Breaking Into the Windows Kernel: A Deep Dive into Exploitation Techniques

How do attackers gain access to the kernel? Where are the vulnerabilities that can be exploited? We outline possible approaches here.

Introduction: Why Kernel Space Matters

While most security professionals focus on userland exploitation, the real power lies deeper within the system architecture. Modern AV/EDR solutions have become increasingly sophisticated, making traditional userland attacks more challenging and detectable. But what if a simple Windows misconfiguration could grant us access to the system’s most privileged layer – the kernel itself?

Operating from kernel space provides significant advantages over traditional userland attacks. It allows partial circumvention of security tools’ detection mechanisms and opens doors to more powerful exploitation techniques. In this comprehensive guide, we’ll explore how to identify kernel backdoors, establish debugging environments, and leverage custom tools for kernel manipulation.

Prerequisites: Finding Your Way In

Before diving into kernel exploitation, we need to verify if the target system allows test signing mode. This critical setting determines whether we can load unsigned kernel drivers – our gateway to kernel space.

Verifying secure boot status using PowerShell

The ability to enable test signing mode depends on local security settings. If this door is open, we can proceed with loading custom kernel drivers without valid Microsoft signatures.

Setting Up Your Kernel Debugging Environment

Understanding Architecture Options

Kernel debugging requires careful setup and can be approached in two ways:

Local Virtual Machine Debugging
Build a specific Windows version using UUP dump, deploy it in your virtual environment, and debug from another Windows instance.

Direct kernel debugging setup using native UDP connection

Remote Kernel Debugging
Debug the target kernel directly, though this requires additional setup with Linux VM.

Remote kernel debugging setup with Linux VM as bridge

For remote scenarios, SSH port forwarding with SOCAT for UDP over TCP proves unreliable. Instead, a Linux VM bridge provides the necessary stability.

Configuring the Debugging Environment

On the Debuggee Machine

Install Windows 10 SDK with ‘Debugging Tools for Windows’. Enable test signing mode.

PowerShell commands to enable test signing mode

Configure kernel debugging with kdnet.exe:

Setting up network kernel debugging with kdnet.exe

On the Debugger-Machine

Configure WinDbg with the appropriate key and port:

WinDbg configuration for kernel debugging connection

Discovering Kernel Callbacks and Offsets

The Challenge of Windows Versions

Kernel callback offsets change between Windows releases, making exploitation version-specific. Our research has identified offsets for these Windows builds:

• 10.0.26100

• 10.0.22621

• 10.0.22631

For unsupported versions, manual offset discovery through kernel debugging becomes necessary.

Identifying Critical Callback

Windows kernel callbacks provide notifications for system events and are heavily utilized by security solutions. The three most important callback types for attackers are:

ProcessNotify Callbacks

Triggered on process creation/termination

ThreadNotify Callbacks

Activated during thread creation/deletion

ImageNotify Callbacks

Invoked when DLLs are mapped into process memory

Enumerating ProcessNotify callbacks in WinDbg

Determining ProcessNotify callback offsets

Similar techniques apply to ThreadNotify and ImageNotify callbacks:

Enumerating ThreadNotify callbacks

Determining ThreadNotify callback offsets

Enumerating ImageNotify callbacks

Process Protection Mechanisms

Understanding process protection offsets is crucial for manipulating protected processes like LSASS:

Identifying process protection structure offsets

Introducing tKMD: Your Kernel Exploitation Toolkit

Overview

The Trovent Kernel-Mode Driver (tKMD) is a powerful C-based toolkit that facilitates common kernel exploitation techniques. Available on GitHub, it consists of:

• A rogue kernel driver (tKMD.sys)

• A userspace communicator (tKMDc.exe)

Installation und Einrichtung

Install the driver using the Service Control Manager:

Successful driver installation output

Capabilities and Features

The tKMDc.exe communicator provides extensive functionality:

tKMDc.exe help menu showing available commands

Kernel Module Enumeration

Identify suspicious or non-standard drivers in the system:

Searching for specific drivers among kernel modules

Callback Enumeration

List all registered callbacks for each type:

Enumerating ProcessNotify callbacks with tKMDc.exe

Enumerating ThreadNotify callbacks with tKMDc.exe

Enumerating ImageNotify callbacks with tKMDc.exe

Callback manipulation

Disable specific callbacks to evade detection:

Disabling a specific ProcessNotify callback

Process Protection Removal

Remove protection from critical processes like LSASS:

Stripping protection from LSASS to enable credential dumping

Setting all _PS_PROTECTION structure parameters to zero effectively disables process protection, allowing credential extraction even when running as SYSTEM.

Security Implications and Defense Considerations

Attack Vectors

Kernel callback manipulation represents a powerful attack vector because:

• Process Notifications can be disabled to hide malicious process creation

• Thread Notifications manipulation prevents detection of injected threads

• LoadImage Notifications removal hides DLL loading activities

Detection Challenges

Operating from kernel space provides significant advantages:

• Bypasses many userland-based security controls

• Operates below most EDR/AV detection layers

• Manipulates the very mechanisms security tools rely on

Conclusion: The Power and Responsibility of Kernel Access

This exploration of Windows kernel exploitation demonstrates that gaining kernel access often stems from simple misconfigurations rather than complex vulnerabilities. While test signing mode provides a convenient backdoor for research and testing, it represents a significant security risk in production environments.

Understanding these techniques is crucial for:

• Security professionals assessing system hardening

• Incident responders recognizing kernel-level compromises

• System administrators implementing proper security configurations

Remember that with great power comes great responsibility. These techniques should only be used in authorized security assessments and research environments. The ability to manipulate kernel callbacks and process protections demonstrates why proper system configuration and security hygiene remain fundamental to maintaining secure Windows environments.

As security tools continue to evolve, so too do the techniques to bypass them. By understanding kernel-level exploitation, defenders can better prepare for and prevent these advanced attacks.