Some resources, links, books, and papers related mostly to Windows Internals and anything Windows kernel related. Mostly talks and videos that I enjoyed watching.
- terminus project
- ReactOS Win32k
- Geoff Chappell - Kernel-Mode Windows
- HEVD Vulnerable driver
- FLARE Kernel Shellcode Loader
- Vergilius - Undocumented kernel structures
- Windows X86-64 System Call Table
- Vulnerable Driver Megathread
- ⭐ Kernel Mode Threats and Practical Defenses
- ⭐ Morten Schenk - Taking Windows 10 Kernel Exploitation to the next level
- ⭐ The Life & Death of Kernel Object Abuse
- ⭐ Windows 10 Mitigation Improvements
Talks / video recordings
- 11 part playlist - Rootkits: What they are, and how to find them
- Hooking Nirvana
- Alex Ionescu - Advancing the State of UEFI Bootkits
- BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
- Numchecker: A System Approach for Kernel Rootkit Detection
- DEF CON 26 - Ring 0 Ring 2 Rootkits Bypassing Defenses
- Black Hat Windows 2001 - Kernel Mode Rootkits
- Black Hat Windows 2004 - DKOM (Direct Kernel Object Manipulation)
- RTFM SigSegv1 - From corrupted memory dump to rootkit detection
Articles / papers
- Dissecting Turla Rootkit Malware Using Dynamic Analysis
- A quick insight into the Driver Signature Enforcement
- WINDOWS DRIVER SIGNING BYPASS BY DERUSB
- A Basic Windows DKOM Rootkit
- Manipulating ActiveProcessLinks to Hide Processes in Userland
Talks / video recordings
- BlueHat v18 || Hardening hyper-v through offensive security research
- BYPASS CONTROL FLOW GUARD COMPREHENSIVELY - this is CFG, not kCFG
- BlueHat v18 || Mitigation Bypass: The Past, Present, and Future
- Windows Offender Reverse Engineering Windows Defender's Antivirus Emulator
- Windows 10 Mitigation Improvements (really good talk)
- Overview of Windows 10 Requirements for TPM, HVCI and SecureBoot
- Examining the Guardians of Windows 10 Security - Chuanda Ding
- Analysis of the Attack Surface of Windows 10 Virtualization-Based Security
- A Dive in to Hyper-V Architecture & Vulnerabilities
- the last kaslr leak
- BlueHat v18 || A mitigation for kernel toctou vulnerabilities
- REcon 2013 - I got 99 problems but a kernel pointer ain't one
- SMEP: What is it, and how to beat it on Windows
- BlueHat IL 2020 - David Weston - Keeping Windows Secure
- Advancing Windows Security — David Weston
- OffensiveCon18 - The Evolution of CFI Attacks and Defenses
Articles / papers
General mitigation papers
- Hardening Windows 10 with zero-day exploit mitigations
- TAKING WINDOWS 10 KERNEL EXPLOITATION TO THE NEXT LEVEL
kASLR
- KASLR Bypass Mitigations in Windows 8.1
- Development of a new Windows 10 KASLR bypass - in one WinDbg command
SMEP
- Bypassing Intel SMEP on Windows 8 x64 Using Return-oriented Programming
- Return Oriented Programming Tutorial
- Stack Buffer Overflow (SMEP Bypass)
- Windows 10 x64 and Bypassing SMEP
- SMEP: What is it, and how to beat it on Windows
CET
- Security Analysis of Processor Instruction Set Architecture for Enforcing Control-Flow Integrity
- A Technical Look at Intel’s Control-flow Enforcement Technology
- Control-flow Enforcement Technology Specification
- Intel CET Answers Call to Protect Against Common Malware Threats
- R.I.P ROP: CET Internals in Windows 20H1
Articles / papers
- Loading Kernel Shellcode
- Windows Kernel Shellcodes - a compendium
- Windows Kernel Shellcode on Windows 10 – Part 1
- Windows Kernel Shellcode on Windows 10 – Part 2
- Windows Kernel Shellcode on Windows 10 – Part 3
- Panic! At The Kernel - Token Stealing Payloads Revisited on Windows 10 x64 and Bypassing SMEP
- Token Abuse for Privilege Escalation in Kernel
- Introduction to Shellcode Development
- Introduction to Windows shellcode development – Part 1
- DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis
- Exploring Injected Threads
Talks / video recordings
- HITB2016AMS - Kernel Exploit Hunting And Mitigation
- Ilja van Sprundel: Windows drivers attack surface
- REcon 2015 - This Time Font hunt you down in 4 bytes
- Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)
- Windows kernel exploitation techniques - Adrien Garin - LSE Week 2016
- Hackingz Ze Komputerz - Exploiting CAPCOM.SYS - Part 1
