Each student should bring a laptop as this is a hands-on-class. If not working in a virtual machine, there is the potential that the student’s machine could become unbootable so students should be aware of this and backup whatever they need on the machine before coming to class. Laptops should be 32-bit (no 64 bit machines!) and installed with the following:
Windows XP SP 2 (Windows 2000 SP 4 is acceptable)
Windows Driver Development Kit (DDK)
Windbg installed with working symbols for the student’s particular OS (both of which can be downloaded for free from Microsoft)
Microsoft PowerPoint reader to follow along with the slides
Adobe PDF Reader for select papers
Visual Studio .NET 2003 or later (optional)
VMWare Workstation or VMWare Player (highly recommended)
Installed and working network card
Compuware SoftIce (optional)
Black Hat DC Training 2008
Westin Washington DC City Center • Feburary 18-19
ROOTKIT: Advanced 2nd Generation Digital Weaponry
Greg Hoglund & Jamie Butler
A new course designed and taught by world renown security vulnerability researcher David Litchfield.
Rootkits are the primary tool used by malware to hide on a computer system. Rootkits can also be used to tamper-proof your own software against attackers. Take the next step in rootkit technology. This new 2nd generation class teaches advanced techniques such as memory subversion, kernel mode process infection even of “hardened” processes, simple “shellcode” techniques, creating processes from Ring 0, subverting the Windows Object Manager, and kernel mode covert network channels.
Covered in detail will be
Memory cloaking via page table manipulation and the 'Shadow Walker' technique of Translation Lookaside Buffer (TLB) desynchronization
How and where desktop firewalls hook to monitor communication.
A kernel mode hook to monitor all packets
Kernel mode networking hooks for a TCP/IP 2-way command and control channel
DLL injection into “hardened” processes
Spawning a user land process from a driver with the token/credentials of any existing process
Call gates, interrupts, and shadow branching
For those students less familiar with the tricks rootkits employ, we will cover the following topics with a few hands-on, coding exercises:
How to hide files and directories
Attaching to the network
Hardware level access
Modifying kernel objects directly
Who Should Take the Course?
This class is not intended for people who wish to learn about device drivers or Windows programming - we will not be covering any device driver technology or the kernel mode API's under Windows. The techniques offered in this course are directed at a Windows platform, but are generic enough to be applied in the UNIX environment as well. This class is designed for people wishing to gain an intimate and advanced knowledge of how rootkits operate. This includes practitioners who wish to build their own rootkit technology and security experts who simply want to further their understanding of the rootkit threat. This is an advanced course and the student must be able to code in the 'c' language. If you already code rootkits for UNIX, this class will give you the basics for converting your skills to a Windows platform.
Students are encouraged to
Review the basic_* examples in Hoglund’s vault on rootkit.com
Get the examples working on their laptop
Watch the messages in DebugView (http://www.sysinternals.com/Utilities/DebugView.html)
Use the FU rootkit from rootkit.com to hide a process
Read chapters 4, 5, 7, and 9 from "Rootkits: Subverting the Windows Kernel" for a good foundation on rootkit techniques
Read "Shadow Walker: Raising The Bar For Windows Rootkit Detection" from phrack.org. The class will cover the more technical details of the paper, so a high-level understanding of the basic concepts presented in the paper is sufficient
Students need knowledge and experience with C programming. This class builds upon the original class Offensive Aspects of Rootkit Technology; although a brief overview will be given, experience with rootkit development/disassembly is extremely helpful. A basic understanding of Intel x86 Assembly is useful.
Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.
is the CEO and founder of HBGary, Inc., The company offers the Inspector reverse engineering tool suite and services for kernel development and vulnerability research.
is a Principal Software Engineer at MANDIANT. He has nearly a decade of experience researching offensive security technologies and developing detection algorithms. He began his career as an analyst with the National Security Agency and subsequently worked in the commercial sector as the lead kernel developer on a Windows host intrusion detection system. He was most recently the CTO of Komoku, Inc. and Director of Engineering at HBGary, Inc. focusing on rootkits and other subversive technologies.
Jamie received a M.S. of Computer Science from the University of Maryland and holds a Top Secret security clearance. He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and co-author of the bestseller,
"Rootkits: Subverting the Windows Kernel." (Addison-Wesley, 2005). In addition, Jamie has authored numerous papers, is a frequent speaker at computer security conferences such as the Black Hat Security Briefings, and has appeared on Tech TV and CNN.