What to bring:
- Students need knowledge and experience with C programming.
- Laptops should be 32-bit and installed with the following:
- Network card
- Windows XP (Windows 2000 is acceptable)
- Windows Device Driver Development Kit (DDK)
- Windbg, which is free from Microsoft (http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx)
- Working Microsoft symbols for your OS, which you can download from Microsoft (http://www.microsoft.com/whdc/DevTools/Debugging/symbolpkg.mspx)
- SoftIce (Optional)
Rootkits are the primary tool used by malware to hide on a computer system. Take the next step in rootkit technology. This new 2nd-generation class teaches virtual memory subversion, fun with desktop firewalls, building kernel-mode command & control channels, and how to use in-memory rootkits without using device drivers or on-disk executables.
Covered in detail will be:
- Memory subversion, including page table manipulation and the 'Shadow Walker' technique of Translation Lookaside Buffer (TLB) desynchronization
- How and where desktop firewalls hook to monitor communication
- Kernel-mode networking hooks for a TCP/IP 2-way command and control channel
- Loading and installation of rootkits without leaving a persistent device driver or executable binary on the filesystem
For those students less familiar with the tricks rootkits employ, we will still briefly cover the following topics with hands-on, coding exercises:
- Structure of a basic kernel-mode device driver
- How to load/unload a rootkit
- Interrupt hooking
- How to hide files and directories
- How to hide processes
- Attaching to the network
- Hardware level access
- Modifying memory descriptors
- Modifying kernel objects directly
The student will install a debug monitor and be able to send debug data out of the kernel driver. For students who do not have SoftIce, the instructors will project an interactive SoftIce session so the students can observe single stepping and other features of the kernel debugger. If students have trouble with their rootkit, the instructors will install the rootkit on the demonstration server and help debug the code. The student should leave this class with a working rootkit of their own effort.
Who should take the course?
This class is not intended for people who wish to learn about device drivers or Windows programming in general; we will not be covering device driver technology or the kernel-mode APIs under Windows beyond what the rootkit itself needs. The techniques offered in this course are directed at the Windows platform, but are generic enough to be applied in the UNIX environment as well. This class is designed for people wishing to gain an intimate and advanced knowledge of how rootkits operate. This includes practitioners who wish to build their own rootkit technology and security experts who simply want to further their understanding of the rootkit threat. This is an advanced course and the student must be able to code in the C language. If you already code rootkits for UNIX, this class will give you the basics for converting your skills to the Windows platform. If you have never coded a rootkit, this will be a great opportunity to get started, and you will leave the class with real skills you can put to use in the field.
Students are encouraged to:
- Review the basic_* examples in Hoglund’s vault on rootkit.com
- Get the examples working on their laptop
- Compile basic_3.zip with the DDK
- Load the driver with InstDriver also in Hoglund’s vault
- Watch the messages in DebugView (http://www.sysinternals.com/Utilities/DebugView.html)
- Use the FU rootkit from rootkit.com to hide a process
- Read chapters 4, 5, 7, and 9 from "Rootkits: Subverting the Windows Kernel" for a good foundation on rootkit techniques
- Read "Shadow Walker: Raising The Bar For Windows Rootkit Detection" from phrack.org. The class will cover the more technical details of the paper, so a high-level understanding of the basic concepts presented in the paper is sufficient
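As an added example (this is not from the course materials or from Hoglund's vault), the load/unload cycle that InstDriver performs can also be driven from a command prompt with the built-in service control tool sc.exe, which is useful for checking that the driver built from basic_3.zip actually loads and that its DbgPrint output reaches DebugView. The service name basic_3 and the path C:\basic_3.sys are assumptions; substitute the name and location of your own build.

```batch
@echo off
REM Added example, not part of the course materials: register, start, stop and
REM remove a kernel-mode driver with sc.exe instead of InstDriver.
REM Run from an Administrator command prompt on the lab laptop.
REM Assumptions: the driver built from basic_3.zip is at C:\basic_3.sys and the
REM service is named basic_3. sc.exe requires a space after each "=".
set DRVNAME=basic_3
set DRVPATH=C:\basic_3.sys

REM Create the service entry for a kernel driver (type= kernel).
REM start= demand means it is loaded only when explicitly started.
sc create %DRVNAME% type= kernel start= demand binPath= %DRVPATH%

REM Start the driver: DriverEntry runs now, and its DbgPrint messages show up
REM in DebugView (enable Capture -> Capture Kernel) or in the kernel debugger.
sc start %DRVNAME%
sc query %DRVNAME%

REM Stop the driver (this calls the DriverUnload routine), then remove the entry.
sc stop %DRVNAME%
sc delete %DRVNAME%
```

One caveat a practitioner will hit immediately: `sc stop` only succeeds if the driver installed an unload routine in DriverObject->DriverUnload. A driver that does not set one stays resident until the next reboot, which is exactly the property a rootkit author wants and a tester does not.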
Greg Hoglund is the CEO and founder of HBGary, Inc., and Jamie Butler joined the company two years ago as Director of Engineering. The company offers the Inspector reverse engineering tool suite and services for kernel development and vulnerability research.
Greg and Jamie recently authored one of 2005's best-selling computer security books, Rootkits: Subverting the Windows Kernel, and are active maintainers of the website http://www.rootkit.com.
Greg and Jamie have successfully delivered rootkit training for years. This class builds on the solid foundation of material already developed and covers several new and crucial areas of development.