- Hackingz Ze Komputerz - Exploiting CAPCOM.SYS - Part 2
- The 3 Way06 Practical Windows Kernel Exploitation
- Reverse Engineering and Bug Hunting on KMDF Drivers
- Binary Exploit Mitigation and Bypass History - not just kernel
- Morten Schenk - Taking Windows 10 Kernel Exploitation to the next level
- REcon 2015 - Reverse Engineering Windows AFD.sys
- Windows Kernel Graphics Driver Attack Surface
- Understanding TOCTTOU in the Windows Kernel Font Scaler Engine
- Black Hat USA 2013 - Smashing The Font Scaler Engine in Windows Kernel
Articles / papers
- Kernel Exploit Sample Hunting and Mining Contents
- The entire GreyHatHacker site has great writeups
- BlueKeep: A Journey from DoS to RCE (CVE-2019-0708)
- Exploiting SMBGhost (CVE-2020-0796) for a Local Privilege Escalation
- Windows Drivers are True’ly Tricky
- Taking apart a double zero-day sample discovered in joint hunt with ESET
- Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool
- Kernel Pool Overflow Exploitation in Real World: Windows 10
- Kernel Pool Overflow Exploitation in Real World - Windows 7
- Kernel Pool Exploitation on Windows 7
- Easy local Windows Kernel exploitation
- Exploiting CVE-2014-4113
- Pwn2Own 2014 - AFD.sys Dangling Pointer Vulnerability
- Symantec Endpoint protection 0day
- Analysing the NULL SecurityDescriptor kernel exploitation mitigation in the latest Windows 10 v1607 Build 14393
- nt!_SEP_TOKEN_PRIVILEGES - Single Write EoP Protect
- Token Abuse for Privilege Escalation in Kernel
Talks / video recordings
- Abusing GDI for ring0 exploit primitives Evolution
- Demystifying Windows Kernel Exploitation by Abusing GDI Objects
- CommSec D1 - The Life & Death of Kernel Object Abuse
- Kernel Object Abuse by Type Isolation
Articles / papers
- Turning CVE-2017-14961 into full arbitrary read / write with PALETTE objects
- Zero-day exploit (CVE-2018-8453) used in targeted attacks
- The zero-day exploits of Operation WizardOpium
- Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium
- Abusing GDI Objects for ring0 Primitives Revolution
- https://www.coresecurity.com/core-labs/articles/abusing-gdi-for-ring0-exploit-primitives
- A Tale Of Bitmaps: Leaking GDI Objects Post Windows 10 Anniversary Edition
- CSW2017 Peng qiu shefang zhong win32k dark_composition
- Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)
Talks / video recordings
Articles / papers
- CVE-2020-1054 Analysis
- TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln
- One Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild
- Reverse Engineering the Win32k Type Isolation Mitigation
- A new exploit for zero-day vulnerability CVE-2018-8589
- Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005
- Exploring CVE-2015-1701 — A Win32k Elevation of Privilege Vulnerability Used in Targeted Attacks
- Exploiting the win32k!xxxEnableWndSBArrows use-after-free
- New zero-day vulnerability CVE-2019-0859 in win32k.sys
- Windows zero-day CVE-2019-1132 exploited in targeted attacks
- Windows Kernel Local Denial-of-Service #1: win32k!NtUserThunkedMenuItemInfo
- Windows Kernel Local Denial-of-Service #2: win32k!NtDCompositionBeginFrame
- Windows Kernel Local Denial-of-Service #4: nt!NtAccessCheck and family
- Windows Kernel Local Denial-of-Service #5: win32k!NtGdiGetDIBitsInternal
- Windows win32k.sys menus and some “close, but no cigar” bugs
- Windows Kernel Internals - Win32K.sys
Talks / video recordings
Articles / papers
- A vulnerable driver: lesson almost learned
- CVE-2020-12138 - Privilege Escalation in ATI Technologies Inc. Driver atillk64.sys
- CVE-2019-18845 - Viper RGB Driver Local Privilege Escalation
- CVE-2020-8808 - CORSAIR iCUE Driver Local Privilege Escalation
- Logic bugs in Razer rzpnk.sys
- Dell SupportAssist Driver - Local Privilege Escalation
- MSI ntiolib.sys/winio.sys local privilege escalation
- CVE-2019-8372 - Local Privilege Elevation in LG Kernel Driver
- Reading Physical Memory using Carbon Black's Endpoint driver
- ASUS UEFI Update Driver Physical Memory Read/Write
- Privilege escalation vulnerabilities found in over 40 Windows Drivers
- Black Hat - KERNEL MODE THREATS AND PRACTICAL DEFENSES
- Weaponizing vulnerable driver for privilege escalation - Gigabyte Edition!
