Driver Types
Every kernel exploitation chain begins with a target component. Windows kernel drivers are categorized by their role and the subsystem they interact with — each type has distinct IRP handling patterns, accessible attack surfaces, and historical vulnerability profiles.
FIG_002 — Windows Kernel Architecture
Driver types positioned within their kernel subsystem. CVE counts from the KernelSight corpus.
Categories
| Driver Type | Examples | CVEs in Corpus | Key Attack Surface |
|---|---|---|---|
| File System Drivers | ntfs.sys, fastfat.sys | 2 | On-disk structure parsing, IRP dispatch |
| File System Minifilters | cldflt.sys | 2 | Pre/post-operation callbacks, reparse data |
| Log / Transaction Drivers | clfs.sys | 4 | Metadata parsing, base log manipulation |
| Network Stack | tcpip.sys, afd.sys, http.sys | 5 | Packet parsing, socket operations, protocol handling |
| Kernel Streaming | ks.sys, mskssrv.sys, ksthunk.sys | 5 | IOCTL dispatch, WOW64 thunking, MDL operations |
| Win32k Subsystem | win32k.sys, win32kbase.sys, win32kfull.sys | 3 | Syscall handlers, GDI objects, window management |
| Core Kernel | ntoskrnl.exe | 4 | Syscall handlers, security subsystem, VBS |
| Security / Policy Drivers | appid.sys | 1 | IOCTL access control, policy enforcement |
| Storage / Caching Drivers | csc.sys | 1 | IOCTL handlers, file caching |
| Vendor Utility | DBUtil, RTCore64, gdrv, iqvw64e, HW.sys, ATSZIO64, AsIO3, WinRing0, etc. | 14 | Physical memory R/W, MSR access, I/O port |
| Performance & GPU | AMDRyzenMasterDriver.sys, ThrottleStop.sys, nvlddmkm.sys | 4 | MSR write, GPU memory mapping, MMIO |
| Third-Party Security | Capcom.sys, echo_driver.sys, viragt64.sys, Truesight.sys, amsdk.sys | 5 | Ring-0 exec, callback manipulation, process termination |
Browse by Driver Type
File System Drivers
ntfs.sys · fastfat.sys
On-disk structure parsing: MFT records, FAT bitmaps. Mounting a VHD reaches this parser from an unprivileged local context.
2 CVEs
Buffer Overflow · Integer Overflow
File System Minifilters
cldflt.sys
Pre/post-operation callbacks, reparse data parsing, context reference management.
2 CVEs
Heap Overflow
Log / Transaction
clfs.sys
CLFS base log metadata parsing — the most exploited single driver. User-reachable via CreateLogFile.
4 CVEs
3 ITW (exploited in the wild)
Network Stack
tcpip.sys · afd.sys · http.sys
TCP/IP packet processing, Winsock kernel helper, HTTP protocol stack. Includes remote attack surface.
5 CVEs
2 Remote
Kernel Streaming
ks.sys · mskssrv.sys · ksthunk.sys
KS IOCTL dispatch, WOW64 thunking, MDL operations, rendezvous server context management.
6 CVEs
2 ITW
Win32k Subsystem
win32k.sys · win32kbase.sys · win32kfull.sys
~1200 NtUser/NtGdi syscall handlers, GDI objects, window and menu management.
3 CVEs
2 ITW
Core Kernel
ntoskrnl.exe
Security reference monitor, VBS transitions, process/thread management. Highest impact bugs.
4 CVEs
2 ITW
Security / Policy
appid.sys · ci.sys
AppLocker, Code Integrity and WDAC enforcement. Exploited in the wild by Lazarus Group.
1 CVE
ITW
Storage / Caching
csc.sys
Client-Side Caching (Offline Files). Logic bugs in access-control enforcement.
1 CVE
Logic Bug
Vendor Utility
DBUtil · RTCore64 · gdrv · iqvw64e · HW.sys · WinRing0 · +8 more
OEM hardware utility and diagnostic drivers that expose physical memory read/write, MSR and I/O port access to user mode. Canonical BYOVD targets.
14 CVEs
9 ITW
Performance & GPU
AMDRyzenMaster · ThrottleStop · nvlddmkm · AMD chipset
CPU tuning, GPU, and chipset drivers. Expose MSR writes, GPU memory mapping, MMIO register access.
4 CVEs
1 ITW
Third-Party Security
Capcom.sys · echo_driver.sys · viragt64.sys · Truesight.sys · amsdk.sys
AV/EDR/anti-cheat kernel modules, abused for process termination, callback manipulation and ring-0 code execution.
5 CVEs
4 ITW
Driver Type vs. Vulnerability Class Heatmap
| Driver Type | Buffer Overflow | Integer Overflow | Type Confusion | Race Condition | UAF | Info Disclosure | Logic Bug |
|---|---|---|---|---|---|---|---|
| File System | ■■ | ■ | |||||
| Minifilter | ■■ | ||||||
| Log / Transaction | ■■■■ | ||||||
| Network Stack | ■ | ■■ | ■ | ||||
| Kernel Streaming | ■ | ■ | ■ | ||||
| Win32k | ■ | ■ | ■ | ||||
| Core Kernel | ■■ | ■ | ■ | ||||
| Security / Policy | ■ | ||||||
| Storage / Caching | ■ | ||||||
| Vendor Utility | ■■■■■■■■■■■■■■ | ||||||
| Performance & GPU | ■ | ■■■ | |||||
| Third-Party Security | ■■■■■ | | | | | | |