Awesome
WinKernel-Resources
A list of excellent resources for anyone trying to deepen their understanding with regards to Windows Kernel Exploitation and general low level security.
Some resources, links, books, and papers related to mostly Windows Internals and anything Windows kernel related really.
Important Info
- React OS Win32k
- Geoff Chappell - Kernel-Mode Windows
- HEVD Vulnerable driver
- FLARE Kernel Shellcode Loader
- Vergilius - Undocumented kernel structures
- Windows X86-64 System Call Table
- Vulnerable Driver Megathread
Must watch
- ⭐ Kernel Mode Threats and Practical Defenses
- ⭐ Morten Schenk - Taking Windows 10 Kernel Exploitation to the next level
- ⭐ The Life & Death of Kernel Object Abuse
- ⭐ Windows 10 Mitigation Improvements
Windows Rootkits
Talks / video recordings
- 11 part playlist - Rootkits: What they are, and how to find them
- Hooking Nirvana
- Alex Ionescu - Advancing the State of UEFI Bootkits
- BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
- Numchecker: A System Approach for Kernel Rootkit Detection
- DEF CON 26 - Ring 0 Ring 2 Rootkits Bypassing Defenses
- Black Hat Windows 2001 - Kernel Mode Rootkits
- Black Hat Windows 2004 - DKOM (Direct Kernel Object Manipulation)
- RTFM SigSegv1 - From corrupted memory dump to rootkit detection
Articles / papers
- Dissecting Turla Rootkit Malware Using Dynamic Analysis
- A quick insight into the Driver Signature Enforcement
- WINDOWS DRIVER SIGNING BYPASS BY DERUSB
- A Basic Windows DKOM Rootkit
- Manipulating ActiveProcessLinks to Hide Processes in Userland
Windows kernel mitigations
Talks / video recordings
- BlueHat v18 || Hardening hyper-v through offensive security research
- BYPASS CONTROL FLOW GUARD COMPREHENSIVELY - this is cfg not kCFG
- BlueHat v18 || Mitigation Bypass: The Past, Present, and Future
- Windows Offender Reverse Engineering Windows Defender's Antivirus Emulator
- Windows 10 Mitigation Improvements (really good talk)
- Overview of Windows 10 Requirements for TPM, HVCI and SecureBoot
- Examining the Guardians of Windows 10 Security - Chuanda Ding
- Analysis of the Attack Surface of Windows 10 Virtualization-Based Security
- A Dive in to Hyper-V Architecture & Vulnerabilities
- the last kaslr leak
- BlueHat v18 || A mitigation for kernel toctou vulnerabilities
- REcon 2013 - I got 99 problems but a kernel pointer ain't one
- SMEP: What is it, and how to beat it on Windows
- BlueHat IL 2020 - David Weston - Keeping Windows Secure
- Advancing Windows Security — David Weston
- OffensiveCon18 - The Evolution of CFI Attacks and Defenses
Articles / papers
General mitigation papers
- Hardening Windows 10 with zero-day exploit mitigations
- TAKING WINDOWS 10 KERNEL EXPLOITATION TO THE NEXT LEVEL
kASLR
- KASLR Bypass Mitigations in Windows 8.1
- Devlopment of a new Windows 10 KASLR bypass - in one winDBG command
SMEP
- Bypassing Intel SMEP on Windows 8 x64 Using Return-oriented Programming
- Return Oriented Programming Tutorial
- Stack Buffer Overflow (SMEP Bypass)
- Windows 10 x64 and Bypassing SMEP
- SMEP: What is it, and how to beat it on Windows
CET
- Security Analysis of Processor Instruction Set Architecture for Enforcing Control-Flow Integrity
- A Technical Look at Intel’s Control-flow Enforcement Technology
- Control-flow Enforcement Technology Specification
- Intel CET Answers Call to Protect Against Common Malware Threats
- R.I.P ROP: CET Internals in Windows 20H1
Windows kernel shellcode
Articles / papers
- Loading Kernel Shellcode
- Windows Kernel Shellcodes - a compendium
- Windows Kernel Shellcode on Windows 10 – Part 1
- Windows Kernel Shellcode on Windows 10 – Part 2
- Windows Kernel Shellcode on Windows 10 – Part 3
- Panic! At The Kernel - Token Stealing Payloads Revisited on Windows 10 x64 and Bypassing SMEP
- Token Abuse for Privilege Escalation in Kernel
- Introduction to Shellcode Development