Talks / video recordings
- Windows Kernel Programming - 14 part playlist
- Windows Driver Development - 19 part playlist
- Developing Kernel Drivers with Modern C++ - Pavel Yosifovich
Articles / papers
- Winsock Kernel Overview Topics
- Driver Development Part 1: Introduction to Drivers
- Driver Development Part 2: Introduction to Implementing IOCTLs
- Driver Development Part 3: Introduction to driver contexts
- Driver Development Part 4: Introduction to device stacks
- Creating IOCTL Requests in Drivers
- Windows Drivers Part 2: IOCTLs
- Sending Commands From Your Userland Program to Your Kernel Driver using IOCTL
Talks / video recordings
- Pluralsight - Windows Internals 1
- Pluralsight - Windows Internals 2
- Pluralsight - Windows Internals 3
- Pluralsight - Windows 10 Internals: Systems and Processes
- Pluralsight - Windows 10 Internals - Threads, Memory and Security
- Alex Ionescu Insection: AWEsomely Exploiting Shared Memory Objects
- Windows Internals
- Windows 10 Segment Heap Internals
- Windows Kernel Vulnerability Research and Exploitation - Gilad Bakas
- NIC 5th Anniversary - Windows 10 internals
- Black Hat USA 2012 - Windows 8 Heap Internals
Articles / papers
- Whitepaper - WINDOWS 10 SEGMENT HEAP INTERNALS
- The Quest for the SSDTs
- System Service Descriptor Table - SSDT
- Interrupt Descriptor Table - IDT
- Exploring Process Environment Block
- Windows Pool Manager
- Parsing PE File Headers with C++
- Digging Into Handles, Callbacks & ObjectTypes
Talks / video recordings
- Hacking Livestream #28: Windows Kernel Debugging Part I
- Hacking Livestream #29: Windows Kernel Debugging Part II
- Hacking Livestream #30: Windows Kernel Debugging Part III
- WinDbg Basics for Malware Analysis
- Windows Debugging and Troubleshooting
- CNIT 126 10: Kernel Debugging with WinDbg
- Windows Kernel Debugging Part I
- Microsoft Patch Analysis for Exploitation
- Windows Kernel Debugging Fundamentals
Articles / papers
- Debug Tutorial Part 1: Beginning Debugging Using CDB and NTSD
- Debug Tutorial Part 2: The Stack
- Debug Tutorial Part 3: The Heap
- Debug Tutorial Part 4: Writing WINDBG Extensions
- Debug Tutorial Part 5: Handle Leaks
- Debug Tutorial Part 6: Navigating The Kernel Debugger
- Debug Tutorial Part 7: Locks and Synchronization Objects
- Getting Started with WinDbg - kernelmode
- Windows Debuggers: Part 1: A WinDbg Tutorial
Talks / video recordings
- W32.Duqu: The Precursor to the Next Stuxnet
- Kernel Mode Threats and Practical Defenses
- Selling 0-Days to Governments and Offensive Security Companies
Articles / papers
- AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
- The zero-day exploits of Operation WizardOpium
- Zero-day exploit (CVE-2018-8453) used in targeted attacks
- EternalBlue – Everything There Is To Know
- Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255
Talks / video recordings
Articles / papers
- drvmap - driver manual mapper using capcom
- All methods of retrieving unique identifiers (HWIDs) on your PC
- Driver aka Kernel Mode cheating
Talks / video recordings
- Vulnerability Exploitation In Docker Container Environments
- Modern Exploitation of the SVGA Device for Guest-to-Host Escapes
- REcon 2014 - Breaking Out of VirtualBox through 3D Acceleration
- 36C3 - The Great Escape of ESXi
- BlueHat v18 || Straight outta VMware
- Hardening hyper-v through offensive security research
- A Dive in to Hyper-V Architecture & Vulnerabilities
- The HyperV Architecture and its Memory Manager
- Ring 0 to Ring -1 Exploitation with Hyper-V IPC
- Exploiting the Hyper-V IDE Emulator to Escape the Virtual Machine
- A Dive in to Hyper-V Architecture & Vulnerabilities
Articles / papers
- Hyper-V memory internals. EXO partition memory access
- Ventures into Hyper-V - Fuzzing hypercalls
- Fuzzing para-virtualized devices in Hyper-V
- First Steps in Hyper-V Research
- Windows Sandbox Attack Surface Analysis
Talks / video recordings
- HITBGSEC 2016 - Fuzzing The Windows Kernel
- Windows Kernel Vulnerability Research and Exploitation
- Bugs on the Windshield: Fuzzing the Windows Kernel
- Windows Kernel Fuzzing for Intermediate Learners
- Windows Kernel Fuzzing For Beginners - Ben Nagy
- Disobey 2018 - Building Windows Kernel fuzzer
- For The Win: The Art Of The Windows Kernel Fuzzing
- RECON 2019 - Vectorized Emulation Putting it all together
Articles / papers
- A year of Windows kernel font fuzzing #1: the results
- A year of Windows kernel font fuzzing #2: the techniques
Talks / video recordings
- Windows Internals, Part 1 (Pavel Yosifovich, and some others)
- Windows 10 System Programming, Part 1 (Pavel Yosifovich)
- Windows 10 System Programming, Part 2 (Pavel Yosifovich)
- Windows Kernel Programming (Pavel Yosifovich)
- Rootkits: Subverting the Windows Kernel
- The Rootkit Arsenal
- Intel® 64 and IA-32 Architectures Software Developer Manuals
Courses
- Advanced Windows Exploitation (AWE)
- SANS 660
- SANS 760
- Corelan "Bootcamp" training
- Corelan "Advanced" training
Certifications
- Offensive Security Exploitation Expert (OSEE)
- GIAC GXPN