3-Day Training | 18-20 September 2019
Most anti-malware solutions and rootkits are implemented as Windows kernel modules because kernel mode software gets unrestricted access to the system. To analyze rootkits, collect forensic evidence and understand the capabilities and limitations of endpoint security software, it is critical to have a good grasp of the architecture and internals of the Windows kernel.
This course takes a deep dive into the internals of the Windows kernel from a security perspective, with emphasis on internal algorithms, data structures, and debugger usage. All topics are accompanied by discussions of the security mitigations that have been progressively added over time to thwart kernel mode exploitation.
This training is a mix of theory, instructor-led demos, source code walkthroughs, lab exercises, and quizzes to provide attendees with a good understanding of the material. Attendees will use the kernel debugger (WinDBG) extensively and interpret debugger output to observe the behind-the-scenes workings of the Windows kernel and understand the commonly targeted kernel attack vectors. In addition, attendees will use other tools such as Sysinternals and the Volatility framework to learn how to hunt for malicious activity and indicators of compromise (IoC).
Attendees will receive a printed copy of the course material, the source code of the demos used in the class, and memory dumps of the latest version of Windows 10 64-bit to practice the WinDBG skills learnt in class.
▪ Kernel Architecture
▪ Processes (Normal, System, Minimal, Protected)
▪ Low Level Constructs (Segment Registers, Control Registers, MSRs, GDT, Task Gates)
▪ System Calls (Native APIs, Service Dispatching)
▪ Kernel Mode Execution (DPCs, Timers, APCs, Work Items)
▪ Objects and Handles (Namespace, Header, Type Objects)
▪ Token, Security Descriptors & Access Checks
▪ Kernel Virtual Memory Layout
▪ Page Tables & PTE Attributes
▪ Memory Pools
▪ Memory Descriptor Lists
▪ Kernel Stack Layout
▪ Driver Architecture
▪ Key I/O Manager Data Structures
▪ Application / Driver Communication
▪ Kernel Security Mitigations (KASLR, NX Pool, KPP, DSE etc.)
▪ Hardware Security Enforcements (SMEP, NX, CET etc.)
▪ Virtualization Based Security (VBS)
Working knowledge of Windows and a good understanding of operating system concepts such as processes, threads, virtual memory, and I/O management is necessary. Knowledge of programming is not required for this training.
Attendees are required to bring their own laptops to the class. The laptop must be virtualization capable and must be able to run at least one 64-bit VM. The host OS must be Windows 10 64-bit. Virtualization software (Hyper-V, VirtualBox, VMware) must be installed with the latest version of Windows 10 64-bit as the guest OS. System Administrator access is required on both the host and guest OSs. All other software and tools will be provided by the instructor prior to the start of the class.