
Windows Kernel Rootkit Techniques

T. Roy, CodeMachine Inc. | July 30-August 2


In this fast-paced, four-day course, attendees get a unique perspective on the offensive and defensive aspects of Windows kernel security and its applicability to contemporary rootkits. Attendees learn by "listening, seeing and doing": each topic is introduced with the theory needed to lay a solid foundation, followed by instructor-led demos and code walkthroughs that illustrate the concept, and finally hands-on programming and debugging labs that reinforce the techniques. The course content is structured as follows:

Kernel Architecture
  • Kernel Address Space Layout
  • Object and Pool Layout
  • Privilege Escalation
  • Memory Protection
  • Virtual Secure Mode (VSM)

Kernel Security Mitigations
  • Kernel-mode code signing (KMCS)
  • Kernel patch protection (PatchGuard)
  • Secure/Measured/Trusted Boot
  • Supervisor Mode Execution Prevention (SMEP)
  • No-Execute (NX) Pools
  • Pool Integrity Checks

Kernel Security Bypasses
  • Stack Pivots
  • ROP Gadgets
  • KASLR & Address Leaks
  • SMEP Bypass
  • Kernel Execution Vectors

Hooking Techniques
  • Types of Hooking
  • Code Flow Subversion
  • Function Hooking
  • Common Pitfalls
  • Hook Detection

Filtering Mechanisms
  • Registry Callbacks
  • File System Mini-Filters
  • Image Load Notifications
  • Process & Thread Callbacks
  • Object Callbacks
  • Early Load Anti-Malware Drivers (ELAM)

Covert Communications
  • Net Buffer Lists (NBL) & Net Buffers (NB)
  • Windows Filtering Platform (WFP)
  • NDIS Intermediate Drivers
  • NDIS Lightweight Filters (LWF)
  • NDIS Internal Data Structures & Hooking
  • Host Firewall Bypass

Stealth Behavior
  • Kernel Structure Manipulation
  • Rootkit Self-Defense
  • Persistence Methods
  • Anti-Debugging & Anti-VM
  • Detection Bypass

Detection Tools & Case Studies
  • Volatility Framework
  • GMER/Kernel Detective
  • Endpoint Security Products
  • ZeroAccess

Who Should Take this Course

Anti-malware engineers, malware analysts, forensics examiners and security researchers who are responsible for detecting, analyzing and defending against rootkits and other kernel post-exploitation techniques.

Student Requirements

This is an advanced-level course which requires attendees to be fluent in C/C++ programming, have a good knowledge of Windows kernel internals and APIs, and be able to use the kernel debugger (WinDBG) to debug drivers.

What Students Should Bring

Laptop Requirements:
  • Virtualization capable CPU(s)
  • Minimum 8GB of RAM (for running one guest VM)
  • Minimum 40 GB free disk space
  • Working USB Port
  • Working Wireless LAN

Software Requirements:
  • Host OS Windows 10 (x64 version)
  • Visual Studio 2015 Update 1
  • Windows Driver Kit (Windows 10 Version 1511)
  • Debugging Tools for Windows (included in WDK)
  • SysInternals Tools
  • Virtualization Software (VMware, Hyper-V, VirtualBox)
  • Guest OS Windows 10 (x64 version)
  • System Administrator access required on both host and guest OSs
  • WinDBG must be set up and configured on the host to debug the guest OS
  • All other software will be provided by the instructor.
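The host-to-guest kernel debugging setup required above is the one piece of preparation students must do themselves, so here is an added example of how it is typically configured. This is not part of the course material or the instructor's setup; the IP address, port, key and WinDbg path are placeholders that must be replaced with values for your own host and guest.

```powershell
# Added example: configuring a Windows 10 x64 guest VM for kernel debugging
# over the network (KDNET) from a WinDbg instance on the host. Not part of the
# course material; every value below is a placeholder for your own environment.

# --- Run inside the GUEST (elevated PowerShell) ---------------------------
$HostIp = "192.168.56.1"   # assumption: host-side IP reachable from the guest
$Port   = 50000            # assumption: any unused port in the 49152-65535 range
$Key    = "1.2.3.4"        # assumption: demo key only; omit key: to have one generated

bcdedit /debug on                                        # enable the kernel debugger on the current boot entry
bcdedit /dbgsettings net "hostip:$HostIp" "port:$Port" "key:$Key"
bcdedit /dbgsettings                                     # verify: prints debugtype Net, hostip, port, key
Restart-Computer                                         # the transport is only activated on the next boot

# --- Run on the HOST ------------------------------------------------------
# Point WinDbg at the same port and key; it waits for the guest to connect
# during boot. Path assumes the default WDK install location.
& "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -k "net:port=50000,key=1.2.3.4"

# Alternative when the hypervisor's virtual NIC has no KDNET support (for example
# a VMware guest with a virtual serial port mapped to a named pipe): use the
# serial transport instead.
#   guest: bcdedit /dbgsettings serial debugport:1 baudrate:115200
#   host : windbg.exe -k "com:pipe,port=\\.\pipe\com_1,resets=0,reconnect"
```

Once the guest breaks in under WinDbg (Ctrl+Break on the host), confirm symbols resolve with `!process 0 0` or `lm` before the course; a guest that boots but never connects usually means the host firewall is blocking the chosen UDP port or the guest NIC is not KDNET-capable.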

What Students Will Be Provided With

Printed copy of course and lab material, source code and binaries used in all the hands-on labs and some goodies.


T. Roy, an author, instructor and consultant, is the founder and president of CodeMachine. He holds a master's degree in computer engineering, has more than 20 years of experience and has taken more than a dozen projects from their infancy all the way through to commercial success. He works in the defense and intelligence community and is well-versed in the offensive side of cyber-security. Additionally, he was involved in the development of some of the industry's leading endpoint security solutions, such as intrusion prevention systems, network firewalls, behavioral anti-malware, document security and data leak prevention systems. Over the last decade he has taught courses all over the world and has received many instructor recognition awards.