
Windows Kernel Exploitation [Fundamentals]

Regular price €600 EUR

Instructor: Juan Sacco
Juan Sacco is a security researcher and exploit developer specializing in reverse engineering, exploit development, Windows kernel exploitation, and vulnerable driver analysis. He is the founder of Exploit Pack.

Windows Kernel Exploitation: Fundamentals is a practical, self-paced training focused on Windows kernel driver research, reverse engineering, and exploit development methodology.

The training guides students through the complete workflow used to analyze Windows kernel drivers: building a lab, configuring full kernel debugging, developing and debugging a minimal driver, reverse engineering real driver samples, identifying IOCTL interfaces, and analyzing vulnerable primitives exposed by drivers.

The course focuses on modern Windows 11 environments and introduces the internals, debugging techniques, and exploitation concepts required to understand how vulnerable drivers expose powerful kernel primitives such as physical memory access and MSR read/write capabilities.

Students will work with WinDbg, Ghidra, Ret-Sync, custom analysis tools, vulnerable Exploit Pack drivers, and real-world vendor driver samples.

Throughout the course, you will learn how to:

  • Set up a robust Windows kernel research and debugging environment.
  • Configure full kernel debugging with WinDbg.
  • Understand the difference between user-mode and kernel-mode debugging.
  • Build, load, and debug a minimal Windows kernel driver.
  • Analyze Windows driver internals, including driver objects, device objects, symbolic links, IRPs, dispatch routines, and IOCTL handlers.
  • Reverse engineer 64-bit Windows kernel drivers using Ghidra.
  • Use WinDbg to inspect live kernel state, loaded modules, symbols, IRPs, driver objects, and device objects.
  • Synchronize Ghidra and WinDbg using Ret-Sync to connect static analysis with live debugging.
  • Recover IOCTLs from both static and dynamic analysis.
  • Analyze vulnerable drivers that expose physical memory primitives.
  • Analyze vulnerable drivers that expose WRMSR and RDMSR primitives.
  • Understand physical memory, virtual memory, address translation, and why these concepts matter for kernel exploitation.
  • Study modern Windows 11 kernel protections and mitigations.
  • Understand how mitigations such as kASLR, NX, SMEP, SMAP, kCFG, kCET, PatchGuard, VBS, and HVCI affect exploitability.
  • Identify protection, filtering, and obfuscation techniques used by vendors to hide or restrict driver interfaces.

Core Focus Areas

The Fundamentals training focuses on practical Windows kernel exploitation workflows built around two main primitive classes:

Physical Memory Primitives

Students will learn how vulnerable drivers expose access to physical memory, how to identify these interfaces, and how to reason about their impact.

This includes understanding physical-to-virtual memory relationships, address translation, memory mapping, privileged memory access, and the security consequences of exposing these capabilities to user mode.

WRMSR / RDMSR Primitives

The course covers vulnerable driver interfaces that expose model-specific register access.

Students will learn how to identify MSR-related functionality, understand why unrestricted MSR access is dangerous, and evaluate the exploitation relevance of read/write MSR primitives in modern Windows environments.

IOCTL Discovery and Driver Attack Surface Analysis

A major part of the training focuses on discovering and understanding driver interfaces.

Students will learn how to identify device objects, symbolic links, IOCTL handlers, dispatch routines, access checks, hidden interfaces, and filtering logic used by real drivers.

Topics Included

The training covers:

  • Windows driver architecture and internals
  • Kernel-mode debugging with WinDbg
  • Full kernel debugging versus local kernel debugging
  • Building a Windows kernel research lab
  • Windows target VM and debugger host setup
  • Network-based kernel debugging
  • Symbol configuration and troubleshooting
  • Building and debugging a minimal Windows driver
  • User-mode to kernel-mode communication
  • CreateFile and DeviceIoControl workflows
  • IRPs and IOCTLs
  • Driver objects and device objects
  • Symbolic links and device namespaces
  • Major function dispatch tables
  • IRP_MJ_CREATE, IRP_MJ_CLOSE, and IRP_MJ_DEVICE_CONTROL
  • Reverse engineering 64-bit Windows kernel drivers
  • Static analysis with Ghidra
  • Dynamic analysis with WinDbg
  • Synchronizing Ghidra and WinDbg with Ret-Sync
  • Recovering IOCTLs dynamically from live IRPs
  • Recovering IOCTLs statically from driver code
  • Using custom tooling to automate driver reconnaissance
  • Analysis of vulnerable vendor drivers
  • Physical memory primitives
  • WRMSR and RDMSR primitives
  • Windows kernel structures and undocumented internals
  • EPROCESS, ETHREAD, KTHREAD, DRIVER_OBJECT, DEVICE_OBJECT, IRP, LIST_ENTRY, and UNICODE_STRING
  • IRQL, execution context, APCs, and DPCs
  • Kernel-mode callbacks
  • Physical memory, virtual memory, and address translation
  • Virtualization-Based Security and its security implications
  • Kernel protections and mitigations, including kASLR, NX, SMEP, SMAP, kCFG, kCET, PatchGuard, and HVCI
  • Vendor protection, filtering, and obfuscation techniques used to restrict or hide IOCTLs

Example Training Content

One of the included lessons walks through a complete Windows kernel debugging workflow using Beep.sys as the target driver.

Students configure kernel debugging, load symbols, identify loaded modules, inspect driver and device objects, locate dispatch routines, set breakpoints on Beep!BeepDeviceControl, trigger the driver from user mode, inspect the live IRP, recover the IOCTL value at runtime, and then confirm the same findings statically in Ghidra. The lesson also demonstrates Ret-Sync integration so students can correlate live WinDbg execution with Ghidra’s decompiled view.
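The IOCTL value recovered from the live IRP in that lesson is a packed CTL_CODE. The Python helper below is an added example, not part of the course materials: it unpacks such a value into device type, required access, function number and transfer method, and lists the points a driver reviewer checks first. The IOCTL_BEEP_SET value (0x10000) follows from its CTL_CODE definition in ntddbeep.h; the vendor-range code 0x80002003 is a constructed sample.

```python
# Added helper (not course material): unpack a Windows IOCTL control code as
# recovered from Irp->Parameters.DeviceIoControl in WinDbg or from the
# IRP_MJ_DEVICE_CONTROL dispatch routine in Ghidra.
# CTL_CODE layout from winioctl.h:
#   bits 31..16 DeviceType | 15..14 Access | 13..2 Function | 1..0 Method

METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
# Small subset of FILE_DEVICE_* values; anything else is reported numerically.
DEVICE_TYPES = {0x0001: "FILE_DEVICE_BEEP", 0x0007: "FILE_DEVICE_DISK",
                0x0012: "FILE_DEVICE_NETWORK", 0x0022: "FILE_DEVICE_UNKNOWN"}


def ctl_code(device_type, function, method, access):
    """Same packing as the CTL_CODE macro; useful to confirm a static find."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a 32-bit control code into its CTL_CODE fields."""
    device_type = (code >> 16) & 0xFFFF
    return {
        "device_type": device_type,
        "device_name": DEVICE_TYPES.get(device_type, f"0x{device_type:04x}"),
        "access": ACCESS_NAMES[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHOD_NAMES[code & 0x3],
    }


def review_ioctl(code):
    """Reviewer notes about the interface contract implied by the code."""
    f = decode_ioctl(code)
    notes = []
    if f["method"] == "METHOD_NEITHER":
        notes.append("METHOD_NEITHER: I/O manager validates no buffers; the "
                     "handler must probe and copy user pointers itself")
    if f["access"] == "FILE_ANY_ACCESS":
        notes.append("FILE_ANY_ACCESS: no read/write right needed on the "
                     "handle; the device security descriptor is the only gate")
    if f["device_type"] >= 0x8000 or f["function"] >= 0x800:
        notes.append("vendor-defined device type or function range "
                     "(Microsoft reserves types < 0x8000, functions < 0x800)")
    return notes


if __name__ == "__main__":
    for sample in (0x10000, 0x80002003):  # IOCTL_BEEP_SET, constructed vendor code
        print(hex(sample), decode_ioctl(sample), review_ioctl(sample))
```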

Course Structure

Module 1: Windows Kernel Research Lab and Debugging Fundamentals

This module introduces the Windows kernel research environment and the debugging workflow required for driver analysis.

Students will build a controlled lab using a debugger host and a Windows target machine. The module explains full kernel debugging, local kernel debugging, debugging transports, symbol configuration, and the practical differences between debugging a user-mode process and debugging the entire operating system.

Module 2: Windows Driver Internals and User-to-Kernel Communication

This module introduces the Windows I/O model and the internal structures used by drivers to expose functionality to user-mode applications.

Students will learn how drivers register device objects, expose symbolic links, receive IRPs, and handle IOCTL requests through dispatch routines.

Module 3: Reverse Engineering Windows Kernel Drivers

This module focuses on static and dynamic reverse engineering of Windows kernel drivers.

Students will use Ghidra and WinDbg together to analyze driver entry points, dispatch tables, IOCTL handlers, and internal driver logic. The module also introduces Ret-Sync to synchronize static analysis with live debugging.

Module 4: Vulnerable Driver Primitives and Exploitability Analysis

This module introduces vulnerability analysis and exploitability reasoning for Windows kernel drivers.

The focus is on vulnerable interfaces that expose privileged primitives, especially physical memory access and MSR read/write functionality. Students will learn how these primitives are discovered, validated, and evaluated in the context of modern Windows 11 mitigations.

Hands-On Exercises and Materials

Students will practice against real and purpose-built vulnerable drivers, including:

  • Exploit Pack drivers created specifically for this course
  • Real-world vulnerable vendor driver samples
  • Driver analysis exercises
  • IOCTL discovery labs
  • WinDbg debugging exercises
  • Ghidra reverse engineering exercises
  • Ret-Sync synchronization exercises
  • Physical memory primitive analysis
  • WRMSR / RDMSR primitive analysis
  • Mitigation and exploitability analysis labs

Tools and Takeaways

Participants will receive access to tools and materials used throughout the course, including:

  • IOCTL++
  • Exploit templates
  • Driver analysis scripts
  • Ghidra plugins
  • WinDbg helpers
  • Driver Buddy Revolutions
  • Ret-Sync workflow material
  • Vulnerable driver samples
  • Lab notes and supporting documentation
  • Additional tooling for vulnerability discovery and exploit development

Schedule and Delivery

Format: Pre-recorded, self-paced training
Structure: 4 modules with video lessons, hands-on exercises, downloadable tools, and supporting materials
Exercises: Practical labs included throughout the course
Access: Learn at your own pace and revisit the material as needed

Support and Community

Students receive access to the dedicated Discord training channel, where they can share progress, ask questions, troubleshoot labs, and collaborate with instructors and other participants.

Who This Training Is For

This training is intended for:

  • Security researchers
  • Reverse engineers
  • Exploit developers
  • Malware analysts
  • Red-team operators
  • Vulnerability researchers
  • Advanced students interested in Windows internals
  • Engineers who want to understand vulnerable driver analysis

Recommended Background

Students should be comfortable with basic systems programming concepts and have some familiarity with debugging or reverse engineering.

Recommended knowledge:

  • Basic C or C++ understanding
  • Basic x64 assembly familiarity
  • General Windows internals awareness
  • Basic debugging experience
  • Some reverse engineering experience

Prior kernel exploitation experience is helpful, but not required. The course introduces the required kernel concepts progressively through practical examples and labs.

Learning Outcomes

By the end of the training, students will be able to:

  • Build and operate a Windows kernel debugging lab.
  • Debug Windows kernel drivers with WinDbg.
  • Understand how user-mode applications communicate with kernel drivers.
  • Identify driver objects, device objects, symbolic links, dispatch routines, IRPs, and IOCTL handlers.
  • Reverse engineer Windows kernel drivers with Ghidra.
  • Recover IOCTLs statically and dynamically.
  • Use Ret-Sync to connect Ghidra and WinDbg workflows.
  • Analyze vulnerable driver interfaces.
  • Understand physical memory and MSR primitives.
  • Evaluate vulnerable driver exploitability on modern Windows 11 systems.
  • Understand how kernel protections and mitigations affect exploitation.
  • Use practical tooling to accelerate driver vulnerability research.