Last updated: 2026-04-10
Related: Architecture, Mitigations, Researchers
Tags: kernel-mode, user-mode
Summary
Windows is the most complex and most heavily defended exploitation target in the world. The attack surface spans user-mode applications and services, the Win32 subsystem (win32k.sys), the NT kernel, device drivers, the hypervisor (Hyper-V), and firmware. Becoming the top Windows security researcher requires deep knowledge of every layer — not just how to exploit bugs, but how the entire OS is architected, why mitigations exist, how they fail, and how to discover novel bug classes.
Attack Surface Map
User-Mode Targets
| Layer | Components | Primary Bug Classes |
|---|---|---|
| Win32 applications | browsers, document readers, media | heap overflow, UAF, type confusion |
| Windows services | LSASS, spoolsv, RPC services | memory corruption, logic bugs |
| COM servers | OLE, DCOM, WMI, Shell extensions | type confusion, UAF, interface confusion |
| Scripting engines | JScript, Chakra, VBScript | type confusion, OOB, UAF |
| Network parsers | SMB, RDP, DNS, HTTP.sys | OOB, integer overflow, UAF |
Kernel-Mode Targets
| Layer | Components | Primary Bug Classes |
|---|---|---|
| Win32k subsystem | win32k.sys, win32kfull.sys, win32kbase.sys | UAF, type confusion, null-deref |
| NT kernel | ntoskrnl.exe | pool overflow, race conditions, integer overflow |
| I/O subsystem | IOCTL handlers in drivers | OOB, uninitialized memory, integer overflow |
| Filesystem drivers | NTFS, SMB (srv2.sys) | OOB read/write, race conditions |
| CLFS (clfs.sys) | Common Log File System | OOB write, UAF, integer overflow — reachable from low-priv user, dominant LPE surface 2021–present |
| Network stack | tcpip.sys, http.sys | OOB, integer overflow |
| Graphics subsystem | dxgkrnl.sys, DirectX | UAF, type confusion |
Hypervisor / Virtualization
- Hyper-V: vmswitch.sys, vmbus, VPCI emulation — type confusion, OOB
- VBS (Virtualization-Based Security): UEFI firmware, secure kernel
- WSL2 / Hyper-V VMs: cross-VM boundary escapes
Mitigation Timeline (Windows)
Understanding the arms race is essential for knowing what techniques are viable on which OS versions.
| Release | Codename | Key Mitigation Additions |
|---|---|---|
| Win 7 | | ASLR, DEP/NX, SEHOP, heap cookies |
| Win 8 | | Kernel ASLR (KASLR), Safe Unlinking, SMEP (hardware) |
| Win 8.1 | | Low Fragmentation Heap hardening |
| Win 10 1507 | TH1 | Isolated Heap, MemGC, CFG (Control Flow Guard) |
| Win 10 1511 | TH2 | CFG extended to more binaries |
| Win 10 1607 | RS1 | ACG (Arbitrary Code Guard), Code Integrity Guard |
| Win 10 1703 | RS2 | KVA Shadow prep, Segment Heap in kernel (pool) |
| Win 10 1803 | RS4 | Retpoline (Spectre), Win32k syscall filter extended |
| Win 10 1809 | RS5 | Segment Heap enabled in more contexts |
| Win 10 1903 | 19H1 | Kernel CET shadow stack (opt-in for some) |
| Win 10 2004 | 20H1 | Hardware-enforced Stack Protection (CET) preview |
| Win 10 20H2 | | CET-SS available for user-mode |
| Win 11 21H2 | | CET-SS mandatory on supported hardware, HVCI default |
| Win 11 22H2 | | Smart App Control, expanded KCFG |
| Win 11 23H2 | | Extended HVCI coverage, expanded kernel CET |
| Win 11 24H2 | | VBS-by-default on capable hardware |
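The timeline above says which mitigations a release is supposed to carry; the check a defender actually wants is which of them are active on a given host, since Exploit Protection policy, hardware support and VBS configuration can all leave a gap. The following script is an added example, not part of the original page: it reports the system-wide DEP/ASLR/CFG/SEHOP policy, the user-mode CET shadow-stack setting, and VBS/HVCI/Credential Guard state, then flags settings that fall short of the release's expected posture. It assumes the `Get-ProcessMitigation -System` property names `Dep`, `Aslr`, `CFG`, `SEHOP` (Windows 10 1709+) and the optional `UserShadowStack` property (its name is assumed and is probed before use), and the `Win32_DeviceGuard` value encodings documented by Microsoft (`VirtualizationBasedSecurityStatus` 0/1/2; `SecurityServicesRunning` 1 = Credential Guard, 2 = HVCI). Run it from an elevated PowerShell 5.1 or later session.

```powershell
# Added example: report the mitigation posture of this host and flag gaps.
# Assumptions: Get-ProcessMitigation property names (Dep/Aslr/CFG/SEHOP, optional
# UserShadowStack) and Win32_DeviceGuard value encodings as documented by Microsoft.

function Get-MitigationPosture {
    [CmdletBinding()]
    param()

    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    $posture = [ordered]@{
        Product = $os.Caption
        Build   = [int]$os.BuildNumber
        # DisplayVersion (e.g. 22H2) exists from 20H2 on; older builds only carry ReleaseId (e.g. 1809)
        Release = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }
    }

    # System-wide Exploit Protection defaults; each value is ON, OFF or NOTSET (OS default applies)
    $m = Get-ProcessMitigation -System
    $posture.DEP              = "$($m.Dep.Enable)"
    $posture.ASLR_BottomUp    = "$($m.Aslr.BottomUp)"
    $posture.ASLR_HighEntropy = "$($m.Aslr.HighEntropy)"
    $posture.CFG              = "$($m.CFG.Enable)"
    $posture.SEHOP            = "$($m.SEHOP.Enable)"
    # User-mode CET shadow stack: the property only exists on builds that support it (assumed name)
    $posture.CET_UserShadowStack = if ($m.PSObject.Properties['UserShadowStack']) {
        "$($m.UserShadowStack.UserShadowStack)"
    } else { 'unsupported' }

    # VBS / HVCI / Credential Guard state from the DeviceGuard WMI class
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard -ErrorAction Stop
        $posture.VBS = switch ($dg.VirtualizationBasedSecurityStatus) {
            0 { 'off' } 1 { 'enabled-not-running' } 2 { 'running' } default { 'unknown' }
        }
        $posture.HVCI            = if ($dg.SecurityServicesRunning -contains 2) { 'running' } else { 'not-running' }
        $posture.CredentialGuard = if ($dg.SecurityServicesRunning -contains 1) { 'running' } else { 'not-running' }
    } catch {
        # Namespace missing (e.g. very old build or stripped SKU)
        $posture.VBS             = 'unavailable'
        $posture.HVCI            = 'unavailable'
        $posture.CredentialGuard = 'unavailable'
    }

    [pscustomobject]$posture
}

function Test-MitigationPosture {
    param([Parameter(Mandatory)][pscustomobject]$Posture)
    $findings = @()

    # OFF is a definite gap; NOTSET means the OS default applies and should be checked against policy
    foreach ($name in 'DEP', 'CFG', 'SEHOP', 'ASLR_BottomUp', 'ASLR_HighEntropy') {
        switch ($Posture.$name) {
            'OFF'    { $findings += "$name is explicitly disabled system-wide" }
            'NOTSET' { $findings += "$name is not forced on; OS default applies, verify against policy" }
        }
    }

    # Windows 11 (build 22000+) ships HVCI on by default on capable hardware
    if ($Posture.Build -ge 22000 -and $Posture.HVCI -ne 'running') {
        $findings += 'HVCI is not running on a Windows 11 build'
    }
    if ($Posture.Build -ge 22000 -and $Posture.CET_UserShadowStack -eq 'unsupported') {
        $findings += 'User-mode CET shadow stack is not reported (CPU, firmware or policy)'
    }
    $findings
}

$posture = Get-MitigationPosture
$posture | Format-List
Test-MitigationPosture -Posture $posture | ForEach-Object { Write-Warning $_ }
```

The build-number thresholds are the only place the script encodes the timeline; everything else is read live, so a host that was upgraded in place but kept an old Exploit Protection policy shows up as a finding rather than being assumed compliant from its release name.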
Privilege Escalation Paths
Guest/Low IL ──► Medium IL (user) ──► High IL (admin) ──► SYSTEM ──► Kernel ──► Hypervisor
Each arrow is a boundary crossing, and the technique class typically used to cross it:
- Guest/Low IL → Medium IL: sandbox escape
- Medium IL → High IL: UAC bypass
- High IL → SYSTEM: token steal
- SYSTEM → Kernel: kernel EoP
- Kernel → Hypervisor: VBS/HVCI bypass
Common EoP Routes (Kernel)
- Pool corruption → fake object → controlled kernel dispatch → token steal
- UAF in win32k → controlled vtable → arbitrary kernel R/W → token steal
- Race condition (TOCTOU) → arbitrary write primitive → SYSTEM token
- Null pointer dereference (legacy, pre-SMEP era) → mapped NULL page shellcode
- Named pipe impersonation → SYSTEM token (user-mode, no kernel vuln needed)
- Write-what-where → EPROCESS token → replace token with SYSTEM token
Key Windows Internal Structures for Exploiters
| Structure | Location | Exploit Use |
|---|---|---|
| _EPROCESS | ntoskrnl | token stealing, process context |
| _TOKEN | ntoskrnl | privilege manipulation |
| _KTHREAD / _ETHREAD | ntoskrnl | APC injection, privilege |
| _OBJECT_HEADER | ntoskrnl | pool feng shui, type confusion |
| _POOL_HEADER | ntoskrnl | pool exploitation |
| _SEGMENT_HEAP | ntoskrnl/user | heap exploitation |
| tagWND / tagTHREADINFO | win32k | UAF, type confusion |
| _HAL_DISPATCH_TABLE | ntoskrnl | overwrite target (legacy) |
| _SEP_TOKEN_PRIVILEGES | ntoskrnl | privilege escalation |
| PreviousMode | _KTHREAD | user→kernel boundary tricks |
Research Methodology
- Variant analysis — find one bug in a class → search all similar patterns
- Patch diffing — compare binaries before/after Patch Tuesday → find 1-days
- Fuzzing — coverage-guided (WTF, kAFL) for attack surface you control
- Code auditing — manual review of driver IOCTL handlers, kernel API handlers
- Root cause analysis — study public CVEs deeply to internalize bug patterns
- Exploitation development — turn PoC crashes into reliable weaponized exploits
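Patch diffing starts with a mundane question: which kernel-mode binaries did this month's update actually change? The same inventory answers the defender's question of whether the patch landed on a given host. The script below is an added example, not part of the original page: it takes a hashed inventory of the kernel-mode components named in the attack-surface tables (ntoskrnl, win32k*, clfs, ntfs, srv2, tcpip, http, dxgkrnl) and diffs two inventories, reporting added, removed and modified files with their version strings. The file paths are the standard System32 locations and are an assumption of this script; it uses only `Get-Item`, `Get-FileHash` and `Export-Clixml`/`Import-Clixml`.

```powershell
# Added example: hashed baseline of kernel-mode binaries and a before/after diff.
# Assumption: the binaries live in their standard System32 locations.

$script:KernelBinaries = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",
    "$env:SystemRoot\System32\win32k.sys",
    "$env:SystemRoot\System32\win32kbase.sys",
    "$env:SystemRoot\System32\win32kfull.sys",
    "$env:SystemRoot\System32\drivers\clfs.sys",
    "$env:SystemRoot\System32\drivers\ntfs.sys",
    "$env:SystemRoot\System32\drivers\srv2.sys",
    "$env:SystemRoot\System32\drivers\tcpip.sys",
    "$env:SystemRoot\System32\drivers\http.sys",
    "$env:SystemRoot\System32\drivers\dxgkrnl.sys"
)

function Get-KernelBinaryBaseline {
    param([string[]]$Path = $script:KernelBinaries)
    $taken = (Get-Date).ToString('o')
    foreach ($p in $Path) {
        # A component may be absent on a given SKU (e.g. srv2.sys without the SMB server); skip it
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $item = Get-Item -LiteralPath $p
        [pscustomobject]@{
            Path    = $p
            # Version string is informational only: the hash is the authoritative change signal
            Version = $item.VersionInfo.FileVersion
            Size    = $item.Length
            SHA256  = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Taken   = $taken
        }
    }
}

function Compare-KernelBinaryBaseline {
    param(
        [Parameter(Mandatory)][object[]]$Before,
        [Parameter(Mandatory)][object[]]$After
    )
    $beforeByPath = @{}
    foreach ($b in $Before) { $beforeByPath[$b.Path] = $b }

    $seen = @{}
    foreach ($a in $After) {
        $seen[$a.Path] = $true
        $b = $beforeByPath[$a.Path]
        if ($null -eq $b) {
            [pscustomobject]@{ Path = $a.Path; Change = 'added';    Before = $null;      After = $a.Version }
        } elseif ($b.SHA256 -ne $a.SHA256) {
            [pscustomobject]@{ Path = $a.Path; Change = 'modified'; Before = $b.Version; After = $a.Version }
        }
    }
    # Files present before but missing now (component removed or renamed by the update)
    foreach ($b in $Before) {
        if (-not $seen.ContainsKey($b.Path)) {
            [pscustomobject]@{ Path = $b.Path; Change = 'removed'; Before = $b.Version; After = $null }
        }
    }
}

# Usage: snapshot before installing the update, reboot after it, snapshot again, diff.
#   Get-KernelBinaryBaseline | Export-Clixml .\kernel-baseline-before.xml
#   ...install update, reboot...
#   Compare-KernelBinaryBaseline -Before (Import-Clixml .\kernel-baseline-before.xml) `
#                                -After  (Get-KernelBinaryBaseline) | Format-Table
```

Diffing on SHA-256 rather than on the version string matters because the version resource in some Windows binaries lags the real build; an unchanged hash means the update did not touch that component regardless of what the string says, and a changed hash with an unchanged string is still a change worth looking at.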
References
- Windows Internals 7th Ed., Russinovich, Solomon, Ionescu
- “A Year in Review: Windows Kernel Exploitation” — various Project Zero posts
- Microsoft Security Response Center (MSRC) CVE database
- NtQuerySystemInformation / WinObj / WinDbg — primary research tools