Windows Kernel Rootkit Techniques

In this fast paced four day course, attendees will get a unique perspective on the offensive and defensive aspects of Windows kernel security and its applicability to contemporary rootkits. Attendees will learn by "listening, seeing and doing" wherein they will be presented with the theory to lay down a solid foundation of the topic, followed by instructor led demos and code walkthroughs to illustrate the concept and finally, hands-on programming and debugging labs which reinforce the techniques. The course content is structured as follows:

Day 1

*Kernel Architecture*
X86 & X64 KVAS
Object and Pool Layout
Privilege Escalation
Memory Protection
Application Sandboxes

*Kernel Security Mitigations*
Kernel mode code signing (KMCS)
Kernel patch protection (PatchGuard)
Secure/Measured/Trusted Boot
Supervisor Mode Execution Prevention (SMEP)
No-Execute (NX) Pools
Pool Integrity Checks

Day 2

*Kernel Security Bypasses*
Stack Pivots
ROP Gadgets
KASLR & Address Leaks
SMEP Bypass
Kernel Execution Vectors

*Hooking Techniques*
Types of Hooking
Code Flow Subversion
Function Hooking
Common Pitfalls
Hook Detection

Day 3

*Filtering Mechanisms*
Registry Callbacks
File System Mini-Filters
Image Load Notifications
Process & Thread Callbacks
Object Callbacks
Early Load Anti-Malware Drivers (ELAM)

*Covert Communications*
Net Buffer Lists (NBL) & Net Buffers (NB)
Windows Filtering Platform (WFP)
NDIS Intermediate Drivers
NDIS Lightweight Filters (LWF)
NDIS Internal Data Structures & Hooking
Host Firewall Bypass

Day 4

*Stealth Behavior*
Kernel Structure Manipulation
Rootkit Self-Defense
Persistence Methods
Anti-Debugging & Anti-VM
Detection Bypass

*Detection Tools & Case Studies*
Volatility Framework
GMER/Kernel Detective
Endpoint Security Products
TDSS/TDL4
ZeroAccess

Anti-Malware engineers, malware analysts, forensics examiners, security researchers who are responsible for detecting, analyzing and defending against rootkits and other kernel post exploitation techniques.

This is an advanced level course which requires attendees to be fluent in C/C++ programming, have a good knowledge of the windows kernel internals/APIs and be able to use the kernel debugger (WinDBG) to debug drivers.

Laptop Requirements:

• Virtualization capable CPU(s)
  
• Minimum 8GB of RAM (for running one guest VM)
  
• Minimum 20 GB free disk space
  
• Working USB Port
  
• Working Wireless LAN
  

Software Requirements:

• Host OS Windows 8.1 Update (X64 version)
  
• Windows Driver Kit (Windows 7 SP1)
  
• Debugging Tools for Windows
  
• Favorite text editor
  
• Virtualization Software (VMWare, Hyper-V, VirtualBox)
• System Administrator access required on both host and guest OSs
  
• WinDBG must be setup and configured on the host to debug the guest OS
• All other software will be provided by the instructor.
  

Printed copy of course and lab material, source code and binaries used in all the hands-on labs and some goodies.