RVAsec Deep Dive - Attacking File System Mini Filters

This session takes us deep into the internals of Windows file system mini-filters, focusing on cldflt.sys—the driver behind Windows cloud synchronization. You’ll get a practical look at how cloud sync operations like hydration and placeholder management expose potential attack surfaces in the kernel.

Through a mix of theory and real-world case studies, we’ll examine how vulnerabilities are discovered in mini-filters, review notable CVEs from 2020–2025, and walk through techniques used in fuzzing, reverse engineering, and debugging. Attendees will gain an understanding of how researchers uncover bugs in Windows kernel components and how to approach driver-level analysis safely in a lab setting.

If you’ve ever wanted to understand how kernel-mode file operations can lead to privilege escalation, or how researchers weaponize fuzzing frameworks against Windows internals; this one’s for you.

Location:
Ours - Coworking space
2309 W Main St, Richmond, VA 23220
https://ours.today/

Agenda:
• 5pm–6pm – Arrival and social
• 6pm–6:45pm – Intro to Driver Bug Hunting
• 6:45pm–7pm – Break
• 7pm–8pm – Attacking File System Mini-Filters
• 8pm – Questions and social

Capacity:
We expect roughly 30 seats. If you sign up, please show up; if something comes up, no problem, but cancel or update ASAP so someone else can take the spot.