This is an independent, community-built prep guide for the OSEE (EXP-401) certification. Not affiliated with or endorsed by Offensive Security. Every resource linked here is free and publicly available.
- Official References
- Module 1 - Prerequisites, Tools and Environment
- Module 2 - Custom Shellcode Creation
- Module 3 - VMware Guest-to-Host Escape
- Module 4 - Microsoft Edge Type Confusion
- Module 5 - Windows Kernel Exploitation
- Module 6 - Hyper-V Bonus
- Module 7 - Exam Prep and Strategy
- Module 8 - Tools Reference
- Module 9 - Papers and Conference Talks
- CVE Reference Table
| Resource | Link |
|---|---|
| EXP-401 Course Page | offsec.com |
| OSEE Exam Guide | help.offsec.com |
| EXP-401 Syllabus PDF | appliedtechnologyacademy.com |
These are the best community resources that already exist. Start here before anything else.
- PwnAwan/EXP-401-OSEE - curated resources and PoC exploits
- gscamelo/OSEE - another solid prep collection
- yeyintminthuhtut/Awesome-Advanced-Windows-Exploitation-References - the most comprehensive link dump available
- FULLSHADE/WindowsExploitationResources
- MustafaNafizDurukan/WindowsKernelExploitationResources
- FuzzySecurity Tutorials - the classic series, still relevant
- Corelan Exploit Writing Tutorials Parts 1-11 - required reading for user-mode foundations
- "My AWE Experience!!!" by Hemali
- "AWE Course Review" by Trickster0
- "Advanced Windows Exploitation 2018 Review" by tekman
Before you write a single line of shellcode, make sure these fundamentals are solid. The course assumes you already know x64 assembly, Windows internals, the PE format, and can navigate a debugger comfortably.
- Windows Internals Part 1 (Microsoft Press) - read this cover to cover
- Intel x86-64 Software Developer Manual
- x64 Architecture Overview (Microsoft Docs)
- x64 Calling Conventions (Microsoft Docs)
- PE Format Reference (Microsoft Docs)
- EPROCESS and Kernel Structure Reference (CodeMachine)
| Tool | What it's for | Link |
|---|---|---|
| WinDbg Preview | Primary kernel and user-mode debugger | Microsoft Store |
| IDA Pro Freeware | Disassembler and decompiler | hex-rays.com |
| Ghidra | Free RE tool from NSA | ghidra-sre.org |
| x64dbg | Open-source user-mode debugger | x64dbg.com |
| rp++ | ROP gadget finder | GitHub |
| Ropper | ROP chain builder | GitHub |
| ROPgadget | Python ROP gadget tool | GitHub |
| mona.py | Exploit dev plugin for Immunity/WinDbg | GitHub |
| Process Hacker | Process and memory inspector | processhacker.sourceforge.io |
| HEVD | Intentionally vulnerable kernel driver | GitHub |
| Sickle | Shellcode and opcode generation | GitHub |
You need two VMs talking to each other over serial or KDNET. One is your debugger, one is your target. Get this working before anything else in Module 5.
- hasherezade - Part 1: Setting Up the Environment
- Setting Up Kernel Mode Debugging over KDNET (Microsoft Docs)
- Introduction to Windows Kernel Exploitation - Environment Setup (wetw0rk)
- WinDbg Kernel Debugging Cheat Sheet (OSR Online)
- Remote Kernel Debugging Over TCP/IP (Microsoft Docs)
This module is about writing shellcode that works anywhere, without hardcoded addresses or assumptions about the target environment. You need to understand PIC, PEB walking, and how to resolve Win32 APIs at runtime.
The jump from 32-bit to 64-bit changes a lot: register widths, calling conventions, shadow space, RSP alignment requirements, and how the PEB is accessed.
