A collection of resources (links, books, papers, talks) on Windows internals and the Windows kernel in general, with an emphasis on talks and videos that I enjoyed watching.
These are all resources that I have personally used and gone through.
Talks / video recordings
- 11 part playlist - Rootkits: What they are, and how to find them
- Hooking Nirvana
- Alex Ionescu - Advancing the State of UEFI Bootkits
- BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
- Numchecker: A System Approach for Kernel Rootkit Detection
- DEF CON 26 - Ring 0 Ring 2 Rootkits Bypassing Defenses
- Black Hat Windows 2001 - Kernel Mode Rootkits
- Black Hat Windows 2004 - DKOM (Direct Kernel Object Manipulation)
- RTFM SigSegv1 - From corrupted memory dump to rootkit detection
Articles / papers
- Dissecting Turla Rootkit Malware Using Dynamic Analysis
- A quick insight into the Driver Signature Enforcement
- WINDOWS DRIVER SIGNING BYPASS BY DERUSB
- A Basic Windows DKOM Rootkit
Talks / video recordings
- Hacking Livestream #28: Windows Kernel Debugging Part I
- Hacking Livestream #29: Windows Kernel Debugging Part II
- Hacking Livestream #30: Windows Kernel Debugging Part III
- WinDbg Basics for Malware Analysis
- Windows Debugging and Troubleshooting
- CNIT 126 10: Kernel Debugging with WinDbg
- Windows Kernel Debugging Part I
Articles / papers
Talks / video recordings
- Kernel Mode Threats and Practical Defenses
- Selling 0-Days to Governments and Offensive Security Companies
Articles / papers
Talks / video recordings
Articles / papers
Talks / video recordings
- Vulnerability Exploitation In Docker Container Environments
- Modern Exploitation of the SVGA Device for Guest-to-Host Escapes
- REcon 2014 - Breaking Out of VirtualBox through 3D Acceleration
- 36C3 - The Great Escape of ESXi
Articles / papers
Talks / video recordings
Articles / papers
- Reverse Engineering the Win32k Type Isolation Mitigation
- Exploiting the win32k!xxxEnableWndSBArrows use-after-free
- New zero-day vulnerability CVE-2019-0859 in win32k.sys
- Windows zero-day CVE-2019-1132 exploited in targeted attacks
Talks / video recordings
- BYPASS CONTROL FLOW GUARD COMPREHENSIVELY - this is user-mode CFG, not kCFG
- Windows Offender Reverse Engineering Windows Defender's Antivirus Emulator
- Windows 10 Mitigation Improvements (really good talk)
- Overview of Windows 10 Requirements for TPM, HVCI and SecureBoot
- Examining the Guardians of Windows 10 Security - Chuanda Ding
- Analysis of the Attack Surface of Windows 10 Virtualization-Based Security
- A Dive in to Hyper-V Architecture & Vulnerabilities
- The Last KASLR Leak
- REcon 2013 - I got 99 problems but a kernel pointer ain't one
- REcon 2013 - Inside EMET 4.0
Articles / papers
- SMEP: What is it, and how to beat it on Windows
- TAKING WINDOWS 10 KERNEL EXPLOITATION TO THE NEXT LEVEL
- [Development of a new Windows 10 KASLR bypass - in one WinDbg command](https://www.offensive-security.com/vulndev/development-of-a-new-windows-10-kaslr-bypass-in-one-windbg-command/)
Talks / video recordings
- Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)
- Windows kernel exploitation techniques - Adrien Garin - LSE Week 2016
- Hackingz Ze Komputerz - Exploiting CAPCOM.SYS - Part 1
- Hackingz Ze Komputerz - Exploiting CAPCOM.SYS - Part 2
- The 3 Way06 Practical Windows Kernel Exploitation
- Reverse Engineering and Bug Hunting on KMDF Drivers
- Binary Exploit Mitigation and Bypass History - not just kernel
- Morten Schenk - Taking Windows 10 Kernel Exploitation to the next level
- REcon 2015 - Reverse Engineering Windows AFD.sys
- Windows Kernel Graphics Driver Attack Surface
- Understanding TOCTTOU in the Windows Kernel Font Scaler Engine
- Black Hat USA 2013 - Smashing The Font Scaler Engine in Windows Kernel
Articles / papers
- Windows Drivers are True’ly Tricky
- Taking apart a double zero-day sample discovered in joint hunt with ESET
- Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool
- Kernel Pool Overflow Exploitation in Real World: Windows 10
- Kernel Pool Overflow Exploitation in Real World - Windows 7
- Kernel Pool Exploitation on Windows 7
- Easy local Windows Kernel exploitation
- Exploiting CVE-2014-4113
- Pwn2Own 2014 - AFD.sys Dangling Pointer Vulnerability
- Symantec Endpoint protection 0day
Talks / video recordings
- Abusing GDI for ring0 exploit primitives Evolution
- Demystifying Windows Kernel Exploitation by Abusing GDI Objects
- CommSec D1 - The Life & Death of Kernel Object Abuse
- Kernel Object Abuse by Type Isolation
Articles / papers
- Zero-day exploit (CVE-2018-8453) used in targeted attacks
- The zero-day exploits of Operation WizardOpium
- Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium
- Abusing GDI Objects for ring0 Primitives Revolution
- A Tale Of Bitmaps: Leaking GDI Objects Post Windows 10 Anniversary Edition
Talks / video recordings
- Windows Kernel Programming - 14 part playlist
- Windows Driver Development - 19 part playlist
- Developing Kernel Drivers with Modern C++ - Pavel Yosifovich
Talks / video recordings
- Windows Internals
- Windows 10 Segment Heap Internals
- Windows Kernel Vulnerability Research and Exploitation - Gilad Bakas
- NIC 5th Anniversary - Windows 10 internals
Talks / video recordings
- Windows Kernel Vulnerability Research and Exploitation
- Bugs on the Windshield: Fuzzing the Windows Kernel
- Windows Kernel Fuzzing for Intermediate Learners
- Windows Kernel Fuzzing For Beginners - Ben Nagy
- Disobey 2018 - Building Windows Kernel fuzzer
- For The Win: The Art Of The Windows Kernel Fuzzing
- RECON 2019 - Vectorized Emulation Putting it all together
Articles / papers
- A year of Windows kernel font fuzzing #1: the results
- A year of Windows kernel font fuzzing #2: the techniques
Books
- Windows Internals, Part 1 (Pavel Yosifovich, and some others)
- Windows 10 System Programming, Part 1 (Pavel Yosifovich)
- Windows 10 System Programming, Part 2 (Pavel Yosifovich)
- Windows Kernel Programming (Pavel Yosifovich)
- Rootkits: Subverting the Windows Kernel
- The Rootkit Arsenal
- Intel® 64 and IA-32 Architectures Software Developer Manuals