Windows Kernel Rootkit Techniques

T.Roy, CodeMachine | July 22-25



Overview

In this fast paced four day course, attendees will get a unique perspective on the offensive and defensive aspects of Windows kernel security and its applicability to contemporary rootkits. Attendees will learn by "listening, seeing and doing" wherein they will be presented with the theory to lay down a solid foundation of the topic, followed by instructor-led demos and code walkthroughs to illustrate the concept and finally, hands-on programming, debugging and forensic labs which reinforce the techniques. The course content is structured as follows:

Kernel Architecture
  • Kernel Execution Contexts
  • Key Kernel Data Structures
  • Kernel Address Space Layout
  • Memory Protection Mechanisms
  • Objects and Pool Layout
  • X64 Calling Convention and Stack Layout


Kernel Security Mitigations and Bypasses
  • Kernel mode code signing (KMCS)
  • Kernel patch protection (PatchGuard)
  • Supervisor Mode Execution Prevention (SMEP)
  • No-Execute (NX) Pools
  • Pool Safe Unlinking and Integrity Checks
  • Control Flow Guard (CFG)
  • Secure, Measured and Trusted Boot


Kernel Mode Shellcode Techniques
  • Kernel Exploitation Phases
  • Kernel Execution Vectors
  • Shellcode Injection
  • 64-bit Shellcode Considerations
  • Leveraging Special Purpose CPU Registers
  • Multi-Processor Safe Patching


Hooking Techniques
  • Types of Hooking
  • Code Flow Subversion
  • Function Hooking
  • Common Pitfalls
  • Hook Detection


Filtering Mechanisms
  • IRP Filters
  • Image Load Notifications
  • Process and Thread Callbacks
  • Object Callbacks
  • Registry Callbacks
  • File System Mini-Filters
  • Early Load Anti-Malware Drivers (ELAM)
  • Forensic Footprint of Filters

Covert Communications
  • Net Buffer Lists (NBL) and Net Buffers (NB)
  • Windows Filtering Platform (WFP)
  • NDIS Intermediate Drivers
  • NDIS Lightweight Filters (LWF)
  • NDIS Internal Data Structures & Hooking
  • Host Firewall Bypass


Stealth Behavior
  • Kernel Structure Manipulation
  • Rootkit Self-Defense
  • Persistence Methods
  • Anti-Debugging & Anti-VM
  • Detection Bypass
  • Forensic Analysis


Detection Tools & Case Studies
  • Memory Acquisition
  • Volatility Framework
  • Live Rootkit Detection Tools
  • Endpoint Security Products
  • Rootkit Analysis


Who Should Take this Course

Anti-malware engineers, malware analysts, forensics examiners, security researchers who are responsible for detecting, analyzing and defending against rootkits and other kernel post exploitation techniques.

Student Requirements

This is an advanced level course which requires attendees to be fluent in C/C++ programming, have a good knowledge of the Windows kernel internals/APIs and be able to use the kernel debugger (WinDBG) to debug Windows kernel modules.

What Students Should Bring

Laptop Requirements:
  • Virtualization capable CPU(s)
  • Minimum 8GB of RAM (for running one guest VM)
  • Minimum 40 GB free disk space
  • Working USB Port
  • Working Wireless LAN

Software Requirements:
  • Host OS Windows 10 64-bit
  • Visual Studio 2015 Update 1 + Windows Driver Kit for Windows 10 Version 1607 (RS1) OR Windows Enterprise WDK for Windows 10 Version 1607 (RS1)
  • Debugging Tools for Windows (included in WDK)
  • SysInternals Tools
  • Volatility Framework
  • Virtualization Software (Hyper-V, VMWare, VirtualBox)
  • Guest OS Windows 10 64-bit Version 1607 (RS1)
  • System Administrator access required on both host and guest OSs
  • WinDBG must be setup and configured on the host to debug the guest OS
  • All other software will be provided by the instructor.

What Students Will Be Provided With

Printed copy of course and lab material, source code and binaries used in all the hands-on labs and some goodies.

Trainers

T. Roy, an author, instructor and consultant, is the founder and president of CodeMachine. He has more than 20 years of experience and has taken more than a dozen projects from their infancy all the way through to commercial success. He works in the defense industry and is well versed with the offensive side of cyber-security. He was involved with the development of some of the industry's leading endpoint security solutions like intrusion prevention systems, network firewalls, behavioral anti-malware, document security and data leak prevention systems. Over the last decade, he has taught courses all over the world and has received many instructor recognition awards.