- x64 Architecture Overview (Microsoft Docs)
- x64 Calling Convention (Microsoft Docs)
- Windows x64 Shellcode Differences (Topher Timzen)
- NASM x64 Assembly Tutorial
- Bridging C++ and x64 Shellcode Development (Red Teaming Dojo)
- Corelan ROP and DEP Notes (64-bit context)
Every shellcode starts the same way: find kernel32.dll without any hardcoded base address. You do this by walking the PEB, parsing the export table, and resolving functions by hash. This is the foundation.
- x64 Find and Execute WinAPI via PEB (Print3M)
- Shellcoding a Reverse Shell via PEB from C (0xEct0)
- PE Parsing Technique for x86 Shellcode (Red Teaming Dojo)
- Windows Shellcode Introduction Part 1 (SecurityCafe, archived)
- ShellcodeStdio - Compiler-Optimized PIC Framework
- PIC Bindshell with RSP Alignment (mattifestation)
- Shellcode in .NET and PEB Changes (Topher Timzen)
- Export Directory Table Reference (Microsoft Docs)
Once you can resolve APIs, the next step is packaging everything into a reusable framework: find the base, walk the export table, resolve functions by hash, then run whatever payload you want.
- Windows Shellcoding Step by Step Part 1 (cocomelonc)
- Malware Development and Shellcoding Series (0xPat)
- Sickle - Payload Development Framework
- OWASP Introduction to Shellcode Development (PDF, archived)
- Win32 API List (Microsoft Docs)
The end goal of most shellcode: connect back to your machine over TCP and drop a shell. Write this from scratch in PIC assembly or PIC C. Do not use msfvenom for this exercise.
- Reverse Shell Shellcode Part 2 (cocomelonc)
- Writing a Reverse Shell from C (0xect0)
- WinSock2 API Reference (Microsoft Docs)
- Msfvenom Reference (for comparison only)
Use Visual Studio to write and compile shellcode in C, then extract raw opcodes from the Release build. You need to disable /GS, runtime checks, and optimizations that break PIC code.
- Custom Windows Shellcode with Visual Studio (xacone)
- ShellcodeStdio via Visual Studio (winternl.com)
- Disabling /GS Stack Security Check (Microsoft Docs)
- Executing Shellcode Directly (Osanda Malith)
CVE-2017-4901 | Use-After-Free in the Drag-and-Drop RPCI mechanism
This is the hardest module in the course. You are exploiting a use-after-free in vmware-vmx.exe and chaining it with heap grooming, ASLR bypass, a ROP chain, and shellcode execution to break out of the VM entirely. Every technique from Module 2 gets used here.
- CVE-2017-4901 (CVE Details)
- vmware_escape PoC by rip1s (GitHub)
- How to Exploit CVE-2017-4901 (rip1s Wiki) - read this multiple times
- Awesome VM Escape Exploits (WinMin)
- The Great Escapes of VMware (BlackHat EU 2017 PDF)
You need to understand how the backdoor I/O port works, what RPCI is, and how the DnD (drag-and-drop) subsystem interacts with vmware-vmx.exe on the host.
- Open-VM-Tools Source (Backdoor I/O Port)
- Backdoor Library Source Code
- ESXi VM Escape PoC Analysis (Huntress 2025)
DEP marks memory pages as non-executable. The standard bypass is a ROP chain that calls VirtualProtect to flip the execute bit, then jumps to your shellcode.
- DEP Overview (Microsoft Docs)
- Bypassing Hardware-Enforced DEP (Skape and Skywing, 2005) - the original paper
- DEP/ASLR Bypass Whitepaper (Exploit-DB)
- Step-by-Step ROP to Bypass DEP (CyberGeeks)
- Corelan Part 10: Chaining DEP with ROP
- Universal DEP/ASLR Bypass with msvcr71.dll and mona.py (Corelan)
- Modern Windows Memory Corruption Exploits Part 1 (CyberArk)
ROP is how you bypass DEP. You chain together small instruction sequences already present in loaded modules, each ending in a ret, to build a fake call stack that does what you want.
