Discover / Exploit development / Reading path

Learn Exploit Development: The Best Books, in Order

6
Books
90
Hours
5
Stages
Not yet rated

This curriculum is designed for expert-level practitioners who already understand systems programming and want to master binary exploitation, shellcode engineering, and professional vulnerability research. The path moves from low-level internals and classic exploitation theory, through modern bypass techniques and shellcode craft, to cutting-edge vulnerability research and real-world offensive tooling — each stage demanding and building directly on the last.

1

Exploitation Internals & Classical Foundations

Expert

Solidify a deep, expert-level mental model of memory layout, classic vulnerability classes (stack/heap overflows, format strings), and the attacker's methodology before modern mitigations complicate the picture.

Study plan for this stage

Pace: 8–10 weeks, ~40–50 pages/day (mix of reading and hands-on labs). Allocate 4–5 weeks to "Hacking" (Chapters 0–3 core material), then 4–5 weeks to "The Shellcoder's Handbook" (Chapters 1–6, focusing on vulnerability analysis and exploitation mechanics).

Key concepts
  • Memory layout fundamentals: stack, heap, BSS, data, text segments and their role in classical exploits
  • Stack overflow mechanics: buffer overflow, return address overwrite, stack canaries, and how attackers chain gadgets before ROP
  • Heap exploitation: heap metadata, chunk structures, free list manipulation, and heap spraying techniques
  • Format string vulnerabilities: format specifiers, reading/writing arbitrary memory, and exploitation chains
  • Shellcode construction: assembly fundamentals, null-byte avoidance, position-independent code, and payload encoding
  • Attacker methodology: reconnaissance, vulnerability identification, proof-of-concept development, and reliable exploitation without modern mitigations
  • Classical mitigation bypass: understanding DEP/NX, ASLR, stack canaries at a conceptual level before learning modern defenses
  • Binary analysis workflow: static disassembly, dynamic debugging (GDB), and reverse-engineering vulnerable binaries to identify exploitation vectors
You should be able to answer
  • Explain the complete memory layout of a running process (stack, heap, BSS, data, text) and how each region is exploited in classical attacks.
  • Walk through a stack overflow exploit from vulnerability discovery to shellcode execution: what conditions must exist, how is the return address overwritten, and what happens when control flow is hijacked?
  • Describe the heap metadata structures and free list mechanics; how can an attacker corrupt heap metadata to achieve arbitrary code execution?
  • What is a format string vulnerability, and how can an attacker use format specifiers to read from or write to arbitrary memory addresses?
  • Write position-independent shellcode that avoids null bytes and explain the techniques used to make it portable across different environments.
  • Given a vulnerable binary, outline the complete exploitation workflow: how would you identify the vulnerability, develop a reliable exploit, and verify code execution?
Practice
  • Compile and debug a simple stack overflow in GDB; identify the exact offset where the return address is overwritten and manually craft a payload to redirect execution.
  • Write a basic null-byte-free shellcode stub in x86 assembly that executes /bin/sh; test it in a controlled buffer overflow scenario.
  • Analyze a format string vulnerable program using GDB; craft a format string payload to leak stack values and write to a target address.
  • Implement a heap overflow exploit: corrupt heap metadata, trigger a free list unlink, and achieve arbitrary code execution on a vulnerable allocator.
  • Reverse-engineer a stripped binary using objdump and GDB to locate the vulnerability; document the exploitation path and build a working proof-of-concept.
  • Create a shellcode encoder/decoder pair to bypass simple character filters; test the encoded payload in a real buffer overflow scenario.
  • Build a fuzzer or mutation tool to discover stack/heap overflow conditions in a target binary; document crash conditions and develop reliable exploits.
  • Study and document at least two real CVEs from the era covered by these books (pre-2010); reproduce the vulnerability and exploit in a lab environment.