- Introduction to Windows shellcode development – Part 1
- DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis
- Exploring Injected Threads
Windows kernel exploitation
Talks / video recordings
- HITB2016AMS - Kernel Exploit Hunting And Mitigation
- Ilja van Sprundel: Windows drivers attack surface
- REcon 2015 - This Time Font hunt you down in 4 bytes
- Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)
- Windows kernel exploitation techniques - Adrien Garin - LSE Week 2016
- Hackingz Ze Komputerz - Exploiting CAPCOM.SYS - Part 1
- Hackingz Ze Komputerz - Exploiting CAPCOM.SYS - Part 2
- The 3 Way06 Practical Windows Kernel Exploitation
- Reverse Engineering and Bug Hunting on KMDF Drivers
- Binary Exploit Mitigation and Bypass History - not just kernel
- Morten Schenk - Taking Windows 10 Kernel Exploitation to the next level
- REcon 2015 - Reverse Engineering Windows AFD.sys
- Windows Kernel Graphics Driver Attack Surface
- Understanding TOCTTOU in the Windows Kernel Font Scaler Engine
- Black Hat USA 2013 - Smashing The Font Scaler Engine in Windows Kernel
Articles / papers
- Kernel Exploit Sample Hunting and Mining Contents
- The entire GreyHatHacker site has great writeups
- BlueKeep: A Journey from DoS to RCE (CVE-2019-0708)
- Exploiting SMBGhost (CVE-2020-0796) for a Local Privilege Escalation
- Windows Drivers are True’ly Tricky
- Taking apart a double zero-day sample discovered in joint hunt with ESET
- Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool
- Kernel Pool Overflow Exploitation in Real World: Windows 10
- Kernel Pool Overflow Exploitation in Real World - Windows 7
- Kernel Pool Exploitation on Windows 7
- Easy local Windows Kernel exploitation
- Exploiting CVE-2014-4113
- Pwn2Own 2014 - AFD.sys Dangling Pointer Vulnerability
- Symantec Endpoint protection 0day
- Analysing the NULL SecurityDescriptor kernel exploitation mitigation in the latest Windows 10 v1607 Build 14393
- nt!_SEP_TOKEN_PRIVILEGES - Single Write EoP Protect
- Token Abuse for Privilege Escalation in Kernel
Windows kernel GDI exploitation
Talks / video recordings
- Abusing GDI for ring0 exploit primitives Evolution
- Demystifying Windows Kernel Exploitation by Abusing GDI Objects
- CommSec D1 - The Life & Death of Kernel Object Abuse
- Kernel Object Abuse by Type Isolation
Articles / papers
- Turning CVE-2017-14961 into full arbitrary read / write with PALETTE objects
- Zero-day exploit (CVE-2018-8453) used in targeted attacks
- The zero-day exploits of Operation WizardOpium
- Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium
- Abusing GDI Objects for ring0 Primitives Revolution
- https://www.coresecurity.com/core-labs/articles/abusing-gdi-for-ring0-exploit-primitives
- A Tale Of Bitmaps: Leaking GDI Objects Post Windows 10 Anniversary Edition
- CSW2017 Peng qiu shefang zhong win32k dark_composition
- Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)
Windows kernel Win32k.sys research
Talks / video recordings
Articles / papers
- CVE-2020-1054 Analysis
- TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln
- One Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild
- Reverse Engineering the Win32k Type Isolation Mitigation
- A new exploit for zero-day vulnerability CVE-2018-8589
- Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005
- Exploring CVE-2015-1701 — A Win32k Elevation of Privilege Vulnerability Used in Targeted Attacks
- Exploiting the win32k!xxxEnableWndSBArrows use-after-free
- New zero-day vulnerability CVE-2019-0859 in win32k.sys
- Windows zero‑day CVE‑2019‑1132 exploited in targeted attacks
- Windows Kernel Local Denial-of-Service #1: win32k!NtUserThunkedMenuItemInfo
- Windows Kernel Local Denial-of-Service #2: win32k!NtDCompositionBeginFrame
- Windows Kernel Local Denial-of-Service #4: nt!NtAccessCheck and family
- Windows Kernel Local Denial-of-Service #5: win32k!NtGdiGetDIBitsInternal
- Windows win32k.sys menus and some “close, but no cigar” bugs
