A general collection of notes, tools, and code snippets focused on exploiting Windows kernel drivers for both research and offensive security purposes.
Some of the code snippets here are based on older vulnerable drivers like the HackSysExtremeVulnerableDriver for learning memory corruption and LPE bugs, while others touch on more modern techniques like BYOVD (Bring Your Own Vulnerable Driver) and malicious drivers for red teaming.
Program Database (PDB) is a Microsoft-developed format used to store debugging symbols for binaries (e.g., DLLs and EXEs). These .pdb files are generated during compilation and are essential for debugging, reverse engineering, and understanding driver internals.
- pdbex – Extract C-like definitions from .pdb files
    pdbex.exe _SID ntdll.pdb
- symChk – Download or verify symbols for a binary against the Microsoft symbol server
    symchk /r c:\windows\system32\[filename] /s SRV*c:\symbols\*http://msdl.microsoft.com/download/symbols
- PDBRipper – Has a GUI and is very easy to use
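Before feeding a downloaded .pdb to any of the tools above it is worth checking that the file is a well-formed PDB at all. The following is an added example (not part of this collection or of any of the tools listed) that parses and sanity-checks the MSF 7.0 superblock every modern .pdb starts with: the 32-byte magic, block size, free-map index, block count, directory size and block-map address. The `msf_build_sample` helper and the field values it is called with are constructed for the demonstration; the layout and validity rules (power-of-two block size between 512 and 4096, free map at block 1 or 2, file size equal to num_blocks * block_size) follow the public MSF format description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed part of the MSF 7.0 superblock: 32-byte magic + 6 uint32 fields. */
#define MSF_SUPERBLOCK_SIZE 56

/* The 32-byte signature every MSF 7.0 (.pdb) file starts with. */
static const uint8_t MSF7_MAGIC[32] = {
    'M','i','c','r','o','s','o','f','t',' ','C','/','C','+','+',' ',
    'M','S','F',' ','7','.','0','0','\r','\n',0x1A,'D','S',0,0,0
};

typedef struct {
    uint32_t block_size;           /* bytes per block: 512, 1024, 2048 or 4096 */
    uint32_t free_block_map_block; /* index of the active free-page map: 1 or 2 */
    uint32_t num_blocks;           /* total blocks; file size should be num_blocks * block_size */
    uint32_t num_directory_bytes;  /* size of the stream directory */
    uint32_t block_map_addr;       /* block holding the directory's block-index list */
    uint32_t num_directory_blocks; /* derived: blocks needed to hold the directory */
} msf_superblock_t;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse and sanity-check the superblock at the start of `buf`.
 * `file_size` is the length of the whole .pdb on disk (0 skips that check).
 * Returns 0 on success or a negative code:
 *  -1 buffer too short    -2 bad magic                    -3 bad block size
 *  -4 bad free-map index  -5 block map address out of range -6 file size mismatch */
int msf_parse_superblock(const uint8_t *buf, size_t len, uint64_t file_size, msf_superblock_t *out)
{
    if (len < MSF_SUPERBLOCK_SIZE) return -1;
    if (memcmp(buf, MSF7_MAGIC, sizeof MSF7_MAGIC) != 0) return -2;

    msf_superblock_t sb;
    sb.block_size           = rd_le32(buf + 32);
    sb.free_block_map_block = rd_le32(buf + 36);
    sb.num_blocks           = rd_le32(buf + 40);
    sb.num_directory_bytes  = rd_le32(buf + 44);
    /* buf + 48 is an unknown/reserved field */
    sb.block_map_addr       = rd_le32(buf + 52);

    /* Block size must be a power of two between 512 and 4096. */
    if (sb.block_size < 512 || sb.block_size > 4096 || (sb.block_size & (sb.block_size - 1)))
        return -3;
    if (sb.free_block_map_block != 1 && sb.free_block_map_block != 2) return -4;
    /* Block 0 is the superblock itself, so the block map can never live there. */
    if (sb.block_map_addr == 0 || sb.block_map_addr >= sb.num_blocks) return -5;
    if (file_size != 0 && file_size != (uint64_t)sb.num_blocks * sb.block_size) return -6;

    sb.num_directory_blocks = (sb.num_directory_bytes + sb.block_size - 1) / sb.block_size;
    *out = sb;
    return 0;
}

/* Constructed sample: writes a superblock with the given fields into buf (>= 56 bytes). */
void msf_build_sample(uint8_t *buf, uint32_t block_size, uint32_t free_map, uint32_t num_blocks,
                      uint32_t dir_bytes, uint32_t block_map_addr)
{
    memcpy(buf, MSF7_MAGIC, sizeof MSF7_MAGIC);
    wr_le32(buf + 32, block_size);
    wr_le32(buf + 36, free_map);
    wr_le32(buf + 40, num_blocks);
    wr_le32(buf + 44, dir_bytes);
    wr_le32(buf + 48, 0);
    wr_le32(buf + 52, block_map_addr);
}

int main(void)
{
    uint8_t good[MSF_SUPERBLOCK_SIZE], bad[MSF_SUPERBLOCK_SIZE];
    msf_superblock_t sb;
    int rc;

    msf_build_sample(good, 4096, 1, 16, 0x100, 3);
    rc = msf_parse_superblock(good, sizeof good, 16ull * 4096, &sb);
    printf("good sample: rc=%d block_size=%u dir_blocks=%u\n", rc, sb.block_size, sb.num_directory_blocks);

    msf_build_sample(bad, 0x300, 1, 16, 0x100, 3); /* 0x300 is not a power of two */
    rc = msf_parse_superblock(bad, sizeof bad, 0, &sb);
    printf("bad sample:  rc=%d\n", rc);
    return 0;
}
```

To check a real file, read its first 56 bytes into a buffer and pass the file's total size as `file_size`; a mismatch there is the quickest tell for a truncated download or a file that merely carries the PDB magic.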
Setting up Kernel Debugging via Network
WinDBG Kernel Debugging Cheatsheet
Understanding the components and techniques below is essential before diving into real-world exploitation. These are core primitives and ideas behind most Windows kernel exploits:
- IOCTLs (Input/Output Control Codes) – The user-mode gateway to driver internals; a common attack surface.
- IRP Handling – Learn how drivers process I/O requests, often leading to logic bugs.
- Arbitrary Memory Read/Write – A universal primitive used in most exploits once control is achieved.
- Token Stealing – Classic technique to elevate privileges by replacing access tokens.
- Function Pointer Overwrites – Overwriting critical function pointers (e.g. in dispatch tables) for code execution.
- Pool Overflows & Spraying – Heap manipulation to exploit buffer overflows or UAF conditions.
- NULL Pointer Dereference – Less common now due to modern mitigations, but still valuable in certain setups.
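Because IOCTLs are the first item on that list, it helps to be able to take a control code apart and see which handlers deserve attention when auditing a driver. The following is an added example (not code from this collection) that encodes and decodes IOCTL codes with the same bit layout as the Windows `CTL_CODE` macro: device type in bits 16-31, access in bits 14-15, function in bits 2-13, transfer method in bits 0-1. The `FILE_DEVICE_DISK`, `FILE_DEVICE_UNKNOWN` and method/access constants match the Windows headers; the `ioctl_is_vendor_defined` and `ioctl_needs_pointer_validation` helper names are my own, and the sample codes in `main` are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Transfer method, bits 0-1 of an IOCTL code. */
enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };
/* Required access, bits 14-15. */
enum { FILE_ANY_ACCESS = 0, FILE_READ_ACCESS = 1, FILE_WRITE_ACCESS = 2 };
/* Device types used in the samples below; FILE_DEVICE_UNKNOWN is typical for third-party drivers. */
#define FILE_DEVICE_DISK    0x07
#define FILE_DEVICE_UNKNOWN 0x22

typedef struct {
    uint16_t device_type; /* bits 16-31 */
    uint8_t  access;      /* bits 14-15 */
    uint16_t function;    /* bits 2-13 */
    uint8_t  method;      /* bits 0-1 */
} ioctl_parts_t;

/* Same layout as the CTL_CODE macro in the Windows headers. */
uint32_t ctl_code(uint32_t device_type, uint32_t function, uint32_t method, uint32_t access)
{
    return (device_type << 16) | (access << 14) | (function << 2) | method;
}

ioctl_parts_t ioctl_decode(uint32_t code)
{
    ioctl_parts_t p;
    p.device_type = (uint16_t)(code >> 16);
    p.access      = (uint8_t)((code >> 14) & 0x3);
    p.function    = (uint16_t)((code >> 2) & 0xFFF);
    p.method      = (uint8_t)(code & 0x3);
    return p;
}

const char *ioctl_method_name(uint8_t method)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[method & 0x3];
}

/* Function codes 0x800-0xFFF are reserved for third parties; 0x000-0x7FF belong to Microsoft. */
bool ioctl_is_vendor_defined(uint32_t code)
{
    return ioctl_decode(code).function >= 0x800;
}

/* METHOD_NEITHER hands the driver raw user-mode pointers, so the handler itself must
 * probe and copy them before use; these codes are the first to review in an audit. */
bool ioctl_needs_pointer_validation(uint32_t code)
{
    return ioctl_decode(code).method == METHOD_NEITHER;
}

int main(void)
{
    /* Constructed sample codes: a well-known Microsoft one and a vendor-style one. */
    const uint32_t samples[] = {
        ctl_code(FILE_DEVICE_DISK, 0, METHOD_BUFFERED, FILE_ANY_ACCESS),       /* 0x70000 */
        ctl_code(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS),  /* 0x222003 */
        ctl_code(FILE_DEVICE_UNKNOWN, 0x801, METHOD_OUT_DIRECT, FILE_WRITE_ACCESS),
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ioctl_parts_t p = ioctl_decode(samples[i]);
        printf("0x%08x: device=0x%04x function=0x%03x access=%u %s vendor=%d review=%d\n",
               samples[i], p.device_type, p.function, p.access, ioctl_method_name(p.method),
               ioctl_is_vendor_defined(samples[i]), ioctl_needs_pointer_validation(samples[i]));
    }
    return 0;
}
```

When reversing a dispatch routine, feed each constant compared against `IoControlCode` through `ioctl_decode`; the method field tells you whether the I/O manager has already copied and length-checked the buffers (METHOD_BUFFERED) or whether correctness depends entirely on the driver's own checks (METHOD_NEITHER).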
These are built-in protections you’ll encounter (and potentially bypass) when developing or studying kernel exploits:
- PatchGuard (KPP) – Prevents modifications to critical kernel structures.
- Driver Signature Enforcement – Blocks unsigned drivers from loading unless bypassed (e.g., via BYOVD).
- SMEP (Supervisor Mode Execution Prevention) – Stops kernel-mode code from executing user-mode pages.
- KASLR (Kernel ASLR) – Randomizes kernel memory layout to make exploitation harder.
- NX (No-eXecute) – Prevents code execution in marked non-executable memory regions.
- Control Flow Guard (CFG) – Ensures indirect calls are made to valid targets.
- HVCI / Device Guard – Blocks unsigned code at runtime and enforces code integrity.
BYOVD is a powerful red teaming and post-exploitation technique where an attacker loads a legitimately signed but vulnerable driver into the kernel. This gives access to privileged operations such as arbitrary memory read/write, disabling security features, or executing code in kernel mode.
- kdmapper – Uses a signed, vulnerable driver to map other unsigned drivers into kernel space.
- DSE Bypass Techniques – Driver Signature Enforcement bypass.
- Disabling EDR and AV – Killer drivers
- IDA Free – Free version of IDA Pro, useful for static analysis of drivers.
- CFF Explorer – PE editor to inspect and modify driver binaries.
- Process Hacker – Advanced process viewer with support for viewing handles and token info.
- Process Explorer – Sysinternals tool to inspect active processes in real time.
- WinObjEx64 – Explore Windows kernel object manager namespace in detail.