Microsoft has made great progress in securing the windows kernel with things like Kernel Patch Protection and soon to come Control Enforcement Technology (with help from hardware). However, you’ll still find vulnerabilities in SMB and RDP that allow forkernel mode execution. Most researchers like to stop there and then grab your normal double APC scheduling mechanism with a reverse shell payload. In this talk we go beyond that and survey current payloads, and develop new foundations and methods for backdoorsthat allow for arbitrary code execution in user mode with system privileges. We plan to cover simple payloads such as double APC and move towards more advanced in-memory backdoors. Finally, build off of a existing project that allows a metasploit-like framework in the kernel.