All credits go to akayn on Github. This repo is just a preserved version of his repository before it was deleted.

Windows Kernel Exploitation.

Static & dynamic analysis, exploits & vuln reasearch.
Mitigations bypass's

Contents:

HEVD-Vanilla-Bug-Class's:
Exploits & Vuln Note's in order to reproduce & reuse.

• HEVD-Vanilla-Bug-Class's
  [+] Compiled-win7x86
  * Type Confusion.
  * Arbitrary Overwrite.
  * Null Pointer Dereference.
  * Pool OverFlow.
  * Stack OverFlow.
  * Use After Free.
  * Uninitialized Stack Variable.
  

kd & dev:

• ShellCode: pl.asm
  
• kernelLeaks: leak bitmap bAddr with HMValidateHandle
  

Mitigations Bypass:

• [RS3-Compatible] ROP Based SMEP Bypass including Gadgets & full debugging info: SmepBypassX64Win10RS3.c
  
• [<= RS2-Compatible] BitMap Arbitrary OverWrite: GdiExp.cc
  
• [!] NOTE: the above is not stable & will work 1/10 in the good case... i will fix in the future.

Re & exploits:

• Study Case's:
  [+] TODO
  ...
  ...
  
  

External Resources:

• Memory-Management:
  [+] MIT.
  

• C programming:
  [+] HASH TABLE.
  

• asseambly:
  [+] TUT.
  

• HEVD & Basics:
  [+] HackSysExtremeVulnerableDriver.
  [+] B33F tuto.
  [^] Some of the Vuln Note's in the code were taken from there.
  [+] ShellCoding & kd.
  

• Mitigations:
  [+] SMEP:
  * wiki.
  * j00ru.
  * Enrique Nissim & Nicolas Economou.
  * PTE-OverWrite.
  * return oriented Programming.
  [+] k-ASLR:
  * Morten Schenk.
  [+] ReadWrite Primitives:
  * abusing gdi objects.
  

Tools:

• gadget finder.
  
• gdi-dump windbg extension.
  
• digtool fuzzer.
  
• winafl.
  

Software:

• kd.
  
• Symbols.
  
• Ida.
  
• NASM.
  
• Hxd.
  

See Also:

• Smep PoC.
  
• GdiExp.
  

Credits

many tnx to all the great ppl b4 me that did much work already!

• HackSys Team.
  
• b33f.
  
• cn33liz.
  
• tekwizz123.
  
• GradiusX.
  
• sam-b.
  

& all others...