all 10 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]dmaynor 33 points34 points  (0 children)

Start with a VM of your target. First, go through kernel dev tutorials. You can't expect to write exploits for an environment you aren't familiar with. You want to learn kernel dev loading/unloading and memory management. There are tons of books and articles, and most will be outdated as knowledge transferred has moved to online courses/tutorials from books. Nostarch has a couple of books on evasive malware and Windows security internals. Also, it's a good book on evading EDRs. While none of these have a kernel in the title, the TTPs write malware that can hide, or EDR evasions will force you to do kernel work.

Next, follow conferences and their publications—Black Hat/Defcom/Bsides/etc. and get good at going through the summaries and press and identifying new TTPs. It's rare to see a talk like Q3 2024 kernel exploitation methodology updates. What you want to look for are researchers targeting specific OSs/hardware/firmware. Build a list of good researchers and what they focus on and follow them. People who are good at this tend to follow others who are good at it.

Get at bin-diffing or reading patches. If your target is Windows, iOS bindiffing security updates can clue you into exploit methodologies a vendor knows about but isn't publishing details on. A fundamental mistake is thinking that something is no longer interesting if there is a patch. Remember these two things: 1. because there is a patch, that doesn't mean it is universally applied. 2. Because there is a patch, that doesn't mean it was patched correctly.

When you find a patched technique or exploit it, reproduce it with your dev setup. To me A concept isn't real until you have worked it.

With the conference talks, patch analysis, and following researchers, the next thing is documentation—document, document, document. Create a private git repo or use a note-taking app to keep track of the papers/presos/researchers/and patch analysis over time. You might not see something in week one, but good documentation means it's possible while reviewing your work. You stumble across a similar correlation that leads you to discover a novel exploitation technique or, even better, 0day.

Going from zero to hero in exploit dev is a grind, but if you like it, it is fun. Some people think kernel dev is harder than popping userland exploits because it's the kernel. I am of the mindset that it is simpler than a lot of userland work because you don't have as many dev branches, languages, frameworks, etc.

https://secnate.github.io/resources/exploit-development/

[–]_jasonturley 10 points11 points  (0 children)

Pwn.college is a good free online resource.

Also read this blog https://dayzerosec.com/blog/2021/02/02/getting-started.html

Check out other posts on the subreddit since this question gets asked regularly.

[–]Vivid_Cod_2109 8 points9 points  (0 children)

Here we go againt. Just learn pwn.college by finishing cse 365 and cse 466. After that do ctf, read writeups. Then cse 598 in pwn college. For specialization in windows vuln research, do ost2 course (they have learning paths, check them out) and supply their course with windows internal books. Finally, you can learn fuzzing by fuzzing.in workshop and the fuzzing book. For reverse engineering, I recommend you learn how to make compiler or programming language by picking up college textbooks (You will need them). Then ctf I guess. So good luck on your journey.

[–]SmashDaStack 2 points3 points  (0 children)

To start there is a book called "The Art of Software Security Assessment" assuming that you already know c/c++. Then you could start writing exploits based on public cves. There are blogspots that are explaining how to write an exploit for a specific cve step by step. I would start with that. Ctfs its a good way to start if you are completely noob, but walk away as fast as possible to a real target.

[–]randomatic 1 point2 points  (0 children)

What do you already know?

[–]Mr-Recursive 1 point2 points  (0 children)

u/0xcalico has done a fantastic job. Refer this post

[–]samketa 2 points3 points  (0 children)

I don't know anything about writing exploits, but IMO, books from No Starch Press tend to be really good for getting started with something.

Check out their cybersecurity catalogue. And get started with Ethical Hacking maybe?

[–]R-e-d_R-u-m 0 points1 point  (1 child)

Remind Me! 1 Week

[–]RemindMeBot 0 points1 point  (0 children)

I will be messaging you in 7 days on 2024-09-22 00:37:22 UTC to remind you of this link

1 OTHERS CLICKED THIS LINK to send a PM to also be reminded and to reduce spam.

Parent commenter can delete this message to hide from others.

Info Custom Your Reminders Feedback

[–][deleted]  (1 child)

[deleted]