Windows Kernel Security Training Courses

http://www.codemachine.com/courses.html#kerdbg

Windows Kernel Internals for Security Researchers

This course takes a deep dive into the internals of the Windows kernel from a security perspective. Attendees learn about behind the scenes working of various components of the windows kernel with emphasis on internal algorithms, data structures and debugger usage. Every topic in this course is accompanied by hands-on labs that involve extensive use of the kernel debugger (WinDBG/KD) with emphasis on interpreting the debugger output and using this information to understand the state and health of the system. Attendees also analyze pre-captured memory dumps to identify kernel rootkits and dissect rootkit behavior.

Learning Objectives

• Understand the major components in the Windows Kernel and the functionality they provide.
• Understand the key principles behind the design and implementation of the Windows kernel.
• Understand the internal workings of the kernel and how to peek into it using the debugger.
• Be able to investigate system data structures using kernel debugger extension commands.
• Be able to interpret the output of debugger commands and correlate them to the state of the system.
• Be able to navigate between different data structures in the kernel, using debugger commands.
• Be able to locate indicators of compromise while hunting for kernel mode malware.
• Understand how kernel mode rootkits interact with the system.

Prerequisites

Attendees must have a solid understanding of operating system concepts and have a working knowledge of Windows. This course does not require you to have any programming knowledge.

Topics

Day 1

Architectural Overview: Privilege rings, HAL, kernel, executive, device drivers, Win32k.sys, NTDLL, system process, user and kernel threads.            

Hardware Support: CPU registers, segment registers, global descriptor table (GDT), interrupt descriptor table (IDT), task state segment (TSS), call gates, local descriptor table (LDT), model specific registers (MSR).            

Day 2

Critical Data Structures: Process and thread data structures (EPROCESS, ETHREAD, KPROCESS, KTHREAD), KSHARED_USER_DATA, kernel process and module list, processor control region (KPCR).    

System Mechanisms: Interrupt request levels (IRQL), interrupts, traps, system calls, service descriptor tables, Native API calls (Zw vs Nt), read/write probes, exception handling, kernel-user callbacks.        

Day 3

Kernel Execution Environment: Interrupt service routines (ISR), deferred procedure calls (DPC), asynchronous procedure calls (APC), system threads, work items, worker threads, timers.    

Memory Management: Kernel virtual address space, page table entries (PTE), virtual address descriptors (VAD), page frame number (PFN) database, kernel mode thread stacks, pools, memory mapping and memory descriptor lists (MDL).    

Day 4

Objects and Handles: Object manager, object header, object types and procedures, object layout, object security checks, handle tables, handle table entries, kernel handles, object reference counting.    

Windowing Subsystem: CSRSS, Win32K.sys, DirectX, GUI threads, Win32K.sys data structures, session space, session pool, keyboard and mouse input.    

Day 5

Device Drivers: Driver architecture, I/O manager data structures (driver object, device object, file object, symbolic link), I/O requests (IRP and I/O stack location), I/O processing, IOCTL requests, data buffering mechanisms.    

Kernel Security Mitigations: Kernel mode code signing (KMCS), kernel patch protection (PatchGuard), KASLR, supervisor mode execution prevention (SMEP), non-executable (NX) pools, safe pool unlinking, pool integrity checks, NULL page allocation protection, GS cookie, integrity level restrictions.    

---

Windows Kernel and Filter Driver Development

Most security software on Windows run in kernel mode. This course starts with the basics of kernel mode software development and debugging and then progressively dives into the APIs, filtering mechanisms and advanced programming techniques required to implement kernel mode security software. Every topic in the course is accompanied by hands-on labs that involve extensive coding and debugging of kernel mode software to understand the programming model, the interfaces (APIs), their use cases and common pitfalls. This is a security focused course and does NOT cover development of drivers for hardware devices like PCI and USB, Bluetooth. It does NOT cover Kernel Mode Driver Framework (KMDF).

Course Objectives

• Get a jump start into Windows kernel mode software development and debugging.
• Be able to perform common programming tasks required by kernel mode drivers.
• Understand the intricacies of kernel mode software development.
• Be able to use different filtering mechanisms provided by Windows to intercept and modify operations in the system.
• Be able to use kernel mode APIs to develop reasonably complex security functionality.
• Be able to use the debugger effectively to perform live debugging of kernel mode drivers.
• Be able to use tools other than the debugger to debug issues with kernel mode software.
• Understand how kernel mode rootkits and commercial anti-malware implement their functionality.

