A concise, practical reference that connects Windows internals to real-world exploitation and detection: fundamentals, modern mitigations, evasion techniques, hands-on exploit development, and detection playbooks. It is example-driven and written for experienced analysts, reverse engineers, and anti-exploit engineers who want a focused, usable reference.
Authorship & process: The content is authored and maintained by the repository maintainer. To help explain difficult concepts and speed drafting, AI tools were used to produce initial drafts and examples; the author manually reviewed, corrected, and verified all content. This project is a learning effort and will be refined over time.
Work in progress: this is the first public version and will be actively maintained — expect updates, improvements, and new chapters over time.
- Part 1 – Fundamentals builds the mental model (processes, memory, loader, NT boundary, APC/callbacks, IPC).
- Part 2 – Exploitation Mitigations explains modern defenses and trust controls that shape tradecraft.
- Part 3 – Anti-Reversing & Evasion catalogs techniques to resist analysis and bypass sensors.
- Part 4 – Practical Exploitation applies fundamentals in hands-on exploitation (userland plus kernel primer).
- Part 5 – Detection & Countermeasures provides playbooks, hunting workflows, and case studies.
Each chapter is concise, cross-referenced, and includes realistic code snippets plus a short “Why this matters” section.
This repository is an educational reference for defensive research and learning. Do not run examples on production systems or public networks. Use isolated VMs with snapshots and no network egress when experimenting. Runnable payloads, raw shellcode blobs, operational C2 artifacts, and ready-to-execute exploit chains have been redacted or replaced with annotated pseudo-code. Do not upload compiled malware, weaponized binaries, or operational infrastructure.
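A minimal lab setup that enforces the isolation requirement above (no network egress, snapshot to roll back to), as an added example that is not part of the repository. It assumes a Hyper-V host, an administrative PowerShell session, and hypothetical VM name, VHDX and ISO paths; adjust them to your environment.

```powershell
# Added example (not repository code): build an isolated Hyper-V lab VM with no
# network adapters and a clean-state checkpoint to restore between experiments.
# Assumptions: Hyper-V role installed, elevated session, and the VM name, VHDX
# path and ISO path below are hypothetical placeholders.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

$VmName  = 'ExploitLab'                 # assumed VM name
$VhdPath = "C:\VMs\$VmName.vhdx"        # assumed disk path
$IsoPath = 'C:\ISOs\Windows.iso'        # assumed install media (hypothetical)

function New-IsolatedLabVm {
    param([string]$Name, [string]$Vhd, [string]$Iso)

    # Gen2 VM; -SwitchName is omitted so no virtual switch is ever attached.
    New-VM -Name $Name -Generation 2 -MemoryStartupBytes 4GB `
           -NewVHDPath $Vhd -NewVHDSizeBytes 60GB | Out-Null

    # New-VM still creates a default (disconnected) adapter. Remove every
    # adapter so the guest has no NIC at all, not merely an unplugged one.
    Get-VMNetworkAdapter -VMName $Name | Remove-VMNetworkAdapter

    # Attach the install media and boot from it.
    Add-VMDvdDrive -VMName $Name -Path $Iso
    Set-VMFirmware -VMName $Name -FirstBootDevice (Get-VMDvdDrive -VMName $Name)

    # Disable host<->guest file copy and automatic checkpoints so the only
    # data paths and snapshots that exist are the ones you create deliberately.
    Disable-VMIntegrationService -VMName $Name -Name 'Guest Service Interface'
    Set-VM -Name $Name -AutomaticCheckpointsEnabled $false
}

function Assert-LabIsolated {
    # Refuse to proceed if anything reintroduced a network path or file copy.
    param([string]$Name)
    $nics = @(Get-VMNetworkAdapter -VMName $Name)
    if ($nics.Count -ne 0) {
        throw "$Name has $($nics.Count) network adapter(s); refusing to run."
    }
    $gsi = Get-VMIntegrationService -VMName $Name -Name 'Guest Service Interface'
    if ($gsi.Enabled) {
        throw "Guest Service Interface is enabled on $Name; refusing to run."
    }
}

# 1. Create the VM, then install the guest OS and your tooling interactively.
New-IsolatedLabVm -Name $VmName -Vhd $VhdPath -Iso $IsoPath

# 2. Once the guest is provisioned, take the baseline you will return to.
Checkpoint-VM -Name $VmName -SnapshotName 'clean-baseline'

# 3. Before every experiment: verify isolation, then roll back to the baseline.
Assert-LabIsolated -Name $VmName
Restore-VMSnapshot -VMName $VmName -Name 'clean-baseline' -Confirm:$false
```

Removing the adapters outright, rather than attaching a Private switch, means a sample that tries to enable or reconfigure networking from inside the guest has nothing to work with, and the assertion step catches the case where someone re-added a NIC for convenience and forgot to remove it.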
- Build a Windows-centric exploitation mindset (user↔kernel boundaries, object model, loader, memory).
- Understand mitigation interactions (DEP/ASLR/CFG/CET, WDAC/CI/VBS/PPL, PatchGuard) and bypass surfaces.
- Master evasion tradecraft (anti-debug/anti-disassembly, sandbox/VM checks, unhooking, AMSI/ETW tampering).
- Execute reliable exploits (buffer overflows, UAF, ROP/JOP, shellcode) and structure fuzzing/exploit-dev workflows.
- Operationalize detection (ETW playbooks, YARA/CAPA/Sigma triage, case-driven analysis).
- Introduction
- Processes & Threads
- Windows Loader & Image Activation
- Memory & Virtual Address Space
- Object Manager & Handles
- Syscalls & the NTAPI Boundary
- Scheduling, APCs & Callback Surfaces
- IPC (ALPC, RPC, COM, Pipes)
- DEP / NX / W^X
- ASLR / KASLR
- Compiler & Hardware CFI: CFG, CET (Shadow Stack/IBT)
- Trust & Integrity: Secure Boot, WDAC, Code Integrity, PatchGuard, VBS/HVCI, PPL
- Compiler & EH Hardening (/GS, SafeSEH/SEHOP, EHCONT)
- Anti-Debugging
- Anti-Disassembly
- Sandbox & VM Evasion
- Process Injection & Hooking
- AMSI & Script Host Internals
- Telemetry Tampering & Unhooking (ETW, Direct Syscalls)
- Rootkits & Bootkits
- Buffer Overflows
- Use-After-Free & Type Confusion
- ROP & JOP
- Shellcoding
- Fuzzing & Exploit Development
- Kernel Exploitation Primer
- Evasive Malware: A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats — Kyle Cucci
- Rootkits and Bootkits: Reversing Modern Malware and Next-Generation Threats — Matrosov, Rodionov, Bratus
- Penetration Testing: A Hands-On Introduction to Hacking — Georgia Weidman
- MITRE ATT&CK — the standard knowledge base for adversary tactics & techniques; useful to map detection strategies and hunting playbooks.
- Microsoft Docs — Windows driver & developer docs (official reference for APIs, WDK, driver samples and platform-specific behavior).
- Sysinternals (Microsoft) — Process Explorer, Procmon, Autoruns and other runtime triage tools and writeups used daily by defenders and reversers.