c0c0n @2025 | Hacking & Cyber Security Briefing

ABSTRACT

This is the combined version of the Windows Kernel Exploitation Foundation & Advanced course. In this course, we will use Windows 7 SP1 x86 & Windows 10 RS6 x64 for all the labs and has a CTF that runs throughout the training.

This course starts with the Foundation course and builds the mindset required for the Advanced course. During this course, students will learn the basics of Windows & driver internals, different memory corruption classes, and fuzzing of kernel mode drivers. We will understand pool manager internals in order to groom kernel pool memory for reliable exploitation of pool-based vulnerabilities.

We will also look into how we can bypass kASLR, kLFH, and do hands-on exploitation using data-only attack, which effectively bypasses SMEP and other exploit mitigation.

PRE-REQUISITE

Basic operating system concepts
Good understanding of user mode exploitation
Basics of x86/x64 Assembly and C/Python
Patience

PARTICIPANT'S REQUIREMENTS

Hardware Requirements
- A laptop capable of running two virtual machines simultaneously (8 GB+ of RAM)
- 40 GB free hard drive space
Software Requirements
- VMware Workstation/Player installed
- Everyone should have Administrator privilege on their laptop

WHO SHOULD ATTEND

Windows Kernel Exploitation Foundation attendees
Bug Hunters & Red Teamers
User Mode Exploit Developers
Windows Driver Developers & Testers
Anyone with an interest in understanding Windows Kernel exploitation
Ethical Hackers and Penetration Testers looking to upgrade their skill-set to the kernel level

WHY ATTEND?

Upon completion of this training, participants will be able to
- Understand exploitation techniques to defeat mitigation like SMEP and kASLR
- Understand how Windows Pool allocator works in order to write a reliable exploit for complex bugs like pool buffer overflow and use after free
- Learn to write exploits for the found vulnerabilities in the kernel or kernel mode components

WHAT TO EXPECT

Hands-on
WinDbg-Fu
Fast & Quick Overview of Windows Internals
Techniques to exploit Windows Kernel/Driver vulnerabilities

WHAT PARTICIPANTS WILL BE PROVIDED WITH ?

Training slides
Scripts and code samples
BSOD T-Shirt

UPON COMPLETION OF THIS TRAINING, PARTICIPANTS WILL BE ABLE TO LEARN

Basics of Windows and driver internals
Different memory corruption classes
Fuzz kernel mode drivers to find vulnerabilities
Exploit development process in kernel mode
Mitigation bypasses
Pool internals & Feng-Shui
Kernel debugging

DURATION

Duration: 3 days

Trainer

Ashfaq Ansari

Vulnerability Researcher

Day wise Training Plan

DAY 1 - (Foundation)
- Windows Internals
  - Architecture
  - Executive & Kernel
  - Hardware Abstraction Layer (HAL)
  - Privilege Rings
- Memory Management
  - Virtual Address Space
  - Memory Pool
- Driver Internals
  - I/O Request Packet (IRP)
  - I/O Control Code (IOCTL)
  - Data Buffering
- Fuzzing Windows Drivers (multiple drivers)
  - Locating IOCTLs in Windows drivers
  - Memory Sanitizers
    - Special Pool
  - Fuzzing the discovered IOCTLs
- Exploitation
  - Stack Buffer Overflow (SMEP & KPTI disabled)
    - Understand the vulnerability
    - Achieving code execution
  - Fuzzing the discovered IOCTLs
- Escalation of Privilege Payload
- Kernel Recovery
DAY 2 - (Advanced)
- Quick Revision
  - Internals
  - Fuzzing
  - Stack Buffer Overflow
  - EoP Payload
- Windows 10
  - Architecture
- Exploit Mitigations
  - Kernel Address Space Layout Randomization (kASLR)
    - Understanding kASLR
    - Breaking kASLR using kernel pointer leaks
  - Supervisor Mode Execution Prevention (SMEP)
    - SMEP concepts
    - Breaking/bypassing SMEP
- Exploitation
  - Arbitrary Memory Overwrite
  - Understand the vulnerability
  - Achieving privilege escalation
- Pool Manager
  - Internals (kLFH)
  - Feng-Shui
- Exploitation
  - Memory Disclosure
    - Understand the vulnerability
    - Leak function pointer
    - Calculate driver base address
DAY 3 - (Advanced)
- Quick Revision
  - kASLR
  - SMEP
  - Feng-Shui
  - Memory Disclosure
- Pool Overflow
  - Understand the vulnerability
  - Finding corruption target
  - Grooming target pool
  - Achieving arbitrary read/write primitive (data-only attack)
  - Gaining local privilege escalation
    - Different places to corrupt
- Capture The Flag
  - Time to finish the CTF
  - Discuss any other vulnerability class if the students want and time permits
- Miscellaneous
  - Assignment to write a blog post about the vulnerability exploited during CTF
  - Q/A and feedback

Course Learning Objective

With increase in Ransomware attacks, it is widely known that fortune companies as well as business critical companies have overlooked security controls their placement and configuration. This training helps in enhancing the visibility of Enterprise Based Security Controls in organization.
Training will brief on the tactics, techniques, procedures and tools of Threat Groups like how stealthily they operate? OR How they circumvent the security mechanisms employed in a patched & monitored environment.
Candidates will get enhanced threat visibility capabilities in both Host & Network-level on Windows, Linux Environment.
Candidates will get to know how NOT to configure enterprise security controls

Contact Info

Social Links

WS-01

Windows Kernel Exploitation Foundation & Advanced Training

07-09 October, 2025