Windows Kernel Exploitation [Training]

This is a training by Juan Sacco on Windows Kernel Exploitation.

Throughout the course, you will:

• Set up a robust development and debugging environment.
• Develop a minimal Windows software driver and debug it.
• Configure reverse-engineering tools Ghidra and WinDbg, and synchronise them with RetSync.
• Reverse-engineer drivers to identify and triage vulnerabilities.

The training focuses on three primary exploit classes:

• Physical memory primitives
• WRMSR / RDMSR primitives
• Overflows (stack)

You will also learn kernel protections and mitigation, how they affect exploitability, and current bypasses or evasions for Windows 11.

Topics include:

• Kernel Patch Protection
• Stack canaries
• Code signing
• KASLR
• Shadow stack
• SMEP/SMAP
• Hypervisor-based protections
• Other kernel hardening mechanisms

Additionally, we’ll cover protection, filtering, and obfuscation techniques commonly used by software vendors within drivers to restrict or hide IOCTLs.

Hands-on Exercises & Materials

You will practice against real, vulnerable drivers and curated examples, including:

• The Exploit Pack drivers built by the instructors
• HEVD (HackSys Extreme Vulnerable Driver)
• Real-world vendor proof-of-concepts and examples

As takeaways, participants will receive access to the tools we use for vulnerability discovery and exploit development, including:

• IOCTL++
• Exploit templates
• Shellcode examples
• Additional tooling and supporting materials

Schedule & Delivery

• Format: Pre-recorded videos, learn at your own pace.
• Content: A total of 4 videos, downloadable tools and materials delivered progressively throughout the course.
• Exercises: Included in the training. 
• Availability: You will receive a new module biweekly (every two weeks).

Support & Community

During the training, you can use our Discord channel #training to share progress, ask questions, and collaborate with instructors and other participants.