On This Page

Windows Kernel Rootkit Techniques

T. Roy, CodeMachine Inc. | August 1-4


In this fast paced four day course, attendees will get a unique perspective on the offensive and defensive aspects of Windows kernel security and its applicability to contemporary rootkits. Attendees will learn by "listening, seeing and doing" wherein they will be presented with the theory to lay down a solid foundation of the topic, followed by instructor led demos and code walkthroughs to illustrate the concept and finally, hands-on programming and debugging labs which reinforce the techniques. The course content is structured as follows:

Day 1

*Kernel Architecture*
X86 & X64 KVAS
Object and Pool Layout
Privilege Escalation
Memory Protection
Application Sandboxes

*Kernel Security Mitigations*
Kernel mode code signing (KMCS)
Kernel patch protection (PatchGuard)
Secure/Measured/Trusted Boot
Supervisor Mode Execution Prevention (SMEP)
No-Execute (NX) Pools
Pool Integrity Checks

Day 2

*Kernel Security Bypasses*
Stack Pivots
ROP Gadgets
KASLR & Address Leaks
SMEP Bypass
Kernel Execution Vectors

*Hooking Techniques*
Types of Hooking
Code Flow Subversion
Function Hooking
Common Pitfalls
Hook Detection

Day 3

*Filtering Mechanisms*
Registry Callbacks
File System Mini-Filters
Image Load Notifications
Process & Thread Callbacks
Object Callbacks
Early Load Anti-Malware Drivers (ELAM)

*Covert Communications*
Net Buffer Lists (NBL) & Net Buffers (NB)
Windows Filtering Platform (WFP)
NDIS Intermediate Drivers
NDIS Lightweight Filters (LWF)
NDIS Internal Data Structures & Hooking
Host Firewall Bypass

Day 4

*Stealth Behavior*
Kernel Structure Manipulation
Rootkit Self-Defense
Persistence Methods
Anti-Debugging & Anti-VM
Detection Bypass

*Detection Tools & Case Studies*
Volatility Framework
GMER/Kernel Detective
Endpoint Security Products

Who Should Take this Course

Anti-Malware engineers, malware analysts, forensics examiners, security researchers who are responsible for detecting, analyzing and defending against rootkits and other kernel post exploitation techniques.

Student Requirements

This is an advanced level course which requires attendees to be fluent in C/C++ programming, have a good knowledge of the windows kernel internals/APIs and be able to use the kernel debugger (WinDBG) to debug drivers.

What Students Should Bring

Laptop Requirements:
  • Virtualization capable CPU(s)
  • Minimum 8GB of RAM (for running one guest VM)
  • Minimum 20 GB free disk space
  • Working USB Port
  • Working Wireless LAN

Software Requirements:
  • Host OS Windows 8.1 Update (X64 version)
  • Windows Driver Kit (Windows 7 SP1)
  • Debugging Tools for Windows
  • Favorite text editor
  • Virtualization Software (VMWare, Hyper-V, VirtualBox)
  • System Administrator access required on both host and guest OSs
  • WinDBG must be setup and configured on the host to debug the guest OS
  • All other software will be provided by the instructor.

What Students Will Be Provided With

Printed copy of course and lab material, source code and binaries used in all the hands-on labs and some goodies.


T. Roy, an author, instructor and consultant, is the founder and president of CodeMachine. He spends most of his time researching Windows internals and security, developing software and traveling around the world sharing this knowledge. He holds a Master's Degree in Computer Engineering, has more than 20 years of experience and has taken more than a dozen projects from their infancy all the way through to commercial success. He works in the defense and intelligence community and is well versed with the offensive side of cyber-security. Additionally, he was involved with the development of some of the industry's leading endpoint security solutions like intrusion prevention systems, network firewalls, behavioral anti-malware, document security and data leak prevention systems and has intimate knowledge of the limitations that these solutions have. Over the last decade he has taught courses in more than 20 countries. He has taught Microsoft's own engineers and has received many instructor recognition awards. He is also an adjunct professor and teaches computer forensics to graduate students. He has an innate talent for taking complex concepts and explaining them in a lucid manner. Through his teaching, he shares the knowledge he has acquired through years of hands-on experience.