@vxcute
Last active February 20, 2024 17:58

Windows Kernel Learning: https://mirokaku.github.io/Blog/categories/Windows-kernel-learning/

Journey Into the Object Manager Executive Subsystem: Handles: https://ntamonsec.blogspot.com/2020/06/journey-into-object-manager-executive-handles.html

Random Windows Kernel Articles: https://codemachine.com/articles.html

Journey Into the Object Manager Executive Subsystem: Object Header and Object Type: https://ntamonsec.blogspot.com/2020/05/journey-into-object-manager-executive.html

Windows Exploitation Tricks (All Articles)

Reversing Windows Internals (Part 1) – Digging Into Handles, Callbacks & ObjectTypes: https://rayanfam.com/topics/reversing-windows-internals-part1/

Inside Windows Page Frame Number Part1: https://rayanfam.com/topics/inside-windows-page-frame-number-part1/

Inside Windows Page Frame Number Part2: https://rayanfam.com/topics/inside-windows-page-frame-number-part2/

Fooling Windows about its internal CPU: https://rayanfam.com/topics/fooling-windows-about-cpu/

Why you should not always trust MSDN: Finding Real Access Rights Needed By Handles: https://rayanfam.com/topics/finding-the-real-access-rights-needed-by-handles/

Call Gates’ Ring Transitioning in IA-32 Mode: https://rayanfam.com/topics/call-gates-ring-transitioning-in-ia-32-mode/

Change User-Mode application’s virtual address through Kernel Debugging: https://rayanfam.com/topics/change-user-mode-applications-virtual-address-through-kernel-debugging/

Anti Kernel Debugging: https://shhoya.github.io/antikernel_introduction.html

Kernel Message Box: https://shhoya.github.io/kernelmsgbox.html

LdrLoadDll Hooking (Old): https://shhoya.github.io/ldrloadhook.html

Manually Find DriverEntry (Old): https://shhoya.github.io/driverentry.html

Circumventing Windows Defender ATP's user-mode APC Injection sensor from Kernel-mode: http://rce4fun.blogspot.com/2019/04/circumventing-windows-defender-atps.html

Examining the user-mode APC injection sensor introduced in Windows 10 build 1809: http://rce4fun.blogspot.com/2019/03/examining-user-mode-apc-injection.html

VirtualProtectEx to bypass ASLR: A specific case study: http://rce4fun.blogspot.com/2019/02/virtualprotectex-to-bypass-aslr.html

Exploring Virtual Address Descriptors under Windows 10: http://rce4fun.blogspot.com/2017/06/exploring-virtual-address-descriptors.html

Windows Internals - Thread resumption and synchronization objects: http://rce4fun.blogspot.com/2015/02/windows-internals-thread-resumption-and.html

Windows Thread Suspension Internals Part 1: http://rce4fun.blogspot.com/2014/11/windows-thread-suspension-internals.html

Windows Thread Suspension Internals Part 2: http://rce4fun.blogspot.com/2014/11/windows-thread-suspension-internals_29.html

Windows Internals - A look into SwapContext routine: http://rce4fun.blogspot.com/2014/09/windows-internals-look-into-swapcontext.html

Windows Internals - Quantum end context switching: http://rce4fun.blogspot.com/2014/08/windows-internals-quantum-end-context.html

OkayToCloseProcedure callback kernel hook: http://rce4fun.blogspot.com/2014/07/okaytocloseprocedure-callback-kernel_9.html

Retrieving an exported function address within a loaded module: http://rce4fun.blogspot.com/2014/04/retrieving-exported-function-address.html

Anti-debugging trick - Checking for the Low Fragmentation Heap: http://rce4fun.blogspot.com/2014/02/anti-debugging-trick-checking-for-low.html

Writing drivers to perform kernel-level SSDT hooking: https://www.unknowncheats.me/forum/c-and-c-/59147-writing-drivers-perform-kernel-level-ssdt-hooking.html

Hooking the System Service Dispatch Table (SSDT): https://resources.infosecinstitute.com/topic/hooking-system-service-dispatch-table-ssdt/

Patch Guard Analysis: https://blog.tetrane.com/downloads/Tetrane_PatchGuard_Analysis_RS4_v1.00.pdf

Patchguard: Detection of Hypervisor Based Introspection [P1]: https://revers.engineering/patchguard-detection-of-hypervisor-based-instrospection-p1/

Patchguard: Detection of Hypervisor Based Introspection [P2]: https://revers.engineering/patchguard-detection-of-hypervisor-based-instrospection-p2/

Syscall Hooking via Extended Feature Enable Register (EFER): https://revers.engineering/syscall-hooking-via-extended-feature-enable-register-efer/

Detecting Hypervisor Presence on Windows 10: https://revers.engineering/detecting-hypervisor-presence-on-windows-10/

Superseding Driver Altitude Checks on Windows: https://revers.engineering/superseding-driver-altitude-checks-on-windows/

Hiding Drivers on Windows 10: https://revers.engineering/hiding-drivers-on-windows-10/

Converting Virtual Linear Addresses to Physical Addresses: https://revers.engineering/converting-virtual-linear-addresses-to-physical-addresses/

Reading MSRs from UserMode: https://revers.engineering/reading-msrs-from-usermode/

Custom GetProcAddress and GetModuleHandle Implementation (x64): https://revers.engineering/custom-getprocaddress-and-getmodulehandle-implementation-x64/

Recovering Deleted Windows Files [Breakdown and Theory]: https://revers.engineering/recovering-deleted-windows-files-breakdown-and-theory/

Structure of Security Identifiers: https://revers.engineering/structure-of-security-identifiers/

Usermode Debugger Check Prevention: https://revers.engineering/usermode-debugger-check-prevention/

Breaking Down System Routines #1 [NtQuerySection]: https://revers.engineering/breaking-down-system-routines-1-ntquerysection/

Breaking Down System Routines #2 [NtQuerySystemInformation]: https://revers.engineering/breaking-down-system-routines-2-ntquerysysteminformation/

SizeOfStackReserve Denial Of Service: https://revers.engineering/sizeofstackreserve-denial-of-service/

Using Flags of RTL_USER_PROCESS_PARAMETERS for Anti-Debugging: https://revers.engineering/using-flags-of-rtl_user_process_parameters-for-anti-debugging/

All WindowsVX Papers: https://vx-underground.org/papers.html

https://halove23.blogspot.com/2021/02/windows-installer-file-read-0day_12.html

Windows Process Internals (Part 1/5): https://eforensicsmag.com/windows-process-internals-a-few-concepts-to-know-before-jumping-on-memory-forensics-by-kirtar-oza/

BLOGS:

http://waleedassar.blogspot.com/

http://www.alex-ionescu.com/

https://www.tiraniddo.dev/

https://repnz.github.io/posts/

https://windows-internals.com/pages/internals-blog/

https://codemachine.com/articles.html

https://secret.club/author/jonas-l

https://www.geoffchappell.com/index.htm?ta=9

https://www.vergiliusproject.com/
