https://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html)
* [Windows Kernel Exploitation Tutorial Part 1: Setting up the Environment](https://rootkits.xyz/blog/2017/06/kernel-setting-up/)
* [Windows Kernel Exploitation Tutorial Part 2: Stack Overflow](https://rootkits.xyz/blog/2017/08/kernel-stack-overflow/)
* [Windows Kernel Exploitation Tutorial Part 3: Arbitrary Memory Overwrite (Write-What-Where)](https://rootkits.xyz/blog/2017/09/kernel-write-what-where/)
* [Windows Kernel Exploitation Tutorial Part 4: Pool Feng-Shui –> Pool Overflow](https://rootkits.xyz/blog/2017/11/kernel-pool-overflow/)
* [Windows Kernel Exploitation Tutorial Part 5: NULL Pointer Dereference](https://rootkits.xyz/blog/2018/01/kernel-null-pointer-dereference/)
* [Windows Kernel Exploitation Tutorial Part 6: Uninitialized Stack Variable](https://rootkits.xyz/blog/2018/01/kernel-uninitialized-stack-variable/)
* [Windows Kernel Exploitation Tutorial Part 7: Uninitialized Heap Variable](https://rootkits.xyz/blog/2018/03/kernel-uninitialized-heap-variable/)
* [Windows Kernel Exploitation Tutorial Part 8: Use After Free](https://rootkits.xyz/blog/2018/04/kernel-use-after-free/)
* [Corelan Team (corelanc0d3r) Heap Spraying Demystified](https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/)
* [abatchy Kernel Exploitation 1: Setting up the environment](https://www.abatchy.com/2018/01/kernel-exploitation-1)
* [abatchy Kernel Exploitation 2: Payloads](https://www.abatchy.com/2018/01/kernel-exploitation-2)
* [abatchy Kernel Exploitation 3: Stack Buffer Overflow (Windows 7 x86/x64)](https://www.abatchy.com/2018/01/kernel-exploitation-3)
* [abatchy Kernel Exploitation 4: Stack Buffer Overflow (SMEP Bypass)](https://www.abatchy.com/2018/01/kernel-exploitation-4)
* [abatchy Kernel Exploitation 5: Integer Overflow](https://www.abatchy.com/2018/01/kernel-exploitation-5)
* [abatchy Kernel Exploitation 6: NULL pointer dereference](https://www.abatchy.com/2018/01/kernel-exploitation-6)
* [abatchy Kernel Exploitation 7: Arbitrary Overwrite (Win7 x86)](https://www.abatchy.com/2018/01/kernel-exploitation-7)
* [Kernel Hacking With HEVD Part 1 - The Setup](https://sizzop.github.io/2016/07/05/kernel-hacking-with-hevd-part-1.html)
* [Kernel Hacking With HEVD Part 2 - The Bug](https://sizzop.github.io/2016/07/06/kernel-hacking-with-hevd-part-2.html)
* [Kernel Hacking With HEVD Part 3 - The Shellcode](https://sizzop.github.io/2016/07/07/kernel-hacking-with-hevd-part-3.html)
* [Kernel Hacking With HEVD Part 4 - The Exploit](https://sizzop.github.io/2016/07/08/kernel-hacking-with-hevd-part-4.html)
* [Kernel Hacking With HEVD Part 5 - The SMEP Version](https://sizzop.github.io/2016/09/13/kernel-hacking-with-hevd-part-5.html)
* [The Path to Ring-0 Windows Edition](https://insomniasec.com/downloads/publications/The%20Path%20To%20Ring-0.pdf)
* [DIRECTX TO THE KERNEL](https://www.zerodayinitiative.com/blog/2018/12/4/directx-to-the-kernel)
* [Windows Kernel Graphics Driver Attack Surface](https://www.blackhat.com/docs/us-14/materials/us-14-vanSprundel-Windows-Kernel-Graphics-Driver-Attack-Surface.pdf)
* [Root Cause of the Kernel Privilege Escalation Vulnerabilities CVE-2019-0808](http://blogs.360.cn/post/RootCause_CVE-2019-0808_EN.html)
* [Kernel Pool Overflow Exploitation In Real World – Windows 10](http://trackwatch.com/kernel-pool-overflow-exploitation-in-real-world-windows-10/)
* [Kernel Pool Overflow Exploitation In Real World – Windows 7](http://trackwatch.com/kernel-pool-overflow-exploitation-in-real-world-windows-7/)
* [Windows Kernel Exploitation - Exploiting HEVD x64 Use-After-Free using Generic Non-Paged Pool Feng-Shui](https://securityinsecurity.github.io/exploiting-hevd-use-after-free/)
* [Windows Kernel Exploitation Part 1: Stack Buffer Overflows](https://pwnrip.com/windows-kernel-exploitation-part-1-stack-buffer-overflows/)
* [Windows Kernel Exploitation Part 2: Type Confusion](https://pwnrip.com/windows-kernel-exploitation-part-2-type-confusion/)
* [Windows Kernel Exploitation Part 3: Integer Overflow](https://pwnrip.com/windows-kernel-exploitation-part-3-integer-overflow/)

## [↑](#table-of-contents) Misc
* [Root Cause Analysis – Memory Corruption Vulnerabilities](https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/)
* [Windows 10 x86/wow64 Userland heap](https://www.corelan.be/index.php/2016/07/05/windows-10-x86wow64-userland-heap/)