|What to bring:
Students should have experience with 'c' programming and should have the Windows 2000/XP Device Driver Development Kit (DDK) installed.
Student need a laptop with Windows 2000/XP installed
Student needs the Windows 2000/XP DDK (device driver development kit)
Student should have working SoftIce installed (optional)
Students need a desire to get their hands dirty and should not be afraid of blue-screening their computer
Software bugs are not going away. More people than ever before now have access to the tools and the techniques for finding exploitable bugs. Many software bugs can be exploited to install virii, worms, and backdoor programs. The kernel rootkit remains the single most powerful subversive program that can be installed on a vulnerable system.
Rootkits can remain undetected for years and can offer limitless offensive capabilities such as logic bombs, self-replicating virii, and keystroke monitors. This class offers a hands-on experience coding a kernel rootkit from scratch.
Nothing is better than hands-on experience. Students will build a basic kernel rootkit that can hide processes, files, and directories.
Who should take the course:
This class is not intended for people who wish to learn about device drivers or windows programming - we will not be covering any device driver technology or the kernel mode API's under windows.
The techniques offered in this course are directed at a windows platform, but are generic enough to be applied in the unix environment as well. This class is designed for people wishing to gain an intimate and advanced knowledge of how rootkits operate. This includes practitioners who wish to build their own rootkit technology and security experts who simply want to further their understanding of the rootkit threat. This is an advanced course and the student must be able to code in the 'c' language. If you already code rootkits for unix, this class will give you the basics for converting your skills to a windows platform. If you have never coded a rootkit this will be a great opportunity to get started and you will leave the class with real skills you can put to use in the field.
Student will learn:
The following topics will be treated as hands-on coding:
- Structure of a basic kernel-mode device driver
- How to load/unload a rootkit from kernel mode
- Interrupt hooking
- How to hide files and directories
- How to hide processes
The following advanced topics will be covered in lecture form, but will not be offered as hands on coding:
- Networking code/NDIS
- Command Shell
- Launching a win32 process
The student will install a debug monitor and be able to send debug data out of the kernel driver. The student will be able to load and unload the rootkit without having to install a device driver in the registry. For students who cannot obtain the DDK, the teacher will provide a server and will compile the student code for the student. This will be displayed on a projector so that students can observe the compilation process. For students who do not have SoftIce, the teacher will project an interactive SoftIce session so the students can observe single stepping and other features of the kernel debugger. If students have trouble with their rootkit, the teacher will install the rootkit on the demonstration server and help debug the code. The student should leave this class with a working rootkit of their own effort.
- Students should have experience with 'c' programming and should have the Windows 2000/XP Device Driver Development Kit (DDK) installed.
- Student needs a laptop with Windows 2000/XP installed
- Student needs the Windows 2000/XP DDK (device driver development kit)
- Student should have working SoftIce installed (optional)
- Students need a desire to get their hands dirty and should not be afraid of blue-screening their computer
Course Length: 2 days
Cost: US $1600 25 April 2003, or US $1800 after 25 April 2003
NOTE: this is a two day course. A Black Hat Certificate of Completion will be offered.
Greg Hoglund has focused his career on the issues facing the security community. Capitalizing on his growing security knowledge, he wrote one of the earliest security scanners, which he sold to WebTrends, Inc. and joined the company in a strategic product-development role. Today, his scanner is renamed the WebTrends Security Analyzer and is installed in over half of the Fortune 500 companies. Hoglund later joined Tripwire, Inc. in a key R&D role at the computer security company.
Hoglund steadily expanded the breadth and intensity of his security knowledge, emerging as a recognized expert on many facets of security technology. He has been a frequent speaker at computer security conferences - including Blackhat, DefCon, Infosec, and SANS in the US, Europe and Asia-Pacific - and has authored several respected papers on security topics.
Hoglund's experience and expertise led directly to co-founding Cenzic Inc. with Penny Leavy in May of 2000 to provide a true security-QA platform that will effectively enable security risk management.