In this fast-paced four-day course, attendees get a unique perspective on the offensive and defensive aspects of Windows kernel security and its applicability to contemporary rootkits. Attendees learn by "listening, seeing and doing": each topic is introduced with the theory needed to lay a solid foundation, followed by instructor-led demos and code walkthroughs that illustrate the concept, and finally by hands-on programming and debugging labs that reinforce the techniques. The course content is structured as follows:
Kernel Architecture
- Kernel Address Space Layout
- Object and Pool Layout
- Privilege Escalation
- Memory Protection
- Virtual Secure Mode (VSM)
Kernel Security Mitigations
- Kernel mode code signing (KMCS)
- Kernel patch protection (PatchGuard)
- Secure/Measured/Trusted Boot
- Supervisor Mode Execution Prevention (SMEP)
- No-Execute (NX) Pools
- Pool Integrity Checks
Kernel Security Bypasses
- Stack Pivots
- ROP Gadgets
- KASLR & Address Leaks
- SMEP Bypass
- Kernel Execution Vectors
Hooking Techniques
- Types of Hooking
- Code Flow Subversion
- Function Hooking
- Common Pitfalls
- Hook Detection
Filtering Mechanisms
- Registry Callbacks
- File System Mini-Filters
- Image Load Notifications
- Process & Thread Callbacks
- Object Callbacks
- Early Load Anti-Malware Drivers (ELAM)
Covert Communications
- Net Buffer Lists (NBL) & Net Buffers (NB)
- Windows Filtering Platform (WFP)
- NDIS Intermediate Drivers
- NDIS Lightweight Filters (LWF)
- NDIS Internal Data Structures & Hooking
- Host Firewall Bypass
Stealth Behavior
- Kernel Structure Manipulation
- Rootkit Self-Defense
- Persistence Methods
- Anti-Debugging & Anti-VM
- Detection Bypass
Detection Tools & Case Studies
- Volatility Framework
- GMER/Kernel Detective
- Endpoint Security Products
- TDSS/TDL4
- ZeroAccess
This course is intended for anti-malware engineers, malware analysts, forensics examiners and security researchers who are responsible for detecting, analyzing and defending against rootkits and other kernel post-exploitation techniques.
This is an advanced-level course which requires attendees to be fluent in C/C++ programming, to have a good knowledge of Windows kernel internals and APIs, and to be able to use the kernel debugger (WinDbg) to debug drivers.
Attendees receive a printed copy of the course and lab material, the source code and binaries used in all the hands-on labs, and some goodies.
T. Roy, an author, instructor and consultant, is the founder and president of CodeMachine. He holds a master's degree in Computer Engineering, has more than 20 years of experience, and has taken more than a dozen projects from their infancy all the way through to commercial success. He works in the defense and intelligence community and is well versed in the offensive side of cyber-security. Additionally, he was involved in the development of some of the industry's leading endpoint security solutions, including intrusion prevention systems, network firewalls, behavioral anti-malware, document security and data leak prevention systems. Over the last decade he has taught courses all over the world and has received many instructor recognition awards.