VADER-RCE // FIELD MANUAL

0-Day Remote Code Execution Research Program

// MISSION BRIEF

This is the complete training curriculum for the VADER-RCE program. Every chapter is written in field manual format — direct, annotated, no filler. The doctrine comes from the 0x1security research framework:

Search for knowledge, not for 0-days. The understanding produces the bugs.

CRASH → LEAK MEMORY → EXECUTE CODE → CVE → BOUNTY

Target: mpengine.dll (Microsoft Malware Protection Engine). Runs as SYSTEM. Parses every file format. Network-reachable via email attachment. RCE = $100k–$150k bounty.

22 TOTAL CHAPTERS | 22 COMPLETE | 5 VOLUMES | 15389 LINES WRITTEN

VOL I BOOT CAMP — Memory Corruption Foundations (4/4 COMPLETE)
  • 01 Heap Internals — The Ammunition Depot: heap vs stack, Windows heap arch, LFH, segment heap (COMPLETE)
  • 02 Overflow Patterns — The Corruption Playbook: stack/heap/integer overflow, off-by-one, heap grooming (COMPLETE)
  • 03 UAF & Type Confusion — The Ghost and the Impostor: object lifecycles, dangling pointers, vtable hijack, double-free (COMPLETE)
  • 04 Mitigations — The Walls They Built: DEP, ASLR, CFG, CET, ACG, stack cookies, heap hardening (COMPLETE)
VOL II WEAPONS SCHOOL — Offensive Operations (4/4 COMPLETE)
  • 05 Fuzzing Theory — The Automated Assault: coverage-guided fuzzing, WinAFL, harness design, seed corpus (COMPLETE)
  • 06 Crash Triage — Separating Gold From Gravel: WinDbg, !exploitable, dedup, exploitability assessment (COMPLETE)
  • 07 Exploit Primitives — Building The Kill Chain: info leak, arb read/write, ROP, JOP, stack pivot (COMPLETE)
  • 08 Target Reversing — Know Thy Enemy: IDA/Ghidra, PE analysis, attack surface mapping, mpengine deep dive (COMPLETE)
VOL III CAMPAIGN OPS — Live Fire Against mpengine.dll (4/4 COMPLETE)
  • 09 Harness Engineering — Forging The Weapon: WinAFL harness for mpengine, persistent mode, DynamoRIO setup (COMPLETE)
  • 10 Corpus & Dictionary Design — Feeding The Machine: minimal seeds per format, magic bytes, mutation strategy (COMPLETE)
  • 11 Campaign Management — The Long War: RunPod 24/7 ops, coverage tracking, pivot decisions, weekly triage (COMPLETE)
  • 12 Exploit Development — From Crash to Shell: heap spray, grooming, reliability, mitigation bypass chains (COMPLETE)
VOL IV WAR COLLEGE — Strategic Doctrine (4/4 COMPLETE)
  • 13 The 0x1security Doctrine — Search For Knowledge, Not For Bugs: trust boundaries, the mentor's framework, research methodology (COMPLETE)
  • 14 Case Studies — CVEs That Changed The War: CVE-2021-1647, CVE-2021-31985, CVE-2026-45584, Tavis Ormandy's work (COMPLETE)
  • 15 Post-Exploitation — Holding Ground After Breach: persistence, lateral movement, C2, privilege escalation chains (COMPLETE)
  • 16 Responsible Disclosure — The Warrior's Code: MSRC submission, bounty process, CVE lifecycle, ethics of 0-day (COMPLETE)
VOL V SPECIAL FORCES — Domain Warfare (6/6 COMPLETE)
  • 17 Network Warfare — TCP/IP From The Attacker's Perspective: packet anatomy, ARP/DNS attacks, MITM, port scanning, firewall evasion (COMPLETE)
  • 18 Cryptography & Evasion — The Art of Hiding: XOR, AES, obfuscation, packing, AMSI bypass, ETW blinding (COMPLETE)
  • 19 Living Off The Land — The Enemy's Tools Are Your Tools: LOLBins, rundll32, mshta, odbcconf, PowerShell tradecraft (COMPLETE)
  • 20 Active Directory Warfare — Conquering The Domain: BloodHound, Kerberoasting, DCSync, Golden Ticket, lateral movement (COMPLETE)
  • 21 Web Application Warfare — OWASP and Beyond: SQLi, XSS, SSRF, deserialization, auth bypass, RCE through web (COMPLETE)
  • 22 OSINT & Social Engineering — The Human Factor: recon, HUMINT, phishing, pretexting, physical security (COMPLETE)