OSED — Map of Content

The OSED is fundamentally a pattern catalog. This page is the catalog. Every technique gets its own atomic note linked here. Re-finding the pattern under exam pressure is the goal.

Stack-based techniques

• seh-overflow — when the saved return address is too far but the SEH record isn’t
• stack-pivot — moving ESP into controllable memory
• egghunter — small landing pad finds the larger payload elsewhere in memory

ROP / DEP bypass

• rop-chain-virtualprotect — mark shellcode region executable
• rop-decoder — decode shellcode bytes that contain bad chars
• writeprocessmemory-bypass — alternative to VirtualProtect when blocked

ASLR bypass

• format-string-leak — leak module base via %x/%s primitives
• partial-eip-overwrite — when only the low byte of EIP is corruptible

Custom shellcoding

• pic-shellcode-skeleton — PEB-walking to find kernel32
• shellcode-encoder — when bad chars block direct payload

Reference

• bad-chars — the canonical bad-char comparison method
• windbg-cheat — the commands you’ll re-type 100 times

Snippets I keep grabbing

• pattern-create
• badchars-py
• mona-commands

Open questions

• Best practice for stack-pivoting when ESP can only be moved to a fixed address?
• When does SafeSEH allow chains anyway (non-SafeSEH module mixed in)?