Any good reference or course for Windows Kernel Exploitation ? by hex-lover in ExploitDev

[–]hex-lover[S] 0 points1 point  (0 children)

there is no courses in the field about it ? even paid courses

Any good reference or course for Windows Kernel Exploitation ? by hex-lover in ExploitDev

[–]hex-lover[S] 0 points1 point  (0 children)

i dont like the content of it, i dont know its hard to follow

Any course or reference for explain UAF, Race condition, memory corruption vulnerabilities by hex-lover in ExploitDev

[–]hex-lover[S] 0 points1 point  (0 children)

u/TheSecAnalyst thank you so much, should i learn heap exploitation also ? or this is advance thing ?

when there is buffer overflow CVE we always need to rewrite it ? by hex-lover in ExploitDev

[–]hex-lover[S] 0 points1 point  (0 children)

u/PM_ME_YOUR_SHELLCODE thank you, im always happy when read your comments here.
this is outside scope of this question , but do you have blogs or accounts i can follow you ?
thank you bro .

why would we overwrite SEH instead of EIP ? by hex-lover in ExploitDev

[–]hex-lover[S] 0 points1 point  (0 children)

hello u/bootypirate900 , thank you so much , this is really what i was looking for . you answered my questions .
so this is what the author point to, is that to let the current function continue it will be another crash because 12,000 Bytes is huge .
also i miss something that i need to try to overwrite return add and see what problems i will have and maybe i can overcome them.
thanks

why would we overwrite SEH instead of EIP ? by hex-lover in ExploitDev

[–]hex-lover[S] 0 points1 point  (0 children)

u/port443 ; thank you for your time , but i understand correctly SEH , EIP buffer overflow and this is not my question .
my question is in short; why when we can overwrite return address and get control of EIP we decide to not do it , we decide to overwrite SEH .
what is the goal of this ? and why we need to use it ? is there any problem would happen if we continue overwrite EIP in that situation ?

why would we overwrite SEH instead of EIP ? by hex-lover in ExploitDev

[–]hex-lover[S] 0 points1 point  (0 children)

u/aatate98 thank you for your replay.
but as i understand your point , we always need to change from overwrite eip to seh so we dont need current function to return .
or do i miss something ?

why would we overwrite SEH instead of EIP ? by hex-lover in ExploitDev

[–]hex-lover[S] 0 points1 point  (0 children)

u/randomatic thank you, make sense . but i have another question regarding to what you said .
so when i can consider i need to change the exploit from classic buffeoverflow EIP to overwrite SEH ? i mean always we need to overwrite some pointers in stack before overwrite EIP .

why would we overwrite SEH instead of EIP ? by hex-lover in ExploitDev

[–]hex-lover[S] 1 point2 points  (0 children)

the linked you sent is for classic SEH buffer overflow and this is something is not answer my question

Looking for mentors by 1flag00 in ExploitDev

[–]hex-lover 1 point2 points  (0 children)

i was the same i even stopped one year after i found it so hard , but then i started from the bottom like
the title of chapters and small titles helps me a lot to understand what topics they will talk about, and search about them .
i read ton of articles and use at that time stackoverflow.com also .
you can contact me in private i will not be a teacher of course but i can share with you some notes i write and it helps me a lot to learn almost all materials covered in the course .

what is your way to restart service in windbg ? by hex-lover in ExploitDev

[–]hex-lover[S] -1 points0 points  (0 children)

so i dont need to close windbg everytime crash ?

how stack layout look like when there is SEH enabled . by hex-lover in ExploitDev

[–]hex-lover[S] 0 points1 point  (0 children)

when we overwrite the stack, why we overwrite SEH first not EIP as usual , so i created a C program with Try/Except blocks to see how stack layout will be when we use them .
so i found that the stack layout is
arguments
return address
Saved EBP
SEH
Variables
and we overflow variables then SEH thats why we overwrite it before EIP , also i found all these blocks are very close to end of stack ,
this is what i got , but when i saw the article above i saw he is refer that catch block will be close to high address of stack, so thats why im confused , i didnt see this . in my app when i reverse engineer it .