Windows Kernel Rootkits Techniques and Analysis

In this course, we teach students how to: reverse engineer NSA rootkits, write their own rootkits, and build their own endpoint detection and response software for defence purposes
- Bruce Dang, Instructor

Windows Kernel Rootkits Techniques and Analysis

This class is tailored for malware analysts, system developers, forensic analysts, incident responders, or enthusiasts who want to analyze Windows kernel rootkits or develop software for similar tasks. It introduces the Windows architecture and how various kernel components work together at the lowest level. It discusses how rootkits leverage these kernel components to facilitate nefarious activities such as hiding processes, files, network connections, and other common objects. As part of the analytical process, we will delve into the kernel programming environment; we will implement some kernel-mode utilities to aid our understanding.

Needless to say, the class will contain many hands­-on labs and exercises using real­-world rootkits. There are no made­-up examples in the class.

What You Should Expect
After this class, you should have a systematic understanding of Windows kernel to analyze rootkits and develop kernel­-mode drivers for your job. You will also understand and apply kernel concepts to carry out forensic investigations on a Windows machine. In addition, you will be able read and understand research on Windows kernel and related subjects. You will no longer feel intimidated by the kernel after this class.

In previous classes, practically all students were able to analyse kernel rootkits and develop drivers on their own at the end of the course. Many of these students have never written a driver before in their life and they felt comfortable doing it after the third day. Here are some examples of what some students accomplished after class: analyzed well­-known kernel APTs, analyzed Windows Patchguard, developed a driver to remap keys, researched into hypervisor development.

Intended Audience
Malware analysts, systems programmer, forensic analysts, security engineers, network security analysts, kernel enthusiasts.

About the Instructor
Bruce Dang is an information security researcher with interests in low­-level systems. He is currently working at Veramine trying to make the world a safer place. He previously worked as a senior security development engineer lead at Microsoft; his team's focus spans all things product­ security related from hardware, OS, and web services. He specialises in reverse engineering and Windows kernel­-level security projects. Before Microsoft, he worked as a developer in the financial sector. He was the first person to publicly discuss techniques of analyzing file format based exploits and has patents in the area of generic shellcode and exploit detection. His public research includes Microsoft Office exploit analysis, ROP detection, shellcode detection, and kernel driver decompilation techniques; on the malware side, he is known for first analyzing vulnerabilities in the Stuxnet worm. He has spoken at major security conferences worldwide, i.e., REcon (Canada), Blackhat (Vegas and Tokyo), Chaos Computer Club (Germany), Computer Antivirus Research Organization (Hungary), etc. In addition to sharing his knowledge at public conferences, he has also provided private training and lectures to government agencies. He is also the author of the best­selling reverse engineering textbook, Practical Reverse Engineering: x86, x64, Windows kernel, and obfuscation, published by John Wiley and Sons in 2014.

Course Outline:

x86/x64 architecture and system
Review of x86/x64 system mechanisms for BIOS/kernel developers. We discuss concepts and data structures related to debug registers, control registers, model­specific registers, segmentation, system calls, virtual memory mechanisms, privilege isolation, interrupts, and many more. For each concept, we explain how they can be used to write low­level software. Of course, we will also show how Windows use these mechanisms.

Windows kernel architecture
We describe the general architecture of the Windows kernel. This includes an overview of various subsystems such as process, memory management, executive, configuration management, and object management. In addition to explaining how the subsystems interact with each other, we also explain their programming interfaces and show how they can be used by developers do malicious or nonmalicious functionalities.

Debugging
Since the course will involve debugging and reverse engineering kernel­level software, we also explain the Windows kernel debugging subsystem. In the process, we will discuss how the kernel debugger works and show various debug/antidebug techniques. We will also walkthrough kernel debugging setup and introduce concepts relevant to kernel debugging.

Data structures
Reverse engineering and kernel forensics involve recovering and understanding various kernel data structures and their relationship. In this section, we describe and explain all fundamental Windows kernel data structures for security and forensics analysts. Some example structures include IDT, KPCR, KPRCB, DPC, E/KTHREAD, E/KPROCESS, etc.

