Vulnerability Research Handbook


This is a work-in-progress handbook on vulnerability research, focused primarily on Windows for now. It is meant to be a practical extension of the previous article I wrote on my thought process for vulnerability research. I intend to fill it in as I continue to learn reversing and learn how to communicate eloquently about it.

Application Technologies

  1. Introduction to Assembly (x86, x64, ARM): common instructions, stack frames, calling conventions, function prologues and epilogues, etc.

  2. Mapping Language Constructs to ASM: object oriented programming in C++, virtual function tables, etc.

  3. Windows Internals: process tokens, interprocess communication (IPC), etc.

  4. Linux Internals: ..., etc.

  5. macOS Internals: ..., etc.

Offensive and Defensive Concepts

Vulnerability Classes

Each vulnerability class should have:

  • a description with visual explanation
  • basic/advanced/real examples in C and ASM
  • common roadblocks or mitigations for exploitation
Category   Class                      Brief Description
           Stack Corruption           Overwriting local variables, the saved frame pointer or the saved return address (and so, indirectly, the instruction pointer) on the stack.
           Heap Corruption
           Integer Overflow
           Type Confusion
           Out-of-Bounds Read/Write
           Use After Free
           Double Free
           Uninitialized Memory
           Integer Truncation
           TOCTOU                     Time of Check vs Time of Use
           Race Conditions
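As an added example (not from the handbook), here is the stack-corruption row in working C. The `frame` struct stands in for a stack frame: a 16-byte local buffer followed by a slot playing the role of the saved return address, so the overwrite is deterministic instead of depending on the compiler's actual frame layout. `read_name_unchecked` is the bug, `read_name_checked` is the bounded version, and `build_payload` constructs the attacker input; all of these names, the struct and the payload are assumptions made for this illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* size of the "local buffer" in the model frame */

/*
 * Model of a stack frame (constructed for this example). On x86/x64 a local
 * char buffer sits at a lower address than the saved frame pointer and the
 * saved return address, so a copy that runs past the end of the buffer
 * walks upward into those slots. The struct makes that layout explicit:
 * NAME_LEN bytes of buffer, then a slot playing the saved return address.
 */
struct frame {
    char      name[NAME_LEN];
    uintptr_t saved_ret;    /* stands in for the saved return address */
};

/*
 * Vulnerable: trusts the caller-supplied length. Every byte past NAME_LEN
 * lands in saved_ret. (In C this is undefined behaviour; on a real stack it
 * is control of EIP/RIP at the next 'ret'.)
 */
void read_name_unchecked(struct frame *f, const unsigned char *in, size_t n)
{
    memcpy(f->name, in, n);
}

/*
 * Hardened: bound the copy by the destination, not the input, and reject
 * oversized input rather than truncating silently. One byte is kept for the
 * terminator. Returns 0 on success, -1 if the input does not fit.
 */
int read_name_checked(struct frame *f, const unsigned char *in, size_t n)
{
    if (n >= sizeof f->name)
        return -1;
    memcpy(f->name, in, n);
    f->name[n] = '\0';
    return 0;
}

/*
 * Constructed attacker input: NAME_LEN filler bytes, then the value that
 * should land in saved_ret (native byte order, as it would sit in memory).
 * Returns the payload length, or 0 if 'cap' is too small.
 */
size_t build_payload(unsigned char *out, size_t cap, uintptr_t fake_ret)
{
    size_t n = NAME_LEN + sizeof fake_ret;
    if (cap < n)
        return 0;
    memset(out, 'A', NAME_LEN);
    memcpy(out + NAME_LEN, &fake_ret, sizeof fake_ret);
    return n;
}

int main(void)
{
    struct frame f = { "", 0x1111 };
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload, (uintptr_t)0xdeadbeef);

    if (read_name_checked(&f, payload, n) != 0)
        printf("checked copy  : rejected %zu bytes, saved_ret = 0x%" PRIxPTR "\n",
               n, f.saved_ret);

    read_name_unchecked(&f, payload, n);
    printf("unchecked copy: saved_ret = 0x%" PRIxPTR "\n", f.saved_ret);
    return 0;
}
```

Compile and run it to watch saved_ret go from 0x1111 to 0xdeadbeef after the unchecked copy; on a real frame that value is what the function's `ret` would load into EIP/RIP, which is the "IP indirectly" part of the row above. A fortified or optimised build (for example glibc with _FORTIFY_SOURCE and -O2) may abort the unchecked memcpy at runtime instead, which is itself one of the mitigations the next table is about.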

Exploit Mitigations and Counter-Mitigations

Mitigation       Associated Issue                                              Common Counter   Reliability
DEP / NX         Memory segments that are both writable and executable         ROP              High
ASLR             Deterministic memory addresses
Stack Canaries   Overwritable return address (saved IP) on the stack
SafeSEH          Overwritable exception handler pointer (SEH record) on the stack
CFG              Indirect call target abuse

Sandbox Escaping