KernelSight
A structured knowledge base for Windows kernel driver exploitation, organized as an exploitation pipeline from driver identification through privilege escalation and grounded in 54 real CVEs across Microsoft inbox and third-party BYOVD (bring-your-own-vulnerable-driver) drivers.
FIG_001: The Exploitation Pipeline. Each stage of the figure corresponds to a section of this knowledge base.
The Analysis Pipeline
- Driver Types: Identify the kernel component (file system, network stack, Win32k, core kernel, vendor utility, GPU) and understand its role, its IRP patterns, and its historical vulnerability profile. 12 categories covering 41 unique drivers.
- Attack Surfaces: Map how user-mode code reaches the driver (IOCTL handlers, filesystem IRPs, ALPC, shared memory). The surface determines which inputs an attacker controls.
- Vulnerability Classes: Classify the bug (buffer overflow, type confusion, TOCTOU, use-after-free) and understand the memory corruption it enables. 10 classes, each with the primitives it typically yields.
- Primitives: Convert the bug into a capability (arbitrary read/write, pool spray, token swap). 19 techniques split between arbitrary read/write primitives and exploitation building blocks.
- Case Studies: Walk through the full chain for 54 real CVEs: root cause, exploitation path, patch analysis, and detection rules. 30 exploited in the wild, including 21 third-party BYOVD drivers.
- Mitigations: Understand the defenses (SMEP/SMAP, kCFG/kCET, VBS/HVCI, pool hardening) and which primitives each one blocks. Cross-cuts every pipeline stage.
- Tooling: Static analysis, fuzzing, kernel debugging, and AutoPiff integration for automated vulnerability detection across driver patches.
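As an added illustration of the Attack Surfaces stage (example code written for this page, not part of the KernelSight corpus or of any driver's source), the program below decodes a Windows IOCTL control code into the fields the CTL_CODE macro packs into it and flags the two properties that matter most when triaging a handler: METHOD_NEITHER, which hands the driver raw user-mode pointers it must probe itself, and FILE_ANY_ACCESS, which lets any handle to the device send the request. IOCTL_DISK_GET_DRIVE_GEOMETRY (0x70000) is a real inbox code; the vendor-style code built with ctl_code() is constructed for the example and belongs to no real driver.

```c
#include <stdio.h>
#include <stdint.h>

/*
 * Windows IOCTL codes are built by the CTL_CODE macro:
 *   bits 31..16  device type     (0x8000 and above are reserved for vendors)
 *   bits 15..14  required access (FILE_ANY_ACCESS = 0: any handle may send it)
 *   bits 13..2   function code   (0x800 and above are reserved for vendors)
 *   bits  1..0   transfer method
 */
enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };
enum { FILE_ANY_ACCESS = 0, FILE_READ_ACCESS = 1, FILE_WRITE_ACCESS = 2 };

typedef struct {
    uint16_t device_type;
    uint8_t  access;
    uint16_t function;
    uint8_t  method;
} ioctl_fields;

/* Same bit layout as the CTL_CODE macro in the Windows DDK headers. */
uint32_t ctl_code(uint16_t device_type, uint16_t function, uint8_t method, uint8_t access)
{
    return ((uint32_t)device_type << 16) | ((uint32_t)(access & 3) << 14) |
           ((uint32_t)(function & 0xFFF) << 2) | (uint32_t)(method & 3);
}

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 3);
    return f;
}

const char *method_name(uint8_t method)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[method & 3];
}

/* METHOD_NEITHER gives the handler raw user-mode pointers (Type3InputBuffer / UserBuffer):
 * the I/O manager neither copies nor locks them, so the driver must ProbeForRead/Write and
 * must tolerate the pages changing underneath it (TOCTOU). The buffered and direct methods
 * copy the input into SystemBuffer; the direct methods lock the output buffer via an MDL. */
int raw_user_pointers(uint8_t method) { return (method & 3) == METHOD_NEITHER; }

/* FILE_ANY_ACCESS: the IOCTL can be sent over a handle opened with no access rights, so the
 * device object's DACL (if it has one) is the only gate between a low-privileged caller and
 * the handler. */
int sendable_by_any_handle(uint8_t access) { return (access & 3) == FILE_ANY_ACCESS; }

/* Vendor-reserved ranges per the DDK documentation; inbox drivers use the lower values. */
int vendor_defined(ioctl_fields f) { return f.device_type >= 0x8000 || f.function >= 0x800; }

void describe(uint32_t code)
{
    ioctl_fields f = decode_ioctl(code);
    printf("0x%08X: device=0x%04X func=0x%03X %s access=%u%s%s%s\n",
           (unsigned)code, (unsigned)f.device_type, (unsigned)f.function,
           method_name(f.method), (unsigned)f.access,
           raw_user_pointers(f.method) ? " [raw user pointers: handler must probe]" : "",
           sendable_by_any_handle(f.access) ? " [any handle]" : "",
           vendor_defined(f) ? " [vendor range]" : "");
}

int main(void)
{
    /* Real inbox code: IOCTL_DISK_GET_DRIVE_GEOMETRY =
     * CTL_CODE(FILE_DEVICE_DISK (7), 0, METHOD_BUFFERED, FILE_ANY_ACCESS) */
    describe(0x00070000u);
    /* Constructed vendor-style code for this example; it belongs to no real driver. */
    describe(ctl_code(0x8000, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS));
    return 0;
}
```

When mapping a third-party driver's surface, run every IOCTL code recovered from the dispatch routine through this decoder: the METHOD_NEITHER, FILE_ANY_ACCESS handlers are the ones to read first, because the driver alone stands between an unprivileged caller's pointers and kernel memory.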
Corpus
- 54 CVE case studies
- 41 unique drivers
- 30 exploited in the wild
- 2 remotely exploitable
- 12 driver type categories
- 56 technique pages
- 80+ AutoPiff detection rules