WinPwn

My study logs on Windows pwnables, plus some hopefully helpful resources.

References

These are the list of useful references I've checked out while studying Windows pwnable, dumped from my bookmarks. Note that some resources might be (heavily) outdated or partially mis-categorized.

Intro

• Intro to Windows Exploit Techniques for Linux PWNers

Shellcoding

• Basics of Windows shellcode writing
• Writing shellcodes for Windows x64

Stack Exploits

• Stack Based Buffer Overflows on x86 (Windows)
• Stack Based Buffer Overflows on x64 (Windows)
• Windows System Hacking Technique - Stack Exploit Tutorial (KR)

SEH (Structured Exception Handler)

• Structured Exception handler Exploitation
• Windows Exploit Development - Part 6: SEH Exploits
• bartender - InCTF Internationals 2019
• Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
• Exceptional Behavior - x64 Structured Exception Handling
• Memory protection mechanisms in Windows
• Dive into exceptions: caution, this may be hard
• Reversing Microsoft Visual C++ Part I: Exception Handling

CFG (Control Flow Guard)

• Bypassing Control Flow Guard in Windows 10
• Exploring Control Flow Guard in Windows 10
• Windows 10 Control Flow Guard Internals
• Disarming Control Flow Guard Using Advanced Code Reuse Attacks
• Let’s talk about CFI: Microsoft Edition
• CFG Improvements in Windows 10 Anniversary Update

Heap Exploits

TIP: If you want to work on LFH with debuggers, set _NO_DEBUG_HEAP=1

• Windows 10 Nt Heap Exploitation (English version)
• winhttpd writeup: private heaps pwning on Windows
• Disclosing stack data (stack frames, GS cookies etc.) from the default heap on Windows
• Deterministic LFH
• Windows 10 Segment Heap Internals presentation & whitepaper
• Heap Overflow Exploitation on Windows 10 Explained
• Understanding the Low Fragmentation Heap
• Windows 8 Heap Internals presentation & whitepaper
• Advanced Heap Manipulation in Windows 8
• [Writeup] LazyFragmentationHeap - WCTF 2019
• Low Fragmentation Heap (LFH) Exploitation - Windows 10 Userspace

Kernel

• Windows Kernel Shellcode on Windows 10 – Part 1
• Windows Kernel Address Leaks
• TAKING WINDOWS 10 KERNEL EXPLOITATION TO THE NEXT LEVEL – LEVERAING WRITE-WHAT-WHERE VULNERABILITIES IN CREATORS UPDATE presentation & whitepaper
• Windows Kernel Debugging & Exploitation Part1 – Setting up the lab
• [Kernel Exploitation] 4: Stack Buffer Overflow (SMEP Bypass)
• A Deep Dive Analysis of Microsoft’s Kernel Virtual Address Shadow Feature
• When Kernel Debugging - Find The Page Protection of a User Mode Address
• HITCON CTF 2019 Breath of Shadow
• windows_kernel_resources
• Kernel Exploitation -> RS2 Bitmap Necromancy
• A Tale Of Bitmaps: Leaking GDI Objects Post Windows 10 Anniversary Edition
• NT Diff
• Exploit Development: Leveraging Page Table Entries for Windows Kernel Exploitation

NTAPI, Syscalls, Undocumented etc.

• NTAPI Undocumented Functions
• processhacker/ntpsapi.h
• Windows System Call Tables
• An Analysis of Address Space Layout Randomization on Windows Vista™
• Undocumented 32-bit PEB and TEB Structures
• Vergilius Project
• Winbindex - The Windows Binaries Index

CTF Chals

• j00ru/ctf-tasks
• Awesome Windows CTF
• WCTF 2019 LazyFragmentationHeap
• Hack.lu CTF 2020 LowFunHeap
• CODEGATE 2020 CTF winterpreter & winsanity 😉

Tools

• appjaillauncher-rs
• Sysinternals Suite
• WinDbg / x64dbg
• winchecksec / checksec.py
• pdbex
• Python modules:
  • pwintools (original, modified fork)
  • pdbparse

(Automated) Deployment

• Running Windows Server 2k16 with Docker under Linux, KVM or Virtualbox
• Building the perfect Windows Server 2016 reference image
• Answer files (unattend.xml)
• Creating an Offline MDT Deployment Media
• TechBench by WZT
• UUP dump
• UUP Generation Project