|What to bring:
Students should have experience with 'c' programming and should have the Windows 2000/XP Device Driver Development Kit (DDK) installed.
Student needs a laptop with Windows 2000/XP installed
Student needs the Windows 2000/XP DDK (device driver development kit)
Student should have working SoftIce installed (optional)
Students need a desire to get their hands dirty and should not be afraid of blue-screening their computer.
Software bugs are not going away. More people than ever before now have access to the tools and the techniques for finding exploitable bugs. Many software bugs can be exploited to install virii, worms, and backdoor programs. The kernel rootkit remains the single most powerful subversive program that can be installed on a vulnerable system. Rootkits can remain undetected for years and can offer limitless offensive capabilities such as logic bombs, self-replicating virii, and keystroke monitors. This class offers a hands-on experience coding a Windows-XP/2000 kernel rootkit from scratch. Nothing is better than hands-on experience. Students will build a basic kernel rootkit that can hide processes, files, and directories. Students will then learn advanced techniques such as modifying kernel objects and memory descriptors, low level hardware access, and how to use the NDIS library for packet I/O.
What you will learn:
The following topics will be treated as hands-on coding:
- Structure of a basic kernel-mode device driver
- How to load/unload a rootkit from kernel mode
- Interrupt hooking
- How to hide files and directories
- How to hide processes
- Attaching to the network
- Hardware level access to the keyboard controller
- Modifying memory descriptors
- Modifying kernel objects directly
The student will install a debug monitor and be able to send debug data out of the kernel driver. The student will be able to load and unload the rootkit without having to install a device driver in the registry. For students who cannot obtain the DDK, the teacher will provide a server and will compile the student code for the student. This will be displayed on a projector so that students can observe the compilation process. For students who do not have SoftIce, the teacher will project an interactive SoftIce session so the students can observe single stepping and other features of the kernel debugger. If students have trouble with their rootkit, the teacher will install the rootkit on the demonstration server and help debug the code. The student should leave this class with a working rootkit of their own effort.
Who should take the course?
This class is not intended for people who wish to learn about device drivers or windows programming - we will not be covering any device driver technology or the kernel mode API's under windows. The techniques offered in this course are directed at a windows platform, but are generic enough to be applied in the unix environment as well. This class is designed for people wishing to gain an intimate and advanced knowledge of how rootkits operate. This includes practitioners who wish to build their own rootkit technology and security experts who simply want to further their understanding of the rootkit threat. This is an advanced course and the student must be able to code in the 'c' language. If you already code rootkits for unix, this class will give you the basics for converting your skills to a windows platform. If you have never coded a rootkit this will be a great oppurtunity to get started and you will leave the class with real skills you can put to use in the field.
Pre-requisites & What you need to bring:
- Students should have experience with 'c' programming and should have the Windows 2000/XP Device Driver Development Kit (DDK) installed.
- Student needs a laptop with Windows 2000/XP installed
- Student needs the Windows 2000/XP DDK (device driver development kit)
- Student should have working SoftIce installed (optional)
- Students need a desire to get their hands dirty and should not be afraid of blue-screening their computer.
Course Length: 2 days
Cost: US $1600 on or before July 3, 2003, or US $1800 after July 3, 2003
NOTE: this is a two day course. A Black Hat Certificate of Completion will be offered.
Greg Hoglund is a recognized speaker and business person working out of California. His work has focused on reverse engineering and exploiting software. Hoglund has developed several automated tools and commerical products. Hoglund most recently developed the fault-injection product called 'Hailstorm' and has now moved on to form a new company called HBGary, LLC. HBGary provides services to analyze and exploit software. In his spare time, Hoglund hosts the popular internet site www.rootkit.com and takes his dog, Oreo, for walks on the beach.
Jamie Butler has been doing security research and development for the past seven years. He holds a MS in Computer Science from the University of Maryland, Baltimore County. Over the past few years his focus has been on Windows servers concentrating in host based intrusion detection and prevention; buffer overflows; and reverse engineering. Jamie is also a contributor on rootkit.com.