Resources for Windows Security Research

Compiled by !cpuid from the OffSec Discord server!

Here is a list of curated resources that cover various aspects of Windows security research:

Recommended Blogs

• Jan Vojtěšek's Blog
• Matteo Malvica's Blog
• Satoshi Tanda's Blog
• Le Qi Chen's Blog
• Marcus Hutchins' Blog
• Tavis Ormandy's Blog
• Robel Campbell's Blog
• Connor McGarr's Blog
• Eugene Lim's Blog
• Richard Osgood's Blog
• Yarden Shafir's Blog
• Hashim Jawad's Blog
• Alex Plaskett's Blog
• h0mbre's Blog
• k0shl's Blog
• DHN's Blog
• Project Zero's Blog

Recommended Repositories

• Morten Schenk's GitHub
• Tavis Ormandy's GitHub

Windows Notification Facility

• Gabriella Viala and Alex Ionescu's Repo
• WNF Chronicles by PWNed Coffee

Technical Deep-Dives

• Intel® 64 and IA-32 Architectures Software Developer Manuals by Intel

Windows Mitigation Bypasses and Analysis

General

• CVE-2023-36802 MSSKSRV.sys Local Privilege Escalation by Robel Campbell
• IRQLs Close Encounters of the Rootkit Kind by OffSec
• Windows Exploitation Tricks: Trapping Virtual Memory Access by James Forshaw
• Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege by James Forshaw
• Discovery and analysis of a Windows PhoneBook Use-After-Free vulnerability (CVE-2020-1530) by Symeon
• itsec stuff about fuzzing, vuln hunting and (hopefully) exploitation! by Symeon
• Part 19: Kernel Exploitation -> Logic bugs in Razer rzpnk.sys by Fuzzy Security
• I Got 99 Problem But a Kernel Pointer Ain't One by Alex Ionescu
• Windows Code Injection: Bypassing CIG Through KnownDlls by Tyranid's Lair

Intel CET

• Bypassing Intel CET with Counterfeit Objects by Matteo Malvica
• Intel CET in Action by OffSec

Windows Defender Exploit Guard (Previously EMET)

• eXtended Flow Guard Under The Microscope by OffSec
• Disarming EMET v5.0 by Matteo Memelli
• Disarming Enhanced Mitigation Experience Toolkit (EMET) by Matteo Memelli
• Bypassing Control Flow Guard in Windows 10 - Part II by Morten Schenk

Just-in-Time Compilation

Note: Some of these blog posts are iOS-related, but since JIT is used in Windows applications, I have included them here.

• Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability (Part 1) by Connor McGarr
• Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability (Part 2) by Connor McGarr
• Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability (Part 3) by Connor McGarr
• Understanding the Risk in the Unintended Giant: JavaScript by Simon Zuckerbraun
• Check It Out: Enforcement of Bounds Checks in Native JIT Code by Simon Zuckerbraun
• Floating-Poison Math in Chakra by Simon Zuckerbraun
• Bypassing Mitigations by Attacking JIT Server in Microsoft Edge by Ivan Fratric
• JITSploitation I: A JIT Bug by Samuel Groß
• JITSploitation II: Getting Read/Write by Samuel Groß
• JITSploitation III: Subverting Control Flow by Samuel Groß

Hyper-V

• Who Contains the Containers? by James Forshaw
• A Dive in to Hyper-V Architecture & Vulnerabilities by Nicolas Joly and Joe Bialek
• First Steps in Hyper-V Research by Microsoft
• Fuzzing para-virtualized devices in Hyper-V by Microsoft

WinDbg

• WinDbg Commands
• WinDBG quick start tutorial by CodeMachine
• My WinDbg Blog

Fuzzing

• Gamozo Labs' Blog
• Google Project Zero's WinAFL
• SafeBreach & Guardicore Labs' hAFL1

