Resources
Here are some resources I’ve gathered over the years. Some of the links may no longer be working; if not, try archive.org.
Other Resource Lists
NT Heap
- For the most up-to-date information:
- Maybe not up to date, but still useful:
- Windows 7:
Segment Heap
- These are the most up-to-date (at the time of writing). They are labeled as kernel-mode; however, they are more accurate for user-mode than most other resources:
- Not up to date, but still useful:
- https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Windows-Heap-Backed-Pool-The-Good-The-Bad-And-The-Encoded.pdf
- https://speakerdeck.com/scwuaptx/windows-kernel-heap-segment-heap-in-windows-kernel-part-1
- https://www.blackhat.com/docs/us-16/materials/us-16-Yason-Windows-10-Segment-Heap-Internals-wp.pdf
- https://www.youtube.com/watch?v=XxlzK0CLFN0
- https://media.blackhat.com/bh-us-12/Briefings/Valasek/BH_US_12_Valasek_Windows_8_Heap_Internals_Slides.pdf
Stack CTFs
- https://thegreycorner.com/vulnserver.html
- https://github.com/stephenbradshaw/vulnserver
- Can also be used to learn DEP and ASLR (with a leak) bypasses.
Heap CTFs
- https://zaratec.io/awesome-windows-ctf/
- LazyFragmentationHeap
- Archangel Michael’s Storage
- dadadb
Stack Resources
- x64 Calling Convention (Fastcall): https://learn.microsoft.com/en-us/cpp/build/x64-calling-convention?view=msvc-170
- x64 Software Conventions (alignment, calling conventions, etc.): https://learn.microsoft.com/en-us/cpp/build/x64-software-conventions?view=msvc-170
- Full list of calling conventions: https://learn.microsoft.com/en-us/cpp/cpp/argument-passing-and-naming-conventions?view=msvc-170
- x64 Exception Handling: https://codemachine.com/articles/x64_deep_dive.html
Blogs
- Kernel
- https://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/
- This is only part 1. It also has links to other interesting posts.
- https://www.ibm.com/think/x-force/critically-close-to-zero-day-exploiting-microsoft-kernel-streaming-service
- https://www.ibm.com/think/x-force/little-bug-that-could
- https://whereisk0shl.top/post/isolate-me-from-sandbox-explore-elevation-of-privilege-of-cng-key-isolation
- https://www-sysnet-pe-kr.translate.goog/2/0/12068?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp
Tools
WinDBG (Plugins, Guides, Etc.)
Exploit Lists
Writeups
- Heap
- https://mrt4ntr4.github.io/Windows-Heap-Exploitation-dadadb/
- https://github.com/scwuaptx/CTF/tree/master/2019-writeup/hitcon/dadadb
- See the associated PDF writeup; it’s better than the Markdown version.
- https://blog.null2root.org/blog/2020/02/07/LazyFragmentationHeap-WCTF2019-writeup.html
- https://pwnfirstsear.ch/2020/12/09/hitconctf2020-archangel
- https://github.com/scwuaptx/CTF/blob/master/2020-writeup/hitcon/MichaelStorage/MichaelStorage.pdf
Tutorials & Guides
Misc
- PPL: https://blog.slowerzs.net/posts/pplsystem/
- https://www.youtube.com/watch?v=5xteW8Tm410 (referenced in the post above)
- Process injection via COM & Links to COM resources: https://www.mdsec.co.uk/2022/04/process-injection-via-component-object-model-com-irundowndocallback/
- CFG Bypass via RPC: https://iamelli0t.github.io/2021/04/10/RPC-Bypass-CFG.html#windows-rpc-introduction-and-exploitation
- CFG Bypass: https://www.slideshare.net/slideshow/object-oriented-exploitation-new-techniques-in-windows-mitigation-bypass/65131707#62