Welcome! I am Fu11shade, I specialize in 0day research and offensive Windows exploitation, this course is to fill in the gap on the internet for Windows exploitation content. I am rapidly working to finish the last few (newly added) posts, everything should be finished by the end of this week. Currently about 5-6 missing posts so far.

This page provides a pathway for learning Windows exploit development, following the provided blog posts will allow you to learn Windows exploit development from the basics, to advanced kernel exploitation on a Windows 10 system with all the mitigations enabled.

This course can all be downloaded as a polished PDF book format [coming soon!]

Basic exploitation (late 1990’s - early 2010’s era)

https://github.com/FULLSHADE/OSCE is my repository with over 25 from scratch written exploits, these exploits are in-scope of the “basic exploitation” category of this series.

Fair warning, some of the following posts are not finished yet… Most everything else is

0Setting up Immunity and WinDBG with Mona.pyFullShade
1Classic JMP ESP buffer overflowFullShade
2Local SEH buffer overflowFullShade
3Local SEH buffer overflow with a DEP bypassFullShade
4Remote SEH overflow with egghuntersFullShade
5Remote SEH overflows & multi-stage jumpsFullShade
6SEH overflows, alphanumber & unicode encoding bypassFullShade
7Bypassing SEH mitigations with DLL injectionFullShade
8Code caving and backdooring PEsFullShade

Windows Internals theory

9Understanding Windows security mitigationsFullShade
10Understanding Windows memory data structuresFullShade
11Understanding the PEB & WinDBG analysisFullShade
12Kernel Opaque data structures & access tokensFullShade
13Windows Kernel memory pool & vulnerabilitiesFullShade
14Basics of Kernel-mode driver (IRPs) & I/O requestsFullShade
15IOCTL’s for kernel driver exploit developmentFullShade

Windows kernel exploitation (2010 - 2013 era)

POCs and fully completed exploits can be found here https://github.com/FULLSHADE/HEVD-Exploits, more coming thing week

16Writing a Windows Kernel-Mode Driver - Part 1FullShade
17HEVD - Windows 7 x86 Kernel Stack OverflowFullShade
18HEVD - Windows 7 x86 Kernel NULL Pointer DereferenceFullShade
19HEVD - Windows 7 x86 Kernel Type ConfusionFullShade
20HEVD - Windows 7 x86 Kernel Arbitrary WriteFullShade
21HEVD - Windows 7 x86 Kernel Use-After-FreeFullShade
22HEVD - Windows 7 x86 Kernel Interger OverflowFullShade
23HEVD - Windows 7 x86 Kernel Uninitialized Stack VariableFullShade
24HEVD - Windows 7 x86 Kernel Pool OverflowFullShade
25HEVD - Windows 7 x86_64 Kernel Stack OverflowFullShade
26HEVD - Windows 7 x86_64 Kernel Arbitrary WriteFullShade

Advanced Windows kernel exploitation (2016 - 2020 era)

27HEVD - Windows 8.1 64-bit Kernel Stack Overflow w/ SMEPFullShade
28Leaking Kernel Addresses on Windows 10 64-bitFullShade
29Abusing GDI Bitmap objects on Windows 10 64-bitFullShade

Hunting Windows 0days

Once you have enough Windows exploitation knowledge, you can start auditing third-party applications and drivers for 0day vulnerabilities, below are a few that have been discovered with this level of information.

  • https://fullpwnops.com/cves.html

Discovered 0days by me can be found littered around my Github profile, more organization will come soon

30Fuzzing drivers for 0days, discover new vulnerabilitiesFullShade