Memory management
We dive into the core concepts of memory management in Windows. Coverage includes discussions of kernel pool allocator, paging, address space setup/teardown, page tables, address translations, and many more.

Processes and threads
We describe how processes and threads are implemented in Windows and the different ways they can be manipulated by kernel­mode code. Examples include file hiding, thread injection, thread suspension, process tracking, and many more. We will also discuss the different interfaces exposed by the process manager.

Files and networking
The file and network subsystems are a good place for malware persistence and communication, respectively. This section explains how they work and how to program with them. Examples include file hiding, network packet inspection, traffic rerouting, kernel­mode network programming.

User­-kernel facilities
Windows provide many facilities for user­mode programs to communicate with kernel­mode services and vice versa. We explain how these mechanisms work and their implementation. We will also discuss how rootkits may use such mechanisms and implement some examples.

Drivers
Driver development is key to understanding rootkits and kernel forensics. In this section, we teach all the necessary concepts to writing drivers (or rootkits) for those without any kernel experience. You will learn about IRPs, IRQLs, dispatch handling, buffering methods, interrupts, native APIs, IOCTLs, DPCs, APCs, workitems, and many more kernel concepts. By the end of this class, you will certainly be comfortable writing your own drivers for forensics and security­related purposes.

Kernel/exploit development
Kernel exploits are frequently used to escalate from normal user to kernel privilege. This section discusses various classes of kernel vulnerabilities, how to spot them, and how they can be exploited. We will explain how to write your own kernel­mode shellcode as well.

Every section in this course includes hands­on analysis and programming exercises.

Enrol


Fees
  • Early bird: $5,500.00 AUD including GST.
  • Standard: $6,600.00 AUD including GST.
  • Group Special: 1 free ticket for 5 paid tickets.

Enrolment
No open registration programmes scheduled. Contact us to run this learning programme onsite.
Terms and Conditions
  • Payment methods are either booking online via Event Brite or contacting us for an invoice.
  • Payment is required at the time of booking.
  • Cancellation notifications after 14 days prior to course commencement date are not eligible for refund.
  • Cancellations received between 15 and 28 days prior to course commencement will be charged 50% of the course fee.
  • Students are allowed 1 reschedule per class. Transfers received between 15 – 28 days prior to course commencement will be charged a $300 (incl GST) administrative fee. The new session date must be given at the time of the reschedule notification and rescheduled classes must be taken within 6 months of original scheduled date.
  • Transfers received 14 days or less prior to course commencement will be charged 50% of the course fee. The new session date must be given at the time of the reschedule notification and rescheduled classes must be taken within 6 months of original scheduled date.
  • Payment must be made in full prior to any rescheduling.
  • Student substitutions can be made in writing 48 hours prior to a class start.
  • If a student does not attend a scheduled session, there will be no refund or reschedule given. Payment is forfeited. Mossé Security reserves the right to cancel a course and will endeavour to provide participants with as much notice as possible. Upon cancellation, any fees already paid by the participant will be refunded.

Requirements

In order to get the most out of this class, you need to have some programming experience; if you are not comfortable with that, you can still understand the material and immediately apply it to your daily job, however you might need to work extra hard in class.


Hardware Requirements
Laptop running Windows as the host OS.
You will spend a lot of time tracing, debugging, and developing rootkits/drivers. Hence, for the purpose of this class, please bring a laptop running Windows as the host OS. In previous courses, some students brought MacBooks (running OS X and VMWare Fusion) and end up spending a lot of time fighting with configuration settings; while it is technically possible to have two Windows VMs (one target, one host), it is painfully slow and difficult.
The class involves toggling between VMs. Hence, if your laptop has an SSD, you will have a better experience.

Software Requirements
You should have the following software installed on your host OS:
Do not make the mistake of installing these software while in class as it will take many hours.
In addition, you will need to have VM images for these OSes:
  • Windows 10 RS2
  • Windows 8.1 x64
  • Windows 7 x86/x64 (you will need both because we will deal with both 32 and 64 bits rootkits/drivers)