Skip to content

Driver Types

Driver Type → Attack Surface → Vuln Class → Primitive → Case Study

Every kernel exploitation chain begins with a target component. Windows kernel drivers are categorized by their role and the subsystem they interact with — each type has distinct IRP handling patterns, accessible attack surfaces, and historical vulnerability profiles.

FIG_002 — Windows Kernel Architecture USER MODE Win32 API Winsock CreateFile DeviceIoControl KERNEL BOUNDARY Win32k win32k*.sys 3 CVEs | 2 ITW Network Stack tcpip / afd / http.sys 5 CVEs | 2 Remote Kernel Streaming ks / mskssrv / ksthunk 6 CVEs | 2 ITW Security / Policy appid.sys / ci.sys 1 CVE | ITW File System + Minifilter ntfs / fastfat / cldflt.sys 4 CVEs Log / Transaction clfs.sys 4 CVEs | 3 ITW Storage / Cache csc.sys 1 CVE CORE KERNEL — ntoskrnl.exe 4 CVEs | 2 ITW Security Reference Monitor / VBS / Process Mgmt HARDWARE ABSTRACTION LAYER

Driver types positioned within their kernel subsystem. CVE counts from the KernelSight corpus.

Categories

Driver Type Examples CVEs in Corpus Key Attack Surface
File System Drivers ntfs.sys, fastfat.sys 2 On-disk structure parsing, IRP dispatch
File System Minifilters cldflt.sys 2 Pre/post-operation callbacks, reparse data
Log / Transaction Drivers clfs.sys 4 Metadata parsing, base log manipulation
Network Stack tcpip.sys, afd.sys, http.sys 5 Packet parsing, socket operations, protocol handling
Kernel Streaming ks.sys, mskssrv.sys, ksthunk.sys 5 IOCTL dispatch, WOW64 thunking, MDL operations
Win32k Subsystem win32k.sys, win32kbase.sys, win32kfull.sys 3 Syscall handlers, GDI objects, window management
Core Kernel ntoskrnl.exe 4 Syscall handlers, security subsystem, VBS
Security / Policy Drivers appid.sys 1 IOCTL access control, policy enforcement
Storage / Caching Drivers csc.sys 1 IOCTL handlers, file caching
Vendor Utility DBUtil, RTCore64, gdrv, iqvw64e, HW.sys, ATSZIO64, AsIO3, WinRing0, etc. 14 Physical memory R/W, MSR access, I/O port
Performance & GPU AMDRyzenMasterDriver.sys, ThrottleStop.sys, nvlddmkm.sys 4 MSR write, GPU memory mapping, MMIO
Third-Party Security Capcom.sys, echo_driver.sys, viragt64.sys, Truesight.sys, amsdk.sys 5 Ring-0 exec, callback manipulation, process termination

Browse by Driver Type

📁 File System Drivers ntfs.sys · fastfat.sys On-disk structure parsing, MFT records, FAT bitmaps. VHD mount gives unprivileged local access. 2 CVEs Buffer Overflow · Integer Overflow 🔍 File System Minifilters cldflt.sys Pre/post-operation callbacks, reparse data parsing, context reference management. 2 CVEs Heap Overflow 📓 Log / Transaction clfs.sys CLFS base log metadata parsing — the most exploited single driver. User-reachable via CreateLogFile. 4 CVEs 3 ITW 🌐 Network Stack tcpip.sys · afd.sys · http.sys TCP/IP packet processing, Winsock kernel helper, HTTP protocol stack. Includes remote attack surface. 5 CVEs 2 Remote 🎬 Kernel Streaming ks.sys · mskssrv.sys · ksthunk.sys KS IOCTL dispatch, WOW64 thunking, MDL operations, rendezvous server context management. 6 CVEs 2 ITW 🖥 Win32k Subsystem win32k.sys · win32kbase.sys · win32kfull.sys ~1200 NtUser/NtGdi syscall handlers, GDI objects, window and menu management. 3 CVEs 2 ITW Core Kernel ntoskrnl.exe Security reference monitor, VBS transitions, process/thread management. Highest impact bugs. 4 CVEs 2 ITW 🛡 Security / Policy appid.sys · ci.sys AppLocker, Code Integrity, WDAC enforcement. Lazarus Group ITW exploitation. 1 CVE ITW 💾 Storage / Caching csc.sys Client-Side Caching, Offline Files. Logic bugs in access control enforcement. 1 CVE Logic Bug 🔧 Vendor Utility DBUtil · RTCore64 · gdrv · iqvw64e · HW.sys · WinRing0 · +8 more OEM hardware utility and diagnostic drivers. Expose physical memory R/W, MSR, I/O port access. Canonical BYOVD targets. 14 CVEs 9 ITW 🎮 Performance & GPU AMDRyzenMaster · ThrottleStop · nvlddmkm · AMD chipset CPU tuning, GPU, and chipset drivers. Expose MSR writes, GPU memory mapping, MMIO register access. 4 CVEs 1 ITW 🚨 Third-Party Security Capcom.sys · echo_driver.sys · viragt64.sys · Truesight.sys · amsdk.sys AV/EDR/anti-cheat kernel modules. Abused for process termination, callback manipulation, ring-0 code execution. 5 CVEs 4 ITW

Driver Type vs. Vulnerability Class Heatmap

Driver Type Buffer Overflow Integer Overflow Type Confusion Race Condition UAF Info Disclosure Logic Bug
File System ■■
Minifilter ■■
Log / Transaction ■■■■
Network Stack ■■
Kernel Streaming
Win32k
Core Kernel ■■
Security / Policy
Storage / Caching
Vendor Utility ■■■■■■■■■■■■■■
Performance & GPU ■■■
Third-Party Security ■■■■■
Next in the pipeline: Attack Surfaces → How does user-mode code reach these drivers?