The exploitation pipeline for Windows kernel drivers, from attack surface to privilege escalation. Every entry is grounded in real CVEs with driver names, vulnerable/fixed builds, patch analysis, and detection rules.
KernelSight is an interactive knowledge base that maps how Windows kernel drivers get exploited. It tracks 156 CVEs across 64 drivers, organized as a pipeline that mirrors how exploitation actually works: identify a driver, find its attack surface, classify the bug, convert it into a primitive, and escalate to SYSTEM.
The landing page is an interactive threat intelligence dashboard with a driver-by-vuln-class heat matrix, searchable CVE explorer, and export functionality. The knowledge base behind it contains 241 pages of narrative-driven technical content covering vulnerability classes, exploitation primitives, kernel mitigations, and real-world case studies.
| Metric | Count |
|---|---|
| CVE case studies | 156 |
| Unique drivers analysed | 64 |
| Exploited in the wild | 57 |
| Remotely exploitable | 2 |
| BYOVD drivers | 41 |
| Driver type categories | 12 |
| Exploitation technique pages | 57 |
| AutoPiff detection rules | 80+ |
| LOLDrivers analysed | 1,775 |
KernelSight is organized as a pipeline from driver identification through privilege escalation:
Driver Types → Attack Surfaces → Vulnerability Classes → Exploitation Primitives → Case Studies
With Mitigations cross-cutting every stage.
| Driver Type | Example Drivers | CVEs | Key Pattern |
|---|---|---|---|
| File System | ntfs.sys, fastfat.sys | 7 | VHD mount gives unprivileged access to on-disk parsing |
| Minifilters | cldflt.sys | 8 | Reparse data and cloud file callbacks |
| Log / Transaction | clfs.sys | 15 | Most exploited single driver, on-disk metadata corruption |
| Network Stack | tcpip.sys, afd.sys, http.sys | 13 | Includes 2 remotely exploitable bugs (IPv6 RCE, HTTP RCE) |
| Kernel Streaming | ks.sys, mskssrv.sys, ksthunk.sys | 14 | IOCTL handlers, MDL mapping, type confusion |
| Win32k | win32k.sys, win32kbase.sys, win32kfull.sys | 12 | Callback reentrancy, window object races |
| Core Kernel | ntoskrnl.exe | 13 | Token races, secure-mode bypasses, highest impact |
| Security / Policy | appid.sys, ci.dll | 2 | Missing IOCTL access checks |
| Storage / Caching | csc.sys, storvsp.sys | 2 | Logic bugs, PreviousMode manipulation |
| Vendor Utility | RTCore64.sys, DBUtil_2_3.sys | 15+ | Physical memory mapping, MSR access, BYOVD weapons |
| Performance & GPU | dxgkrnl.sys, dwmcore.dll | 8+ | DMA, shared memory, kernel streaming |
| Third-Party Security | Truesight.sys, amsdk.sys | 5+ | EDR bypass, process termination primitives |
- Why Kernel Drivers? -- what hardware enforces, what only Ring 0 can do, user-mode alternatives
- Anatomy of a Secure Driver -- the 6 anti-patterns behind most kernel driver CVEs
- Corpus Analytics -- visual breakdown of 156 CVEs by driver, year, vulnerability class
- Exploit Chain Patterns -- the 5 recurring exploit chain shapes
- Patch Patterns -- what Microsoft's fixes look like for each bug class
- Mitigation Timeline -- when each kernel defence landed
- CLFS Deep-Dive -- 15 CVEs, the most exploited Windows kernel attack surface
- AFD Deep-Dive -- 13 CVEs, socket teardown races and Lazarus Group campaigns
- Win32k Deep-Dive -- 12 CVEs, callback reentrancy and the evolution of exploitation
- NTFS Deep-Dive -- 7 CVEs, crafted VHD exploitation
- Dashboard -- interactive threat matrix, searchable CVE explorer, CSV/JSON export
- Attack Surfaces (9) -- IOCTL handlers, filesystem IRPs, NDIS/network, ALPC, shared memory, WMI/ETW
- Vulnerability Classes (10) -- buffer overflow, UAF, type confusion, TOCTOU, race conditions, integer overflow
- Exploitation Primitives (19) -- arbitrary R/W families + exploitation building blocks
- Mitigations (9) -- SMEP/SMAP, kCFG/kCET, VBS/HVCI, KDP, pool hardening, KASLR
- BYOVD -- Bring Your Own Vulnerable Driver attack pattern
- Tooling -- static analysis, fuzzing, debugging, patch diffing, AutoPiff integration
- LOLDrivers Analysis -- 1,775 drivers analysed with automated Ghidra decompilation
Visit splintersfury.github.io/KernelSight -- no setup required.
```bash
git clone https://github.com/splintersfury/KernelSight.git
cd KernelSight
pip install mkdocs-material pyyaml
python scripts/build_dashboard_data.py   # generate dashboard data
mkdocs serve                             # open http://localhost:8000
```

```text
KernelSight/
├── docs/                    # MkDocs source (241 markdown pages)
│   ├── index.md             # Dashboard landing page (custom template)
│   ├── overview.md          # Pipeline overview page
│   ├── driver-types/        # 12 driver categories
│   ├── attack-surfaces/     # 9 attack vectors
│   ├── vuln-classes/        # 10 vulnerability classes
│   ├── primitives/          # 19 exploitation techniques
│   ├── case-studies/        # 161 CVE case studies + 4 deep dives
│   ├── mitigations/         # 9 kernel defences
│   ├── guides/              # 6 synthesis essays
│   ├── tooling/             # 5 tool guides
│   ├── reference/           # BYOVD, LOLDrivers, KDU, resources
│   ├── overrides/           # Custom dashboard HTML template
│   └── assets/              # Dashboard JS, data JSON
├── index/                   # YAML data indices
│   ├── cve_index.yaml       # 156 CVE definitions
│   ├── driver_index.yaml    # Driver metadata
│   ├── techniques.yaml      # Technique registry
│   └── autopiff_rule_map.yaml
├── collector/               # Automated CVE data collector (Docker)
├── scripts/                 # Build scripts
└── mkdocs.yml               # Site configuration
```
- AutoPiff -- Automated Windows kernel driver patch diffing pipeline that feeds into KernelSight's case studies and detection rules
- LOLDrivers -- Community-maintained catalogue of vulnerable and malicious drivers
Contributions welcome, whether adding a case study, documenting a new technique, or improving existing entries.
- Use the templates in `templates/` as a starting point
- Follow the schema in `index/techniques.yaml`
- Cross-reference CVEs to techniques, techniques to mitigations
- Run `python scripts/build_dashboard_data.py` to regenerate dashboard data
- Open a PR
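The cross-referencing step above (every CVE points at a registered technique, every technique at a registered mitigation) and the driver-by-vuln-class heat matrix on the dashboard are both straightforward to check before opening a PR. The following is an added Python example, not a script from the KernelSight repository: the record fields (`cve`, `driver`, `vuln_class`, `techniques`, `exploited_itw`, `remote`), the technique and mitigation registry shapes, and the sample records are assumptions standing in for the real schema in `index/`, and the sample CVE IDs use year 0000 so they cannot collide with real ones.

```python
"""Consistency checks and dashboard aggregates over KernelSight-style indices.

Added example, not code from the KernelSight repository. The record shape
(cve, driver, vuln_class, techniques, exploited_itw, remote) and the technique /
mitigation registries are assumptions standing in for index/cve_index.yaml and
index/techniques.yaml; adapt the field names to the real schema.
"""
import re
from collections import Counter, defaultdict

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample data (year 0000 IDs cannot be real CVEs). One record
# references an unregistered technique, one has a malformed ID, and one
# technique names an unregistered mitigation, so the checks have something to report.
SAMPLE_CVES = [
    {"cve": "CVE-0000-0001", "driver": "clfs.sys", "vuln_class": "buffer-overflow",
     "techniques": ["arbitrary-write"], "exploited_itw": True, "remote": False},
    {"cve": "CVE-0000-0002", "driver": "clfs.sys", "vuln_class": "uaf",
     "techniques": ["arbitrary-write", "token-swap"], "exploited_itw": True, "remote": False},
    {"cve": "CVE-0000-0003", "driver": "afd.sys", "vuln_class": "race",
     "techniques": ["arbitrary-read"], "exploited_itw": False, "remote": False},
    {"cve": "CVE-0000-0004", "driver": "tcpip.sys", "vuln_class": "buffer-overflow",
     "techniques": ["missing-technique"], "exploited_itw": False, "remote": True},
    {"cve": "cve-0000-5", "driver": "ntfs.sys", "vuln_class": "type-confusion",
     "techniques": ["arbitrary-write"], "exploited_itw": False, "remote": False},
]
SAMPLE_TECHNIQUES = {
    "arbitrary-write": {"mitigations": ["kdp", "hvci"]},
    "arbitrary-read": {"mitigations": ["kaslr"]},
    "token-swap": {"mitigations": ["no-such-mitigation"]},
}
SAMPLE_MITIGATIONS = {"kdp", "hvci", "kaslr", "smep"}


def find_problems(cves, techniques, mitigations):
    """Return human-readable problems: duplicate IDs, malformed IDs, dangling refs."""
    problems = []
    for cve_id, n in Counter(c["cve"] for c in cves).items():
        if n > 1:
            problems.append(f"{cve_id}: listed {n} times")
    for c in cves:
        cve_id = c["cve"]
        if not CVE_ID.match(cve_id):
            problems.append(f"{cve_id}: malformed CVE ID")
        for t in c["techniques"]:
            if t not in techniques:
                problems.append(f"{cve_id}: unknown technique '{t}'")
    for name, t in techniques.items():
        for m in t.get("mitigations", []):
            if m not in mitigations:
                problems.append(f"technique '{name}': unknown mitigation '{m}'")
    return problems


def heat_matrix(cves):
    """driver -> vuln_class -> CVE count, the data behind the dashboard heat matrix."""
    matrix = defaultdict(Counter)
    for c in cves:
        matrix[c["driver"]][c["vuln_class"]] += 1
    return {driver: dict(row) for driver, row in matrix.items()}


def corpus_metrics(cves):
    """Headline counts in the style of the README metrics table."""
    return {
        "cves": len({c["cve"] for c in cves}),
        "drivers": len({c["driver"] for c in cves}),
        "exploited_itw": sum(1 for c in cves if c["exploited_itw"]),
        "remote": sum(1 for c in cves if c["remote"]),
    }


def render_matrix(matrix):
    """Markdown table of the heat matrix: drivers as rows, vuln classes as columns."""
    classes = sorted({k for row in matrix.values() for k in row})
    lines = ["| Driver | " + " | ".join(classes) + " |",
             "|---|" + "---|" * len(classes)]
    for driver in sorted(matrix):
        cells = [str(matrix[driver].get(k, 0)) for k in classes]
        lines.append(f"| {driver} | " + " | ".join(cells) + " |")
    return "\n".join(lines)


if __name__ == "__main__":
    for p in find_problems(SAMPLE_CVES, SAMPLE_TECHNIQUES, SAMPLE_MITIGATIONS):
        print("PROBLEM:", p)
    print(render_matrix(heat_matrix(SAMPLE_CVES)))
    print(corpus_metrics(SAMPLE_CVES))
```

To run it against the real indices, load `index/cve_index.yaml` and `index/techniques.yaml` with `yaml.safe_load` and map the actual field names onto the ones used here; a non-empty result from `find_problems` is the signal to fix the entry before regenerating the dashboard data.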
MIT