In this fast-paced four-day course, attendees get a unique perspective on the offensive and defensive aspects of Windows kernel security and its applicability to contemporary rootkits. Attendees learn by "listening, seeing and doing": each topic is presented as theory to lay down a solid foundation, followed by instructor-led demos and code walkthroughs that illustrate the concept, and finally hands-on programming, debugging and forensic labs that reinforce the techniques. The course content is structured as follows:
Kernel Architecture
- Kernel Execution Contexts
- Key Kernel Data Structures
- Kernel Address Space Layout
- Memory Protection Mechanisms
- Objects and Pool Layout
- x64 Calling Convention and Stack Layout
Kernel Security Mitigations and Bypasses
- Kernel mode code signing (KMCS)
- Kernel patch protection (PatchGuard)
- Supervisor Mode Execution Prevention (SMEP)
- No-Execute (NX) Pools
- Pool Safe Unlinking and Integrity Checks
- Control Flow Guard (CFG)
- Secure, Measured and Trusted Boot
Kernel Mode Shellcode Techniques
- Kernel Exploitation Phases
- Kernel Execution Vectors
- Shellcode Injection
- 64-bit Shellcode Considerations
- Leveraging Special Purpose CPU Registers
- Multi-Processor Safe Patching
Hooking Techniques
- Types of Hooking
- Code Flow Subversion
- Function Hooking
- Common Pitfalls
- Hook Detection
Filtering Mechanisms
- IRP Filters
- Image Load Notifications
- Process and Thread Callbacks
- Object Callbacks
- Registry Callbacks
- File System Mini-Filters
- Early Load Anti-Malware Drivers (ELAM)
- Forensic Footprint of Filters
Covert Communications
- Net Buffer Lists (NBL) and Net Buffers (NB)
- Windows Filtering Platform (WFP)
- NDIS Intermediate Drivers
- NDIS Lightweight Filters (LWF)
- NDIS Internal Data Structures & Hooking
- Host Firewall Bypass
Stealth Behavior
- Kernel Structure Manipulation
- Rootkit Self-Defense
- Persistence Methods
- Anti-Debugging & Anti-VM
- Detection Bypass
- Forensic Analysis
Detection Tools & Case Studies
- Memory Acquisition
- Volatility Framework
- Live Rootkit Detection Tools
- Endpoint Security Products
- Rootkit Analysis
Who Should Attend
Anti-malware engineers, malware analysts, forensic examiners and security researchers who are responsible for detecting, analyzing and defending against rootkits and other kernel post-exploitation techniques.
Prerequisites
This is an advanced-level course which requires attendees to be fluent in C/C++ programming, have a good knowledge of Windows kernel internals and APIs, and be able to use the kernel debugger (WinDBG) to debug Windows kernel modules.
Course Materials
A printed copy of the course and lab material, the source code and binaries used in all the hands-on labs, and some goodies.
Instructor
T. Roy, an author, instructor and consultant, is the founder and president of CodeMachine. He has more than 20 years of experience and has taken more than a dozen projects from their infancy all the way through to commercial success. He works in the defense industry and is well versed in the offensive side of cyber-security. He was involved in the development of some of the industry's leading endpoint security solutions, including intrusion prevention systems, network firewalls, behavioral anti-malware, document security and data leak prevention systems. Over the last decade, he has taught courses all over the world and has received many instructor recognition awards.