Windows Kernel Exploitation [Training]

This is an offline training by Juan Sacco on Windows Kernel Exploitation.

Throughout the course you will:

• Set up a robust development and debugging environment.
• Develop a minimal Windows software driver and debug it.
• Configure reverse-engineering tools Ghidra and WinDbg, and synchronise them with RetSync.
• Reverse-engineer drivers to identify and triage vulnerabilities.

Focus Areas

The training focuses on three primary exploit classes:

• Physical memory primitives
• WRMSR / RDMSR primitives
• Overflows (stack)

You will also learn kernel protections and mitigation, how they affect exploitability, and current bypasses or evasions for Windows 11.

Topics include:

• Kernel Patch Protection
• Stack canaries
• Code signing
• KASLR
• Shadow stack
• SMEP/SMAP
• Hypervisor-based protections
• Other kernel hardening mechanisms

Additionally, we’ll cover protection, filtering, and obfuscation techniques commonly used by software vendors within drivers to restrict or hide IOCTLs.

Hands-on Exercises & Materials

You will practice against real, vulnerable drivers and curated examples, including:

• The Exploit Pack drivers built by the instructors
• HEVD (HackSys Extreme Vulnerable Driver)
• Real-world vendor proof-of-concepts and examples

As takeaways, participants will receive access to the tools we use for vulnerability discovery and exploit development, including:

• IOCTL++
• Exploit templates
• Shellcode examples
• Additional tooling and supporting materials

Schedule & Delivery

• Start date: Friday, October 10, 2025
• Format: Offline, videos released biweekly (every two weeks)
• Total content: 4 videos (delivered across the course)

Support & Community

During the training, you may use our Discord channel #exploit-development to share progress, ask questions, and collaborate with instructors and other participants.