A curated collection of tools, study materials, and community resources for mastering the EXP-401 Advanced Windows Exploitation course and earning the Offensive Security Exploitation Expert certification.
Building custom shellcode from scratch for x86_64 architecture. Covers Win32 API internals, position-independent code, calling conventions in 64-bit systems, and developing a versatile shellcode framework including reverse shell payloads.
Escaping from a guest OS to the host by exploiting vulnerabilities in VMware Workstation. Covers VMware internals, use-after-free vulnerability analysis, heap memory management, LFH exploitation, and virtual table manipulation.
Browser sandbox escape via type confusion vulnerabilities in Microsoft Edge (Chakra engine). Covers JIT process injection, ASLR/DEP/CFG bypass, and advanced ROP chain construction against modern mitigations.
Local privilege escalation by exploiting vulnerabilities in third-party kernel drivers. Covers kernel driver analysis, callback function manipulation, and escalation from user-mode to SYSTEM privileges.
Kernel privilege escalation via win32k subsystem vulnerabilities. Covers Windows kernel subsystem internals, user-mode callback abuse, and exploitation of native OS kernel components.
The primary debugger for OSEE. Master kernel and user-mode debugging, breakpoints, memory inspection, and extension commands. Non-negotiable for EXP-401. learn.microsoft.com
Disassembler: Industry-standard interactive disassembler and decompiler. Essential for static analysis of target binaries, identifying vulnerability patterns, and understanding complex code paths. hex-rays.com
Disassembler: NSA's open-source reverse engineering framework. Free alternative to IDA with excellent decompiler support. Great for supplementary analysis and scripting automation. ghidra-sre.org
Virtualization: Required for the course lab environment. Must support running 3 VMs simultaneously. VMware is also a case study target in Module 2 — understand its internals deeply. vmware.com
IDE / Compiler: For developing and debugging exploit code in C/C++. The MSVC compiler and debugger integration is critical for building PoCs and shellcode loaders. visualstudio.microsoft.com
Scripting: Exploit scripting, automation, ROP gadget finding, and PoC development. Libraries like pwntools, struct, and ctypes are invaluable for exploit prototyping. python.org
Exploit Utility: Tools for searching ROP gadgets in binaries. Essential for building ROP chains to bypass DEP/ASLR and construct code-reuse attacks against modern mitigations. github.com
System Analysis: Process Explorer, Process Monitor, VMMap, and other tools for understanding Windows internals during exploit development. Critical for heap analysis and process introspection. learn.microsoft.com
By Yosifovich, Ionescu, Russinovich, Solomon. The definitive reference on Windows kernel architecture, memory management, processes, and security mechanisms. Required reading.
By Anley, Heasman, Lindner, Richarte. Covers exploit discovery and development techniques across platforms. Excellent foundation for understanding vulnerability classes.
By Perla & Oldani. Covers attacking the kernel across OS platforms. Essential reading for Modules 4 and 5 on kernel driver and win32k exploitation.
By Dang, Gazet, Bachaalany. x86/x64 architecture, Windows kernel internals, and reverse engineering methodology. Bridges the gap between RE and exploit development.
Peter Van Eeckhoutte's legendary exploit writing tutorial series. Covers stack overflows through advanced heap exploitation. A rite of passage for exploit developers. corelan.be
GitHub Repo: Structured study guide aligned with the EXP-401 syllabus. Covers each module with curated resources, explanations, and practical exercises. Actively maintained. github.com/0x1BE
GitHub Repo: Collection of resources compiled during OSEE certification preparation. Includes links to papers, exploit writeups, and technique references organized by topic. github.com/dhn
GitHub Repo: Resources and proof-of-concept exploits for OSEE prep. Covers mitigation bypass techniques, heap manipulation, and kernel exploitation references. github.com/PwnAwan
GitHub Repo: Comprehensive guide covering the full OSCE3 path — OSWE, OSEP, OSED, and OSEE. Aggregates review writeups, lab resources, and community preparation notes. github.com/CyberSecurityUP
Exam Review: Detailed first-hand account of AWE course attendance through OSEE certification. Covers preparation timeline, study methodology, and exam insights. medium.com
Course: Focused advanced-level drill designed to bridge intermediate exploitation knowledge with OSEE-level proficiency. Covers Win32 internals, SEH, PE format, and exploit technique refinement. udemy.com
OffSec's Windows User Mode Exploit Development course. Covers stack overflows, SEH, DEP/ASLR bypass, and WinDbg/IDA fundamentals. Strongly recommended before attempting EXP-401.
Focus on Windows machines with kernel exploits, binary exploitation challenges, and the Fortress labs. Great for building exploit development muscle memory. hackthebox.com
Platform: Phoenix and Protostar VMs for learning memory corruption exploitation fundamentals. Start here if you need to solidify your stack/heap overflow basics before advancing. exploit.education
Set up vulnerable versions of real software and reproduce published CVEs. Focus on Windows heap overflows, UaF in browsers and virtualization software, and kernel driver bugs. Build your own PoCs from advisories.
Build a fuzzing environment with WinAFL or libFuzzer targeting Windows applications. Finding your own crashes and triaging them into exploitable bugs is the highest-value prep activity for OSEE.
Set a hard exam deadline to create urgency. OSEE holders consistently report that having a fixed date forced focused, productive preparation instead of endless study cycles.
WinDbg commands should be muscle memory. Practice navigating heap structures, setting conditional breakpoints, and analyzing crash dumps until it's second nature.
The exam requires a comprehensive penetration test report. Build your reporting template and practice writing detailed technical narratives during your prep labs — not during the 72-hour exam.
The exam tests lateral thinking as much as technical knowledge. The vulnerabilities are unknown — you need to discover them. Practice root cause analysis on unfamiliar targets, not just replaying known exploits.
Prepare backup internet, power, and a secondary machine/VM setup. 72 hours is long — avoidable technical disruptions can cost you the certification.
Plan your sleep schedule for the exam in advance. Most successful candidates report sleeping in 3-4 hour blocks rather than trying to power through the full 72 hours without rest.
Solid systems programming skills are non-negotiable. You need to read, write, and debug C code and assembly fluently. Understand calling conventions, stack frames, and memory layout.
General penetration testing methodology and tooling. Builds the operational mindset needed for approaching unknown targets methodically.
Windows user-mode exploit development. Stack overflows, SEH exploitation, DEP/ASLR bypass, and IDA/WinDbg proficiency. The direct on-ramp to EXP-401.
Advanced evasion, Active Directory exploitation, and post-exploitation. Builds lateral thinking skills valuable for the OSEE exam's open-ended challenges.
Advanced Windows Exploitation. In-person training at Black Hat or OffSec events, followed by the 72-hour practical exam. The summit of OffSec's certification hierarchy.