100+ Free OSEE Practice Questions

Pass your OffSec Exploitation Expert (OSEE) exam on the first try — instant access, no signup required.

Key Facts: OSEE Exam (2026 statistics)

  • Exam Duration: 72 hrs (OffSec; 71h45m practical)
  • Passing Score: 75/100 (OffSec)
  • Targets in Exam: 2 (OffSec)
  • Learn One Price: $2,499 (OffSec, annual)
  • Validity: 3 yrs (OffSec, since 2023)
  • Difficulty: Expert (hardest OffSec cert)

The OSEE exam is NOT a multiple-choice test — it is a 71h45m hands-on exploit-development lab with 2 unknown-vulnerability targets worth 50 points each (75 of 100 to pass), plus 24 hours for the report. Our 100 practice questions prepare the underlying knowledge (kernel internals, mitigation bypasses, ROP, pool exploitation, driver fuzzing, WinDbg); they do NOT replicate the exam format. Certification is valid for 3 years. Prerequisite: attendance of live EXP-401 (in-person or virtual live).

Sample OSEE Practice Questions

Try these sample questions to test your OSEE exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. In modern 64-bit Windows exploitation, what does HVCI (Hypervisor-protected Code Integrity) primarily prevent an attacker from doing in kernel mode?
A. Overwriting the IDT to hijack interrupts
B. Executing unsigned code pages in kernel memory
C. Reading KUSER_SHARED_DATA from user mode
D. Using DeviceIoControl to reach a driver
Explanation: HVCI, part of Virtualization-Based Security, enforces that all code executed in kernel mode must be signed and its pages cannot be simultaneously writable and executable. This kills classic 'write shellcode into a non-paged pool then jump to it' techniques, forcing attackers toward pure ROP/JOP chains that call legitimate signed code. The IDT is protected by other mechanisms; KUSER_SHARED_DATA is read-mapped into user mode by design; DeviceIoControl is the normal IOCTL path and not blocked by HVCI.

2. Which WinDbg command lists all loaded kernel driver objects and is commonly used during OSEE-style IOCTL analysis?
A. !process 0 0
B. !drvobj <driver> 2
C. !peb
D. lm vm nt
Explanation: `!drvobj <driver> 2` displays the DRIVER_OBJECT for the named driver including the MajorFunction dispatch table, which is exactly where IRP_MJ_DEVICE_CONTROL handlers live. That handler is the starting point for reverse engineering IOCTLs. `!process 0 0` lists processes, `!peb` shows the process environment block (user mode), and `lm vm nt` shows modules of the kernel.

3. On Windows 10/11 x64, what is the offset commonly traversed from KPROCESS/EPROCESS to locate the Token pointer used in SYSTEM token-stealing shellcode?
A. A fixed offset of 0x48 across all builds
B. A build-specific offset that must be resolved per Windows version
C. Always at offset 0x2E0 since Windows 7
D. Stored in the PEB at fs:[0x30]
Explanation: The Token field inside EPROCESS has moved across Windows builds. Modern exploits resolve it dynamically (per build/patch level) rather than hard-coding an offset. Relying on a single fixed value will crash the kernel on any non-matching build. PEB at fs:[0x30] is a user-mode concept and unrelated to the kernel Token field.

4. Which IOCTL macro layout field in Windows DDK describes whether buffered I/O, direct I/O, or neither is used for the request?
A. DeviceType
B. FunctionCode
C. TransferType (Method)
D. Access
Explanation: CTL_CODE macros encode DeviceType, Access, FunctionCode, and TransferType (a.k.a. Method): METHOD_BUFFERED, METHOD_IN_DIRECT, METHOD_OUT_DIRECT, and METHOD_NEITHER. The Method directly affects how user input buffers are mapped into kernel context, which is critical for exploit primitives — METHOD_NEITHER in particular historically led to probe-and-lock bugs.

5. Which mitigation makes a classic 'smash the stack and jump to shellcode on the kernel stack' unreliable even without HVCI?
A. SMEP (Supervisor Mode Execution Prevention)
B. ASLR of ntdll
C. CFG user-mode
D. Control Flow Enforcement (CET) on user processes only
Explanation: SMEP prevents kernel-mode code from executing user-mode pages. Even if you corrupt a kernel return address, jumping to a user-mode mapping containing shellcode will #GP. This is why attackers pivot to kernel ROP/JOP. ASLR of ntdll is user-mode. CFG user-mode and user-only CET do not protect ring 0.

6. In pool grooming for a kernel UAF, what is the primary purpose of spraying objects of a controlled size before freeing the vulnerable allocation?
A. To exhaust virtual address space
B. To place a controlled object in the freed chunk so a dangling pointer dereferences attacker data
C. To bypass KASLR
D. To trigger a bug check for analysis
Explanation: Pool grooming arranges the pool allocator so that after the vulnerable object is freed, the next allocation of the same size lands in the same chunk — now populated with attacker-controlled contents. When the driver later dereferences the dangling pointer it operates on attacker data, yielding read/write or RIP control. The other options are unrelated.

7. What is the fundamental reason a kernel ROP chain typically calls nt!NtAllocateVirtualMemory or similar to create an executable user-mode page?
A. To bypass KASLR
B. To bypass HVCI so shellcode can run in user mode while still privileged
C. To avoid triggering PatchGuard
D. To prevent SMAP violations
Explanation: Under HVCI, kernel pages cannot be marked WX. A common strategy is to use a kernel ROP chain that, while running with high integrity, allocates and switches execution into a user-mode executable page (or simply returns to user mode with a modified token). PatchGuard and KASLR are different concerns; SMAP is about kernel reading user memory.

8. Which Sysinternals or DDK tool is most useful for enumerating all loaded drivers and their symbolic device names during IOCTL hunting?
A. Procmon
B. WinObj
C. Process Explorer
D. Autoruns
Explanation: WinObj displays the Windows Object Manager namespace, including \Device and \GLOBAL?? symbolic links used to open drivers via CreateFile. This is the fastest way to identify attackable device objects. Procmon traces runtime activity, Process Explorer lists processes, Autoruns focuses on persistence entries.

9. Which primitive is the most valuable intermediate goal when exploiting a modern kernel heap bug under HVCI/CET?
A. Stack-only buffer overflow
B. Arbitrary kernel read/write
C. Local privilege escalation via UAC
D. Stealing NTLM hashes
Explanation: Arbitrary read/write in kernel lets you locate EPROCESS, steal a SYSTEM token, or patch PTEs — all without needing executable kernel pages. Modern kernel exploits almost universally aim for arb R/W. Stack overflows alone are less flexible under mitigations; UAC bypass is a separate unrelated class; NTLM theft is a credential-access goal, not an exploit primitive.

10. Which of the following is TRUE about Windows x64 calling conventions that an exploit developer must account for in ROP chains?
A. First four integer arguments are in RCX, RDX, R8, R9
B. All arguments are pushed on the stack as in cdecl
C. Arguments are in RAX, RBX, RCX, RDX in order
D. Only RCX is used; remaining args are on the stack
Explanation: The Microsoft x64 calling convention passes the first four integer/pointer arguments in RCX, RDX, R8, R9, with remaining arguments on the stack and a 32-byte shadow space reserved by the caller. Correctly staging these registers via ROP gadgets is essential for invoking Win32/NT APIs from a corrupted call flow.
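As an added example (not code from this page or from OffSec), a Python decoder for the CTL_CODE layout that question 4 describes: it splits a 32-bit IOCTL code into DeviceType, Access, FunctionCode and Method, and flags METHOD_NEITHER codes, whose handlers receive raw user pointers and must validate them themselves. The first two codes are the real IOCTL_DISK_GET_DRIVE_GEOMETRY and IOCTL_STORAGE_QUERY_PROPERTY values; the third is a constructed code for a hypothetical third-party driver.

```python
from dataclasses import dataclass

# Field names from winioctl.h; the two-bit Access field is a bitmask of
# FILE_READ_ACCESS (1) and FILE_WRITE_ACCESS (2).
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}


@dataclass(frozen=True)
class IoctlFields:
    device_type: int   # bits 16..31
    access: int        # bits 14..15
    function: int      # bits 2..13
    method: int        # bits 0..1 (TransferType)


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Same bit layout as the DDK CTL_CODE macro."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> IoctlFields:
    """Inverse of ctl_code: pull the four fields back out of a 32-bit code."""
    return IoctlFields(device_type=(code >> 16) & 0xFFFF,
                       access=(code >> 14) & 0x3,
                       function=(code >> 2) & 0xFFF,
                       method=code & 0x3)


def needs_manual_probing(code: int) -> bool:
    """METHOD_NEITHER passes the caller's buffer pointers straight through, so the
    handler itself must probe and lock them; the other three methods are mediated
    by the I/O manager (buffer copied or MDL-mapped before the driver sees it)."""
    return decode_ioctl(code).method == 3


def describe(code: int) -> str:
    f = decode_ioctl(code)
    return (f"0x{code:08X}: DeviceType=0x{f.device_type:X} Function=0x{f.function:03X} "
            f"{METHOD_NAMES[f.method]} {ACCESS_NAMES[f.access]}")


# Real codes from the public SDK headers, plus one constructed code for a
# hypothetical third-party driver in the vendor device-type range (>= 0x8000).
IOCTL_DISK_GET_DRIVE_GEOMETRY = 0x00070000
IOCTL_STORAGE_QUERY_PROPERTY = 0x002D1400
HYPOTHETICAL_VENDOR_IOCTL = ctl_code(0x8000, 0x800, 3, 0)  # constructed value

if __name__ == "__main__":
    for c in (IOCTL_DISK_GET_DRIVE_GEOMETRY, IOCTL_STORAGE_QUERY_PROPERTY,
              HYPOTHETICAL_VENDOR_IOCTL):
        flag = "  <- handler must probe user pointers" if needs_manual_probing(c) else ""
        print(describe(c) + flag)
```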

About the OSEE Exam

The OffSec Exploitation Expert (OSEE) is the hardest certification OffSec offers. The underlying EXP-401 course (Advanced Windows Exploitation) covers 64-bit Windows kernel exploitation, driver IOCTL reversing, pool grooming, mitigation bypasses (HVCI, KASLR, SMEP/SMAP, CET, CFG), complex heap manipulation, and browser sandbox escapes. The exam is 100% practical.

  • Questions: 2 scored questions
  • Time Limit: 71 hours 45 minutes + 24 hours reporting
  • Passing Score: 75/100 points
  • Exam Fee: $2,499 (Learn One annual subscription), per OffSec (Offensive Security)

OSEE Exam Content Outline

Windows Kernel Exploitation (64-bit) (Core)

EPROCESS traversal, token stealing, PTE manipulation, pool grooming (Segment/LFH), arbitrary R/W primitives, KASLR/SMEP/SMAP/HVCI bypass, kernel ROP chains

Driver Reverse Engineering & Fuzzing (Core)

WDM drivers, IRP/DeviceIoControl, IOCTL fuzzing, IDA/Ghidra/WinDbg workflows, parsing driver dispatch tables, identifying insecure IOCTL handlers

Heap Exploitation & Mitigation Bypass (Core)

Low Fragmentation Heap (LFH), Segment Heap, use-after-free, type confusion, CFG/CET/shadow-stack bypass, ROP gadget discovery, VirtualProtect/NtWriteVirtualMemory chains

Browser & Sandbox Escape (Core)

v8 JIT basics, Chrome/Edge renderer bugs, Windows integrity levels, AppContainer escape techniques, token manipulation to escape sandboxes

How to Pass the OSEE Exam

What You Need to Know

  • Passing score: 75/100 points
  • Exam length: 2 questions
  • Time limit: 71 hours 45 minutes + 24 hours reporting
  • Exam fee: $2,499 (Learn One annual subscription)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

OSEE Study Tips from Top Performers

1. Master WinDbg: !process, !thread, !pool, !drvobj, !analyze -v, .trap, kernel-mode debugging with a second VM
2. Read real kernel CVE writeups (CVE-2023/2024 win32k, CLFS, AFD.sys) — understand why the primitive works
3. Practice IOCTL reversing on HEVD (HackSys Extreme Vulnerable Driver) before attempting EXP-401 labs
4. Write your own ROP chains by hand before relying on tools — understand gadget side effects
5. Understand HVCI/VBS: why shellcode execution is effectively dead and you must ROP in kernel
6. Review EPROCESS offsets per Windows build — they change; use !process 0 0 in a live debugger
7. This is a practical exam — treat our questions as knowledge checks, not exam simulators

Frequently Asked Questions

Is the OSEE exam multiple choice?

No. The OSEE exam is 100% practical and hands-on — there are no multiple-choice questions. You get 71 hours 45 minutes in a controlled virtual lab to discover and exploit unknown vulnerabilities in 2 target systems, then 24 hours to submit a professional pentest report. Our 100 practice questions on this site build the underlying knowledge (kernel internals, mitigation bypasses, ROP, driver reversing). They do not replicate the real exam.

What is the OSEE passing score?

You need 75 out of 100 points to pass. The exam contains 2 assignments; each awards 25 points for partial completion and 50 points for full completion. This means you cannot pass on partial completion of both — you must fully complete at least one assignment and get meaningful progress on the other.

What are the prerequisites for OSEE?

Unlike most OffSec certifications, EXP-401 (the OSEE course) historically required attendance of a live in-person training session at Black Hat or a dedicated OffSec event, though OffSec has increasingly offered live-virtual delivery. Technical prerequisites: solid x86/x64 assembly, C programming, Windows internals, familiarity with WinDbg, and typically OSED as a stepping stone.

How long does the OSEE exam take?

71 hours 45 minutes for the practical (you run the clock — sleep and eat on your own schedule), followed by a 24-hour documentation/reporting window to submit the professional pentest report. Total time commitment: ~96 hours over 4 days.

How hard is the OSEE compared to OSCP?

OSEE is dramatically harder than OSCP. OSCP tests broad penetration-testing workflow against known vulnerability classes; OSEE requires you to find and exploit unknown zero-day-style vulnerabilities in highly-mitigated modern Windows targets using custom kernel ROP chains, heap grooming, and mitigation bypasses. Community estimates put OSEE pass rates well below 25% on first attempt.

How should I prepare for OSEE with free practice questions?

Use our 100 OSEE practice questions to stress-test your conceptual knowledge of Windows kernel internals (EPROCESS, tokens, PTEs), mitigations (HVCI, KASLR, SMEP/SMAP, CET, CFG), pool/heap exploitation, driver IOCTL analysis, and WinDbg debugging. Weak areas flagged by the practice questions point you back to the EXP-401 labs and published CVE writeups for hands-on drill.