Presentations and Walkthroughs

• The Info Leak Era on Software Exploitation by Fermin J. Serna
• Windows 10 Mitigation Improvements by David Weston and Matt Miller
• Windows 10 Segment Heap Internals by Mark Vincent Yason
• Taking Windows 10 Kernel Exploitation to the next level by Morten Schenk
• PowerShell as an attack platform by Morten Schenk
• Data-Only Pwning Microsoft Windows Kernel by Nikita Tarakanov
• Advanced Heap Manipulation in Windows 8 by Zhenhua Liu
• Demystifying Windows Kernel Exploitation by Abusing GDI Objects by Saif El Sherei
• Exploiting Hardcore Pool Corruptions in MS Windows Kernel by Nikita Tarakanov
• Windows kernel exploitation techniques by Adrien Garin
• Practical Windows Kernel Exploitation by Spencer McIntyre
• Over The Edge: Pwning The Windows Kernel by Rancho Han
• Theres a party at ring0 by Tavis Ormandy and Julien Tinnes
• Extreme Privilege Escalation On Windows 8 UEFI Systems by Corey Kallenberg, Xeno Kovah, John Butterworth, and Sam Cornwell
• Windows privilege escalation using 3rd party services by Kacper Szurek
• Practical Windows Privilege Escalation by Andrew Smith
• Windows Kernel Vulnerability Research and Exploitation by Gilad Bakas
• Hackingz Ze Komputerz - Exploiting CAPCOM.SYS Part 1 by OJ Reeves
• Hackingz Ze Komputerz - Exploiting CAPCOM.SYS Part 2 by OJ Reeves
• ROP mitigations and Control Flow Guard - the end of code reuse attacks? by Matthias Ganz
• Building Windows Kernel Fuzzer by Jaanus Kääp

Books

• Windows Kernel Programming by Pavel Yosifovich
• Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, 7th Edition by Pavel Yosifovich, Mark E. Russinovich, Alex Ionescu, David A. Solomon
• Windows Internals, Part 2, 7th Edition by Andrea Allievi, Mark E. Russinovich, Alex Ionescu, David A. Solomon
• What Makes it Page? The Windows 7 (x64) Virtual Memory Manager by Enrico Martignetti

Courses

• EXP-301 by OffSec
• EXP-401 by OffSec
• Windows Internal Architecture by CodeMachine
• Windows Malware Techniques by CodeMachine
• Windows Kernel Internals by CodeMachine
• Windows Kernel Rootkits by CodeMachine
• SEC760: Advanced Exploit Development for Penetration Testers by SANS
• Corelan Advanced - Heap Exploitation by Corelan
• Corelan Bootcamp - Stack Exploitation by Corelan

Advisories

The best way to get better at vulnerability research is to practice. As a result, I have compiled a list of some advisories Google's Project Zero has produced that may help in facilitating what real bugs look like in Windows.

AFD

• Windows Kernel pool-based out-of-bound reads due to bugs in the implementation of bind() in afd.sys and tcpip.sys

Avalon

• Microsoft Windows Presentation Foundation memory disclosure via uninitialized transient array

