Exploit development is a complex field requiring deep knowledge of various programming languages, networking, operating systems, and security principles. The following are some key areas you should focus on:
1.**Programming Languages**: You should have a strong command of at least one low-level programming language like C or C++, as understanding how these languages interact with hardware and memory is crucial for exploit development. High-level languages like Python are also important for scripting and automating tasks.
2.**Assembly Language & Reverse Engineering**: Knowledge of assembly language is essential. It is the language of the processor, and understanding it will give you insight into how software behaves at the lowest level. Coupled with reverse engineering skills, you can deconstruct and understand how software is working, even when you don't have the source code.
3.**Operating Systems**: Have a deep understanding of the internals of various operating systems (especially Windows, Linux, and possibly macOS). Focus on topics like processes, threads, memory management, and the kernel.
4.**Networking**: Strong knowledge of networking is important. You should understand TCP/IP at a minimum, but also higher-level protocols like HTTP and DNS.
5.**Buffer Overflows & Vulnerabilities**: Study common types of vulnerabilities such as buffer overflows, use-after-free, race conditions, format string vulnerabilities, and integer overflows. Understanding how these vulnerabilities occur and how they can be exploited is key.
6.**Exploitation Techniques**: Study various exploitation techniques, such as Return-oriented Programming (ROP), heap spraying, and format string exploitation. These techniques are often used in crafting exploits for known vulnerabilities.
7.**Shellcoding**: Learn how to write shellcode, which is the payload that runs after successfully exploiting a vulnerability.
8.**Fuzzing**: Fuzzing is a technique for discovering bugs and potential vulnerabilities in software. Learning how to implement intelligent fuzzing strategies could help you find new exploits.
9.**Security Tools**: Get familiar with tools used in exploit development like debuggers (GDB, WinDbg), disassemblers (IDA Pro, Ghidra), and fuzzing tools (AFL, libFuzzer).
10.**Ethics and Legal Concerns**: Remember, all these skills must be used responsibly. You should have a strong understanding of the ethics involved in hacking, and you should only attempt to exploit software in legal contexts, such as part of a job where you have been given permission to do so, or in a controlled environment for research or educational purposes.
11.**Keep up with Industry Trends**: Exploit development is a constantly evolving field. Keep yourself updated with the latest vulnerabilities, exploitation techniques, and patches. Participate in Capture The Flag (CTF) competitions and follow various security blogs and forums.
* [Kaitai Struct](https://kaitai.io/) - File formats and network protocols dissection language and web IDE, generating parsers in C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
The following are some of the most popular reverse engineering tools. HOWEVER! GO TO THE [REVERSE ENGINEERING SECTION](https://github.com/The-Art-of-Hacking/art-of-hacking/blob/master/reverse_engineering/README.md) for more references.
* [Interactive Disassembler (IDA Pro)](https://www.hex-rays.com/products/ida/) - Proprietary multi-processor disassembler and debugger for Windows, GNU/Linux, or macOS; also has a free version, [IDA Free](https://www.hex-rays.com/products/ida/support/download_freeware.shtml).
* [WDK/WinDbg](https://msdn.microsoft.com/en-us/windows/hardware/hh852365.aspx) - Windows Driver Kit and WinDbg.
* [rVMI](https://github.com/fireeye/rVMI) - Debugger on steroids; inspect userspace processes, kernel drivers, and preboot environments in a single tool.
