Black Hat Digital Self Defense USA 2006
Training

Black Hat USA 2007 Briefings and Training
Caesars Palace, Las Vegas July 30-31 (Weekday Only)

Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.

Black Hat Registration

ROOTKIT: Advanced 2nd Generation Digital Weaponry

Greg Hoglund & Jamie Butler

What to bring:
Each student should bring a laptop as this is a hands-on class. If not working in a virtual machine, there is the potential that the student’s machine could become unbootable, so students should be aware of this and back up whatever they need on the machine before coming to class. Laptops should be 32-bit (no 64-bit machines!) and installed with the following:

  • Windows XP SP 2 (Windows 2000 SP 4 is acceptable)
  • Windows Driver Development Kit (DDK)
  • WinDbg installed with working symbols for the student’s particular OS (both of which can be downloaded for free from Microsoft)
  • Microsoft PowerPoint reader to follow along with the slides
  • Adobe PDF Reader for select papers
  • Visual Studio .NET 2003 or later (optional)
  • VMware Workstation or VMware Player (highly recommended)
  • Installed and working network card
  • Compuware SoftICE (optional)

Overview:
Rootkits are the primary tool used by malware to hide on a computer system. Rootkits can also be used to tamper-proof your own software against attackers. Take the next step in rootkit technology. This new 2nd generation class teaches advanced techniques such as memory subversion, kernel mode process infection even of “hardened” processes, simple “shellcode” techniques, creating processes from Ring 0, subverting the Windows Object Manager, and kernel mode covert network channels.

Covered in detail will be:

  • Memory cloaking via page table manipulation and the 'Shadow Walker' technique of Translation Lookaside Buffer (TLB) desynchronization
  • How and where desktop firewalls hook to monitor communication
  • A kernel mode hook to monitor all packets
  • Kernel mode networking hooks for a TCP/IP 2-way command and control channel
  • DLL injection into “hardened” processes
  • Spawning a user land process from a driver with the token/credentials of any existing process
  • Subverting logging
  • Call gates, interrupts, and shadow branching

For those students less familiar with the tricks rootkits employ, we will cover the following topics with a few hands-on coding exercises:

  • Call-hooking
  • How to hide files and directories
  • Attaching to the network
  • Hardware level access
  • Modifying kernel objects directly

Who should take the course?
This class is not intended for people who wish to learn about device drivers or Windows programming; we will not be covering any device driver technology or the kernel mode APIs under Windows. The techniques offered in this course are directed at the Windows platform, but are generic enough to be applied in the UNIX environment as well. This class is designed for people wishing to gain an intimate and advanced knowledge of how rootkits operate. This includes practitioners who wish to build their own rootkit technology and security experts who simply want to further their understanding of the rootkit threat. This is an advanced course and the student must be able to code in the C language. If you already code rootkits for UNIX, this class will give you the basics for converting your skills to the Windows platform.

Students are encouraged to:

  • Review the basic_* examples in Hoglund’s vault on rootkit.com
  • Get the examples working on their laptop
  • Watch the messages in DebugView (http://www.sysinternals.com/Utilities/DebugView.html)
  • Use the FU rootkit from rootkit.com to hide a process
  • Read chapters 4, 5, 7, and 9 from "Rootkits: Subverting the Windows Kernel" for a good foundation on rootkit techniques
  • Read "Shadow Walker: Raising The Bar For Windows Rootkit Detection" from phrack.org. The class will cover the more technical details of the paper, so a high-level understanding of the basic concepts presented in the paper is sufficient

Prerequisites:
Students need knowledge and experience with C programming. This class builds upon the original class Offensive Aspects of Rootkit Technology; although a brief overview will be given, experience with rootkit development/disassembly is extremely helpful. A basic understanding of Intel x86 Assembly is useful.

Trainer:

Greg Hoglund is the CEO and founder of HBGary, Inc. The company offers the Inspector reverse engineering tool suite and services for kernel development and vulnerability research.

Jamie Butler is a Principal Software Engineer at MANDIANT. He has nearly a decade of experience researching offensive security technologies and developing detection algorithms. He began his career as an analyst with the National Security Agency and subsequently worked in the commercial sector as the lead kernel developer on a Windows host intrusion detection system. He was most recently the CTO of Komoku, Inc. and Director of Engineering at HBGary, Inc. focusing on rootkits and other subversive technologies.

Jamie received an M.S. in Computer Science from the University of Maryland and holds a Top Secret security clearance. He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and co-author of the bestseller "Rootkits: Subverting the Windows Kernel" (Addison-Wesley, 2005). In addition, Jamie has authored numerous papers, is a frequent speaker at computer security conferences such as the Black Hat Security Briefings, and has appeared on Tech TV and CNN.

Cost:

  • Early Bird (ends December 31, 2006): $1800 USD
  • Regular (ends February 18, 2007): $2000 USD
  • Onsite (begins February 19, 2007): $2200 USD

(c) 1996-2007 Black Hat