Windows Kernel Rootkits

Most operating systems support kernel-mode device drivers, which execute with the same privileges as the operating system itself. As such, many kernel


Description:-

In order to achieve complete stealth and gain unrestricted access to the system, rootkits operate in kernel mode. This course specifically concentrates on the kernel interfaces (APIs), data structures, and mechanisms that rootkits exploit throughout their execution. It covers the various security enhancements that have been implemented in the Windows kernel, starting from Windows 7 up to the latest version, as well as techniques to bypass them.

This advanced course offers a comprehensive understanding of how rootkits work, delving into the inner workings of the Windows kernel and how malware takes advantage of these mechanisms. Through hands-on labs and real-world case studies, attendees will gain practical knowledge of the key techniques employed by rootkits, enabling them to apply these concepts both offensively and defensively.

This training is highly beneficial for individuals involved in the development, detection, analysis, and defense against rootkits and other post-exploitation techniques targeting the Windows kernel. This includes EPP/EDR software developers, anti-malware engineers, security researchers, and red/blue/purple team members.

Additionally, a specialized version of this training is available for malware and rootkit forensics analysts. This version focuses on investigating rootkits using tools like WinDBG and Volatility, rather than implementing rootkit functionality. It does not require attendees to have a programming background and covers topics related to rootkit detection and case studies.

Hands-on Labs:-

In this course, each topic is complemented by practical labs where participants have the opportunity to apply essential elements of a rootkit and experiment with them on 64-bit Windows systems. This hands-on approach helps solidify their comprehension of the theory.

Requirements:-

To fully benefit from this course, participants should have a strong command of C/C++ programming, a solid grasp of Windows kernel internals and APIs, and the ability to utilize the kernel debugger (WinDBG) for kernel module debugging. CodeMachine's Windows Kernel Internals and Windows Kernel Development courses equip individuals with the necessary Windows kernel expertise to make the most out of this training.

Learning Objectives:-

  • Acquire knowledge about weaknesses in the Windows kernel and device drivers.
  • Possess the capability to create and alter exploits in kernel-mode.
  • Comprehend the security improvements implemented in the Windows kernel throughout its evolution.
  • Possess the ability to circumvent certain security measures in recent iterations of Windows.
  • Grasp the procedures executed by kernel-mode rootkits after exploitation.
  • Comprehend the methodologies employed by actual rootkits.
  • Understand the techniques utilized by rootkits to conceal their existence within the system.
  • Understand how rootkits intercept network activity at a system-wide level.
  • Possess the skill to detect malicious behavior and safeguard against rootkits.

Topics:-

  • Kernel Attacks
  • Kernel Shellcoding
  • Kernel Hooking and Injection
  • Kernel Callbacks
  • Kernel Filtering
  • Kernel Networking
  • Virtualization Based Security

Course Details

Kernel Attacks:-

The purpose of this section is to acquire knowledge about weaknesses in kernel-mode drivers and the methods employed by attackers to elevate privileges and achieve code execution. It encompasses various subjects including the stages of rootkit execution, remote and local code execution, identification of hostile environments, exploitation of vulnerable drivers, determination of the kernel version, techniques for privilege escalation, manipulation of internal kernel structures, and control over the kernel-mode instruction pointer. Additionally, this section delves into system defenses such as kernel-mode address space layout randomization (KASLR), supervisor mode execution prevention (SMEP), and kernel virtual address shadowing (KVAS).

  • Kernel attack workflow
  • Types of vulnerabilities
  • Environment detection
  • Exploiting drivers
  • Direct kernel object manipulation (DKOM)
  • Privilege escalation
  • Kernel execution vectors

Kernel Shellcoding:-

The purpose of this section is to gain knowledge on the development of kernel-mode shellcode using raw x64 assembler and high-level languages. It encompasses various subjects including considerations and limitations of kernel-mode shellcode, tools for shellcoding (MASM/NASM/YASM), workarounds for x64 assembler limitations, creation of kernel-mode shellcode in C/C++, utilization of the PE file .pdata section, injection and execution of shellcode, loading reflective drivers, techniques for bypassing write protection in kernel-mode, invocation of kernel internal (un-exported) functions, accessing kernel internal global data structures, and elimination of shellcode execution artifacts. Additionally, this section also addresses system defenses such as driver signature enforcement (KMCS), kernel-mode DEP, and non-executable non-paged pool (NonPagedPoolNx).

