A structured knowledge base for Windows kernel driver exploitation -- covering vulnerability classes, exploitation primitives, BYOVD campaigns, exploit chain patterns, and kernel mitigations. Every entry is grounded in real CVEs with driver names, vulnerable/fixed builds, and patch analysis.
| Metric | Count |
|---|---|
| CVE case studies | 134 |
| Unique drivers analysed | 62 |
| Exploited in the wild | 52 |
| Remotely exploitable | 2 |
| BYOVD drivers | 41 |
| Driver type categories | 12 |
| Exploitation technique pages | 57 |
| AutoPiff detection rules | 80+ |
KernelSight is organized as a pipeline from driver identification through privilege escalation:
Driver Types → Attack Surfaces → Vulnerability Classes → Exploitation Primitives → Case Studies
Mitigations cut across every stage of this pipeline.
| Driver Type | Example Drivers | CVEs | Key Pattern |
|---|---|---|---|
| File System | ntfs.sys, fastfat.sys, refs.sys | 7 | VHD mount gives unprivileged access to on-disk parsing |
| Minifilters | cldflt.sys | 8 | Reparse data and cloud file callbacks |
| Log / Transaction | clfs.sys | 12 | Most exploited single driver -- on-disk metadata corruption |
| Network Stack | tcpip.sys, afd.sys, http.sys | 13 | Includes 2 remotely exploitable bugs (IPv6 RCE, HTTP RCE) |
| Kernel Streaming | ks.sys, mskssrv.sys, ksthunk.sys | 12 | IOCTL handlers, MDL mapping, type confusion |
| Win32k | win32k.sys, win32kbase.sys, win32kfull.sys | 12 | Callback reentrancy, window object races |
| Core Kernel | ntoskrnl.exe | 9 | Token races, secure-mode bypasses, highest impact |
| Security / Policy | appid.sys, ci.dll | 2 | Missing IOCTL access checks |
| Storage / Caching | csc.sys, storvsp.sys | 2 | Logic bugs, PreviousMode manipulation |
| Vendor Utility | RTCore64.sys, DBUtil_2_3.sys | 15+ | Physical memory mapping, MSR access -- BYOVD weapons |
| Performance & GPU | dxgkrnl.sys, dwmcore.dll | 8+ | DMA, shared memory, kernel streaming |
| Third-Party Security | Truesight.sys, amsdk.sys | 5+ | EDR bypass, process termination primitives |
- Why Kernel Drivers? -- what hardware enforces, what only Ring 0 can do, user-mode alternatives
- Anatomy of a Secure Driver -- the 6 anti-patterns behind most kernel driver CVEs
- Corpus Analytics -- visual breakdown of 134 CVEs by driver, year, vulnerability class
- Exploit Chain Patterns -- the 5 recurring exploit chain shapes
- Patch Patterns -- what Microsoft's fixes look like for each bug class
- Mitigation Timeline -- when each kernel defence landed
- CLFS Deep-Dive -- 12 CVEs, 3 exploited in the wild
- AFD Deep-Dive -- 13 CVEs, socket teardown races
- Win32k Deep-Dive -- 12 CVEs, callback reentrancy
- NTFS Deep-Dive -- 7 CVEs, crafted VHD exploitation
- Attack Surfaces (9) -- IOCTL handlers, filesystem IRPs, NDIS/network, ALPC, shared memory, WMI/ETW
- Vulnerability Classes (10) -- buffer overflow, UAF, type confusion, TOCTOU, race conditions, integer overflow
- Exploitation Primitives (19) -- arbitrary R/W families + exploitation building blocks (pool spray, I/O Ring, WNF, token swap, PreviousMode)
- Mitigations (9) -- SMEP/SMAP, kCFG/kCET, VBS/HVCI, KDP, pool hardening, KASLR
- BYOVD -- Bring Your Own Vulnerable Driver attack pattern
- Tooling -- static analysis, fuzzing, debugging, patch diffing, AutoPiff integration
Visit splintersfury.github.io/KernelSight -- no setup required.
```shell
git clone https://github.com/splintersfury/KernelSight.git
cd KernelSight
pip install mkdocs-material
mkdocs serve
# Open http://localhost:8000
```
- AutoPiff -- Automated Windows kernel driver patch diffing pipeline that feeds into KernelSight's case studies and detection rules
- LOLDrivers -- Community-maintained catalogue of vulnerable and malicious drivers
Contributions welcome -- whether adding a case study, documenting a new technique, or improving existing entries.
- Use the templates in templates/ as a starting point
- Follow the schema in index/techniques.yaml
- Cross-reference CVEs to techniques, and techniques to mitigations
- Open a PR
MIT