Source: Reddit r/netsec (Vulnerabilities, severity: MEDIUM)

I used MCP Ghidra and Claude Code to find 9 kernel driver vulnerabilities on my gaming laptop

  • What: Discovery of kernel driver vulnerabilities using Ghidra and Claude Code
  • Impact: Potential security risks in Windows kernel drivers

Reverse Engineering Kernel Drivers with MCP Ghidra and Claude Code

Feb 28, 2026 • 10 min read

This issue: I pointed Claude Code and Ghidra at the kernel drivers on my gaming laptop, and the prompt I used to get started.

Windows ships with hundreds of third-party kernel drivers. Most were written years ago, signed with valid certificates, and forgotten. They run at the highest privilege level on your machine. Many of them are terrible.

This all started with me looking into BYOVD attacks and wanting to come up with some of my own. I thought the drivers in c:\windows\system32\drivers on my gaming laptop would be a good place to start looking. I discovered GhidraMCP, and by combining it with Claude Code I was able to find 8 findings in one Sunday and 1 while writing this. To be clear, Claude did most of this and I just supervised.

I'm not a career reverse engineer. I've taken one class and done some crackmes on a website years ago. But I've found 9 issues and submitted them to 3 different vendors. 3 have been rejected as "by design" so far, 2 have been accepted, and I'm still waiting to hear back about the other 4.

This is static analysis with Claude Code and GhidraMCP. Adding an MCP server for WinDbg is a next step for dynamic analysis, but for now we are just going to use C to test things.

I developed a process and a janky tool, cthaeh, to help narrow down which drivers to target on my laptop. It runs Ghidra in headless mode, analyzes each driver's functionality, and scores it. It's not great yet. It checks PE imports for dangerous primitives, maps IOCTL handlers, flags missing security descriptors, and scores based on driver class and vendor CNA status.

Let's dive into the process and walk through how to do this with an actual driver.
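As an added illustration of the import-based scoring described above (this is not cthaeh's own code; the primitive groups, weights, flag rules and the sample inventory are constructed assumptions for the example), a small Python triage script that ranks drivers by the kernel primitives they import and flags the ones that expose a named device object whose DACL must be reviewed:

```python
"""Import-based triage of kernel drivers for BYOVD exposure (defender inventory)."""
from __future__ import annotations

# Exported kernel/HAL routines grouped by the primitive a driver could expose to
# user mode through an IOCTL. Groups and weights are assumptions for this example.
PRIMITIVES = {
    "physical_memory": (5, {"MmMapIoSpace", "MmMapIoSpaceEx", "ZwMapViewOfSection",
                            "MmGetPhysicalAddress", "MmCopyMemory"}),
    "port_io":         (4, {"READ_PORT_UCHAR", "READ_PORT_ULONG",
                            "WRITE_PORT_UCHAR", "WRITE_PORT_ULONG"}),
    "process_access":  (4, {"ZwOpenProcess", "PsLookupProcessByProcessId",
                            "MmCopyVirtualMemory", "ObOpenObjectByPointer"}),
    "file_registry":   (2, {"ZwCreateFile", "ZwWriteFile", "ZwDeleteFile",
                            "ZwSetValueKey", "ZwDeleteKey"}),
}
DEVICE_API = {"IoCreateDevice", "IoCreateSymbolicLink"}  # named, user-reachable device

def score_driver(imports):
    """Score one driver from its import names. Returns (score, hits, flags)."""
    names = set(imports)
    hits = {cat: sorted(names & fns) for cat, (_, fns) in PRIMITIVES.items() if names & fns}
    score = sum(PRIMITIVES[cat][0] for cat in hits)
    flags = []
    # Imports alone cannot prove the device DACL is open; they only say it must be checked.
    if DEVICE_API <= names:
        flags.append("user_reachable_device: review DACL and IOCTL handlers")
        score += 2 if hits else 1
    elif hits:
        flags.append("primitive without named device: likely PnP/filter, lower priority")
        score -= 1
    return score, hits, flags

def triage(drivers):
    """Rank {driver: imports} by descending score; drivers scoring 0 are dropped."""
    ranked = [(n, *score_driver(i)) for n, i in drivers.items()]
    return sorted((r for r in ranked if r[1] > 0), key=lambda r: (-r[1], r[0]))

def imports_of(path):
    """Read import names from a real .sys with pefile (pip install pefile)."""
    import pefile  # imported lazily so the scoring above runs without it
    pe = pefile.PE(path, fast_load=True)
    pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_IMPORT"]])
    return [imp.name.decode() for e in getattr(pe, "DIRECTORY_ENTRY_IMPORT", [])
            for imp in e.imports if imp.name]

# Constructed sample inventory; these are not any real driver's import tables.
SAMPLE = {
    "vendor_tool.sys": ["IoCreateDevice", "IoCreateSymbolicLink", "MmMapIoSpace",
                        "MmUnmapIoSpace", "WRITE_PORT_UCHAR", "ZwOpenProcess"],
    "netfilter.sys":   ["NdisRegisterProtocolDriver", "ZwCreateFile", "ExAllocatePool2"],
    "boring.sys":      ["IoCreateDevice", "IoCreateSymbolicLink", "ExAllocatePoolWithTag"],
}
if __name__ == "__main__":
    for name, s, hits, flags in triage(SAMPLE):
        print(f"{s:3d} {name:16} {sorted(hits)} {flags}")
```

To run it over a real machine, feed `imports_of(path)` for each file under c:\windows\system32\drivers into `triage`, then cross-check the top entries against loldrivers.io and the vendor's advisories.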
You'll need the following setup to play along:

  • WSL2 running Claude Code, set up with MCP Ghidra
  • Windows as the host, so we can run the POCs
  • MinGW set up for POC development
  • A remote VM (I didn't use one, but POCs will crash the OS)
  • Claude Opus 4.6 Thinking

The first thing I do is run cthaeh to figure out which driver I want to target. You can also just look at c:\windows\system32\drivers and pick one. Make sure it's loaded, not in loldrivers.io, and that you have the latest version. cthaeh scoring still needs adjustment.

We are going to start with amd_dpfc.sys v1.4.0.0, AMD's Dynamic and Frequency Control Service driver. My laptop runs an AMD CPU with an Nvidia GPU, and Nvidia's driver package bundles this AMD driver alongside the GPU drivers, so I already have the latest version.

I fire up Claude Code and prompt it a bit with my old markdown from previous runs. I always send it this BYOVD repo and sometimes other kernel exploit dev blogs to try to prime it before starting. I've included a prompt at the end of the article. This may not be needed with today's models, though; they are a lot better than they used to be and may not require as much guidance. Another thing I like to do is tell Claude to create a markdown report as it goes, so that if we crash I can copy-paste from that report and resume where I left off.