Defender

• Windows Defender: Controlled Folder Bypass through UNC Path

DirectWrite

• Microsoft DirectWrite / AFDKO stack corruption in OpenType font handling due to out-of-bounds cubeStackDepth
• Microsoft DirectWrite / AFDKO stack corruption in OpenType font handling due to negative cubeStackDepth
• Microsoft DirectWrite / AFDKO stack corruption in OpenType font handling due to negative nAxes
• Microsoft DirectWrite / AFDKO stack-based buffer overflow in do_set_weight_vector_cube for large nAxes
• Microsoft DirectWrite / AFDKO use of uninitialized memory while freeing resources in var_loadavar
• Microsoft DirectWrite / AFDKO interpreter stack underflow in OpenType font handling due to missing CHKUFLOW
• Microsoft DirectWrite / AFDKO stack corruption in OpenType font handling due to incorrect handling of blendArray
• Microsoft DirectWrite / AFDKO heap-based buffer overflow in OpenType font handling in readEncoding
• Microsoft DirectWrite / AFDKO heap-based buffer overflow in OpenType font handling in readFDSelect
• Microsoft DirectWrite / AFDKO heap-based buffer overflow in OpenType font handling in readCharset
• Microsoft DirectWrite / AFDKO heap-based buffer overflow due to integer overflow in readTTCDirectory
• Microsoft DirectWrite / AFDKO heap-based out-of-bounds read/write in OpenType font handling due to unbounded iFD
• Microsoft DirectWrite / AFDKO heap-based buffer overflow in OpenType font handling in readStrings
• Microsoft DirectWrite / AFDKO stack corruption in OpenType font handling while processing CFF blend DICT operator
• Microsoft DirectWrite / AFDKO out-of-bounds read in OpenType font handling due to undefined FontName index
• Microsoft DirectWrite / AFDKO multiple bugs in OpenType font handling related to the "post" table
• Microsoft DirectWrite / AFDKO NULL pointer dereferences in OpenType font handling while accessing empty dynarrays
• Microsoft DirectWrite / AFDKO heap-based out-of-bounds read/write in OpenType font handling due to empty ROS strings
• Microsoft DirectWrite / AFDKO insufficient integer overflow check in dnaGrow
• Microsoft DirectWrite / AFDKO read of uninitialized BuildCharArray memory in OpenType font handling
• Microsoft DirectWrite invalid read in SplicePixel while processing OTF fonts
• Microsoft DirectWrite out-of-bounds read in sfac_GetSbitBitmap while processing TTF fonts
• Microsoft DirectWrite heap-based buffer overflow in fsg_ExecuteGlyph while processing variable TTF fonts

DotNet

• Windows: ManagementObject Arbitrary .NET Serialization RCE
• .NET Partial-Trust bypass via browser command-line injection in System.Windows.Forms.Help

Microsoft Edge

• Microsoft Edge and IE: Type confusion in HandleColumnBreakOnColumnSpanningElement
• Microsoft Edge: Type confusion in CssParser::RecordProperty
• Microsoft Edge: textarea.defaultValue memory disclosure
• Microsoft Edge: Out-of-bounds read in CInputDateTimeScrollerElement::_SelectValueInternal
• Microsoft Edge: ACG bypass using DuplicateHandle
• Microsoft Edge: Memory corruption with Object.setPrototypeOf
• Microsoft Edge: ACG bypass using UnmapViewOfFile
• Microsoft Edge: ACG bypass with OpenProcess()
• Microsoft Edge: Chakra: Bugs in InitializeNumberFormat and InitializeDateTimeFormat
• Windows: Edge/IE Isolated Private Namespace Insecure Boundary Descriptor EoP
• Windows: Edge/IE Isolated Private Namespace Insecure DACL EoP

Fontsub

• Microsoft Font Subsetting DLL returning a dangling pointer via MergeFontPackage
• Microsoft Font Subsetting DLL heap-based out-of-bounds read in MergeFonts
• Microsoft Font Subsetting DLL heap-based out-of-bounds read in GetGlyphIdx
• Microsoft Font Subsetting DLL double free in MergeFormat12Cmap / MakeFormat12MergedGlyphList
• Microsoft Font Subsetting DLL heap corruption in ComputeFormat4CmapData
• Microsoft Font Subsetting DLL heap corruption in FixSbitSubTables
• Microsoft Font Subsetting DLL heap corruption in ReadTableIntoStructure
• Microsoft Font Subsetting DLL heap corruption in ReadAllocFormat12CharGlyphMapList
• Microsoft Font Subsetting DLL heap-based out-of-bounds read in WriteTableFromStructure
• Microsoft Font Subsetting DLL heap corruption in MakeFormat12MergedGlyphList
• Microsoft Font Subsetting DLL heap-based out-of-bounds read in FixSbitSubTableFormat1

GDI32.dll

• Windows gdi32.dll multiple issues in the EMF CREATECOLORSPACEW record handling
• Windows gdi32.dll multiple issues in the EMF COMMENT_MULTIFORMATS record handling
• Windows gdi32.dll heap-based buffer overflow in ExtEscape() triggerable via EMR_EXTESCAPE EMF record
• Windows gdi32.dll heap-based out-of-bounds reads / memory disclosure in multiple DIB-related EMF record handlers
• Windows gdi32.dll heap-based out-of-bounds reads / memory disclosure in EMR_SETDIBITSTODEVICE and possibly other records