Next up: Mastering classical exploitation without modern mitigations establishes the foundational attacker mindset and technical toolkit; the next stage will layer on real-world defenses (DEP/NX, ASLR, stack canaries, CFI) and teach advanced bypass techniques that depend on this deep understanding of memory corruption and control flow hijacking.

Hacking
Jon Erickson · 2003 · 384 pp

Even for experts, this book is the canonical reference for thinking like an exploit developer — covering x86 memory, shellcode, and heap/stack exploitation from first principles with working C and assembly examples. It establishes the precise vocabulary and mental model the rest of the curriculum builds on.

The shellcoder's handbook
Chris Anley · 2007 · 731 pp

The definitive multi-platform reference for vulnerability discovery and shellcode development across Linux, Windows, Solaris, and more. Read second to immediately extend the exploitation primitives from Erickson into real-world, multi-OS contexts and introduce format-string and heap exploitation in depth.

2

Windows Internals & Platform-Specific Exploitation

Expert

Gain authoritative knowledge of Windows memory management, kernel structures, and the Win32 exploitation surface — the dominant target platform in professional vulnerability research.

Study plan for this stage

Pace: 8–10 weeks, ~40–50 pages/day with deep technical review

Key concepts
  • Windows kernel architecture and privilege levels (ring 0 vs ring 3, transitions via syscalls)
  • Virtual memory management: paging, page tables, and kernel-mode address space layout (KVAS)
  • Kernel data structures: EPROCESS, ETHREAD, PEB, TEB, and their exploitation surface
  • Interrupt handling, exception dispatching, and IRQL levels as exploitation vectors
  • Kernel pool memory (paged and non-paged) exploitation techniques and heap spraying
  • Device driver vulnerabilities and I/O control (IOCTL) code exploitation
  • Privilege escalation chains: from user-mode vulnerability to kernel code execution
  • Kernel-mode code execution and post-exploitation persistence mechanisms
You should be able to answer
  • Explain the difference between paged and non-paged kernel pools and why each is an exploitation target
  • How does a user-mode application transition to kernel mode, and where are the security boundaries that exploits must cross?
  • Describe the structure and purpose of the EPROCESS block and how it can be manipulated for privilege escalation
  • What is an IOCTL and how can vulnerable device drivers expose kernel exploitation surfaces?
  • Walk through a complete privilege escalation chain from a user-mode buffer overflow to kernel code execution
  • How does IRQL (Interrupt Request Level) affect kernel exploitation, and why must exploits account for it?
  • What are the differences between exploiting kernel pools versus user-mode heaps, and what techniques are specific to each?
  • How can an attacker achieve persistence after gaining kernel-mode code execution?
Practice
  • Set up a Windows kernel debugging environment (WinDbg + virtual machine) and inspect live kernel structures (EPROCESS, page tables) using debugger commands
  • Analyze a vulnerable device driver source code and identify IOCTL-based exploitation vectors; document the attack surface
  • Write a proof-of-concept exploit for a kernel pool overflow vulnerability (use a real CVE from the book's era or a training exercise)
  • Use kernel pool spraying techniques to achieve deterministic heap layout and demonstrate control over kernel memory allocation
  • Perform a privilege escalation exercise: start with a low-privilege process and escalate to SYSTEM via a kernel vulnerability using the techniques from the book
  • Reverse-engineer a Windows kernel structure (e.g., ETHREAD) using WinDbg and map its memory layout; correlate with the book's diagrams
  • Build a simple kernel-mode rootkit that hooks a system call or modifies kernel data structures (in a lab environment)
  • Analyze a real Windows kernel vulnerability (e.g., from Microsoft security bulletins) and trace the exploitation path through memory management and privilege levels

Next up: This stage equips you with deep kernel-level exploitation knowledge and hands-on experience with Windows internals, preparing you to tackle advanced topics like kernel mitigations (SMEP, SMAP, CFG), modern exploit techniques against hardened systems, and zero-day development in professional vulnerability research.

