# Windows Kernel Exploitation Research & PoCs by @0xDbgMan
A collection of Windows kernel vulnerability analysis, proof-of-concept exploits, and detailed writeups covering real-world CVEs. This repository focuses on privilege escalation techniques from user-mode to kernel-mode on modern Windows systems (Windows 10/11).
This repository is for **security research**. The code and techniques documented here are intended for:
- Learning Windows kernel internals and security mechanisms
- Authorized penetration testing engagements
- Security research and vulnerability analysis

## Techniques Covered

- Kernel address leaking via NtQuerySystemInformation (ETHREAD, FileObject, module base)
- kCFG (kernel Control Flow Guard) bypass using valid call targets
- ETHREAD->PreviousMode manipulation (User-to-Kernel mode transition)
- Kernel pattern scanning for gadget discovery
- IOCTL-based driver communication and exploitation
- TOCTOU (Time-of-Check Time-of-Use) race conditions
- Kernel heap grooming and pool manipulation
- Token stealing and privilege escalation
- Reflective DLL injection into SYSTEM processes
- Handle stealing from privileged processes (winlogon.exe)

## Prerequisites

- Visual Studio 2019/2022 with C++ Desktop Development workload
- Windows Driver Kit (WDK) - for kernel headers
- Windows SDK
- WinDbg / WinDbg Preview - for kernel debugging
- A test VM (VMware/VirtualBox) with kernel debugging enabled
- Ruby + Metasploit Framework (for the .rb module)

## Setup

```powershell
# Enable kernel debugging on the test VM (serial transport over COM1)
bcdedit /debug on
bcdedit /dbgsettings serial debugport:1 baudrate:115200
# Enable test-signing mode so test-signed drivers load (lab use only;
# this is not a full Driver Signature Enforcement bypass)
bcdedit /set testsigning on
# Connect WinDbg from the host over the VM's named-pipe serial port
windbg -k com:port=\\.\pipe\com_1,baud=115200,pipe
```
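As an added example that is not part of this repository, the PowerShell function below reads the current boot entry with `bcdedit` and reports the two settings the commands above change: kernel debugging and test-signing mode. It assumes English `bcdedit` output and an elevated prompt; it is useful both for confirming the lab VM is ready and for confirming that neither flag is set on a machine that is not a lab VM.

```powershell
# Added example (not part of this repository). Reports whether the current
# boot entry has kernel debugging (/debug on) and test-signing mode
# (/set testsigning on) enabled. Assumes English bcdedit output and an
# elevated prompt, since the BCD store is only readable by administrators.
function Get-BcdLabSettings {
    $output = & bcdedit.exe /enum '{current}' 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed (elevated prompt required): $($output -join ' ')"
    }

    # bcdedit omits a property that has never been written; treat that as "No".
    $settings = [ordered]@{ debug = 'No'; testsigning = 'No' }
    foreach ($line in $output) {
        # Property rows look like "testsigning             Yes"
        if ("$line" -match '^\s*(debug|testsigning)\s+(Yes|No)\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }

    # /dbgsettings prints the debug transport (debugtype, debugport, baudrate, ...).
    $transport = ''
    $dbg = & bcdedit.exe /dbgsettings 2>&1
    if ($LASTEXITCODE -eq 0) {
        $transport = ($dbg | ForEach-Object { "$_".Trim() } | Where-Object { $_ }) -join '; '
    }

    [pscustomobject]@{
        KernelDebugging = ($settings['debug'] -eq 'Yes')
        TestSigning     = ($settings['testsigning'] -eq 'Yes')
        DebugTransport  = $transport
    }
}

# Both flags should be True on the lab VM after the setup commands above.
# Either flag being True on a non-lab host is worth investigating: test-signing
# mode lets test-signed drivers load, and an attached kernel debugger has full
# control of the machine.
Get-BcdLabSettings | Format-List
```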

## Repository Structure

```text
Kernel-Exploitation/
|-- CVE-2024-21338/          # AppLocker driver exploit (C++)
|   |-- POC.cpp              # Main exploit code
|   |-- pch.hpp              # Precompiled headers
|   +-- poc.hpp              # Exploit class definitions
|
|-- CVE-2024-30088/          # TOCTOU race condition (Metasploit Ruby)
|   +-- cve-2024-30088.rb    # Metasploit module
|
|-- CVE-2025-62215/          # Kernel heap double-free (C++)
|   +-- Exploit.cpp          # Race condition exploit engine
|
+-- README.md
```

## References

- Windows Internals, 7th Edition - Russinovich, Ionescu, Solomon
- Windows Kernel Programming - Pavel Yosifovich
- Connor McGarr's Kernel Exploitation Blog
- FuzzySecurity Tutorials
- HackSys Extreme Vulnerable Driver (HEVD)

- Token stealing payload implementation
- Pool overflow exploitation (NonPaged/Paged pool)
- SMEP/SMAP bypass techniques
- PTE (Page Table Entry) overwrite exploitation
- DSE (Driver Signature Enforcement) bypass methods
- BYOVD (Bring Your Own Vulnerable Driver) toolkit
- Detailed writeups for each CVE

## Author

0xDbgMan - Red Teamer & Kernel Security Researcher
- GitHub: @0xDbgMan

## License

This project is licensed under the MIT License - see the LICENSE file for details.