  • Kernel mode shellcode
  • Shellcoding tools
  • Shellcoding in C/C++
  • PE exception table
  • Calling non-exported functions
  • Kernel Payload Loader
  • Circumventing memory protection

Kernel Hooking and Injection:-

The purpose of this section is to gain knowledge on subversion techniques in the kernel that involve code flow, as well as methods for injecting and executing code in user-mode processes from kernel-mode. It encompasses various topics including function prolog/epilog hooking, trampolines, synchronization across multiple processors, code caves, kernel function tables, function pointer hooking, stealth filtering through data structure redirection, user-mode code injection, user-mode asynchronous procedure calls (APCs), manipulation of thread register context, user-mode callbacks, and methods for detecting hooks. Additionally, system defenses such as kernel control flow guard (KCFG) and kernel patch protection (PatchGuard) are also discussed.

  • Code flow subversion methods
  • Function hooking
  • Function pointer hijack
  • Import hooking
  • Data structure hooking
  • Code injection and execution
  • Hook detection

Kernel Callbacks:-

The purpose of this section is to acquire knowledge about the various callback mechanisms that kernel-mode drivers can utilize to intercept system-wide activity that is of significance from a security standpoint. It encompasses subjects like the utilization of process callbacks to prevent process creation, thread callbacks to identify remote thread injection, image notification callbacks to hinder driver loading, object manager callbacks to restrict process memory access, shutdown callbacks to implement self-protection, bug-check callbacks for anti-forensics, and power callbacks for user presence detection.

  • Process callbacks
  • Thread callbacks
  • Image notification callbacks
  • Object manager callbacks
  • Shutdown notifications
  • Bug-check callbacks
  • Power notification callbacks

Kernel Filtering:-

The purpose of this section is to acquire knowledge regarding the various filtering mechanisms that kernel-mode drivers can utilize in order to intercept device, file, and registry access. It encompasses subjects like device stacks, filter drivers, the utilization of IRP filters for keylogging and disk access, filter registration, dynamic device attachment/detachment, registry filters, management of registry key context, concealing registry entries, the filter manager, file system mini-filters, context management, concealing directory entries, and locating and neutralizing filter driver callbacks.

  • Filtering models
  • IRP filters
  • PnP hardware detection
  • Stealth filtering
  • Registry filters
  • File system mini-filters
  • Neutering filters

Kernel Networking:-

The purpose of this section is to explore the components of the kernel-mode networking stack, the interfaces used to intercept networking activity within the system, and the injection of network data. It encompasses various subjects including the architecture of Windows networking, kernel network interfaces, representation of network packet data, NDIS drivers (miniport, intermediate, protocol, and filter), WFP architecture, Windows firewall, content inspection and modification of TCP streams, network layer-2 filtering, NDIS internal data structures, and low-level network I/O.

  • Kernel network interfaces
  • Net buffer lists (NBL) and net buffers (NB)
  • Windows filtering platform (WFP)
  • WFP MAC layer filtering
  • NDIS driver types
  • NDIS lightweight filters (LWF)
  • NDIS internal data structures and hooking

Virtualization Based Security:-

The purpose of this section is to gain knowledge about virtualization-based security and its influence on rootkits. It encompasses subjects like the prerequisites of the Hyper-V platform, VT-x/AMD-V, second-level address translation (SLAT), mode-based execution control (MBEC), the top-level functional specification (TLFS) of Hyper-V, virtual trust levels (VTL0/VTL1), the normal kernel, the secure kernel, the functionality of secure kernel patch guard (SKPG), restrictions imposed by HVCI on kernel drivers, the impact of KCFG on code flow subversion, secure pools, and the effects of KDP on DKOM.

  • Hyper-V Architecture
  • Virtual Trust Levels (VTL)
  • Secure Kernel (SK)
  • HyperGuard (SKPG)
  • Hypervisor-Protected Code Integrity (HVCI)
  • Kernel Control Flow Guard (KCFG)
  • Kernel Data Protection (KDP)