A Guide to Kernel Exploitation
Enrico Perla · 2010

Directly applies kernel internals knowledge to real exploitation scenarios across Linux and Windows kernels, covering kernel heap overflows, NULL pointer dereferences, and privilege escalation. Read after Russinovich to immediately operationalize that knowledge.

3

Modern Mitigations, Bypass Techniques & Shellcode Mastery

Expert

Master the full stack of modern exploit mitigations (ASLR, DEP/NX, stack canaries, CFG, SafeSEH) and the offensive techniques — ROP chains, JIT spraying, heap feng shui — used to defeat them.

Study plan for this stage

Pace: 8–10 weeks, ~40–50 pages/day, with 2–3 days per week dedicated to hands-on labs and exploit development

Key concepts
  • Defense-in-depth architecture: how ASLR, DEP/NX, stack canaries, and CFG work together as layered mitigations and their individual weaknesses
  • Information disclosure vulnerabilities as the foundation for defeating ASLR: leaking addresses from memory to break randomization
  • Return-Oriented Programming (ROP): gadget identification, chain construction, and exploitation across different architectures and mitigation scenarios
  • Heap exploitation techniques (heap feng shui, heap spraying) to achieve predictable memory layouts and bypass protections
  • JIT spraying and code generation attacks: exploiting just-in-time compilers to create executable code in non-executable regions
  • Stack canary bypass techniques: off-by-one writes, information leaks, and partial overwrites to circumvent stack protection
  • Control Flow Guard (CFG) and SafeSEH: understanding indirect call validation and techniques to forge or bypass these checks
  • Practical mitigation assessment: identifying which protections are enabled, measuring their effectiveness, and finding the weakest link in the chain
You should be able to answer
  • How does ASLR work, what information disclosures defeat it, and what role does it play in a defense-in-depth strategy?
  • What is a ROP chain, how do you identify gadgets in a binary, and how do you construct a working chain to bypass DEP/NX?
  • Explain the difference between stack canaries, their detection mechanisms, and at least two techniques to bypass them without knowing the canary value
  • What is heap feng shui, how does it enable exploitation, and how does it differ from heap spraying in terms of attacker control?
  • How does JIT spraying work, why is it effective against DEP/NX, and what conditions must be present for it to succeed?
  • Describe the purpose of CFG and SafeSEH, how they validate control flow, and what techniques can be used to forge or bypass these checks
Practice
  • Analyze a modern binary with ASLR, DEP/NX, and stack canaries enabled; identify information disclosure vulnerabilities and extract leaked addresses to defeat ASLR
  • Build a complete ROP chain from scratch using a tool like ROPgadget or Ropper: identify gadgets, chain them together, and execute a payload that bypasses DEP/NX on a 32-bit or 64-bit target
  • Exploit a stack canary-protected binary using an off-by-one write or information leak; demonstrate how to overwrite the return address without triggering the canary check
  • Perform heap feng shui on a vulnerable application: allocate and free objects in a specific pattern to achieve a predictable heap layout, then exploit a heap vulnerability to achieve code execution
  • Research and document the gadgets available in a real-world library (libc, kernel, or JIT runtime); explain which gadgets are most valuable for ROP chains and why
  • Write or adapt a proof-of-concept exploit that chains multiple mitigation bypasses together (e.g., information leak → ASLR defeat → ROP chain → code execution) on a modern target

Next up: This stage equips you with the offensive toolkit and deep understanding of modern defenses needed to transition into advanced topics like kernel exploitation, browser security, and zero-day development, where these same mitigations appear in hardened contexts and require sophisticated chaining of multiple bypass techniques.

The art of software security assessment
Mark Dowd · 2006 · 1187 pp

The most rigorous treatment of source- and binary-level vulnerability auditing available. It teaches the auditor's mindset needed to find exploitable bugs in complex codebases, covering integer flaws, format strings, and design vulnerabilities with exceptional depth.

4

Vulnerability Research, Fuzzing & Reverse Engineering

Expert

Develop a professional vulnerability research workflow: automated bug discovery via fuzzing, binary diffing, and triage — the skills that feed the exploit development pipeline with new targets.

