WS-07

Reversing & Attacking Drivers and Other Techniques To Attack Windows Kernel

Oct 4th and 5th, 2023
Grand Hyatt, Kochi, India

One of the best ways to defend a system is to know how to attack it. This is the spirit of this workshop, which is based on the Windows operating system, mainly its kernel and exploitable drivers. It focuses on attacking and exploiting Windows through (kernel-mode) driver components and privilege elevation techniques. In this context, we focus on both finding and exploiting vulnerabilities.

By providing a detailed explanation of Windows internals, especially of the way drivers operate, we can focus on reverse engineering drivers to look for vulnerabilities inside them. This includes design flaws, misconfigurations, and implementation issues. Typically, we cover all the different methodologies used to check drivers’ security. From the vulnerabilities we present, we provide techniques to exploit them to achieve different goals (privilege escalation, denial of service, information disclosure, …). In the end, we cover different mitigations to reduce the impact of vulnerable drivers on the system.

Where possible, we take time to see how a vulnerability can be exploited. By practicing the full attack chain, we can see how to become administrator from a regular user-mode application through kernel exploitation.

After the workshop, understanding the functioning of the kernel and of driver technology within the system, and of kernel-mode vulnerabilities with their potential impacts, becomes much easier. It is also a good way to learn how to improve system security by providing specific mitigating controls.

What to expect:

At the end of the workshop, each participant will have four key takeaways:

  • A strong understanding of Windows kernel internals
  • The ability to reverse any device driver on Windows and to look for vulnerabilities inside a driver with different techniques
  • A rough overview of mitigating controls on Windows

Course Content (ToC):

  • Day 1 - Part-1 & Part-2
  • Day 2 - Part-3, Part-4 & Part-5
  • Day 1 - Windows key concepts & components
    • Windows Internals
      • Windows’ General architecture
      • Registry of Windows
      • CPU Protection levels
      • Virtual memory and address space layout
      • Objects and handles
      • ACL/ACE, privileges, and securable objects
      • Drivers in Windows
      • Boot loading procedure
    • Primer on vulnerability categories in Windows (with some examples of how to exploit them)
      • Design vulnerabilities
      • Implementation vulnerabilities
      • Configuration/operation vulnerabilities
    • Lab: Exploiting (some of the mentioned) vulnerabilities
      • Different ways for elevation of privileges
    • Lab: Exploitation environment
      • Setting up a Windows virtual machine in debug mode
      • Windbg debugger attached in kernel mode over the network
      • Windbg practice with the most useful debugging commands
      • Observing the principal objects (EPROCESS, ETHREAD, KPCR, KINTERRUPT, CONTEXT, XSAVE_STATE, …) and interacting with them in the Windows kernel
      • Registering, loading, and unloading drivers
  • Day 2 - Windows Drivers vulnerabilities
    • General WDM device driver
      • General architecture of drivers
      • Signing policy & Code integrity
      • Reversing main drivers' routines (DriverEntry, DriverUnload, AddDevice, IRP dispatch routines, …)
    • Drivers' common vulnerabilities
      • STRIDE
      • The fabulous three: WinIO, WinRing0, WDDK Win NT 3.51
      • Driver’s interface access check
      • IRP buffering methods & fuzzing
      • IRP handling issues
      • TOCTOU, design issues, MSR, callbacks, file/registry inputs, …
    • Labs:
      • Driver verifier technology
      • Practice vulnerability research
        • Recon on drivers (tooling/debugger)
        • Reverse engineering a driver
        • Driver’s interface with the debugger
        • Driver’s vulnerability exploring
        • Fuzzing on IOCTLs
      • Vulnerable device drivers’ samples, many examples & practice
        • Compile-time security features (GS, SafeSEH, ASLR, DEP, CFG, retpoline, KASAN)
        • Runtime security features: PatchGuard, HVCI, Exploit protection (formerly EMET), ASR, WDAC
        • Intel security features: SMEP, SMAP, NX, …

Pre-requisite & Participant Requirements:

  • C (or C++) programming knowledge.
  • Basic knowledge of the Intel x86-64 CPU is a plus but not a requirement.
  • Basic knowledge of reverse engineering, especially with IDA; Ghidra could also work if the student can use it autonomously.
  • Basic knowledge of Windbg debugging (or any other debugger) is a solid plus without being a definitive requirement.

No prior knowledge about Windows internals is required.

Hardware/Software requirements

  • A laptop with Intel/AMD CPU (x86 or x64)
  • At least 100 GB of free disk space
  • At least 16 GB of RAM
  • Windbg Preview
  • Hyper-V or Virtual Box with a Windows 10 or 11 image
  • IDA with pseudocode available (best case) or Ghidra

What will be given to each participant

  • Slides of the workshop
  • Cheat sheet to debug with Windbg
  • Samples of vulnerable drivers to practice
  • A lab environment in which to analyze drivers

Who should attend:

  • Cyber security engineers
  • Pen-testers / auditors
  • Reverse engineers
  • Developers
  • Malware analysts
  • Any enthusiast in this area who fulfils the participant requirements

What not to expect:

  • Any disclosure of 0-day
  • A focus on a specific driver technology (network, devices, antivirus, …)
  • Bringing a specific driver to “analyze”

Speakers

David Baptiste

IT-Security Analyst & Researcher, ERNW - Enno Rey Netzwerke GmbH, Germany

Dr. Baptiste David is an IT security specialist at ERNW, specialized in the Windows operating system. His research is mainly focused on malware analysis, reverse engineering, security of the Windows operating system platform, kernel development and vulnerabilities research. He has also worked for a couple of antivirus companies. He has given special courses and trainings at different universities in Europe. He also regularly gives talks at different conferences including Black Hat USA, Defcon, Troopers, Zero Night, Cocon, EICAR, ECCWS…

ORGANIZED BY

Information Security Research Association Kerala Police

c0c0n @16

c0c0n is a 15 years old platform that is aimed at providing opportunities to showcase, educate, understand and spread awareness on Information Security, data protection, and privacy...

Where & When?

Oct 04th to 07th 2023
Grand Hyatt, Kochi, India