GDI+

• Microsoft GDI+ out-of-bounds write due to invalid pointer arithmetic in DecodeCompressedRLEBitmap
• Microsoft GDI+ rendering of uninitialized heap bytes as pixels when handling malformed RLE-compressed bitmaps
• Microsoft GDI+ out-of-bounds reads due to invalid pointer arithmetic in ValidateBitmapInfo
• Microsoft GDI+ heap-based buffer overflow in the handling of EMR_EXTTEXTOUTA and EMR_POLYTEXTOUTA records
• Microsoft GDI+ out-of-bounds reads in DIB palette handling in ValidateBitmapInfo
• Microsoft GDI+ out-of-bounds read in gdiplus!GetRECTSForPlayback

Hyper-V

• Hyper-V vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow
• Windows: Double Dereference in NtEnumerateKey Elevation of Privilege
• Windows: Server Silo Registry Key Symbolic Link EoP
• Windows Containers: ContainerUser has Elevated Privileges
• Windows Containers: AppSilo Object Manager Root Directory EoP
• Windows Containers: Host Registry Virtual Registry Provider Bypass EoP
• Windows: Container Manager Service CmsRpcSrv_CreateContainer EoP
• Windows: Container Manager Service CmsRpcSrv_MapVirtualDiskToContainer EoP
• Windows: Container Manager Service Arbitrary Object Directory Creation EoP
• Windows: Container Manager Service CmsRpcSrv_MapNamedPipeToContainer EoP

ICM32.dll

• Microsoft Color Management Module (icm32.dll) out-of-bounds read in icm32!Fill_ushort_ELUTs_from_lut16Tag
• Microsoft Color Management Module (icm32.dll) out-of-bounds read in icm32!LHCalc3toX_Di16_Do16_Lut8_G32

Windows Kernel

• Windows Kernel ATMFD.DLL DoS via unlimited CharString program execution
• Windows Kernel ATMFD.DLL out-of-bounds reads from the input CharString stream
• Windows Kernel ATMFD.DLL off-by-x oob reads/writes relative to the operand stack
• Windows Kernel ATMFD.DLL kernel pool memory disclosure via uninitialized transient array
• Windows Kernel ATMFD.DLL read/write-what-where in LOAD and STORE operators
• Windows Kernel ATMFD.DLL pool-based buffer overflow in Counter Control Hints
• Windows Kernel ATMFD.DLL pool-based buffer underflow due to integer overflow in STOREWV
• Windows Kernel ATMFD.DLL unlimited out-of-bounds stack manipulation via BLEND operator
• Windows Kernel win32k.sys TTF font processing: pool-based buffer overflow in the IUP[] program instruction
• Windows Kernel ATMFD.DLL OTF font processing: pool-based buffer overflow with malformed GPOS table
• Windows Kernel win32k.sys TTF font processing: pool-based buffer overflow in win32k!scl_ApplyTranslation
• Windows Kernel ATMFD.DLL out-of-bounds reads from the input CharString stream
• Windows Kernel ATMFD.DLL invalid memory access due to malformed CFF table (ATMFD+0x34072 / ATMFD+0x3407b)
• Windows Kernel ATMFD.DLL invalid memory access due to malformed CFF table (ATMFD+0x3440b / ATMFD+0x3440e)
• Windows Kernel ATMFD.DLL write to uninitialized address due to malformed CFF table
• Windows Kernel ATMFD.DLL out-of-bounds read due to malformed Name INDEX in the CFF table
• Windows Kernel ATMFD.DLL out-of-bounds read due to malformed FDSelect offset in the CFF table
• Windows Kernel win32k.sys TTF font processing: out-of-bounds pool memory access in win32k!fsc_RemoveDups
• Windows Kernel win32k.sys TTF font processing: out-of-bounds pool write in win32k!fsc_BLTHoriz