Welcome! I am Fu11shade. I specialize in 0day research and offensive Windows exploitation, and this course exists to fill the gap in Windows exploitation content on the internet. I am rapidly working to finish the last few (newly added) posts; everything should be finished by the end of this week. About 5-6 posts are currently missing.
This page provides a pathway for learning Windows exploit development. Following the blog posts in order will take you from the basics through to advanced kernel exploitation on a Windows 10 system with all the mitigations enabled.
This course can all be downloaded as a polished PDF book format [coming soon!]
Basic exploitation (late 1990’s - early 2010’s era)
https://github.com/FULLSHADE/OSCE is my repository with over 25 exploits written from scratch; these exploits fall within the "basic exploitation" category of this series.
Fair warning: some of the following posts are not finished yet. Most everything else is.
Id | Article | Author |
---|---|---|
0 | Setting up Immunity and WinDBG with Mona.py | FullShade |
1 | Classic JMP ESP buffer overflow | FullShade |
2 | Local SEH buffer overflow | FullShade |
3 | Local SEH buffer overflow with a DEP bypass | FullShade |
4 | Remote SEH overflow with egghunters | FullShade |
5 | Remote SEH overflows & multi-stage jumps | FullShade |
6 | SEH overflows, alphanumeric & unicode encoding bypass | FullShade |
7 | Bypassing SEH mitigations with DLL injection | FullShade |
8 | Code caving and backdooring PEs | FullShade |
Windows Internals theory
Id | Article | Author |
---|---|---|
9 | Understanding Windows security mitigations | FullShade |
10 | Understanding Windows memory data structures | FullShade |
11 | Understanding the PEB & WinDBG analysis | FullShade |
12 | Kernel Opaque data structures & access tokens | FullShade |
13 | Windows Kernel memory pool & vulnerabilities | FullShade |
14 | Basics of Kernel-mode driver (IRPs) & I/O requests | FullShade |
15 | IOCTLs for kernel driver exploit development | FullShade |
Windows kernel exploitation (2010 - 2013 era)
POCs and fully completed exploits can be found here: https://github.com/FULLSHADE/HEVD-Exploits, with more coming this week.
Id | Article | Author |
---|---|---|
16 | Writing a Windows Kernel-Mode Driver - Part 1 | FullShade |
17 | HEVD - Windows 7 x86 Kernel Stack Overflow | FullShade |
18 | HEVD - Windows 7 x86 Kernel NULL Pointer Dereference | FullShade |
19 | HEVD - Windows 7 x86 Kernel Type Confusion | FullShade |
20 | HEVD - Windows 7 x86 Kernel Arbitrary Write | FullShade |
21 | HEVD - Windows 7 x86 Kernel Use-After-Free | FullShade |
22 | HEVD - Windows 7 x86 Kernel Integer Overflow | FullShade |
23 | HEVD - Windows 7 x86 Kernel Uninitialized Stack Variable | FullShade |
24 | HEVD - Windows 7 x86 Kernel Pool Overflow | FullShade |
25 | HEVD - Windows 7 x86_64 Kernel Stack Overflow | FullShade |
26 | HEVD - Windows 7 x86_64 Kernel Arbitrary Write | FullShade |
Advanced Windows kernel exploitation (2016 - 2020 era)
Id | Article | Author |
---|---|---|
27 | HEVD - Windows 8.1 64-bit Kernel Stack Overflow w/ SMEP | FullShade |
28 | Leaking Kernel Addresses on Windows 10 64-bit | FullShade |
29 | Abusing GDI Bitmap objects on Windows 10 64-bit | FullShade |
Hunting Windows 0days
Once you have enough Windows exploitation knowledge, you can start auditing third-party applications and drivers for 0day vulnerabilities. Below are a few that have been discovered with this level of knowledge.
- https://fullpwnops.com/cves.html
0days I have discovered can be found scattered around my GitHub profile; better organization will come soon.
Id | Article | Author |
---|---|---|
30 | Fuzzing drivers for 0days, discover new vulnerabilities | FullShade |