- Return-Oriented Programming (Hovav Shacham, 2007) - the foundational paper
- ROP Emporium (practical x64 ROP challenges) - do all of these
- rp++ Multi-architecture ROP Gadget Finder
- ROPgadget Python Tool
- Ropper ROP Chain Builder
- Corelan Part 9: Introduction to Win32 Shellcoding
ASLR randomizes base addresses. You defeat it through info leaks, finding non-ASLR modules, heap spraying, or partial overwrites depending on what the target gives you.
- Corelan Part 6: Bypassing ASLR, SafeSEH, SEHOP, DEP
- Windows 10 KASLR Bypass in One WinDbg Command (CoreSecurity)
- Bypassing ASLR/DEP Whitepaper (Exploit-DB)
Before you can groom the heap you need to understand it. How the allocator works, what a chunk looks like, how the free lists are managed, and where your data lands after each alloc and free.
- Windows 8 Heap Internals (Valasek and Metz, BlackHat 2012 PDF)
- Understanding the LFH (Valasek PDF)
- Project Heapbleed: Reusable Heap Primitives (census-labs)
- Corelan Part 11: Heap Spraying Demystified
The LFH is the front-end allocator that handles commonly-sized objects. Exploiting bugs near LFH-managed memory means you need to control which bucket your allocation lands in and what neighbors it.
- Understanding the LFH (Valasek PDF)
- Heap Feng Shui in JavaScript (Alexander Sotirov, BlackHat 2007 PDF)
UAF is the bug class behind both the VMware and Edge exploits. You free an object, control what gets allocated in its place, and then trigger the stale pointer to corrupt that new object.
- Exploiting CVE-2017-4901 Full Analysis (rip1s)
- Browser UAF Exploitation (Connor McGarr, MS13-055 IE8)
- Use-After-Free Exploit Development (Exploit-DB PDF)
- Exploiting HEVD UAF x64 with Non-Paged Pool Feng-Shui
- CVE-2015-0057: win32k UAF (Exploit-DB)
When your overflow does not land on a stack you control, you use a stack pivot gadget to redirect RSP to attacker-controlled memory where you have already staged your ROP chain.
- FuzzySecurity Tutorial Part 13: Stack Pivoting
- FuzzySecurity Tutorial Part 7: ROP Gadgets
- SMEP Bypass via Stack Pivoting (Connor McGarr)
The host process vmware-vmx.exe has WDEG mitigations enabled including ROP mitigations, export address filtering, and import address filtering. You need to understand what each one does before you can bypass them.
CVE-2019-0567 | Type Confusion in the Chakra JavaScript Engine
Three-stage exploit chain. Stage 1 gets a read/write primitive in the renderer. Stage 2 defeats CFG and ACG. Stage 3 escapes the AppContainer sandbox. Each stage builds on the last, and each one defeats a mitigation specific to modern browsers.
You need to understand how ChakraCore represents JavaScript objects, how the JIT compiler works, what auxSlots are, how NaN boxing works, and the difference between inline and auxiliary property storage.
- ChakraCore Open-Source JS Engine (GitHub)
- CVE-2019-0567 Part 1: Environment Setup and Vulnerability Analysis (Connor McGarr)
- Attacking Edge Through the JavaScript Compiler (Bruno Keith)
- Project Zero Issue for CVE-2019-0567
InitProto is incorrectly marked side-effect-free by the JIT. When this assumption is violated during a type transition, the optimizer corrupts the auxSlots pointer, giving you a type confusion.
- CVE-2019-0567 Part 1: Vulnerability Analysis (Connor McGarr)
- DayZeroSec: CVE-2019-0567 Summary
- Perception Point: CVE-2019-0539 Sister Vulnerability Analysis
Corrupt the auxSlots pointer to point to a second object. Use two DataView instances to turn the type confusion into a stable arbitrary read and write primitive. NaN boxing lets you read 64-bit pointers correctly.