Study plan for this stage

Pace: 8–10 weeks, ~40–50 pages/day (with lab time)

Key concepts
  • Binary file formats (ELF, PE, Mach-O) and how to parse them programmatically for vulnerability surface mapping
  • Static analysis techniques: control flow graphs, data flow analysis, and symbolic execution to identify suspicious code patterns
  • Dynamic analysis and instrumentation: using debuggers, DBI frameworks, and system call tracing to observe runtime behavior and detect anomalies
  • Fuzzing fundamentals: input generation, coverage-guided mutation, crash detection, and triage to automate bug discovery
  • Binary diffing and patch analysis: comparing patched vs. unpatched binaries to reverse-engineer vulnerability fixes and infer root causes
  • Reverse engineering workflows: disassembly, decompilation, and annotation strategies for efficient vulnerability hunting
  • Vulnerability classification and severity assessment: distinguishing exploitable flaws from benign bugs based on control flow and memory safety implications
You should be able to answer
  • How do you parse and extract meaningful information from ELF/PE headers and sections to identify code and data regions relevant to vulnerability research?
  • What is the difference between static and dynamic analysis, and when would you use each approach in a vulnerability research workflow?
  • How can control flow graphs and data flow analysis help identify potential vulnerability patterns (e.g., unchecked buffer writes, use-after-free)?
  • Describe a fuzzing campaign: how would you set up input generation, measure code coverage, detect crashes, and triage results to prioritize real vulnerabilities?
  • How do you use binary diffing to identify the root cause of a security patch, and why is this critical for exploit development?
  • What instrumentation and debugging techniques would you use to confirm a suspected vulnerability and understand its exploitability constraints?
Practice
  • Parse an ELF binary manually using readelf and objdump; then write a Python script using pyelftools to extract and analyze sections, symbols, and relocation entries
  • Disassemble a small C program with IDA Free or Ghidra; annotate the assembly, reconstruct the control flow graph, and identify data dependencies
  • Set up a fuzzing campaign using AFL or libFuzzer on a deliberately vulnerable C program (e.g., a simple image parser or protocol handler); measure coverage and triage crashes
  • Use binary diffing tools (e.g., Diaphora, BinDiff, or radiff2) to compare a vulnerable and patched version of the same binary; document the differences and infer the vulnerability
  • Instrument a target binary with DBI (e.g., Pin, Frida, or strace) to trace system calls and memory access patterns during execution; correlate traces with suspected vulnerability conditions
  • Conduct a mini vulnerability research project: select a real open-source binary, perform static analysis to identify candidate vulnerabilities, fuzz it, and document findings in a report

Next up: Mastery of binary analysis, fuzzing, and reverse engineering establishes the vulnerability discovery pipeline; the next stage will focus on converting these findings into working exploits by leveraging memory corruption primitives, control flow hijacking, and payload delivery mechanisms.

Practical Binary Analysis
Dennis Andriesse · 2018 · 456 pp

Covers ELF internals, binary instrumentation, taint analysis, and symbolic execution with hands-on tooling (including a custom disassembler). Placed here to give the researcher the binary analysis toolkit needed to triage fuzzer crashes and identify exploitable conditions.

5

Advanced Offensive Research & Real-World Exploit Engineering

Expert

Synthesize everything into professional-grade offensive research: writing reliable, weaponized exploits for real CVEs, understanding browser and kernel attack surfaces, and operating at the level of a full-time exploit developer.

Study plan for this stage

Pace: 8–10 weeks, ~40–50 pages/day with intensive lab work. Allocate 3–4 days per week for hands-on kernel debugging, rootkit analysis, and proof-of-concept development alongside reading.