- Windows Kernel Internals - Win32K.sys
Windows Kernel logic bugs
Talks / video recordings
Articles / papers
- A vulnerable driver: lesson almost learned
- CVE-2020-12138 - Privilege Escalation in ATI Technologies Inc. Driver atillk64.sys
- CVE-2019-18845 - Viper RGB Driver Local Privilege Escalation
- CVE-2020-8808 - CORSAIR iCUE Driver Local Privilege Escalation
- Logic bugs in Razer rzpnk.sys
- Dell SupportAssist Driver - Local Privilege Escalation
- MSI ntiolib.sys/winio.sys local privilege escalation
- CVE-2019-8372 - Local Privilege Elevation in LG Kernel Driver
- Reading Physical Memory using Carbon Black's Endpoint driver
- ASUS UEFI Update Driver Physical Memory Read/Write
- Privilege escalation vulnerabilities found in over 40 Windows Drivers
- Blackat - KERNEL MODE THREATS AND PRACTICAL DEFENSES
- Weaponizing vulnerable driver for privilege escalation— Gigabyte Edition!
Windows kernel driver development
Talks / video recordings
- Windows Kernel Programming - 14 part playlist
- Windows Driver Development - 19 part playlist
- Developing Kernel Drivers with Modern C++ - Pavel Yosifovich
Articles / papers
- Winsock Kernel Overview Topics
- Driver Development Part 1: Introduction to Drivers
- Driver Development Part 2: Introduction to Implementing IOCTLs
- Driver Development Part 3: Introduction to driver contexts
- Driver Development Part 4: Introduction to device stacks
- Creating IOCTL Requests in Drivers
- Windows Drivers Part 2: IOCTLs
- Sending Commands From Your Userland Program to Your Kernel Driver using IOCTL
Windows Internals
Talks / video recordings
- Pluralsight - Windows Internals 1
- Pluralsight - Windows Internals 2
- Pluralsight - Windows Internals 3
- Pluralsight - Windows 10 Internals: Systems and Processes
- Pluralsight - Windows 10 Internals - Threads, Memory and Security
- Alex Ionescu Insection: AWEsomely Exploiting Shared Memory Objects
- Windows Internals
- Windows 10 Segment Heap Internals
- Windows Kernel Vulnerability Research and Exploitation - Gilad Bakas
- NIC 5th Anniversary - Windows 10 internals
- Black Hat USA 2012 - Windows 8 Heap Intervals
Articles / papers
- Whitepaper - WINDOWS 10 SEGMENT HEAP INTERNALS
- The Quest for the SSDTs
- System Service Descriptor Table - SSDT
- Interrupt Descriptor Table - IDT
- Exploring Process Environment Block
- Windows Pool Manager
- Parsing PE File Headers with C++
- Digging Into Handles, Callbacks & ObjectTypes
Advanced Windows debugging
Talks / video recordings
- Hacking Livestream #28: Windows Kernel Debugging Part I
- Hacking Livestream #29: Windows Kernel Debugging Part II
- Hacking Livestream #30: Windows Kernel Debugging Part III
- WinDbg Basics for Malware Analysis
- Windows Debugging and Troubleshooting
- CNIT 126 10: Kernel Debugging with WinDbg
- Windows Kernel Debugging Part I
- Microsoft Patch Analysis for Exploitation
- Windows Kernel Debugging Fundamentals
Articles / papers
- Debug Tutorial Part 1: Beginning Debugging Using CDB and NTSD
- Debug Tutorial Part 2: The Stack
- Debug Tutorial Part 3: The Heap
- Debug Tutorial Part 4: Writing WINDBG Extensions
- Debug Tutorial Part 5: Handle Leaks
- Debug Tutorial Part 6: Navigating The Kernel Debugge
- Debug Tutorial Part 7: Locks and Synchronization Objects
- Getting Started with WinDbg - kernelmode
- Windows Debuggers: Part 1: A WinDbg Tutorial
0days - APT advanced malware research
Talks / video recordings
- W32.Duqu: The Precursor to the Next Stuxnet
- Kernel Mode Threats and Practical Defenses
- Selling 0-Days to Governments and Offensive Security Companies
Malware Samples
As far as advanced malware research is concerned i thought it fitting to include a sub-catagory here dedicated to publically available Malware. Rootkits, Bootkits and related low level security and development items to be exact, not just for windows but other platforms as well. Find the list below.
