Builds on windows-internals. Targets kernel and driver attack surface, modern mitigations, and bug classes you actually see in real CVEs.

Prereqs

• windows-internals stages 1–2 completed.
• WinDbg kernel debugging set up against a target VM.
• Patience.

Stage 1 — kernel mental model

• windows-kernel-architecture — executive, kernel, HAL, drivers.
• kernel-objects-and-irps — IRP flow, IOCTLs.
• kernel-debugging-with-windbg.
• smep-smap-overview · kpti-meltdown-implications.
• hvci-vbs — virtualization-based security in plain terms.

Stage 2 — kernel bug classes

• kernel-stack-overflow.
• arbitrary-read-write-primitives — turning a small bug into R/W.
• token-stealing-payloads — the canonical privesc payload.
• type-confusion-kernel · use-after-free-kernel.
• double-fetch / TOCTOU in kernel.
• uninitialised-memory-disclosures.

Stage 3 — modern bypasses and primitives

• kaslr-bypass — info leaks under HVCI.
• cfg-cet-kernel bypass strategies.
• exploit-primitives-for-mitigated-targets — what a usable primitive looks like in 2025.
• Driver-targeted exploitation — vulnerable signed drivers, BYOVD.
• hyperv-attack-surface — overview only.

Process and method

• crash-triage — !analyze, going from BSOD to root-cause class.
• symbolic-execution-for-windows-bugs — angr / IDA decompiler-driven triage.
• fuzzing-windows-drivers — kAFL, WTF, jackalope.

References

• Connor McGarr — Windows kernel series.
• hasherezade’s blog — internals reverse engineering.
• A Guide to Kernel Exploitation (Perla, Oldani) — older but foundational.