• Goa-2021
  • Training
  • Windows Kernel Exploitation Advanced

Windows Kernel Exploitation Advanced

Ashfaq Ansari

Registration Closed
Ashfaq Ansari

Trainer Name: Ashfaq Ansari
Title: Windows Kernel Exploitation Advanced
Duration: 4 Days
Dates: 22nd - 25th March 2021
Time: 2.00 PM to 6.00 PM IST
Delivery Mode: via Zoom.us and Discord Platform


This is the advanced version of the Windows Kernel Exploitation Foundation course. In this course, we will use Windows 10 RS6 x64 for all the labs and has a CTF that runs throughout the training.

This course starts with the changes in Windows 10, basics of Windows & driver internals, different memory corruption classes and fuzzing of kernel mode drivers. We will understand pool manager internals in order to groom kernel pool memory for reliable exploitation of pool-based vulnerabilities.

We will also look into how we can bypass kASLR, kLFH, and do hands-on exploitation using Data-Only attack, which effectively bypasses SMEP and other exploit mitigation.

Upon completion of this training, participants will be able to learn:

  • Basics of Windows and driver internals
  • Different memory corruption classes
  • Fuzz kernel mode drivers to find vulnerabilities
  • Exploit development process in kernel mode
  • Mitigation bypasses
  • Pool internals & Feng-Shui
  • Kernel debugging

Day 1

  • Windows 10
    • Architecture
  • Fuzzing Windows Drivers
    • Locating IOCTLs in Windows drivers
    • Sanitizers
      • Special Pool
    • Fuzzing the discovered IOCTLs
  • Exploit Mitigations
    • Kernel Address Space Layout Randomization (kASLR)
      • Understand kASLR
      • Breaking kASLR using kernel pointer leaks

Day 2

  • Supervisor Mode Execution Prevention (SMEP)
    • SMEP concepts
    • Breaking/bypassing SMEP
  • Exploitation
    • Arbitrary Memory Overwrite
      • Understand the vulnerability
      • Achieving privilege escalation

Day 3

  • Quick Revision
    • Fuzzing
    • kASLR
    • SMEP
    • Arbitrary Memory Overwrite
  • Pool Manager
    • Internals (kLFH)
    • Feng-Shui
  • Exploitation
    • Memory Disclosure
      • Understand the vulnerability
      • Leak function pointer
      • Calculate driver base address

Day 3

  • Pool Overflow
    • Understand the vulnerability
    • Finding corruption target
    • Grooming target pool
    • Achieving arbitrary read/write primitive (data-only attack)
    • Gaining local privilege escalation
      • Different places to corrupt
      • Capture The Flag
        • Time to finish the CTF
        • Discuss any other vulnerability class if the students want and time permits
      • Miscellaneous
        • Assignment to write a blog post about the vulnerability exploited during CTF
        • Q/A and Feedback

      Who should attend?

      • Windows Kernel Exploitation Foundation attendees
      • Bug Hunters & Red Teamers
      • User-mode Exploit Developers
      • Windows driver developers & testers
      • Anyone with an interest in understanding Windows Kernel exploitation
      • Ethical Hackers and Penetration Testers looking to upgrade their skill-set to the kernel level

      Why attend?

      Upon completion of this training, participants will be able to:

      • Understand exploitation techniques to defeat mitigation like SMEP and kASLR
      • Understand how Windows Pool allocator works in order to write a reliable exploit for complex bugs like pool buffer overflow and use after free
      • Learn to write exploits for the found vulnerabilities in the kernel or kernel mode components


      • Basic operating system concepts
      • Good understanding of user mode exploitation
      • Basics of x86/x64 Assembly and C/Python
      • Patience

      Hardware & Software Requirement

        • 8 GB Flash drive
        • A laptop capable of running two virtual machines simultaneously (8 GB+ of RAM)
        • 40 GB free hard drive space
        • Vmware Workstation/Player and VirtualBox installed
        • Everyone should have Administrator privilege on their laptop

        What to Expect?

        • Hands-on
        • WinDbg-Fu
        • Fast & Quick Overview of Windows Internals
        • Techniques to exploit Windows Kernel/Driver vulnerabilities

        What students will be provided with?

        • Training slides
        • Scripts and code samples
        • BSOD T-Shirt

        About the Trainer

        Ashfaq Ansari a.k.a "HackSysTeam", is a vulnerability researcher and specializes in software exploitation. He has authored "HackSys Extreme Vulnerable Driver (HEVD)" which has helped many folks to get started with Windows kernel exploitation. He holds numerous CVEs under his belt and is the instructor of "Windows Kernel Exploitation" course. His core interest lies in Low- Level Software Exploitation both in User and Kernel Mode, Vulnerability Research, Reverse Engineering, Hybrid Fuzzing, and Program Analysis.
        Twitter Handle: @HackSysTeam

Copyright © 2019-20 | Nullcon India | International Security Conference | All Rights Reserved