- CVE-2019-0567 Part 2: R/W Primitive Development (Connor McGarr)
- DataView API (MDN Web Docs)
- Attacking Edge Through the JS Compiler (Bruno Keith)
Use your read/write primitive to leak a vtable pointer, calculate module offsets, and then overwrite the vtable to redirect execution into your ROP chain.
CFG validates the target of every indirect call. You bypass it by finding a call target that is not protected, or by corrupting a pointer that CFG does not check.
- Bypassing CFG on Windows 10 (BlackHat 2014 PDF)
- Bypassing Control Flow Guard in Windows 10 (Improsec)
- Cross The Wall: Bypass All Mitigations in Edge (BlackHat 2017 PDF)
ACG prevents the content process from mapping new executable memory or modifying existing code pages. The bypass abuses the out-of-process JIT server using RPC calls from the content process.
- CVE-2019-0567 Part 3: ACG Bypass via RPC (Connor McGarr)
- ACG Reference (Microsoft Docs)
- CVE-2017-8637: ACG Bypass via Edge Out-of-Process JIT (MSRC)
- Attacking Edge Through the JS Compiler (Bruno Keith)
Sometimes you cannot execute code at all. Instead you use your read/write primitive to directly modify security-relevant data such as flags, tokens, ACL entries, or dispatch tables, without ever running your own shellcode.
- Non-Control-Data Attacks Are Realistic Threats (Chen et al., 2005)
- yeyintminthuhtut: Data-Only Attack References
The Edge renderer runs inside an AppContainer. Getting code execution in the renderer is not enough. You need to abuse the JIT server or broker process, which runs with more privilege, to fully escape the sandbox.
- Chromium Sandbox Architecture
- Cross The Wall: Bypass All Mitigations in Edge (BlackHat 2017 PDF)
- Project Zero Blog: Edge and Chrome Sandbox Research
Kernel exploitation means running code at ring 0. A single mistake crashes the machine. You need to understand pool internals, how the kernel handles user-mode interactions, and how to manipulate kernel data structures like tokens and callbacks without triggering any of the hardware mitigations (SMEP, SMAP, KVAS).
Understand the full picture: ring 0 vs ring 3, IRQL levels, how syscalls work, how IOCTLs reach driver handlers, and what the KPCR/KTHREAD/EPROCESS chain looks like in memory.
- Windows Kernel Driver Programming Overview (Microsoft Docs)
- EPROCESS and Kernel Structure Reference (CodeMachine)
- Alex Ionescu Windows Internals Talks (YouTube)
- Windows Internals Part 1 (Mark Russinovich)
HackSys Extreme Vulnerable Driver is the standard training target. It has every major kernel bug class implemented intentionally in both x86 and x64. Start every technique here before touching real targets.
- HEVD Repository (GitHub)
- HEVD Pre-compiled Releases (x86/x64)
- Introduction to Windows Kernel Exploitation with HEVD (wetw0rk)
- HEVD Kernel Exploitation Saga Writeup
- xct/windows-kernel-exploits (GitHub)
The classic kernel privilege escalation. Walk the EPROCESS list to find the System process, copy its token into your process's token field, and return to user mode as NT AUTHORITY\SYSTEM.
- Token Stealing and SMEP Bypass on Windows 10 x64 (Connor McGarr)
- Starting with Kernel Exploitation Part 3: Token Stealing (hasherezade)
- How Kernel Exploits Abuse Tokens (ired.team)
- PINKPANTHER: Handcrafted Token Stealing Shellcode (GitHub)
- Windows Kernel Exploitation Part 3: Arbitrary Memory Overwrite (Exploit-DB PDF)
Overflow a kernel stack buffer to overwrite the return address. If GS cookies are present you need a way around them first. Then you either land on shellcode directly or use a kernel ROP chain.
