Windows Kernel Exploitation: The Road to Ring 0

In Windows, applications run in User Mode (Ring 3). They cannot touch hardware or access other processes' memory. The Operating System core runs in Kernel Mode (Ring 0). It can see everything. If you find a vulnerability in a third-party driver (like your Anti-Virus or Graphics driver), you can use it to elevate from a standard user to NT AUTHORITY\SYSTEM. This is the Holy Grail of Local Privilege Escalation (LPE).

The Attack Surface: IOCTL

User Mode applications talk to the Kernel via IOCTLs (Input/Output Control codes).
It's like a web API but for drivers. You send a data buffer, the driver processes it, and sends back a result.
If the driver does not validate the size of the incoming buffer before copying it to a kernel stack or heap, you have a Kernel Buffer Overflow.

1. The Playground: HEVD

Learning kernel exploitation on a live system is painful because every mistake causes a BSOD (Blue Screen of Death).
Hackers practice on HEVD (HackSys Extreme Vulnerable Driver). It is a purposefully broken driver that implements every major class of vulnerability:

Stack/Heap Overflow
Use After Free (UAF)
Type Confusion
Null Pointer Dereference

2. Token Stealing (The Payload)

In User Mode, we pop a shell (`cmd.exe`). In Kernel Mode, we are already running code, but we need to transfer that power to our user process.
The standard technique is Token Stealing.
Every process is represented in the kernel by an _EPROCESS structure. This struct contains a Token pointer (which defines permissions).
The Strategy:
1. Get code execution in Ring 0.
2. Find the _EPROCESS of our current process (cmd.exe).
3. Walk the linked list of processes (`ActiveProcessLinks`) to find PID 4 (System).
4. Copy the Token pointer from System to our process.
5. Return execution cleanly to User Mode.

            ; Token Stealing Shellcode (x86 Assembly)
            pushad                       ; Save registers
            xor eax, eax
            mov eax, fs:[124h]           ; Get _KTHREAD
            mov eax, [eax + 050h]        ; Get _EPROCESS (Current)
            mov ecx, eax                 ; Save Current Process
            
            FindSystem:
            mov eax, [eax + 0b8h]        ; Next Process (ActiveProcessLinks)
            sub eax, 0b8h                ; Adjust pointer
            cmp [eax + 0b4h], 4          ; Is PID == 4 (SYSTEM)?
            jne FindSystem               ; If not, loop
            
            mov edx, [eax + 0f8h]        ; Steal Token from System
            mov [ecx + 0f8h], edx        ; Overwrite our Token
            
            popad                        ; Restore registers
            ret
        

3. Smashing the Stack (Practice)

We send a long string of 'A's to the driver. The driver crashes (BSOD). We attach a remote debugger (WinDbg) via a virtual serial port.
We see `EIP = 41414141`. We control the instruction pointer.
However, we can't just jump to our shellcode anymore because of mitigations.

4. Bypassing Mitigations (SMEP/KASLR)

SMEP (Supervisor Mode Execution Prevention): The CPU crashes if the Kernel tries to execute code stored in User Mode memory (where our shellcode usually sits).
Bypass: Use ROP (Return Oriented Programming) to disable the CR4 bit that controls SMEP before jumping to shellcode.

KASLR (Kernel Address Space Layout Randomization): The driver is loaded at a random address every boot.
Bypass: We need an Info Leak first. We need to find a way to make the driver read us a pointer from the kernel, calculating the base address.

Windows Kernel Exploitation (Ring 0)

The Attack Surface: IOCTL

1. The Playground: HEVD

2. Token Stealing (The Payload)

3. Smashing the Stack (Practice)

4. Bypassing Mitigations (SMEP/KASLR)

Related Topics