Key concepts
  • Kernel architecture and privilege escalation mechanisms: understanding ring 0 vs. ring 3, system calls, and how rootkits subvert kernel control flow
  • Rootkit detection and evasion techniques: hooking strategies (SSDT, IAT, inline), anti-forensics, and hiding processes/files/network connections from userland tools
  • Memory manipulation and code injection: direct kernel object manipulation (DKOM), virtual memory exploitation, and persistence mechanisms
  • Windows internals exploitation: kernel data structures, interrupt handling, and leveraging undocumented APIs for low-level system access
  • Weaponization for real CVEs: applying rootkit techniques to actual vulnerability chains, building reliable exploits that survive modern mitigations (DEP, ASLR, CFG)
  • Forensic evasion and operational security: designing exploits that minimize detection signatures and maintain persistence across reboots
  • Cross-architecture thinking: understanding how rootkit principles apply to browser exploitation, hypervisor attacks, and firmware-level compromise
You should be able to answer
  • How do rootkits achieve and maintain kernel-level code execution, and what are the primary attack surfaces in Windows kernel architecture?
  • Explain the differences between SSDT hooking, IAT hooking, and inline hooking—when would you use each technique, and what are their detection/evasion trade-offs?
  • How can you hide a process, file, or network connection from userland forensic tools, and what kernel-level modifications are required?
  • Describe a complete kernel-level privilege escalation chain from a user-mode vulnerability to rootkit installation, including persistence mechanisms.
  • What are the modern mitigations (DEP, ASLR, CFG, KPP/HVCI) that defend against rootkit exploitation, and how can you engineer around them?
  • How would you weaponize a real CVE (e.g., a Windows kernel vulnerability) into a reliable, multi-stage exploit that achieves persistent kernel access?
Practice
  • Analyze a real rootkit sample (e.g., ZeroAccess, Stuxnet's rootkit component, or a public PoC) using WinDbg: trace kernel hooking, identify persistence mechanisms, and document the attack flow.
  • Implement a basic SSDT hook in a test kernel driver that intercepts a system call (e.g., NtCreateFile) and logs/modifies its behavior; test detection with rootkit scanners.
  • Build a kernel driver that hides a process from Task Manager and Process Explorer using DKOM (direct kernel object manipulation); document what data structures you modified.
  • Develop a proof-of-concept exploit for a real Windows kernel CVE (e.g., CVE-2021-1732, CVE-2020-0787) that achieves privilege escalation and kernel code execution.
  • Create a multi-stage exploit chain: user-mode vulnerability → kernel read/write primitive → rootkit installation → persistence across reboot; test on a VM with modern mitigations enabled.
  • Reverse-engineer a real kernel vulnerability patch (e.g., from Microsoft security bulletins) to understand the vulnerability, then write an exploit that bypasses the patch or targets an unpatched variant.

Next up: This stage establishes you as a kernel-level threat actor capable of weaponizing real vulnerabilities into persistent, evasive exploits—the foundation for understanding how to design defenses, conduct threat research, or move into specialized domains like hypervisor exploitation, firmware attacks, or supply-chain compromise.

The rootkit arsenal
Bill Blunden · 2009 · 850 pp

The deepest available treatment of post-exploitation persistence at the kernel and firmware level — covering rootkit design, hooking, and stealth techniques. The ideal capstone for an exploit developer who needs to understand the full offensive chain from initial exploitation to persistent access.

Discussion

Keep reading

Paths that share books, cover the same subject, or open a related topic.

Shares 4 books

The Best Books to Learn Reverse Engineering, In Order

Beginner12books158 hrs5 stages
Shares 3 books

The Best Books to Learn Assembly Language, In Order

Beginner9books133 hrs4 stages
Shares 2 books

Learn Web Application Security: The Best Books, in Order

Beginner7books101 hrs4 stages
Shares 1 book

The Best Books to Learn Malware Analysis, In Order

Beginner10books119 hrs5 stages
More on Perl programming

Learn Perl: The Best Programming Books, in Order

Beginner8books94 hrs4 stages
More on COBOL programming

Learn COBOL: The Best Books for Mainframe Programming

Beginner6books90 hrs4 stages

More on exploit development