This is a work-in-progress handbook on vulnerability research that's primarily focused on Windows for now. It's supposed to be a practical extension of the previous article I wrote on my thought process for vulnerability research. I'd like to fill it up as I continue to learn reversing and learn how to communicate eloquently about it.
- Introduction to Assembly (x86, x64, ARM): common instructions, stack frames, calling conventions, function prologues and epilogues, etc.
- Mapping Language Constructs to ASM: object-oriented programming in C++, virtual function tables, etc.
- Windows Internals: process tokens, interprocess communication (IPC), etc.
- Linux Internals: ..., etc.
- Mac OS Internals: ..., etc.
Offensive and Defensive Concepts
Each vulnerability class should have:
- a description with visual explanation
- basic/advanced/real examples in C and ASM
- common roadblocks or mitigations for exploitation
| Vulnerability Class | Description |
|---|---|
| Stack Corruption | Modifying variables on the stack, or the instruction pointer (IP) indirectly. |
| Use After Free | |
| TOCTOU | Time of Check vs Time of Use |
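As a basic C example of the "modifying variables on the stack" case (this is an added illustration, not code from the handbook), the following models a frame in which a fixed-size `name` buffer sits directly below an `is_admin` flag. The frame layout, the function names and the all-`'A'` input are constructed for the demo; a real compiler may order locals differently. The copy that never compares the input length against the buffer size spills into the adjacent variable, while the bounded copy rejects the oversized input and leaves the flag untouched.

```c
/* Added example: unchecked vs. bounded copy into a modelled stack frame. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: the buffer being written, then an adjacent local.
 * Using a struct keeps the overrun inside one object, so the corruption
 * is deterministic instead of depending on the compiler's frame layout. */
struct frame {
    char     name[16];   /* destination buffer */
    uint32_t is_admin;   /* the "variable on the stack" that gets clobbered */
};

/* Vulnerable pattern: len is never compared against sizeof f->name.
 * The write goes through the frame's base pointer so that the overrun
 * into is_admin stays within the struct; the sizeof *f check only keeps
 * the demo inside that object and is not a buffer bound. */
int copy_name_unchecked(struct frame *f, const uint8_t *src, size_t len)
{
    unsigned char *dst = (unsigned char *)f + offsetof(struct frame, name);
    if (len > sizeof *f)
        return -1;
    memcpy(dst, src, len);          /* overruns name[] when len > 16 */
    return 0;
}

/* Hardened pattern: bound the copy by the destination and reject the rest. */
int copy_name_checked(struct frame *f, const uint8_t *src, size_t len)
{
    if (len >= sizeof f->name)      /* leave room for the terminator */
        return -1;
    memcpy(f->name, src, len);
    f->name[len] = '\0';
    return 0;
}

/* Runs one copy routine on a zeroed frame with `len` bytes of 'A' (0x41).
 * Returns -1 if the copy was rejected, otherwise the resulting is_admin. */
static long admin_after(int (*copy)(struct frame *, const uint8_t *, size_t),
                        size_t len)
{
    struct frame f;
    uint8_t input[sizeof(struct frame)];      /* constructed oversized input */
    memset(&f, 0, sizeof f);                  /* unprivileged: is_admin == 0 */
    memset(input, 'A', sizeof input);
    if (len > sizeof input)
        len = sizeof input;
    if (copy(&f, input, len) != 0)
        return -1;
    return (long)f.is_admin;
}

long admin_after_unchecked(size_t len) { return admin_after(copy_name_unchecked, len); }
long admin_after_checked(size_t len)   { return admin_after(copy_name_checked, len); }

int main(void)
{
    /* 15 bytes fit in name[16]; 20 bytes reach all four bytes of is_admin. */
    printf("unchecked, 15 bytes: is_admin = 0x%lx\n", admin_after_unchecked(15));
    printf("unchecked, 20 bytes: is_admin = 0x%lx\n", admin_after_unchecked(20));
    printf("checked,   20 bytes: result   = %ld (rejected)\n", admin_after_checked(20));
    return 0;
}
```

The 20-byte input turns `is_admin` into `0x41414141` through the unchecked copy, which is exactly the adjacent-variable corruption the table row describes; the checked version returns an error and the flag stays zero. The same missing bound, applied to a saved return address instead of a flag, is the IP-control case.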
Exploit Mitigations and Counter-Mitigations
| Mitigation | Associated Issue | Common Counter | Reliability |
|---|---|---|---|
| DEP / NX | Executable AND Writable Memory Segments | ROP | High |
| ASLR | Deterministic Memory Addresses | | |
| Stack Canaries | Overwritable IP on Stack | | |
| SafeSEH | Overwritable Exception Handler | | |
| CFG | Indirect Call Abuse | | |
| SMAP / SMEP | | | |