Prerequisites

Attendees must be proficient in C/C++ programming. In addition, attendees are expected to have good working knowledge of the windows kernel. CodeMachine's Windows Internals for Security Researchers course provides the Windows kernel knowledge required to attend this course.

Topics

Day 1

Driver Development Environment: Driver development with Visual Studio, Windows driver kit (WDK), WDK headers and libraries, WDK sample code, driver installation and updating, VM debug environment, debug prints    

Kernel Debugging: Live debugging with WinDBG/KD, breakpoint techniques, execution control, runtime patching, driver code analysis (PREfast), run-time verification (Driver Verifier), kernel tracing    

Day 2

Driver Programming Basics: Driver entry points, IRP processing, IOCTL requests, interfacing with user-mode applications, application-driver data transfers (buffering methods), kernel memory allocation (pools and lookaside lists), Unicode string handling.    

Asynchronous Execution: Interrupt request levels (IRQL), DPC routines, kernel timers, worker routines and work items, custom driver threads, APC routines, code injection, queuing and kernel linked list manipulation.    

Day 3

Locking & Serialization: Kernel mode synchronization, mutexes, ERESOURCES, critical and guarded regions, locking granularity, interlocked operations, events, spin locks and queued spin locks.    

Advanced Driver Programming: Locking and mapping memory, building custom I/O requests, object attributes, object reference counting, rundown protection, executive callbacks and capturing stack back-traces.    

Day 4

IRP Filter Drivers: Driver layering, device attachment and detachment, pre-filtering and post-filtering, I/O request processing, filter and control device objects.    

Kernel Callbacks: Image load notifications, process and thread creation and deletion callbacks, object callbacks, image verification callbacks, session callbacks, PnP and power callbacks.    

Day 5

Complex Filtering: Registry callbacks, file system mini-filter drivers (FltMgr filters), early load anti-malware (ELAM) drivers.    

Network Filters: Network stack architecture, kernel network interfaces, packet data structure (NBL, NB, MDL) manipulation, Windows filtering platform (WFP) drivers, NDIS lightweight filters (LWF) drivers.    

---

Windows Kernel Exploitation and Rootkits

To achieve maximum stealth and obtain unabated access to the system, rootkits execute in kernel mode. This course focuses on the kernel interfaces (APIs), data structures and mechanisms that are exploited by rootkits to achieve their goals at every stage of their execution. Kernel security enhancements that have been progressively added from Windows 7 to the latest version of Windows are discussed along with some circumvention techniques. Every topic in this course is accompanied by hands-on labs where attendees get to implement key components of a rootkit and test them on 64-bit Windows systems to reinforce their understanding of the theory. By learning how rootkits actually work, attendees are able to detect and defend against them.

Course Objectives

• Understand vulnerabilities in the Windows kernel and device drivers.
• Be able to write and modify kernel mode exploits.
• Understand the security enhancements that have been added to recent versions of Windows.
• Be able to bypass some of the security mitigations in recent versions of Windows.
• Understand the post-exploitation steps performed by kernel mode rootkits.
• Understand the techniques used by popular real world rootkits.
• Understand how rootkits hide their presence in the system.
• Understand how rootkits communicate with command and control (C&C) servers.
• Be able to identify malicious behavior and defend against rootkits.

Prerequisites

Attendees must be proficient in C/C++ programming. In addition, attendees are expected to have good understanding of Windows kernel internals and APIs. CodeMachine's Windows Internals for Security Researchers and Windows Kernel and Filter Driver Development courses provide the Windows kernel knowledge required to attend this course.

Topics

Day 1

Kernel Architecture Overview: Kernel components, x86 and x64 differences, kernel virtual address space, kernel pools, object layout, tokens and privileges, Native APIs, system calls.    

Kernel Vulnerabilities: Types of kernel vulnerabilities, arbitrary memory writes, race conditions, type confusion, pool overflows and stack overflows.    

Day 2

Hooking Techniques: Types of hooking, code flow subversion, inline hooking, dispatch table hooking, import address table (IAT) hooks, kernel callbacks and filtering mechanisms, hook detection.    

Kernel Security Mitigations: Kernel mode code signing (KMCS), kernel patch protection (PatchGuard), KASLR, supervisor mode execution prevention (SMEP), non-executable (NX) pools, safe pool unlinking, pool integrity checks, NULL page allocation protection, GS cookie, integrity level restrictions.    

