About Windows Kernel Exploitation

Rajshekhar Vijay

Training Title:

Windows Kernel Exploitation

Training Schedule:

Duration: 2 Days (16 Hours)

Start Date: 24 September 2026

End Date: 25 September 2026

Description

This training takes participants from Windows internals fundamentals to full exploitation of CVE-2026-20817 (WER ALPC Privilege Escalation), followed by detection engineering.

Workshop Breakdown

Day 1 - Windows Fundamentals

Objective: Build the exact conceptual foundation needed for CVE-2026-20817. Every module on Day 1 maps directly to a component of the Day 2 exploit chain: ALPC ports, shared memory (File Mapping / Section objects), service token context, and privilege constants.

  • M1 - Windows Architecture (09:00–10:30)
    Kernel vs user mode; executive components; object manager; system call flow; service host model (svchost.exe); how WerSvc.dll is loaded as a Windows service
  • M2 - Memory & Handles (10:45–12:15)
    Virtual address space; handle tables; Section objects (File Mapping) as shared memory; DuplicateHandle and cross-process handle cloning - the exact primitive abused in CVE-2026-20817
  • M3 - Windows Security Model (13:15–14:45)
    Access tokens; privilege constants (SeDebugPrivilege, SeImpersonatePrivilege, SeTcbPrivilege); integrity levels; SYSTEM token context; how services run with elevated privileges
  • M4 - IPC & ALPC Internals (15:00–16:30)
    Windows IPC mechanisms overview; ALPC port model; NtAlpcCreatePort / NtAlpcConnectPort; _PORT_MESSAGE structure layout; message flags; named ports in the Object Namespace (\WindowsErrorReportingServicePort)
  • M5 - Lab Environment Setup (16:45–17:45)
    WinDbg local debugging; Process Monitor, Process Hacker, Sysinternals Suite; compiling C++ PoC with VS 2022 Build Tools; verifying vulnerable WerSvc.dll version; snapshotting the pre-patch VM

Key Topics - Day 1

  • Windows service architecture and the WerSvc.dll service host model
    • WerSvc.dll loaded by svchost.exe; SYSTEM token context at service start
    • WER service ALPC server initialisation: NtAlpcCreatePort creating \WindowsErrorReportingServicePort
  • Handle tables and cross-process handle duplication
    • DuplicateHandle - how a privileged process clones a client-owned handle into its own context
    • Section objects (File Mapping) as the shared memory channel for ALPC payloads
    • MapViewOfFile - how the service reads attacker-controlled content from shared memory
  • Token model and privilege constants
    • SeDebugPrivilege - attach debugger to any process; gained via CVE-2026-20817
    • SeImpersonatePrivilege - impersonate any logged-on user; gained via CVE-2026-20817
    • SeTcbPrivilege (Act as OS) - NOT granted; important constraint for the post-exploitation discussion
  • ALPC internals - Windows’ primary high-performance IPC mechanism
    • _PORT_MESSAGE header structure; MessageFlags field (0x50000000 in the exploit)
    • Client connecting to a named ALPC port via NtAlpcConnectPort
    • Method dispatch in ALPC servers: SvcElevatedLaunch = method ID 0x0D

Day 2 - CVE-2026-20817: Root Cause → Exploit → Detect

Objective: Take CVE-2026-20817 from the MSRC advisory all the way to a working SYSTEM shell, then pivot immediately to detection engineering - building Sysmon rules, ETW telemetry mapping, and MDE KQL coverage across the full exploit chain.

CVE Details

  • CVE ID: CVE-2026-20817
  • Component: Windows Error Reporting Service - WerSvc.dll
  • Bug Class: CWE-273 - Improper privilege validation in ALPC message handling (SvcElevatedLaunch)
  • CVSS / Risk: 7.8 High - Microsoft: Exploitation More Likely
  • Patched: January 2026 Patch Tuesday - WerSvc.dll 10.0.26100.7623 (feature removed entirely)
  • Affected: Windows 10 / 11 pre-Jan 2026; Windows Server 2019 / 2022

  • M6 - Intel & Advisory (09:00–09:30)
    Reading the Jan 2026 Patch Tuesday advisory: CVE-2026-20817, WER service, CVSS 7.8, ‘Exploitation More Likely’; downloading pre/post-patch WerSvc.dll from Winbindex (10.0.26100.7309 vs 10.0.26100.7623)
  • M7 - Root Cause Analysis (09:30–10:45)
    Binary diff in BinDiff/Ghidra: isolate SvcElevatedLaunch; reconstruct _WERSVC_MSG from PDB symbols; trace ElevatedProcessStart → CreateElevatedProcessAsUser; identify the attacker-controlled lpCommandLine passed to WerFault.exe
  • M8 - Primitive & Constraints (10:45–12:15)
    Primitive: coerce SYSTEM-context WerFault.exe launch with attacker-controlled command line; constraint: lpApplicationName hardcoded via GetSystemDirectoryW; token analysis (SeDebug + SeImpersonate, no SeTcb); post-exploitation paths
  • M9 - Live Lab: SYSTEM Shell (13:15–15:15)
    Build PoC from source (cl.exe); connect to \WindowsErrorReportingServicePort via NtAlpcConnectPort; allocate Section object; write payload to mapped view; send ALPC message (flags 0x50000000); capture SYSTEM shell; verify with whoami /priv
  • M10 - Detection Engineering (15:30–16:30)
    Sysmon EID 1: WerFault.exe with anomalous parent; ETW Microsoft-Windows-RPC: ALPC client connection to WER port; MDE KQL hunt query (DeviceProcessEvents); Splunk SPL; tuning false positives from legitimate WER activity
  • M11 - Patch & Hardening (16:30–17:30)
    How Microsoft fixed it: feature flag kill in SvcElevatedLaunch (returns E_FAIL 0x80004005); compensating controls (sc config WerSvc start=disabled); WER policy GPO; auditing ALPC exposure with WinObj; lessons for secure IPC design

Learning Outcomes

  • Explain Windows ALPC port communication: how a low-privilege client connects to a named ALPC server and sends structured messages
  • Perform binary diffing of WerSvc.dll and precisely identify the vulnerable SvcElevatedLaunch code path
  • Reconstruct an undocumented Windows structure (_WERSVC_MSG) using Ghidra and Microsoft’s public PDB symbols
  • Execute a full exploitation of CVE-2026-20817 - from PoC compile to a verified SYSTEM shell in a guided live lab
  • Articulate the token privilege constraints granted by this CVE (SeDebug + SeImpersonate, no SeTcb) and their post-exploitation implications
  • Write Sysmon detection rules, an MDE KQL hunt query, and Splunk SPL covering WerFault.exe abuse in the exploit chain
  • Explain why Microsoft chose complete feature removal over a logic fix, and evaluate the detection gap that creates

Technical Requirements

  • CVE Target: CVE-2026-20817 - WerSvc.dll 10.0.26100.7309 (pre-Jan 2026 Patch Tuesday)
  • Prerequisites: Comfort with Windows CLI; C/C++ basics helpful but not required; no prior Windows internals experience assumed
  • Audience: SOC analysts, security engineers, pentesters, malware analysts - anyone working in Windows defence
  • Lab Image: Windows 11 (pre-Jan 2026 snapshot), VS 2022 Build Tools, WinDbg, Sysinternals, Ghidra, BinDiff
  • Hardware: Laptop capable of running a 64-bit Windows 11 VM (8 GB RAM minimum recommended)
  • Duration: 2 days × ~8 hours = 16 hours

Speaker Profile

Rajshekar Vijay

Co-Founder & CTO at BlackPerl DFIR