To achieve maximum stealth and obtain unabated access to the system, rootkits execute in kernel mode. This fast paced course provides a comprehensive coverage of the modus-operandi of kernel mode rootkits by taking an in-depth look at behind the scenes working of the Windows kernel and how these mechanisms are exploited by rootkits. Kernel security enhancements that have been progressively added from Windows 7 to the latest version of Windows are discussed along with some circumvention techniques. Attendees will learn by “understanding, seeing and doing” wherein they will be presented with the theory to lay down a solid foundation of the topic, followed by instructor led demos and code walkthroughs to illustrate the concept and finally, hands-on programming and debugging labs which reinforce the techniques. Attendees will get a unique perspective on the offensive and defensive aspects of Windows kernel security and its applicability to contemporary rootkits.
This course is targeted at kernel mode software developers, anti-malware developers, malware analysts, security researchers and forensic investigators who are responsible for detecting, analyzing and defending against rootkits and other forms of kernel post exploitation.
This is an advanced level course which requires attendees to be fluent in C/C++ programming, have a good knowledge of the windows kernel internals/APIs and be able to use the kernel debugger (WinDBG) to debug drivers.
Attendees must bring their own laptop powerful enough to run at least one virtual machine, having a minimum 8GB of RAM, 30 GB free disk space, working USB Port and Wireless LAN. Laptop must be running 64-bit version of Windows 7 SP1 or higher. Virtualization software must be installed i.e. (VMWare, Hyper-V or Virtual Box). Guest OS must be 64-bit version of Windows 8.1 Update. Attendees must be administrative access to both host and guest OSs. In order to be able to develop and build kernel drivers Visual Studio 2013 (Express Edition or higher) and the Windows 8.1 Driver Kit must be installed on the host system. Windows SysInternals tools must be installed on the host and guest OSs. All other tools and software will be provided by the instructor.
Kernel Security Mitigations
Kernel mode code signing (KMCS)
Kernel patch protection (PatchGuard)
Supervisor Mode Execution Prevention (SMEP)
No-Execute (NX) Pools
Pool Integrity Checks
Kernel Address Space Layout Randomization (KASLR)
Kernel Security Bypasses
Write-What-Where Vulnerabilities
Address Leaks
SMEP Bypass
Execution Vectors
Driver Exploitation
Pool Exploitation
Covert Communications
Windows Sockets Kernel (WSK)
Windows Filtering Platform (WFP)
NDIS Filter Drivers
NDIS Internal Data Structures & Hooking
Host Firewall Bypass
Rootkit Techniques
Kernel Mode Shellcode
Kernel Structure Manipulation
Rootkit Self-Defense
Persistence Methods
Anti-Debugging & Anti-VM
Detection Bypass