- Starting with Kernel Exploitation Part 2: Stack Overflows (hasherezade)
- HEVD x64 Stack Overflow (wetw0rk)
- Kernel Stack Overflow Exploitation (Osanda Malith)
Overwrite HalDispatchTable+0x8 with the address of your shellcode. Then call NtQueryIntervalProfile from user mode to trigger the overwritten pointer inside the kernel.
- FuzzySecurity Tutorial Part 15: Write-What-Where via HalDispatchTable
- Kernel Write-What-Where via HalDispatchTable (rootkits.xyz)
- Windows Kernel Exploitation Part 3: Write-What-Where (Exploit-DB PDF)
Pool overflows and UAF in the non-paged or paged pool. You need to groom the pool to get your target allocation in the right place before triggering the bug.
- Exploiting HEVD UAF x64 with Pool Feng-Shui
- Pool Overflow Exploitation Since Windows 10 19H1 (SSTIC 2020 PDF)
- CVE-2021-21551: Dell BIOS Driver Pool Exploitation (CrowdStrike)
- Windows 10 Pool Memory Internals (windows-internals.com)
SMEP (CR4 bit 20) prevents the CPU from executing user-mode pages while in ring 0. The standard bypass is a ROP gadget that clears the bit before jumping to your shellcode. PTE manipulation is another option.
- SMEP: What it is and How to Beat it (Andrea Fortuna)
- Token Stealing and SMEP Bypass on Windows 10 x64 (Connor McGarr)
- HEVD x64 Stack Overflow with SMEP Bypass (rootkits.xyz)
- yeyintminthuhtut: SMEP Bypass References
The win32k subsystem can call back into user mode during kernel execution. If the kernel does not re-validate object state after the callback returns, an attacker can corrupt that state during the window.
- Kernel Attacks Through User-Mode Callbacks (Tarjei Mandt, BlackHat 2011 PDF) - essential reading
- CVE-2011-1974: Win32k Callback Vulnerability (Exploit-DB)
- MS15-061: Win32k UAF via xxxSetClassLong Callback (Exploit-DB)
Overwrite kernel callback pointers like PsSetCreateProcessNotifyRoutine entries or I/O completion callbacks. When the kernel triggers one of those callbacks your code runs in ring 0.
- Windows Driver Kit (Microsoft Docs)
- Vulnerable Driver Files (PwnAwan EXP-401 Repo)
- Windows Kernel Security Mitigations (Microsoft MSRC Blog)
Not always on the main syllabus but directly relevant. Understanding the hypervisor layer helps with both kernel exploitation technique and with the VMware module.
- Hyper-V Architecture (Microsoft Docs)
- Advanced Windows 10 Kernel Exploitation (Morten Schenk, DEF CON 25)
- WindowsExploitationResources Hyper-V Section (FULLSHADE)
- 72-hour exam with two assignments
- 75 points needed to pass (each assignment is worth up to 50 points, 25 for partial credit)
- Penetration test report in PDF format due within 24 hours after the exam window closes
- Official OSEE Exam Guide
These are the targets the community recommends for building skills that directly apply to the exam.
| CVE | Description | Writeup |
|---|---|---|
| CVE-2021-21551 | Dell BIOS Driver pool LPE | CrowdStrike |
| CVE-2017-8601 | Windows JScript type confusion | Exploit-DB |
| CVE-2015-5736 | Fortinet FortiClient | Exploit-DB |
| CVE-2014-4113 | Win32k UAF (MS14-058) | Exploit-DB |
| CVE-2011-2005 | NDIS LPE (MS11-080) | Exploit-DB |
| CVE-2017-4901 | VMware guest-to-host escape | rip1s GitHub |
| CVE-2019-0567 | Edge Chakra type confusion | Connor McGarr |
| HEVD | All kernel bug classes | GitHub |
Go through this in order. Do not skip ahead to the browser stuff until you can write a kernel exploit from scratch.
