Trainer Name: Ashfaq Ansari, Krishnakant Patil

Title: Windows Kernel Exploitation Foundation & Advanced

Duration: 3 Days

Dates: Sept. 20, 2023 to Sept. 22, 2023

Training Objectives

This is the combined version of the Windows Kernel Exploitation Foundation & Advanced course. In this course, we use Windows 10 x64 for all the labs, and a CTF runs throughout the training.

This course starts with the Foundation course and builds the mindset required for the Advanced course. During this course, students will learn the basics of Windows & driver internals, different memory corruption classes, and fuzzing of kernel mode drivers. We will understand pool manager internals in order to groom kernel pool memory for reliable exploitation of pool-based vulnerabilities.

We will also look into how we can bypass kASLR, kLFH, and KPTI, and do hands-on exploitation using a data-only attack, which effectively bypasses SMEP and other exploit mitigations.

Upon completion of this training, participants will have learned:

  • Basics of Windows and driver internals
  • Different memory corruption classes
  • How to fuzz kernel mode drivers to find vulnerabilities
  • The exploit development process in kernel mode
  • Mitigation bypasses
  • Pool Internals & Feng-Shui
  • Kernel debugging

Training level: Intermediate; Advanced


Training Outlines

Day 1 (Foundation)

  • Windows Internals
      • Architecture
      • Executive & Kernel
      • Hardware Abstraction Layer (HAL)
      • Privilege Rings

  • Memory Management
      • Virtual Address Space
      • Memory Pool

  • Driver Internals
      • I/O Request Packet (IRP)
      • I/O Control Code (IOCTL)
      • Data Buffering

  • Fuzzing Windows Drivers (multiple drivers)
      • Locating IOCTLs in Windows drivers
      • Memory Sanitizers
      • Special Pool
      • Fuzzing the discovered IOCTLs
      • Analyze the crashes

  • Exploitation
      • Stack Buffer Overflow (SMEP & KPTI disabled)
          • Understand the vulnerability
          • Achieving code execution

  • Escalation of Privilege Payload
      • Kernel State Recovery

Day 2 (Advanced)

  • Quick Revision
      • Internals
      • Fuzzing
      • Stack Buffer Overflow
      • EoP Payload

  • Exploit Mitigations
      • Kernel Address Space Layout Randomization (kASLR)
          • Understanding kASLR
          • Breaking kASLR using kernel pointer leaks
      • Supervisor Mode Execution Prevention (SMEP)
          • SMEP concepts
          • Breaking/bypassing SMEP
      • Kernel Page Table Isolation (KPTI/KVA Shadow)
          • KPTI concept
          • Breaking/bypassing KPTI

  • Exploitation
      • Stack Buffer Overflow (SMEP & KPTI enabled)
          • Understand the vulnerability
          • Achieving code execution

  • Arbitrary Memory Overwrite
      • Understand the vulnerability
      • Achieving privilege escalation

  • Pool Manager
      • Internals (kLFH)
      • Feng-Shui

  • Exploitation
      • Memory Disclosure
          • Understand the vulnerability
          • Leak function pointer
          • Calculate driver base address

Day 3 (Advanced)

  • Quick Revision
      • kASLR
      • SMEP
      • Feng-Shui
      • Memory Disclosure

  • Exploitation
      • Pool Overflow
          • Understand the vulnerability
          • Finding corruption target
          • Grooming target pool
          • Achieving arbitrary read/write primitive (data-only attack)
          • Gaining local privilege escalation
          • Different places to corrupt

  • Capture The Flag
      • Time to finish the CTF
      • Discuss any other vulnerability class if the students want and time permits

  • Miscellaneous
      • Assignment to write a blog post about the vulnerability exploited during the CTF
      • Q/A and Feedback

What to Bring?

Hardware & Software Requirements

  • A laptop capable of running two virtual machines simultaneously (8 GB+ of RAM) - Intel processors only
  • 40 GB free hard drive space
  • VMware Workstation/Player installed
  • Everyone should have Administrator privileges on their laptop

Training Prerequisite

Prerequisites

  • Basic operating system concepts
  • Familiarity with vulnerability classes
  • Basics of x86/x64 assembly and C/Python
  • Basics of ROP
  • Patience

Who Should Attend?

  • Information security professionals
  • Bug Hunters & Red Teamers
  • User-mode exploit developers
  • Windows driver developers & testers
  • Anyone with an interest in understanding Windows Kernel exploitation
  • Ethical hackers and penetration testers looking to upgrade their skill set to the kernel level

What to Expect?

  • Hands-on
  • WinDbg-Fu
  • Fast & quick overview of Windows internals
  • Techniques to exploit Windows kernel/driver vulnerabilities

What attendees will get

  • Training slides
  • Scripts and code samples
  • Discord access
  • BSOD T-Shirt (only if the in-person class happens)

What not to expect?

Becoming a kernel master in 3 days of training

About the Trainer

Ashfaq Ansari, a.k.a. "HackSysTeam", is a vulnerability researcher who specializes in software exploitation. He has authored "HackSys Extreme Vulnerable Driver (HEVD)", which has helped many folks get started with Windows kernel exploitation. He has numerous CVEs under his belt and is the instructor of "The Windows Kernel Exploitation" course. His core interest lies in Low-Level Software Exploitation in both User and Kernel Mode, Vulnerability Research, Reverse Engineering, Hybrid Fuzzing, and Program Analysis.

Twitter Handle: @HackSysTeam