rss feed link header graphic

Black Hat DC Training 2008

Westin Washington DC City Center • Feburary 18-19

ROOTKIT: Advanced 2nd Generation Digital Weaponry

Greg Hoglund & Jamie Butler

A new course designed and taught by world renown security vulnerability researcher David Litchfield.

Rootkits are the primary tool used by malware to hide on a computer system. Rootkits can also be used to tamper-proof your own software against attackers. Take the next step in rootkit technology. This new 2nd generation class teaches advanced techniques such as memory subversion, kernel mode process infection even of “hardened” processes, simple “shellcode” techniques, creating processes from Ring 0, subverting the Windows Object Manager, and kernel mode covert network channels.

Covered in detail will be

  • Memory cloaking via page table manipulation and the 'Shadow Walker' technique of Translation Lookaside Buffer (TLB) desynchronization
  • How and where desktop firewalls hook to monitor communication.
  • A kernel mode hook to monitor all packets
  • Kernel mode networking hooks for a TCP/IP 2-way command and control channel
  • DLL injection into “hardened” processes
  • Spawning a user land process from a driver with the token/credentials of any existing process
  • Subverting logging
  • Call gates, interrupts, and shadow branching
For those students less familiar with the tricks rootkits employ, we will cover the following topics with a few hands-on, coding exercises:
  • Call-hooking
  • How to hide files and directories
  • Attaching to the network
  • Hardware level access
  • Modifying kernel objects directly

Who Should Take the Course?
This class is not intended for people who wish to learn about device drivers or Windows programming - we will not be covering any device driver technology or the kernel mode API's under Windows. The techniques offered in this course are directed at a Windows platform, but are generic enough to be applied in the UNIX environment as well. This class is designed for people wishing to gain an intimate and advanced knowledge of how rootkits operate. This includes practitioners who wish to build their own rootkit technology and security experts who simply want to further their understanding of the rootkit threat. This is an advanced course and the student must be able to code in the 'c' language. If you already code rootkits for UNIX, this class will give you the basics for converting your skills to a Windows platform.

Students are encouraged to

  • Review the basic_* examples in Hoglund’s vault on
  • Get the examples working on their laptop
  • Watch the messages in DebugView (
  • Use the FU rootkit from to hide a process
  • Read chapters 4, 5, 7, and 9 from "Rootkits: Subverting the Windows Kernel" for a good foundation on rootkit techniques
  • Read "Shadow Walker: Raising The Bar For Windows Rootkit Detection" from The class will cover the more technical details of the paper, so a high-level understanding of the basic concepts presented in the paper is sufficient

Students need knowledge and experience with C programming. This class builds upon the original class Offensive Aspects of Rootkit Technology; although a brief overview will be given, experience with rootkit development/disassembly is extremely helpful. A basic understanding of Intel x86 Assembly is useful.

Course Length:
Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.


Greg Hoglund

is the CEO and founder of HBGary, Inc., The company offers the Inspector reverse engineering tool suite and services for kernel development and vulnerability research.

Jamie Butler

is a Principal Software Engineer at MANDIANT. He has nearly a decade of experience researching offensive security technologies and developing detection algorithms. He began his career as an analyst with the National Security Agency and subsequently worked in the commercial sector as the lead kernel developer on a Windows host intrusion detection system. He was most recently the CTO of Komoku, Inc. and Director of Engineering at HBGary, Inc. focusing on rootkits and other subversive technologies.

Jamie received a M.S. of Computer Science from the University of Maryland and holds a Top Secret security clearance. He is the co-author and teacher of "Offensive Aspects of Rootkit Technologies" and co-author of the bestseller, "Rootkits: Subverting the Windows Kernel." (Addison-Wesley, 2005). In addition, Jamie has authored numerous papers, is a frequent speaker at computer security conferences such as the Black Hat Security Briefings, and has appeared on Tech TV and CNN.

Ends January 1

Ends February 8

Begins February 8

$2000 USD

$2200 USD

$2400 USD