Windows Kernel Exploitation // Erik Egsgard, Field Effect

In-Person | November 2-4 | 3 Days


ABSTRACT

Windows operating system security relies heavily on the isolation of the kernel and the enforcement of robust security boundaries. For security engineers, vulnerability researchers, and advanced defenders, understanding how these boundaries are analyzed, and where they can break down, is critical to building resilient systems.

This 3-day course provides an intensive, lab-driven exploration of Windows kernel internals, memory management architectures, and the mechanics of privilege elevation vulnerabilities. Grounded in real-world case studies, attendees will dissect several types of software flaws, including arbitrary pointer writes (CVE-2024-26229) and more complex pool corruptions. Moving beyond simple crash reproduction, the curriculum focuses on the principles behind exploitability analysis, data-only attack vectors, and the realities of modern operating system mitigations.

By analyzing operating system internals and several real-world vulnerabilities, participants will gain a deep, engineering-level understanding of both offensive mechanics and the corresponding defensive countermeasures required to protect the platform.

INTENDED AUDIENCE

  • Security Engineers & Blue Teamers seeking to understand exploit development principles to improve detection engineering and behavioral monitoring.
  • Vulnerability Researchers transitioning from user-mode analysis to kernel-mode internals.
  • Reverse Engineers interested in driver communication architectures, undocumented kernel interfaces, and pool-grooming mechanics.

KEY LEARNING OBJECTIVES

By the end of this course, participants will be able to:

  • Audit driver entry points and IOCTL handlers to identify logical and memory management flaws.
  • Navigate and analyze kernel memory structures using WinDbg, Ghidra, and virtualization environments.
  • Understand the mechanics of arbitrary write primitives and pool overflows within the kernel memory pools.
  • Evaluate the feasibility and structural reliability of exploiting specific vulnerability classes.
  • Analyze the interaction between modern Windows kernel mitigations and exploitation techniques.

This course is heavily lab-focused, and students will spend the majority of their time working through exercises to achieve these learning objectives. The labs culminate in the completion of two different privilege elevation exploit chains built on two different real-world vulnerabilities.

COURSE OUTLINE

Module 1: Tooling and Kernel Architecture

  • Environment & Tooling Overview
    • Kernel debugging environments, WinDbg and virtual machines
    • Windows kernel reverse engineering
    • AI-assisted workflows for rapid binary analysis and structure discovery
  • Windows Kernel Subsystems & Drivers
    • Windows kernel internals, including object and memory management
    • Driver dispatch routines, I/O Request Packets, and buffering methods

Module 2: Driver Attack Surface and Vulnerabilities

  • Auditing IOCTL Handlers
    • Tracing data from user mode to kernel mode
    • Common IOCTL anti-patterns
  • Vulnerability Classes
    • Memory corruption, race conditions, use-after-free (UAF), etc.

Module 3: Kernel Structures and Info Leaks

  • Windows Internal Structures
    • Files, Named Pipes, IO Rings
    • Structure corruption
  • Memory Leaks and Information Disclosures
    • Known ASLR defeat techniques
    • Info leak mitigations
  • Case Study: Arbitrary Write Primitive (CVE-2024-26229)
    • Vulnerability overview
    • Exploitability assessment

Module 4: Exploit Reliability and Impact

  • Exploitation Engineering & Reliability Mechanics
    • Deterministic versus probabilistic exploitation
    • Estimating effort and difficulty
    • Increasing the odds of success and exploit reliability
  • Achieving Kernel Read/Write
    • Kernel object modification vs code execution
    • Target structures for corruption
    • Elevation techniques

Module 5: Mitigations

  • Modern Exploit Mitigations
    • SMEP, SMAP, HVCI, kCFG, etc.
    • Effect on exploitability

Module 6: Kernel Heap Internals and Advanced Corruption

  • Kernel Heap Internals & Grooming
    • Memory management, Segment heap, Lookaside lists
    • Shaping memory layout to enable exploitation
  • Case Study: Advanced Pool Corruptions (CVE-2026-XXXX)
    • Vulnerability overview
    • Semi controlled overwrite to full privilege elevation

Prerequisites

Participants should have:

  • Experience using C/C++
  • Experience with reverse engineering tools (Ghidra, IDA Pro, etc.) and debuggers
  • Basic knowledge of Windows internals
  • Familiarity with exploitation techniques and types of vulnerabilities

Hardware and Software Requirements

Participants should bring a Windows 11 laptop with the following minimum specs and software:

  • 80 GB of free disk space
  • 8 GB of RAM
  • Virtualization software, ideally with Hyper-V enabled; alternatively VMware
  • Ghidra for reverse engineering (or a similar alternative)
  • WinDbg (ideally the “classic” version installed with the Debugging Tools for Windows)

YOUR INSTRUCTOR: Erik Egsgard

Erik Egsgard is a Principal Security Developer and vulnerability researcher specializing in Windows security and operating system architecture. At Field Effect, he focuses on low-level reverse engineering and EDR detection capabilities. Erik is a regular contributor to the vulnerability research community, frequently presenting his original work at major international security conferences such as OffensiveCon and REcon, and regularly disclosing high-severity vulnerabilities.

Cancellation Policy

Cancellations are not permitted, but attendee changes can be accommodated any time prior to the start of the course.

Note: In the event of a class cancellation, Ringzer0 will endeavor to offer transfer to another training at no additional charge.

Virtual Training Oct 26-31 // In-Person Training Nov 2-4 // Conference Nov 5-6
