To achieve maximum stealth and obtain unabated access to the system, rootkits execute in kernel mode. This course focuses on the kernel interfaces (APIs), data structures and mechanisms that are exploited by rootkits to achieve their goals at every stage of their execution. Kernel security enhancements that have been progressively added from Windows 7 to the latest version of Windows are discussed along with some circumvention techniques. This advanced course provides a comprehensive end-to-end view of the modus-operandi of rootkits by taking an in-depth look at behind the scenes working of the Windows kernel and how these mechanisms are exploited by malware through hands-on labs and real-world case studies. Kernel security enhancements that have been progressively added to Windows are discussed along with some circumvention techniques. Attendees will study key techniques used by rootkits to understand the real-world applicability of these concepts for offensive and defensive purposes. This training is beneficial to anyone responsible for developing, detecting, analyzing, and defending against rootkits and other Windows kernel post-exploitation techniques including EPP/EDR software developers, anti-malware engineers, security researchers, red/blue/purple teamers. A special version of this training is also available for malware, rootkit forensics analysts where the focus is not on implementing rootkit functionality but rather on investigating rootkits using tools such as WinDBG and Volatility. This analyst version does not require attendees to have a programming background and contains topics related to rootkit detection and case studies.
Syllabus
Kernel Attacks
- Kernel attack workflow
- Types of vulnerabilities
- Environment detection
- Exploiting drivers
- Direct kernel object manipulation (DKOM)
- Privilege escalation
- Kernel execution vectors
Kernel Shellcoding
- Kernel mode shellcode
- Shellcoding tools
- Shellcoding in C/C++
- PE exception table
- Calling non-exported functions
- Kernel Payload Loader
- Circumventing memory protection
Kernel Hooking and Injection
- Code flow subversion methods
- Function hooking
- Function pointer hijack
- Import hooking
- Data structure hooking
- Code injection and execution
- Hook detection
Kernel Callbacks
- Process callbacks
- Thread callbacks
- Image notification callbacks
- Object manager callbacks
- Shutdown notifications
- Bug-check callbacks
- Power notification callbacks
Kernel Filtering
- Filtering models
- IRP filters
- PnP hardware detection
- Stealth filtering
- Registry filters
- File system mini-filters
- Neutering filters
Kernel Networking
- Kernel network interfaces
- Net buffer lists (NBL) and net buffers (NB)
- Windows filtering platform (WFP)
- WFP MAC layer filtering
- NDIS driver types
- NDIS lightweight filters (LWF)
- NDIS internal data structures and hooking
Virtualization Based Security
- Hyper-V Architecture
- Virtual Trust Levels (VTL)
- Secure Kernel (SK)
- HyperGuard (SKPG)
- HyperVisor Protected Code Integrity (HVCI)
- Kernel Control Flow Graph (KCFG)
- Kernel Data Protection (KDP)