Skip to main content

Exploitation 4011: Windows Kernel Exploitation: Race Condition + UAF in KTM


About This Course

This is it! This is the class that *actually* teaches you how to exploit a race condition vulnerability leading to a use-after-free in the Kernel Transaction Manager (KTM) component of the Windows kernel. This class is meant to show the approach an exploit developer should take in attacking a previously unknown component in the Windows kernel.

The class is primarily focused around labs to teach the students what it takes to exploit a real-world vulnerability.

This class focuses on exploiting CVE-2018-8611 on Windows 10 x64 1809 (RS5), a complex race condition that leads to a use-after-free on the non-paged kernel pool. The vulnerability is in the Kernel Transaction Manager (KTM) driver (`tm.sys`), a component that has not yet received much public scrutiny.

Even though students will learn a lot about the KTM component, we focus on our approach for analyzing this component as a new kernel component that we had no prior knowledge about. The methodology can be reused for any other unknown kernel components a student may encounter in the future. We do not specifically focus on tricks or techniques for bypassing specific Windows versions mitigations, but rather on the thought process behind exploring functionality to find useful unmitigated code paths and also abusing the bug in ways that allow to build powerful primitives that would facilitate mitigation bypasses.

After this class, you'll know what it takes to develop an exploit targeting the Windows kernel.

Key learning objectives:

• Modern reverse engineering and binary patch diffing

• How to approach exploiting a vulnerability on a previously unknown target

• Step-by-step real-world Windows kernel exploit on Windows 10 1809 (RS5) x64

At the end of the class, you'll have a working exploit to elevate your own process to SYSTEM privileges.


• Comfortable with x86/x64 assembly and reversing it

• C knowledge (reading/writing)

• Exploitation experience on some OS like Windows or Linux

• Familiarity with common memory corruption techniques

• Comfortable with disassemblers/decompilers (IDA, Ghidra, etc) and debuggers (WinDbg, x64dbg, gdb, etc)

You must have taken OST2 Debuggers 3011 since we use the environment as a base for debugging/exploitation.

You must have taken OST2 Architecture 2821, or have equivalent knowledge of Windows internals.

Frequently Asked Questions

What learning paths is this class used in?

Debugging, Reverse Engineering, Exploits

To be or not to be?

That is the question...

Course Staff

Cedric's Twitter Pic!

Cedric Halbronn

Cedric (@saidelike and @saidelike) specialises in vulnerability research and exploit development, and while at NCC Group working in the Exploit Development Group (EDG) has published some public research related to Cisco ASA, Windows kernel, NAS devices, printers, etc.