SandboxEscaper had a really useful and nice blog post on finding vulnerabilities, but it appears to have been deleted unfortunately. I’ve tried using archive.org/archive.is to find an archived copy of it, but it was fruitless. I thought posting what I recall from it might be useful for others.
- Manually searching might lead to some vulns that aren’t found with the fuzzers or scanners that most other researchers use.
- Testing whether n-days were actually patched, and looking for bypasses, might be fruitful.
- Looking around where 0/n-days were found in the past might be fruitful.
- Reading writeups from respectable researchers such as Project Zero members to learn and try to build an exploit from past n-days.
My tips: Read Windows Internals (the book), the WinAPI docs (Microsoft Docs), Intel’s assembly manuals, and Practical Reverse Engineering (book).