README.md

for Q/A: twitter: @_akayn

Windows Kernel Exploitation.

Static & dynamic analysis, exploits & vuln reasearch.
Mitigations bypass's

Contents

Introduction:

HEVD-Vanilla-Bug-Class's:
Exploits & Vuln Note's in order to reproduce & reuse.

• HEVD-Vanilla-Bug-Class's
  [+] Compiled-win7x86
  * Type Confusion.
  * Arbitrary Overwrite.
  * Null Pointer Dereference.
  * Pool OverFlow.
  * Stack OverFlow.
  * Use After Free.
  * Uninitialized Stack Variable.
  

kd & dev:

• ShellCode: pl.asm
  
• kernelLeaks: leak bitmap bAddr with HMValidateHandle
  

Mitigations Bypass:

Click Here!
* [RS3-Compatible] ROP Based SMEP Bypass including Gadgets & full debugging info: SmepBypassX64Win10RS3.c
* [<= RS2-Compatible] BitMap Arbitrary OverWrite: GdiExp.cc
* [!] NOTE: the above is not stable & will work 1/3 in the good case... i will fix in the future.

tutorial:

• Rop tutorial: Click Here!
  

Case Studies

Re & exploits:

• Study Case's:
  RCE:
  [+] MS17-010
  [^] Under Construction
  Other Bug Classes:
  TODO
  ...
  ...
  
  

External Resources:

• Memory-Management:
  [+] MIT.
  

• C programming:
  [+] HASH TABLE.
  

• asseambly:
  [+] TUT.
  

• HEVD & Basics:
  [+] HackSysExtremeVulnerableDriver.
  [+] B33F tuto.
  [^] Some of the Vuln Note's in the code were taken from there.
  [+] ShellCoding & kd.
  

• Mitigations:
  [+] SMEP:
  * wiki.
  * j00ru.
  * Enrique Nissim & Nicolas Economou.
  * PTE-OverWrite.
  * return oriented Programming.
  [+] k-ASLR:
  * Morten Schenk.
  [+] ReadWrite Primitives:
  * abusing gdi objects.
  

Tools:

• gadget finder.
  
• gdi-dump windbg extension.
  
• digtool fuzzer.
  
• winafl.
  

Software:

• kd.
  
• Symbols.
  
• Ida.
  
• NASM.
  
• Hxd.
  

Other:

• data struct.
  
• diffing (bindiff).
  
• diffing (diaphora).
  

See Also:

• Smep PoC.
  
• GdiExp.
  

Tnx Note!

many tnx to all the great ppl b4 me that did much work already!
& all others...