Windows Exploit Engineering Foundation

4200€ | 30th of September to the 3rd of October 2024 | Espace Vinci, Rue des Jeuneurs, Paris, France

This class is meant to show the approach an exploit developer or bug hunter should take in attacking a previously unknown component in the Windows kernel. The training is primarily focused around labs to teach the students what it takes to exploit a real-world vulnerability. This class focuses on exploiting CVE-2018-8611 on Windows 10 x64 1809 (RS5), a complex race condition that leads to a use-after-free on the non-paged kernel pool. The vulnerability is in the Kernel Transaction Manager (KTM) driver (tm.sys), a component that has not received much public scrutiny. Even though students will learn a lot about the KTM component, we focus on our approach for analyzing this component as a new kernel component that we had no prior knowledge about. The methodology can be reused for any other unknown kernel components a student may encounter in the future. We do not specifically focus on tricks or techniques for bypassing specific Windows versions mitigations, but rather on the thought process behind exploring functionality to find useful unmitigated code paths and also abusing the bug in ways that allow to build powerful primitives that would facilitate mitigation bypasses. The tools/VM we provide during this training are generic and can be reused after the class to assist exploiting other Windows kernel vulnerabilities.

Objectives of the training

Setup an efficient Windows kernel debugging environment

Modern reverse engineering and binary patch diffing

How to approach exploiting a vulnerability on a previously unknown target

Step-by-step real-world Windows kernel exploit on Windows 10 1809 (RS5) x64

The trainer

Who will run this training?


NCC Group

Cedric Halbronn is a security researcher in NCC Group’s Exploit Development Group. He has been exploiting lots of different targets over the past 15+ years. At NCC Group, he has published some work related to Windows kernel, Linux kernel, Cisco ASA, printers, NAS, etc.


What will we do?


Part 1: Debug environment

  • VMWare
  • WinDbg
  • Ghidra
  • ret-sync
  • Visual Studio
  • Lab: Debug environment setup

Part 2: Binary diffing Microsoft updates

  • Tools of the trade
  • Efficient use of the IDA/Ghidra decompiler to analyze the root cause
  • Lab: Basic binary diffing

Part 3: Kernel Transaction Manager (KTM) basics

  • KTM objects and APIs
  • KTM internals
  • Use of public tools for finding data
  • Lab: KTM experimentation

Part 4: Understanding CVE-2018-8611

  • Root cause vs effect
  • Planning exploitation strategy
  • Tools of the trade
  • Lab: Better binary diffing
  • Lab: Reaching vulnerable code
  • Lab: Triggering CVE-2018-8611 in a debugger

Part 5: Exploitation techniques

  • Bypassing mitigations
  • Windows non-paged pool manipulation
  • Lab: Bad vs good feng shui
  • Lab: Getting controlled UAF in a debugger

Part 6: More exploitation techniques

  • Winning the race without a debugger
  • Exploitation strategies
  • Lab: Debugging tricks and race win detection
  • Lab: Discovering a kernel leak
  • Lab: Restoring cleaned execution

Part 7: How to escalate privileges

  • Write primitive and privilege escalation strategy
  • Lab: Arbitrary read and write primitives with write 0 and PreviousMode primitive
  • Lab: Privilege escalation
  • Arbitrary increment primitive and PreviousMode limitations
  • Lab: Arbitrary read and write primitives with increment primitive


  • Comfortable with x86/x64 assembly and reversing it
  • C knowledge (reading/writing)
  • Comfortable with disassemblers/decompilers (IDA, Ghidra, etc) and debuggers (WinDbg, x64dbg, gdb, etc)
  • Familiarity with memory corruption exploitation on any OS
  • Windows kernel internals basic knowledge

Hardware/Software Requirements

  • Base OS: Windows (recommended) or Linux
  • VMware virtualisation software
  • At least 80GB of free disk space
  • At least 8GB of RAM
  • 2 VMs will be provided: debugger/development VM and target/vulnerable VM (the host can be used instead of the debugger VM if Windows-based)

Other trainings

What else might interest you?

Android Kernel Security

Vitaly Nikolenko

Hypervisor development for security analysis

Satoshi Tanda

Advanced Active Directory and Azure exploitation

Hugo Vincent & Wilfried Bécard

Attacking Instant Messaging Applications

Iddo Eldor & Jacob Bech

Introduction to Browser Exploitation

Javier Jimenez

iOS for Security Engineers

Quentin Meffre & Etienne Helluy-Lafont

Practical Baseband Exploitation

Pedro Ribeiro & Seamus Burke

Software Deobfuscation Techniques

Tim Blazytko