* [Frida](https://www.frida.re/) - Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
* [Macroless DOC malware that avoids detection with Yara rule](https://furoner.wordpress.com/2017/10/17/macroless-malware-that-avoids-detection-with-yara-rule/amp/)
* [Empire without powershell](https://bneg.io/2017/07/26/empire-without-powershell-exe/)
* [Powershell without Powershell to bypass app whitelist](https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/)
* [Phishing between the app whitelists](https://medium.com/@vivami/phishing-between-the-app-whitelists-1b7dcdab4279)
* [Bypassing Application Whitelisting using MSBuild.exe - Device Guard Example and Mitigations](https://subt0x10.blogspot.sg/2017/04/bypassing-application-whitelisting.html)
* [Week of Evading Microsoft ATA - Announcement and Day 1 to Day 5](https://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html)
* [AMSI How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It](https://www.labofapenetrationtester.com/2016/09/amsi.html)
* [Keying Payloads for Scripting Languages](https://adapt-and-attack.com/2017/11/15/keying-payloads-for-scripting-languages/)
* [Executing Metasploit & Empire Payloads from MS Office Document Properties (part 1 of 2)](https://stealingthe.network/executing-metasploit-empire-payloads-from-ms-office-document-properties-part-1-of-2/)
* [Executing Metasploit & Empire Payloads from MS Office Document Properties (part 2 of 2)](https://stealingthe.network/executing-metasploit-empire-payloads-from-ms-office-document-properties-part-2-of-2/)
* [Microsoft Office – NTLM Hashes via Frameset](https://pentestlab.blog/2017/12/18/microsoft-office-ntlm-hashes-via-frameset/)
* [Abusing Microsoft Word Features for Phishing: “subDoc”](https://rhinosecuritylabs.com/research/abusing-microsoft-word-features-phishing-subdoc/)
* [code signing certificate cloning attacks and defenses](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec)
* [userland api monitoring and code injection detection](https://0x00sec.org/t/userland-api-monitoring-and-code-injection-detection/5565)
+ [Loop-Oriented Programming(LOP): A New Code Reuse Attack to Bypass Modern Defenses](https://www.sec.in.tum.de/assets/staff/muntean/Loop-Oriented_Programming_A_New_Code_Reuse_Attack_to_Bypass_Modern0ADefenses.pdf) - by Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng [2015]
+ [Systematic Analysis of Defenses Against Return-Oriented Programming](https://people.csail.mit.edu/nickolai/papers/skowyra-rop.pdf) -by R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. Streilein [2013]
+ [Return-oriented programming without returns](https://www.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf) -by S.Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy [2010]
+ [Jump-oriented programming: a new class of code-reuse attack](https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf) -by T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang [2011]
+ [Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-davi.pdf) - by L. Davi, A. Sadeghi, and D. Lehmann [2014]
+ [Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-goktas.pdf) - by E. Göktas, E.Athanasopoulos, M. Polychronakis, H. Bos, and G.Portokalidis [2014]
+ [Buffer overflow attacks bypassing DEP (NX/XD bits) – part 1](https://www.mastropaolo.com/2005/06/04/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-1/) - by Marco Mastropaolo [2005]
+ [Buffer overflow attacks bypassing DEP (NX/XD bits) – part 2](https://www.mastropaolo.com/2005/06/05/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-2-code-injection/) - by Marco Mastropaolo [2005]
+ [Practical Rop](https://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf) - by Dino Dai Zovi [2010]
+ [Exploitation techniques and mitigations on Windows](https://hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf) - by skape
+ [A little return oriented exploitation on Windows x86 – Part 1](https://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on.html) - by Harmony Security and Stephen Fewer [2010]
+ [A little return oriented exploitation on Windows x86 – Part 2](https://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on_16.html) - by Harmony Security and Stephen Fewer [2010]
*Exploid Development Tutorial Series Base on Windows Operation System Articles.*
<aname="corelan"/>
- Corelan Team
+ [Exploit writing tutorial part 1 : Stack Based Overflows](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/)
+ [Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode](https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/)
+ [Exploit writing tutorial part 3 : SEH Based Exploits](https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/)
+ [Exploit writing tutorial part 3b : SEH Based Exploits – just another example](https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/)
+ [Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics](https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/)
+ [Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development](https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/)
+ [Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR](https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/)
+ [Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc](https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/)
+ [Exploit writing tutorial part 8 : Win32 Egg Hunting](https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/)
+ [Exploit writing tutorial part 9 : Introduction to Win32 shellcoding](https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/)
+ [Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s Cube](https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/)
+ [Exploit writing tutorial part 11 : Heap Spraying Demystified](https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/)
-<aname="fuzzysecurity"/>Fuzzysecurity
+ [Part 1: Introduction to Exploit Development](https://www.fuzzysecurity.com/tutorials/expDev/1.html)
+ [Windows Exploit Development – Part 1: The Basics](https://www.securitysift.com/windows-exploit-development-part-1-basics/)
+ [Windows Exploit Development – Part 2: Intro to Stack Based Overflows](https://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/)
+ [Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules](https://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/)
+ [Windows Exploit Development – Part 4: Locating Shellcode With Jumps](https://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/)
+ [Windows Exploit Development – Part 5: Locating Shellcode With Egghunting](https://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting/)
+ [Windows Exploit Development – Part 6: SEH Exploits](https://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/)
+ [Windows Exploit Development – Part 7: Unicode Buffer Overflows](https://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows/)
