Home    |    Instructor-led Training    |    Online Training     
         
 
Courses
ADA
Adobe
Agile
AJAX
Android
Apache
AutoCAD
Big Data
BlockChain
Business Analysis
Business Intelligence
Business Objects
Business Skills
C/C++/Go programming
Cisco
Citrix
Cloud Computing
COBOL
Cognos
ColdFusion
COM/COM+
CompTIA
CORBA
CRM
Crystal Reports
Data Science
Datawarehousing
DB2
Desktop Application Software
DevOps
DNS
Embedded Systems
Google Web Toolkit (GWT)
IPhone
ITIL
Java
JBoss
LDAP
Leadership Development
Lotus
Machine learning/AI
Macintosh
Mainframe programming
Mobile
MultiMedia and design
.NET
NetApp
Networking
New Manager Development
Object oriented analysis and design
OpenVMS
Oracle
Oracle VM
Perl
PHP
PostgreSQL
PowerBuilder
Professional Soft Skills Workshops
Project Management
Rational
Ruby
Sales Performance
SAP
SAS
Security
SharePoint
SOA
Software quality and tools
SQL Server
Sybase
Symantec
Telecommunications
Teradata
Tivoli
Tomcat
Unix/Linux/Solaris/AIX/
HP-UX
Unisys Mainframe
Visual Basic
Visual Foxpro
VMware
Web Development
WebLogic
WebSphere
Websphere MQ (MQSeries)
Windows programming
XML
XML Web Services
Other
Windows Kernel Rootkits
Overview

This course focuses exclusively on interfaces and the underlying mechanisms in the Windows kernel and how they are exploited by malware. Driver developers, malware analysts and security researchers will learn about the different security mitigations that are available in the latest version of Windows and how some of these mitigations are circumvented by kernel mode rootkits. Attendees will also study key parts of popular rootkits and rootkit detectors to understand the real world applicability of these concepts for offensive and defensive purposes.

Hands-on Labs

Every topic in the course is accompanied by hands-on labs that involve extensive usage of the Debugging Tools for Windows (WinDBG) as well as source code walk through of sample kernel mode software that use the techniques described throughout the course.

Prerequisites

This is an intermediate level course and requires attendees to be able to read C/C++ source code. In addition, attendees are expected to have basic working level knowledge of WinDBG and should be familiar with the Windows architecture at the kernel level as well as how device drivers work

The Windows Kernel Internals and Windows Kernel Programming courses provide most of the pre-requisite knowledge for this course.

Course duration

3 Days

Topics

Hooking Techniques

Hooking or code flow subversion is a very critical part of rootkit technology and most rootkits implement this in some form or another. This section discusses different approaches to hooking along with their merits and drawbacks. Discussions consist of hooking functions inline, call tables, import address table (IAT), interrupt descriptor table (IDT), system service descriptor table (SSDT), object type callbacks, driver dispatch table etc.

Kernel Mode Security

Every release of Windows raises the security bar by adding platform security mitigations that make kernel mode rootkits difficult to install and execute. This section discusses some of these techniques and their effectiveness in thwarting rootkits. Mitigation techniques like kernel mode code signing (KMCS), kernel patch protection (KPP/PatchGuard), secure/measured/trusted boot, supervisor-mode execution prevention (SMEP), No-Execute (NX) Pools etc. are covered here.

Filtering

The kernel patch protection technology on 64-bit versions of Windows attempts to prevent hooking in the kernel. To allow kernel mode components (primarily Anti-Malware software) to continue intercepting system wide operations, Windows provides a bunch of filtering mechanisms. This section covers mechanisms such as IRP based filters, registry callbacks, file system mini-filters, image load notifications, process/thread creation/deletion/access callbacks, network filters and early load anti-malware.

Stealth

Invisibility is one of the most important characteristic of a rootkit. This section covers some of the techniques used by rootkits to hide themselves like direct kernel object manipulation (DKOM), position independent code, driver object grafting, filtering directory listings and registry queries. Techniques used by rootkits for privilege escalation, anti-debugging and stealth execution are also covered.

Persistence

In order to regain execution after system reboots, rootkits need to make themselves persistent by writing to the filesystem, disk and optionally to the registry. This section covers the different persistence techniques like auto-start entry points (ASEPs), system binary trojaning, master/ volume boot record (MBR/ VBR) injection, direct disk writes, shadow volumes, alternate data streams (ADS) etc. Techniques used by rootkits for self-protection are also covered.

Detection

Detecting the latest and most sophisticated kernel mode rootkits is an ongoing race among rootkits detectors to study the latest malware trends and add support for them. This section covers some of the contemporary root-kit detectors that take different approaches to pinpointing medication to code and data structures in the kernel. Tools like Volatility Framework, GMER, Kernel Detective etc. as well as classic rootkits like TDSS/TDL4 and ZeroAccess are used as case studies.

Please contact your training representative for more details on having this course delivered onsite or online

Training Outlines - the one stop shopping center for IT training.
© Training Outlines All rights reserved