Welcome! I am Fu11shade, I specialize in 0day research and offensive Windows exploitation, this course is to fill in the gap on the internet for Windows exploitation content. I am rapidly working to finish the last few (newly added) posts, everything should be finished by the end of this week. Currently about 5-6 missing posts so far.
This page provides a pathway for learning Windows exploit development, following the provided blog posts will allow you to learn Windows exploit development from the basics, to advanced kernel exploitation on a Windows 10 system with all the mitigations enabled.
This course can all be downloaded as a polished PDF book format [coming soon!]
Basic exploitation (late 1990’s - early 2010’s era)
https://github.com/FULLSHADE/OSCE is my repository with over 25 from scratch written exploits, these exploits are in-scope of the “basic exploitation” category of this series.
Fair warning, some of the following posts are not finished yet… Most everything else is
| Id | Article | Author |
|---|---|---|
| 0 | Setting up Immunity and WinDBG with Mona.py | FullShade |
| 1 | Classic JMP ESP buffer overflow | FullShade |
| 2 | Local SEH buffer overflow | FullShade |
| 3 | Local SEH buffer overflow with a DEP bypass | FullShade |
| 4 | Remote SEH overflow with egghunters | FullShade |
| 5 | Remote SEH overflows & multi-stage jumps | FullShade |
| 6 | SEH overflows, alphanumber & unicode encoding bypass | FullShade |
| 7 | Bypassing SEH mitigations with DLL injection | FullShade |
| 8 | Code caving and backdooring PEs | FullShade |
Windows Internals theory
| Id | Article | Author |
|---|---|---|
| 9 | Understanding Windows security mitigations | FullShade |
| 10 | Understanding Windows memory data structures | FullShade |
| 11 | Understanding the PEB & WinDBG analysis | FullShade |
| 12 | Kernel Opaque data structures & access tokens | FullShade |
| 13 | Windows Kernel memory pool & vulnerabilities | FullShade |
| 14 | Basics of Kernel-mode driver (IRPs) & I/O requests | FullShade |
| 15 | IOCTL’s for kernel driver exploit development | FullShade |
Windows kernel exploitation (2010 - 2013 era)
POCs and fully completed exploits can be found here https://github.com/FULLSHADE/HEVD-Exploits, more coming thing week
| Id | Article | Author |
|---|---|---|
| 16 | Writing a Windows Kernel-Mode Driver - Part 1 | FullShade |
| 17 | HEVD - Windows 7 x86 Kernel Stack Overflow | FullShade |
| 18 | HEVD - Windows 7 x86 Kernel NULL Pointer Dereference | FullShade |
| 19 | HEVD - Windows 7 x86 Kernel Type Confusion | FullShade |
| 20 | HEVD - Windows 7 x86 Kernel Arbitrary Write | FullShade |
| 21 | HEVD - Windows 7 x86 Kernel Use-After-Free | FullShade |
| 22 | HEVD - Windows 7 x86 Kernel Interger Overflow | FullShade |
| 23 | HEVD - Windows 7 x86 Kernel Uninitialized Stack Variable | FullShade |
| 24 | HEVD - Windows 7 x86 Kernel Pool Overflow | FullShade |
| 25 | HEVD - Windows 7 x86_64 Kernel Stack Overflow | FullShade |
| 26 | HEVD - Windows 7 x86_64 Kernel Arbitrary Write | FullShade |
Advanced Windows kernel exploitation (2016 - 2020 era)
| Id | Article | Author |
|---|---|---|
| 27 | HEVD - Windows 8.1 64-bit Kernel Stack Overflow w/ SMEP | FullShade |
| 28 | Leaking Kernel Addresses on Windows 10 64-bit | FullShade |
| 29 | Abusing GDI Bitmap objects on Windows 10 64-bit | FullShade |
Hunting Windows 0days
Once you have enough Windows exploitation knowledge, you can start auditing third-party applications and drivers for 0day vulnerabilities, below are a few that have been discovered with this level of information.
- https://fullpwnops.com/cves.html
Discovered 0days by me can be found littered around my Github profile, more organization will come soon
| Id | Article | Author |
|---|---|---|
| 30 | Fuzzing drivers for 0days, discover new vulnerabilities | FullShade |