Black Hat Digital Self Defense USA 2006
Training

Black Hat USA Training 2006
Caesars Palace Las Vegas • July 31-August 1

Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.

ROOTKIT: Advanced 2nd Generation Digital Weaponry

Greg Hoglund & Jamie Butler

What to bring:
Each student should bring a laptop, as this is a hands-on class. If not working in a virtual machine, there is the potential that the student’s machine could become unbootable, so students should be aware of this and back up whatever they need on the machine before coming to class. Laptops should be 32-bit (no 64-bit machines!) and installed with the following:

  • Windows XP SP 2 (Windows 2000 SP 4 is acceptable)
  • Windows Driver Development Kit (DDK)
  • WinDbg installed with working symbols for the student’s particular OS (both of which can be downloaded for free from Microsoft)
  • Microsoft PowerPoint reader to follow along with the slides
  • Adobe PDF Reader for select papers
  • Visual Studio .NET 2003 or later (optional)
  • VMware Workstation or VMware Player (highly recommended)
  • Installed and working network card
  • Compuware SoftIce (optional)

Overview:
Rootkits are the primary tool used by malware to hide on a computer system. Rootkits can also be used to tamper-proof your own software against attackers. Take the next step in rootkit technology. This new 2nd generation class teaches advanced techniques such as memory subversion, kernel mode process infection even of “hardened” processes, simple “shellcode” techniques, creating processes from Ring 0, subverting the Windows Object Manager, and kernel mode covert network channels.

Covered in detail will be:

  • Memory cloaking via page table manipulation and the 'Shadow Walker' technique of Translation Lookaside Buffer (TLB) desynchronization
  • How and where desktop firewalls hook to monitor communication
  • A kernel mode hook to monitor all packets
  • Kernel mode networking hooks for a TCP/IP 2-way command and control channel
  • DLL injection into “hardened” processes
  • Spawning a user land process from a driver with the token/credentials of any existing process
  • Subverting logging
  • Call gates, interrupts, and shadow branching

For those students less familiar with the tricks rootkits employ, we will cover the following topics with a few hands-on coding exercises:

  • Call-hooking
  • How to hide files and directories
  • Attaching to the network
  • Hardware level access
  • Modifying kernel objects directly

Who should take the course?
This class is not intended for people who wish to learn about device drivers or Windows programming; we will not be covering any device driver technology or the kernel mode APIs under Windows. The techniques offered in this course are directed at the Windows platform, but are generic enough to be applied in the UNIX environment as well. This class is designed for people wishing to gain an intimate and advanced knowledge of how rootkits operate. This includes practitioners who wish to build their own rootkit technology and security experts who simply want to further their understanding of the rootkit threat. This is an advanced course, and the student must be able to code in the C language. If you already code rootkits for UNIX, this class will give you the basics for converting your skills to the Windows platform.

Students are encouraged to:

  • Review the basic_* examples in Hoglund’s vault on rootkit.com
  • Get the examples working on their laptop
  • Watch the messages in DebugView (http://www.sysinternals.com/Utilities/DebugView.html)
  • Use the FU rootkit from rootkit.com to hide a process
  • Read chapters 4, 5, 7, and 9 from "Rootkits: Subverting the Windows Kernel" for a good foundation on rootkit techniques
  • Read "Shadow Walker: Raising The Bar For Windows Rootkit Detection" from phrack.org. The class will cover the more technical details of the paper, so a high-level understanding of the basic concepts presented in the paper is sufficient

Prerequisites:
Students need knowledge and experience with C programming. This class builds upon the original class Offensive Aspects of Rootkit Technology; although a brief overview will be given, experience with rootkit development/disassembly is extremely helpful. A basic understanding of Intel x86 Assembly is useful.

Trainer:

Greg Hoglund is the CEO and founder of HBGary, Inc. The company offers the Inspector reverse engineering tool suite and services for kernel development and vulnerability research.

James Butler is the CTO of Komoku, Inc., which specializes in high-assurance host integrity monitoring and rootkit detection. Before that, Mr. Butler was the Director of Engineering at HBGary, Inc., focusing on rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Rootkit Technologies".

Greg and Jamie recently authored one of 2005’s best-selling computer security books, "Rootkits: Subverting the Windows Kernel", and are active maintainers of the website http://www.rootkit.com.

Greg and Jamie have successfully delivered rootkit training for years. This class builds on the solid foundation of material already developed and covers several new and crucial areas of development.

Cost:

  • Early Bird (ends June 30, 2006): $1800 USD
  • Regular (ends July 27, 2006): $2000 USD
  • Onsite (begins July 28, 2006): $2100 USD

(c) 1996-2007 Black Hat