Training 2017 - Windows Kernel Exploitation

From BruCON 2017

Windows Kernel Exploitation

This is the most requested training according to our previous students, so we had to bring him back! The devil is in the details, and for Windows, its kernel remains the most devilish part and the most important target from the point of view of exploitation these days. This Windows Kernel Exploitation course is a unique course by Ashfaq that is fast winning over the world. Ashfaq has delivered this course on all three major continents in the short span of a year, while disclosing many CVEs on a regular basis.

Course Description

We will start the course with Windows Kernel Internals and give hands-on practice in the techniques and procedures for Windows Kernel debugging and for grooming the kernel pool and stack. We will deep dive into fuzzing drivers and into exploit development/exploitation of various Windows Kernel Mode vulnerabilities. We will also look at different vulnerabilities in terms of code and at the mitigations applied to fix each vulnerability.

If you have the Windows operating system at hand and exploitation in your mind, or even if you want to write more robust and secure kernel modules and drivers for Windows, this world-popular course is just for you.

This training is focused on the exploitation of different Windows Kernel Mode vulnerabilities. We will cover the basics of Windows Kernel Internals and hands-on fuzzing of Windows Kernel Mode drivers. We will dive deep into exploit development for various kernel-mode vulnerabilities. We will also look at different vulnerabilities in terms of code and at the mitigations applied to fix them. This training assumes that attendees have little or no prior experience with Windows Kernel Internals or with kernel-land and user-land exploitation techniques.

Upon completion of this training, participants will be able to:

  • Learn basics of Windows Internals
  • Understand how to fuzz Windows Kernel mode drivers to find vulnerabilities
  • Learn the exploit development process in Kernel mode
  • Understand what a vulnerability looks like in driver code
  • Understand how a vulnerability can be mitigated in the code
  • Understand how to massage Kernel Pool and Stack
  • Get comfortable with Windows Kernel Debugging

Course Contents

Day 1

Windows Kernel Debugging

  • Setup Kernel Debugging
  • Setup Debugging Symbols
  • WinDbg-Fu

Windows Internals

  • Windows NT Architecture
  • Executive & Kernel
  • Hardware Abstraction Layer (HAL)
  • Privilege Rings
  • Key Data Structures

Memory Management

  • Virtual Address Space
  • Memory Pool & Allocator

Why Attack the Kernel?

  • User Mode vs Privileged Mode
  • User Mode Exploit Mitigations

Windows Driver Basics

  • I/O Request Packet (IRP)
  • I/O Control Code (IOCTL)
  • Data Buffering (Buffered I/O, Direct I/O, Neither Buffered Nor Direct I/O)

Fuzzing Windows Drivers (Hands-On)

  • Locating IOCTLs in Windows Drivers
  • Locating input entry points
  • Writing scripts to fuzz the discovered IOCTLs

Day 2

Quick Revision

  • Windows Internals
  • Memory Management
  • Windows Drivers Basics
  • Fuzzing Windows Drivers

Fuzzing Windows Drivers (Hands-On)

  • Playing with public fuzzers

Exploitation (Hands-On)

  • Pool Feng Shui/Pool Spraying (Lookaside List & ListHeads List)
  • Pool Overflow Exploitation
  • Time-of-check Time-of-use (TOCTOU)/Race Condition

Day 3

Quick Revision

  • Pool Feng Shui
  • Pool Overflow
  • Race Condition

Exploitation (Hands-On)

  • Insecure Kernel Resource Access (Logical Bug)

Kernel Payload (Hands-On)

  • Escalate Privilege of a Process from Kernel Debugger
  • Considerations when writing an Escalation of Privilege payload
  • Kernel Recovery (restoring a consistent kernel state after exploitation)

Exploit Mitigations

  • Kernel Address Space Layout Randomization (KASLR)
  • Supervisor Mode Execution Prevention (SMEP)

  • Assignment to write a full blown Windows Kernel exploit
  • Q/A and Feedback

Why attend?

Upon completion of this training, participants will be able to:

  • Get comfortable with Windows Kernel Debugging
  • Understand how the Kernel and Kernel Mode drivers work
  • Understand exploitation techniques for different software vulnerabilities
  • Understand how the Windows Pool Allocator works in order to write reliable exploits for complex bugs such as Pool Overflows and Use-after-Frees
  • Learn to write their own exploits for vulnerabilities found in the Kernel or in Kernel mode drivers
  • Understand vulnerabilities in terms of code and the mitigations applied to fix them

What will you get?

  • Printed Lab Manual
  • Training slides
  • Scripts and code samples
  • BSOD T-Shirt

Target audience

  • Bug Hunters & Red-Teamers
  • User Mode Exploit Developers
  • Windows Driver Developers & Testers
  • Anyone with an interest in understanding Windows Kernel exploitation
  • Ethical Hackers and Penetration Testers looking to upgrade their skill-set to the kernel level

Students should have:

  • Basics of User Mode Exploitation (good to have but not required)
  • Basics of x86 Assembly and C/Python (good to have but not required)
  • Familiarity with VMware/VirtualBox (only to run virtual machines)
  • Patience

Hardware/software Requirements

  • 8 GB Flash drive
  • A laptop capable of running two virtual machines simultaneously (8 GB of RAM)
  • 40 GB free hard drive space
  • Everyone should have Administrator privilege on their laptop

I attended Ashfaq's 'Windows Kernel Exploitation' at NullCon 2016. I must admit that the trainer explained the core concepts well enough and then quickly transitioned to a lab-driven training. The labs were well documented and used an open source vulnerable kernel driver for demonstration and practice. I can definitely recommend this course.

P.S. This one is an intense course and certainly not for the faint-hearted. ;-)

Vaibhav Gupta - Security Researcher at Adobe

This session has helped me get started on kernel exploits. You know what you need to study in areas you already know, but the most difficult part of learning a new field is that you do not know how to get started. This lecture is well suited for that purpose. It also has a variety of hands-on code, detailed explanations, and reference materials so you can study more easily after class.

Kim Youngsung - Security Engineer at LINE

The topic of kernel exploitation is vast, and may be overwhelming for a beginner. Sometimes I was reading related articles on the internet, but gaps in my knowledge didn't allow me to fully understand it. With the help of the material prepared by Ashfaq and the way he introduced it, everything became clear and logically connected. He is not only an expert in his field, but also a very modest and kind person, easy to interact with. Thanks to his course I got a ground for my own experiments and inspiration to research more.

Hasherezade - Low and high level programmer, malware analyst

Trainer Biography

Ashfaq Ansari is the founder of HackSys Team, code-named "Panthera". He is a Security Researcher with experience in various aspects of Information Security. He has authored "HackSys Extreme Vulnerable Driver" and "Shellcode of Death". He has also written and published various white papers on low-level software exploitation. His core interests lie in "Low Level Exploitation", "Reverse Engineering", "Program Analysis" and "Hybrid Fuzzing". He is a fanboy of Artificial Intelligence and Machine Learning. He is the chapter lead for null (Pune).

Twitter: @HackSysTeam

Mon. 2 - 4 October 2017 (09:00 - 17:00) (3-day) - Novotel Ghent Centrum