Public Training

Windows Kernel Rootkits Public Training

CodeMachine is excited to offer an open enrollment virtual instructor-led session of the hugely popular Windows Kernel Rootkits Techniques training with hands-on labs on the 64-bit version of Windows 10 20H2.

DeliveryLive Instructor-led
Duration5 days
Date15th - 19th, March 2021
Time9:00 AM - 5:00 PM US EST
CostUS $4750
TopicsWindows Kernel Rootkits Course Page
RegistrationRegistration is closed.
StatusSold Out

Learning Objectives

Attendees will get a unique perspective on the offensive and defensive aspects of Windows kernel security and its applicability to contemporary rootkits. Attendees will learn by "listening, seeing, and doing" wherein they will be presented with the theory to lay down a solid foundation of the topic, followed by instructor-led demos and code walkthroughs to illustrate the concept and finally, hands-on programming, debugging, and analysis to reinforce the techniques. Attendees will receive a ton of modular and well-commented source code of the techniques discussed in class, which can be quickly repurposed for real-life red-teaming scenarios.

In the hands-on labs, attendees will use WinDBG to analyze a live VM and system memory dumps to identify and understand specific rootkit techniques. Attendees will use Visual Studio and the WDK to implement working kernel modules employing rootkit techniques to achieve the following offensive and defensive capabilities:

  • Detect hostile environments
  • Escalate privileges to load drivers
  • Perform DKOM reliably across kernel versions
  • Bypass driver signature enforcement
  • Tamper with the systems unloaded module list
  • Detect user presence
  • Block hostile kernel modules from starting
  • Protect LSASS secrets
  • Bypass code flow subversion detection
  • Install user-mode hooks from the kernel
  • Hide directory contents
  • Hide service control manager
  • Detect and block droppers
  • Detect hardware arrival and removal (for dynamic filtering)
  • Remove forensic evidence from memory dumps
  • Hide content of disk sectors
  • Log keystrokes
  • Scan network traffic for patterns
  • Remove content from network packets
  • Selectively block network traffic based on packet content
  • Intercept network packets at the lowest level of the Windows network stack


Please review the lab system setup instructions in the System Setup Guide.


  • x64 CPU with support for hardware virtualization
  • Dual monitors (for instructor's screen share and hands-on labs)
  • Reliable and fast Internet connection
  • Working audio system (speaker and mic)


  • Windows 10 64-bit
  • Visual Studio 2019 (Community+), SDK, WDK 2004 OR Enterprise WDK 20H2 (EWDK)
  • WinDBG Preview
  • Virtualization Software [Hyper-V (preferred), VirtualBox, VMWare]
  • GotoTraining native Windows client
  • All other software and tools will be provided before the training


The cost per attendee is US$4750 payable at the time of registration. After you register with your name and email you will receive a link to the payment page. Payments are securely processed by PayPal. All major credit cards are also accepted. If you would like us to work with your organization's finance department for a Purchase Order, please let us know right away.