research: Reference links from AwesomeMalDevLinks for driver vuln hunting

[jeffaf]

Curated reference links from dobin/AwesomeMalDevLinks

Relevant research for improving Cthaeh's detection capabilities. Links organized by what they teach us.

Driver Reversing Methodology

• https://voidsec.com/windows-drivers-reverse-engineering-methodology/
• https://eversinc33.com/posts/driver-reversing.html
• https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html

Exploit Techniques (patterns to detect)

• https://exploitreversing.com/wp-content/uploads/2026/02/exploit_reversing_06.pdf (Feb 2026, fresh)
• https://www.exploitpack.com/blogs/news/windows-kernel-exploits-using-zwmapviewofsection-and-zwunmapviewofsection
• https://csacyber.com/blog/exploiting-microsoft-kernel-applocker-driver-cve-2024-38041
• https://seg-fault.gitbook.io/researchs/windows-security-research/exploit-development/mskssrv.sys-cve-2023-29360
• https://m2rc.net/posts/hevd-useafterfree/
• https://knifecoat.com/Posts/Arbitrary+Kernel+RW+using+IORING's
• https://www.crowdfense.com/windows-wi-fi-driver-rce-vulnerability-cve-2024-30078/

Automated Analysis Tools

• https://security.humanativaspa.it/automating-binary-vulnerability-discovery-with-ghidra-and-semgrep/
• https://blog.talosintelligence.com/ghidra-data-type-archive-for-windows-drivers/

BYOVD & DSE Bypass

• https://blog.cryptoplague.net/main/research/windows-research/offset-free-dse-bypass-across-windows-11-and-10-utilising-ntkrnlmp.pdb
• https://blacksnufkin.github.io/posts/BYOVD-CVE-2025-52915/
• https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/
• https://sabotagesec.com/tale-of-code-integrity-driver-loads/

Real-World Exploits (for test cases)

• https://github.com/sensepost/bloatware-pwn/tree/main/razerpwn
• https://mrbruh.com/asusdriverhub/
• https://security.humanativaspa.it/exploiting-amd-atdcm64a-sys-arbitrary-pointer-dereference-part-2/

PatchGuard & Kernel Internals

• https://r0keb.github.io/posts/PatchGuard-Internals/
• https://eversinc33.com/posts/anti-anti-rootkit-part-ii.html
• https://www.nsideattacklogic.de/en/kernel-access-please-byovd-and-vulnerable-drivers/

Key Takeaway for Cthaeh

The Humanativa article on Ghidra + Semgrep is particularly interesting - they use Semgrep rules on decompiled output. Could be a Stage 2 enhancement: export Ghidra decompilation, run Semgrep vuln patterns against it.

Not an implementation issue

This is a reference collection. Link to specific issues (#7-#12) for implementations.