TECH TRAINING 1 – Windows Kernel Rootkit Techniques

Due to changes in the trainer’s schedule, this course has been cancelled

To achieve maximum stealth and obtain unabated access to the system, rootkits execute in kernel mode. This fast paced course provides a comprehensive coverage of the modus-operandi of kernel mode rootkits by taking an in-depth look at behind the scenes working of the Windows kernel and how these mechanisms are exploited by rootkits. Kernel security enhancements that have been progressively added from Windows 7 to the latest version of Windows are discussed along with some circumvention techniques. Attendees will learn by “understanding, seeing and doing” wherein they will be presented with the theory to lay down a solid foundation of the topic, followed by instructor led demos and code walkthroughs to illustrate the concept and finally, hands-on programming and debugging labs which reinforce the techniques. Attendees will get a unique perspective on the offensive and defensive aspects of Windows kernel security and its applicability to contemporary rootkits.


Who should attend

This course is targeted at kernel mode software developers, anti-malware developers, malware analysts, security researchers and forensic investigators who are responsible for detecting, analyzing and defending against rootkits and other forms of kernel post exploitation.



This is an advanced level course which requires attendees to be fluent in C/C++ programming, have a good knowledge of the windows kernel internals/APIs and be able to use the kernel debugger (WinDBG) to debug drivers.


Hardware / Software Requirements

Attendees must bring their own laptop powerful enough to run at least one virtual machine, having a minimum 8GB of RAM, 30 GB free disk space, working USB Port and Wireless LAN. Laptop must be running 64-bit version of Windows 7 SP1 or higher. Virtualization software must be installed i.e. (VMWare, Hyper-V or Virtual Box). Guest OS must be 64-bit version of Windows 8.1 Update. Attendees must be administrative access to both host and guest OSs. In order to be able to develop and build kernel drivers Visual Studio 2013 (Express Edition or higher) and the Windows 8.1 Driver Kit must be installed on the host system. Windows SysInternals tools must be installed on the host and guest OSs. All other tools and software will be provided by the instructor.


Key Learning Objectives

  • Understanding the system mechanisms exploited Windows kernel rootkits.
  • Understanding the end-to-end modus-operandi of rootkits.
  • Understand the security enhancement that have been added to the latest version of Windows and how some of them can be bypassed.
  • Understanding the techniques used by popular real world rootkits and how to detect and defend against them.


Course Agenda – Day 1

Kernel Security Mitigations
Kernel mode code signing (KMCS)
Kernel patch protection (PatchGuard)
Supervisor Mode Execution Prevention (SMEP)
No-Execute (NX) Pools
Pool Integrity Checks
Kernel Address Space Layout Randomization (KASLR)
Kernel Security Bypasses
Write-What-Where Vulnerabilities
Address Leaks
SMEP Bypass
Execution Vectors
Driver Exploitation
Pool Exploitation


Course Agenda – Day 2

Covert Communications
Windows Sockets Kernel (WSK)
Windows Filtering Platform (WFP)
NDIS Filter Drivers
NDIS Internal Data Structures & Hooking
Host Firewall Bypass
Rootkit Techniques
Kernel Mode Shellcode
Kernel Structure Manipulation
Rootkit Self-Defense
Persistence Methods
Anti-Debugging & Anti-VM
Detection Bypass


Location: Hotel Fort Canning Date: October 12, 2015 Time: 9:00 am - 6:00 pm T. Roy