August 3-8, 2019
Mandalay Bay / Las Vegas

Windows Kernel Rootkit Techniques

T.Roy, CodeMachine | August 3-6


In this fast-paced four-day course, attendees will get a unique perspective on the offensive and defensive aspects of Windows kernel security and its applicability to contemporary rootkits. Attendees will learn by "listening, seeing and doing": they will first be presented with the theory to lay down a solid foundation for the topic, followed by instructor-led demos and code walkthroughs that illustrate the concept, and finally hands-on programming, debugging and forensic labs that reinforce the techniques.

In the hands-on labs, attendees will implement working kernel modules employing specific rootkit techniques, based on source code templates provided to them. Attendees will also analyze memory captures, using WinDBG and other forensic tools, to identify specific rootkit techniques.

The course topics are as follows:

Kernel Architecture
  • Kernel Execution Contexts
  • Key Kernel Data Structures
  • Kernel Address Space Layout
  • Memory Protection Mechanisms
  • Objects and Pool Layout
  • X64 Calling Convention and Stack Layout

Kernel Security Mitigations and Bypasses
  • Kernel mode code signing (KMCS)
  • Kernel patch protection (PatchGuard)
  • Supervisor Mode Execution Prevention (SMEP)
  • No-Execute (NX) Pools
  • Pool Safe Unlinking and Integrity Checks
  • Control Flow Guard (CFG)
  • Secure, Measured and Trusted Boot

Kernel Mode Shellcode Techniques
  • Kernel Exploitation Phases
  • Kernel Execution Vectors
  • Shellcode Injection
  • 64-bit Shellcode Considerations
  • Leveraging Special Purpose CPU Registers
  • Multi-Processor Safe Patching

Hooking Techniques
  • Types of Hooking
  • Code Flow Subversion
  • Function Hooking
  • Common Pitfalls
  • Hook Detection

Filtering Mechanisms
  • IRP Filters
  • Image Load Notifications
  • Process and Thread Callbacks
  • Object Callbacks
  • Registry Callbacks
  • File System Mini-Filters
  • Early Load Anti-Malware Drivers (ELAM)
  • Forensic Footprint of Filters

Covert Communications
  • Net Buffer Lists (NBL) and Net Buffers (NB)
  • Windows Filtering Platform (WFP)
  • NDIS Intermediate Drivers
  • NDIS Lightweight Filters (LWF)
  • NDIS Internal Data Structures & Hooking
  • Host Firewall Bypass

Stealth Behavior
  • Kernel Structure Manipulation
  • Rootkit Self-Defense
  • Persistence Methods
  • Anti-Debugging & Anti-VM
  • Detection Bypass
  • Forensic Analysis

Virtualization Based Security
  • Root/Child Partitions
  • Second Level Address Translation (SLAT)
  • Virtual Secure Mode (VSM)
  • Virtual Trust Levels (VTL)
  • Secure Kernel (SK)
  • Isolated User Mode (IUM)
  • Hypervisor enforced code integrity (HVCI)

Key Takeaways

  • How kernel rootkits abuse the facilities provided by the Windows OS to achieve their goals.
  • How mitigations in the latest version of Windows are raising the bar against rootkits.
  • State of the art in offense and defense in Windows kernel mode software.

Who Should Take this Course

Anti-malware engineers, malware analysts, forensics examiners, security researchers, red teamers who are responsible for detecting, analyzing and defending against rootkits and other kernel post exploitation techniques.

Student Requirements

This is an advanced level course which requires attendees to be fluent in C/C++ programming, have a good knowledge of the Windows kernel internals/APIs and be able to use the kernel debugger (WinDBG) to debug Windows kernel modules.

What Students Should Bring

Laptop Requirements:
  • Virtualization capable CPU(s)
  • Minimum 8GB of RAM (for running one guest VM)
  • Minimum 40 GB free disk space
  • Working USB Port
  • Working Wireless LAN

Software Requirements:
  • Host OS Windows 10 64-bit
  • Enterprise Windows WDK 1809 (EWDK)
  • Debugging Tools for Windows (WinDBG)
  • SysInternals Tools
  • Virtualization Software (Hyper-V, VMWare, VirtualBox)
  • Guest OS Windows 10 64-bit Version 1809 (RS5)
  • System Administrator access required on both host and guest OSs
  • All other software and tools will be provided by the instructor.

What Students Will Be Provided With

  • Printed copy of course material.
  • Kernel debugging command cheat sheet.
  • Source code used in all the hands-on labs.


T. Roy, an author, instructor and consultant, is the founder of CodeMachine, a security research, development and training company based in the USA. He has more than 20 years of experience and has taken more than a dozen projects from their infancy all the way through to commercial success. He was involved with the development of some of the industry's leading endpoint security solutions like intrusion prevention systems, network firewalls, behavioral anti-malware, document security and data leak prevention systems. Over the last decade, he has taught courses all over the world and has received many instructor recognition awards. His courses have sold out every time they have been offered at Blackhat.