Complete Curriculum

A comprehensive path from setting up your lab to mastering advanced kernel exploitation techniques.

Module 1: Building a Secure Kernel Research Lab

Foundation

Lab Architecture & Threat Model
Hypervisor Setup & Configuration
Kernel Debugging Environment
Windows Target Configuration
WinDbg Fundamentals & Advanced Usage
Static Analysis Toolchain (IDA Pro / Ghidra)
Driver Build Environment (VS / WDK)
Vulnerable Driver Deployment (HEVD & Custom)
Kernel Monitoring & Instrumentation
Snapshot Management & Lab Automation

Module 2: Introduction to Windows Internals

Core Concepts

Windows NT Architecture Overview
win32k.sys & GUI Subsystem
Processor Modes & Privilege Rings
ntoskrnl.exe & HAL Internals
Process & Thread Internals (EPROCESS / ETHREAD)
Thread Scheduling & Context Switching
Virtual Memory & Paging Mechanisms
Physical Memory & PFN Database
Kernel Pool Architecture
System Call Mechanism (SSDT / KiSystemCall64)
Interrupt Handling, IRQLs & DPCs
Object Manager & Handle Tables
I/O Manager & IRP Processing
Driver Model: WDM, KMDF & Driver Stacks
IOCTL Dispatch & Attack Surface
Token Architecture & Security Reference Monitor
Callbacks & Kernel Notification Mechanisms
WoW64 Internals & Cross-Architecture Thunking

Module 3: Kernel Mitigations & Bypass (Part 1)

Exploitation

History of Windows Kernel Exploitation
KASLR: Implementation & Internals
KASLR Bypass: Info Leaks & Side-Channels
Stack Cookies (GS) & Bypass Techniques
SEH in Kernel Context & Safe Unlinking
Kernel DEP / NX Policy & Code Reuse Bypass
SMEP: Internals & Enforcement
SMEP Bypass: ROP, CR4 Overwrite & PTE Manipulation
NULL Dereference Mitigations & Historical Exploits
Kernel Pool Hardening & Corruption Fundamentals
Pool Grooming & Spraying Techniques
Pool Exploitation Primitives
Exploit Primitives: Read / Write / Increment

Module 4: Kernel Mitigations & Bypass (Part 2)

Advanced Exploitation

SMAP: Internals & Bypass Strategies
kCFG: Kernel Control Flow Guard & Bypass
kCET: Shadow Stack Architecture & Bypass Research
VBS & Secure Kernel Architecture
HVCI: Hypervisor-Protected Code Integrity
HVCI Bypass: Data-Only Attacks
Kernel Data Protection (KDP) & Secure Pool
XFG: eXtended Flow Guard & Bypass Research
Arbitrary Read / Write Primitive Construction
Token Manipulation & PreviousMode Abuse
Data-Only Exploitation Methodology
Primitive Chaining: Full Exploit Chain Design
MSR Primitives for Privilege Escalation

Module 5: Kernel Fuzzing & Reverse Engineering

Research

Fuzzing Theory & Approaches
Kernel Attack Surface Mapping
Static Driver Reverse Engineering
Reversing IOCTL Handlers & Trust Boundaries
Vulnerability Pattern Identification
Advanced IDA Pro & Ghidra Techniques
Binary Diffing & Patch Analysis
kAFL / Nyx: Setup & Driver Harnessing
Syzkaller for Windows
Building Custom Kernel Fuzzers
Corpus Management & Mutation Strategy
Crash Triage & Root Cause Analysis
Race Condition & TOCTOU Fuzzing
Fuzzing win32k.sys
Fuzzing Network & File System Drivers
Driver Verifier & Kernel Sanitizers
Exploitability Assessment & Variant Analysis
Responsible Disclosure & CVE Process

Module 6: Kernel Shellcode & Post-Exploitation

Weaponization

Kernel Shellcode Fundamentals
Runtime Symbol Resolution
Token Stealing Shellcode
Bypass PPL to Dump Lsass
Kernel State Restoration & Cleanup
Shellcode Under SMEP / SMAP
Data-Only Post-Exploitation
PreviousMode God-Mode Primitives
DKOM: Process & Object Hiding
Kernel APC Injection
EDR Callback Removal
ETW & Threat Intelligence Tampering
DSE Bypass & Rootkit Loading
Modern Rootkit Strategies
Anti-Forensics at Kernel Level
Full Exploit Chain Construction
Real-World Case Study: Pwn2Own LPE Teardown
Ethics, Legal Boundaries & Responsible Research

Enroll in the Academy