WinPwn
My study logs on Windows pwnables, plus some hopefully helpful resources.
References
This is a list of useful references I checked while studying Windows pwnables, dumped from my bookmarks. Note that some resources might be (heavily) outdated or partially mis-categorized.
Intro
Shellcoding
Stack Exploits
- Stack Based Buffer Overflows on x86 (Windows)
- Stack Based Buffer Overflows on x64 (Windows)
- Windows System Hacking Technique - Stack Exploit Tutorial (KR)
SEH (Structured Exception Handler)
- Structured Exception handler Exploitation
- Windows Exploit Development - Part 6: SEH Exploits
- bartender - InCTF Internationals 2019
- Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
- Exceptional Behavior - x64 Structured Exception Handling
- Memory protection mechanisms in Windows
- Dive into exceptions: caution, this may be hard
- Reversing Microsoft Visual C++ Part I: Exception Handling
CFG (Control Flow Guard)
- Bypassing Control Flow Guard in Windows 10
- Exploring Control Flow Guard in Windows 10
- Windows 10 Control Flow Guard Internals
- Disarming Control Flow Guard Using Advanced Code Reuse Attacks
- Let's talk about CFI: Microsoft Edition
- CFG Improvements in Windows 10 Anniversary Update
Heap Exploits
TIP: A process created by a debugger gets the NT debug heap (tail/free checking and parameter validation flags), and the heap manager never enables the LFH front end while those flags are set. If you want to work on the LFH under a debugger, set the environment variable _NO_DEBUG_HEAP=1 before launching the debugger, or attach to the process after it has started.
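The launch procedure for the tip above, as an added example (this is not part of the original page, and the WinDbg and target paths are assumptions):

```powershell
# Added example, not from the original page. Paths below are assumptions.
# A process created by a debugger inherits the debug-heap flags
# (HEAP_TAIL_CHECKING_ENABLED, HEAP_FREE_CHECKING_ENABLED,
# HEAP_VALIDATE_PARAMETERS_ENABLED), and the heap manager does not activate
# the LFH front end while they are set. _NO_DEBUG_HEAP=1 makes the loader
# skip those flags, so allocations land in LFH buckets exactly as they do
# outside the debugger.

$env:_NO_DEBUG_HEAP = '1'   # inherited by every child process of this shell

$windbg = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe'  # assumed path
$target = 'C:\chals\lfh_target.exe'                                           # assumed target

# -g skips the initial breakpoint, -G skips the final breakpoint
& $windbg -g -G $target

# Equivalent without the variable: WinDbg's own -hd switch disables the
# debug heap for processes the debugger launches:
#   & $windbg -hd -g -G $target
# Attaching to an already running process (-p <pid>) also avoids the debug
# heap, because the flags are only applied at process creation.
```

Inside WinDbg, `!heap -s` lists the process heaps and `dt ntdll!_HEAP <heap_address> FrontEndHeapType` shows whether the front end is active (2 means LFH). The LFH front end only turns on for a bucket after a run of allocations of the same size, so let the target allocate a bit before checking; if `FrontEndHeapType` stays 0 even then, the variable was not inherited, which usually means the debugger was started before it was set.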
- Windows 10 Nt Heap Exploitation (English version)
- winhttpd writeup: private heaps pwning on Windows
- Disclosing stack data (stack frames, GS cookies etc.) from the default heap on Windows
- Deterministic LFH
- Windows 10 Segment Heap Internals presentation & whitepaper
- Heap Overflow Exploitation on Windows 10 Explained
- Understanding the Low Fragmentation Heap
- Windows 8 Heap Internals presentation & whitepaper
- Advanced Heap Manipulation in Windows 8
- [Writeup] LazyFragmentationHeap - WCTF 2019
- Low Fragmentation Heap (LFH) Exploitation - Windows 10 Userspace
Kernel
- Windows Kernel Shellcode on Windows 10 - Part 1
- Windows Kernel Address Leaks
- TAKING WINDOWS 10 KERNEL EXPLOITATION TO THE NEXT LEVEL - LEVERAGING WRITE-WHAT-WHERE VULNERABILITIES IN CREATORS UPDATE presentation & whitepaper
- Windows Kernel Debugging & Exploitation Part 1 - Setting up the lab
- [Kernel Exploitation] 4: Stack Buffer Overflow (SMEP Bypass)
- A Deep Dive Analysis of Microsoft's Kernel Virtual Address Shadow Feature
- When Kernel Debugging - Find The Page Protection of a User Mode Address
- HITCON CTF 2019 Breath of Shadow
- windows_kernel_resources
- Kernel Exploitation -> RS2 Bitmap Necromancy
- A Tale Of Bitmaps: Leaking GDI Objects Post Windows 10 Anniversary Edition
- NT Diff
- Exploit Development: Leveraging Page Table Entries for Windows Kernel Exploitation
NTAPI, Syscalls, Undocumented etc.
- NTAPI Undocumented Functions
- processhacker/ntpsapi.h
- Windows System Call Tables
- An Analysis of Address Space Layout Randomization on Windows Vista
- Undocumented 32-bit PEB and TEB Structures
- Vergilius Project
- Winbindex - The Windows Binaries Index
CTF Chals
- j00ru/ctf-tasks
- Awesome Windows CTF
- WCTF 2019 LazyFragmentationHeap
- Hack.lu CTF 2020 LowFunHeap
- CODEGATE 2020 CTF winterpreter & winsanity
Tools
- appjaillauncher-rs
- Sysinternals Suite
- WinDbg / x64dbg
- winchecksec / checksec.py
- pdbex
- Python modules:
  - pwintools (original, modified fork)
  - pdbparse