- Complete Corelan exploit writing tutorials Parts 1 through 11
- Exploit HEVD stack overflow on x86 then x64
- Exploit HEVD write-what-where via HalDispatchTable
- Exploit HEVD pool UAF with non-paged pool feng shui
- Write a custom PIC reverse shell in x64 assembly
- Read both Valasek heap internals PDFs cover to cover
- Analyze CVE-2017-4901 (VMware) using the rip1s wiki and source code
- Build CVE-2019-0567 by following all three Connor McGarr posts
- Write a full penetration test report for each exploit you build
- Read every AWE course review to calibrate your expectations for the exam
- WinDbg Full Documentation (Microsoft Docs)
- WinDbg Quick Reference (OSR Online)
- WinDbg Commands Cheat Sheet (briolidz)
- Kernel Mode WinDbg Extensions (Microsoft Docs)
- pwntools (Linux-focused but useful for scaffolding)
- Sickle: Shellcode and Opcode Generation
- ctypes: Calling Windows APIs from Python
- Volatility3: Memory Analysis for Kernel Structure Research
- WinAFL: Windows Fuzzing (Google Project Zero)
- AFL++: Modern Fuzzing Framework
- BinDiff: Binary Comparison and Patch Diffing
- Diaphora: IDA Pro Binary Diffing Plugin
| Paper | Year | Link |
|---|---|---|
| Return-Oriented Programming (Shacham) | 2007 | ACM |
| ROP Without Returns (Checkoway et al.) | 2010 | ACM |
| Non-Control-Data Attacks (Chen et al.) | 2005 | ACM |
| Bypassing Hardware-Enforced DEP (Skape, Skywing) | 2005 | Archive |
| Heap Feng Shui in JavaScript (Sotirov) | 2007 | BlackHat PDF |
| Talk | Event | Link |
|---|---|---|
| Kernel Attacks Through User-Mode Callbacks (Tarjei Mandt) | BlackHat 2011 | |
| The Great Escapes of VMware | BlackHat EU 2017 | |
| Cross The Wall: Bypass All Mitigations in Edge | BlackHat US 2017 | |
| Bypassing Control Flow Guard on Windows 10 | BlackHat US 2014 | |
| Advanced Windows 10 Kernel Exploitation (Morten Schenk) | DEF CON 25 | YouTube |
| Platform | What it covers | Link |
|---|---|---|
| ROP Emporium | Practical ROP x64 | ropemporium.com |
| RET2 Wargames | Exploit development | wargames.ret2.systems |
| pwn.college | Binary and kernel exploitation | pwn.college |
| OpenSecurityTraining2 | Architecture and exploitation, free | ost2.fyi |
| Nightmare | Binary exploitation course | guyinatuxedo.github.io |
| LiveOverflow | Exploitation YouTube series | YouTube |
| exploit.education | Vulnerable VMs | exploit.education |
| CVE | Application | Bug Class | Module |
|---|---|---|---|
| CVE-2017-4901 | VMware Workstation | Use-After-Free (DnD RPCI) | 3 |
| CVE-2019-0567 | Microsoft Edge / Chakra | Type Confusion (JIT) | 4 |
| CVE-2019-0539 | Microsoft Edge / Chakra | Type Confusion | 4 |
| CVE-2017-8637 | Microsoft Edge | ACG Bypass (JIT Server) | 4 |
| CVE-2017-8601 | Windows JScript | Type Confusion | 4 |
| CVE-2021-21551 | Dell BIOSConnect | Pool Overflow (LPE) | 5 |
| CVE-2014-4113 | win32k.sys | Use-After-Free | 5 |
| CVE-2015-0057 | win32k.sys | Use-After-Free (Callback) | 5 |
| CVE-2011-2005 | NDIS | Buffer Overflow | 5 |
Independent community resource. Not affiliated with Offensive Security.