Windows Kernel Rootkits


Description

To achieve maximum stealth and obtain unabated access to the system, rootkits execute in kernel mode. This course focuses on the kernel interfaces (APIs), data structures and mechanisms that are exploited by rootkits to achieve their goals at every stage of their execution. Kernel security enhancements that have been progressively added from Windows 7 to the latest version of Windows are discussed along with some circumvention techniques. Every topic in this course is accompanied by hands-on labs where attendees get to implement key components of a rootkit and test them on 64-bit Windows systems to reinforce their understanding of the theory. By learning how rootkits actually work, attendees are able to detect and defend against them.

Prerequisites

Attendees must be proficient in C/C++ programming. In addition, attendees are expected to have a good understanding of Windows kernel internals and APIs. CodeMachine's Windows Internals and Windows Kernel Programming courses provide the Windows kernel knowledge required to get full value from this course.

Kernel Debugger Review

Being able to use the kernel debugger effectively is critical to kernel mode rootkit analysis. The objective of this section is to provide a refresher on the Windows kernel debugger, debugging symbols and debugger usage.

  • Debugger Package
  • Debugger Parameters
  • Kernel Mode Debugging
  • Debugger Symbols
  • Debugger Command Types
  • Debugger Command Reference

Kernel Architecture Review

The objective of this section is to discuss the architecture of the Windows kernel, the key kernel mode components and the core system mechanisms that are critical to kernel mode security software.

  • NTOSKRNL, HAL & Drivers
  • Processes and Threads
  • System & System Idle Process
  • Process and Thread Data Structures
  • Native API Calls
  • KPCR & IRQLs
  • DPCs, APCs & Work Items
  • Kernel Virtual Address Space
  • Address Translation
  • Kernel Pools
  • MDLs & Memory Mapping
  • Objects & Handles
  • I/O Manager Objects
  • x64 Registers & Calling Convention

Kernel Security Mitigations

The objective of this section is to understand how kernel mode exploitation works, the different exploit mitigations that have been added to the Windows kernel over the course of its lifetime, and the techniques used to bypass some of these mitigations.

  • Kernel Attacks and Mitigations
  • Kernel Address Space Layout Randomization (KASLR)
  • NULL Page Allocation Prevention
  • Supervisor Mode Execution Protection (SMEP)
  • Safe Linking and Unlinking
  • Kernel Mode Code Signing (KMCS)
  • Kernel Mode Data Execution Prevention (DEP)
  • Control Flow Guard (CFG)
  • Non-Executable Pools
  • Kernel Mode Shell Code Techniques

Hooking Techniques

The objective of this section is to understand the different techniques used to subvert code execution in the kernel, the mitigations that Microsoft has added to thwart some of these techniques, and how effective each technique remains.

  • Types of Hooking
  • Code Flow Subversion
  • Function Hooking
  • Common Pitfalls
  • Hook Detection

Filtering Mechanisms

The objective of this section is to learn about the documented mechanisms available to kernel mode software to intercept various system activity.

  • IRP Filter Drivers
  • Registry Callbacks
  • File System (FltMgr) Mini-Filter Drivers
  • Image Load Notifications
  • Process & Thread Callbacks
  • Object Callbacks
  • Early Load Anti-Malware (ELAM) Drivers

Covert Communications

The objective of this section is to discuss the architecture of the Windows networking stack, the various mechanisms available to intercept networking activity in the system, and the techniques used to bypass some of these mechanisms.

  • Kernel Network Interfaces
  • Windows Filtering Platform (WFP)
  • NDIS Intermediate Drivers
  • Net Buffer Lists (NBL) & Net Buffers (NB)
  • NDIS Lightweight Filters (LWF)
  • NDIS Internal Data Structures & Hooking
  • Host Firewall Bypass

Stealth Behavior

The objective of this section is to learn about the various techniques used to achieve stealth in the system, reduce the forensic footprint, and make kernel subversion activity harder for detection tools to identify.

  • Process Attachment
  • Code Injection
  • Direct Kernel Object Manipulation
  • Stealth Operations
  • Persistence and Startup
  • Rootkit Self-Defense
  • Anti-Debugging & Anti-VM

Detection Tools & Case Studies

The objective of this section is to discuss the current state of the kernel mode malware ecosystem. It covers kernel mode rootkits and the tools used to detect them, as well as real-life techniques used by commercial rootkits.

  • Volatility Framework
  • Kernel Rootkit Detection Tools
  • Endpoint Security Products
  • Virtualization Based Security (VBS)
  • TDSS/TDL4 Rootkit Analysis
  • ZeroAccess Rootkit Analysis