Rootkits
- Spectre
- Windows Hijack
- SCShell
- Phys-MEM R/w
- KernelHiddenExecute
- Gina_Public
- driverless-basic-driver
- SMB Door
- BypassDriverDetection
- UTK Module
- cheat-driver
- HWIDFaker
- puppetstrings
- XHunter
- ETR-Zero
- WinDriver x32
- WinDriver x64
- CSurage's Rootkit
- Greenkit Rootkit
- R77-Rootkit
- WinReg-Rootkit
- Multiple Windows Rootkits
- DRV-Hide
- FakeMBR
- PTBBypass
- KungFu-Malware
- Trojan - Cockrroach
Bootkits
- umap
- rk2017
- ChangeDiskSector
- Uefi_HelloWorld
- ShitDrv
- DarkCloud
- Rovnix
- TinyXPB
- Win64-Rovnix-VBR-Bootkit
- Gozi-MBR
- vector-edk
- booty
Articles / papers
- AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
- The zero-day exploits of Operation WizardOpium
- Zero-day exploit (CVE-2018-8453) used in targeted attacks
- EternalBlue – Everything There Is To Know
- Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255
Video game cheating (kernel mode stuff sometimes)
Talks / video recordings
Articles / papers
- drvmap - driver manual mapper using capcom
- All methods of retrieving unique identifiers(HWIDs) on your PC
- Driver aka Kernel Mode cheating
Hyper-V and VM / sandbox escape
Talks / video recordings
- Vulnerability Exploitation In Docker Container Environments
- Modern Exploitation of the SVGA Device for Guest-to-Host Escapes
- REcon 2014 - Breaking Out of VirtualBox through 3D Acceleration
- 36C3 - The Great Escape of ESXi
- BlueHat v18 || Straight outta VMware
- Hardening hyper-v through offensive security research
- A Driver in to Hyper v Architecture&Vulnerabilities
- The HyperV Architecture and its Memory Manager
- Ring 0 to Ring -1 Exploitation with Hyper-V IPC
- Exploiting the Hyper-V IDE Emulator to Escape the Virtual Machine
- A Dive in to Hyper-V Architecture & Vulnerabilities
Articles / papers
- Hyper-V memory internals. EXO partition memory access
- Ventures into Hyper-V - Fuzzing hypercalls
- Fuzzing para-virtualized devices in Hyper-V
- First Steps in Hyper-V Research
- Windows Sandbox Attack Surface Analysis
Fuzzing
Talks / video recordings
- HITBGSEC 2016 - Fuzzing The Windows Kernel
- Windows Kernel Vulnerability Research and Exploitation
- Bugs on the Windshield: Fuzzing the Windows Kernel
- Windows Kernel Fuzzing for Intermediate Learners
- Windows Kernel Fuzzing For Beginners - Ben Nagy
- Disobey 2018 - Building Windows Kernel fuzzer
- For The Win: The Art Of The Windows Kernel Fuzzing
- RECON 2019 - Vectorized Emulation Putting it all together
Articles / papers
- A year of Windows kernel font fuzzing #1: the results
- A year of Windows kernel font fuzzing #2: the techniques
Windows browser exploitation
Talks / video recordings
Interesting Books
- Windows Internals, Part 1 (Pavel Yosifovich, and some others)
- Windows 10 System Programming, Part 1 (Pavel Yosifovich)
- Windows 10 System Programming, Part 2 (Pavel Yosifovich)
- Windows Kernel Programming (Pavel Yosifovich)
- Rootkits: Subverting the Windows Kernel
- The Rootkit Arsenal
- Intel® 64 and IA-32 Architectures Software Developer Manuals
Related certifications and courses
Courses
- Advanced Windows Exploitation (AWE)
- Sans 660
- Sans 760
- Corelan "Bootcamp" training
- Corelan "Advanced" training
Certifications
- Offensive Security Exploitation Expert (OSEE)
- Giac GXPN