Day 3

Driver Exploitation: Version verification, privilege escalation, vulnerable functions, user controlled input, IOCTL fuzzing, pool grooming, weaponizing exploits.    

Kernel Security Bypass: Stack pivots, ROP gadgets, address leaks, SMEP bypass, kernel execution vectors, big pool manipulation.    

Day 4

Kernel Programming Techniques: Process attach and detach, code injection, bypassing memory protection, kernel mode shell coding techniques, execution affinity, kernel crypto, persistence mechanisms.    

Stealth Behavior: Kernel structure manipulation, rootkit self-defense, anti-debugging techniques, anti-VM techniques, stealth user mode communication, stealth filtering, detection bypass.    

Day 5

Covert Communications: NDIS driver types, NDIS internal data structures, net buffer lists (NBL), net buffers (NB), intermediate drivers (NDIS IM), lightweight filters (NDIS LWF), NDIS hooking, host firewall bypass.    

Detection Tools & Case Studies: Volatility framework, rootkit detectors, endpoint security products, Rustock, TDSS/TDL4, ZeroAccess Carberp, Regin.    

---

Windows Kernel Debugging and Memory Dump Analysis

This course is targeted at kernel software developers, support engineers and software QA engineers. It starts with the building blocks required to do effective kernel debugging like kernel internals concepts, key data structures used by drivers and debugger commands to examine the state and health of the system. It then dives into various techniques and strategies that can be applied to perform triaging, fault isolation, analysis and root causing of crashes and hangs caused by kernel mode drivers. Every topic in the course is accompanied by hands-on labs that involve extensive usage of the Debugging Tools for Windows (WinDBG) as well as other tools that ship with the WDK. These hands-on labs provide attendees with real life experience of debugging kernel mode issues.

Course Objectives

• Understand the internal workings of the kernel and how to peer into it using the debugger.
• Understand the kernel data structures that are used by drivers and how to navigate between them.
• Be able to use the kernel debugger commands and extensions and interpret debugger output.
• Be able to apply the knowledge of kernel internals and debugger commands to identify. symptoms of system failure/instability, perform bug triaging and perform fault isolation.
• Be able to analyze and root cause problems down to a code change in the driver.
• Be able to debug hard-to-reproduce hangs and crashes.

Prerequisites

Attendees must be able to read C/C++ source code. In addition, attendees are expected to have basic working level knowledge of WinDBG and should be familiar with the Windows device driver (WDK) APIs.

Topics

Day 1

Kernel Architecture Overview: Kernel, executive, HAL, drivers, processes and threads, system & system idle process, process and thread data structures, system calls, processor control region (KPCR).    

Kernel Execution Environment: Interrupt request levels (IRQL), interrupt service routines (ISR), deferred procedure calls (DPC), asynchronous procedure calls (APC), system worker threads, custom driver threads.    

Day 2

Kernel Synchronization: Dispatcher objects, interlocked operations, mutexes, critical and guarded regions, executive resources, spin locks.     

Memory Management: Kernel VAS layout, page table entries (PTEs), page frame number (PFN) database, system sache, kernel mode stacks, kernel pools, memory descriptor lists (MDL), memory mapping.    

Day 3

I/O Management: Hardware device tree, driver types (bus, function, filter), device types (FDO, PDO, FiDO), filter drivers, driver architecture, driver entry points, I/O request flow, IRPs, I/O stack locations, IRP processing, IRP completion, IRP data buffering.    

Crash Dump Analysis: System bugchecks, crash dump generation, types of bugchecks, automated analysis, module identification, context switching, hardware failures, examining system state.    

Day 4

Calling Convention and Call Stacks: Kernel stack layout, calling convention, x64 call stacks, kernel stack overflow, debugging double faults, debugging corrupt stacks.    

Debugging Deadlocks and Hangs: Causes of hangs, classic deadlock, deadlock debugging, driver power state failure, I/O request stalls, pool depletion, SysPTE depletion.    

Day 5

Advanced Analysis Techniques: Debugging strategies, root cause analysis, stack patterns, invalid memory access, pool corruption patterns, structure corruption, mapping data structures to modules, code flow analysis.    

Debugging Tools: Driver verifier, special pool, unloaded modules, run time stack capture, Gflags, object reference tracking, pool tag breakpoints, PTE tracking, checked builds.    

---

Delivery

All of our courses are available for private on-site delivery, worldwide. Each attendee must bring their own system to perform the hands-on labs. System setup instructions are here. We are happy to customize course contents based on your unique needs.  Please contact us for course pricing information.