Windows Kernel Exploitation : Foundation


Windows Kernel Exploitation : Foundation


Duration: 2 Days


  • This is a fast paced course designed to introduce attendees to Windows Kernel Exploitation.
  • We will cover basics of Windows Kernel Internals and hands-on fuzzing of Windows Kernel Mode drivers. We will dive deep into exploit development of Pool based buffer overflow vulnerability in kernel driver.

Upon completion of this training, participants will be able to:

  • Learn basics of Windows Internals
  • Understand how to fuzz Windows Kernel mode drivers to find vulnerabilities
  • Learn the exploit development process in Kernel mode

Course Content:

  • Windows Internals
    • Windows NT Architecture
    • Executive and Kernel
    • Hardware Abstraction Layer (HAL)
    • Privilege Rings
  •  Memory Management
    • Virtual Address Space
    • Memory Pool
    • Pool Allocator
  • Why to Attack Kernel?
    • User Mode vs Privileged Mode
    • User Mode Exploit Mitigation
  • Windows Driver Basics
    • I/O Request Packet (IRP)
    • I/O Control Code (IOCTL)
    • Data Buffering
  • Fuzzing Windows Kernel
    • IOCTL Fuzzing
  •  Exploitation
    • Pool Overflow
  •  Kernel Payload
    • Escalation of Privilege Payload
    • Kernel Recovery
  •  Miscellaneous
    • Q/A and Feedback

Who should attend?

  • Information Security Professionals
  • Anyone with an interest in understanding Windows Kernel exploitation
  • Ethical Hackers and Penetration Testers looking to upgrade their skill-set to the kernel level

Why attend?

Upon completion of this training, participants will be able to:

  • Understand how kernel and kernel mode driver works
  • Understand exploitation techniques in kernel mode
  • Understand how Windows Pool Allocator works in order to write reliable exploit for complex bugs like Pool Overflow(s) and Use After Free(s)
  • Learn to write own exploits for the found vulnerabilities in Kernel or Kernel mode drivers


  • Basics of User Mode Exploitation
  • Basics of x86 Assembly and C/Python
  • Familiarity with Vmware/VirtualBox
  • Familiarity with WinDbg
  • Patience

Hardware & Software Requirement:

  • A laptop capable of running two virtual machines simultaneously (8 GB of RAM)
  • 40 GB free hard drive space
  • Everyone should have Administrator privilege on their laptop

What to Expect?

  • Fast & Quick Overview of Windows Internals
  • WinDbg-Fu
  • Windows Kernel Drivers Basics/IOCTL/IRP
  • Techniques to Exploit Windows Kernel/Driver vulnerabilities

What Not to Expect?

  • Elite Kernel Hacker in two/three day(s)
  • Basics of ASM/C/Python


Ashfaq Ansari