Windows Kernel Security Training Courses

http://www.codemachine.com/courses.html#kerdbg

Windows Kernel Internals for Security researchers

This course takes a deep dive to the internals of the Windows kernel from a security perspective. Attendees learn about behind the scenes working of various in the Windows kernel with emphasis on internal algo RITHMS, data structures and debugger usage. Every topic in this course are accompanied by hands-on labs, involve extensive use of the kernel Debugger (WINDBG/KD) W ith emphasis on interpreting the debugger output and using this information to understand the state and health of the Syst Em. Attendees also analyze pre-captured memory dumps to identify kernel rootkits and dissect rootkit behavior.

Learning Objectives

• Understand the major components in the Windows Kernel and the functionality they provide.
• Understand the key principles behind the design and implementation of the Windows kernel.
• Understand the internal workings of the kernel and how-to-peek into it using the debugger.
• Be able to investigate system data structures using kernel Debugger extension commands.
• Be able to interpret the output of debugger commands and correlate them to the state of the system.
• Be able to navigate between different data structures in the kernel, using debugger commands.
• Be able to locate indicators of compromise while hunting for kernel mode malware.
• Understand how kernel mode rootkits interact with the system.

Prerequisites

Attendees must has a solid understanding of operating system concepts and has a working knowledge of Windows. This course does is not require and has any programming knowledge.

Topicsday 1Architectural Overview:privilege rings, HAL, kernel, executive, device drivers, Win32k.sys, NTDLL, system process, US             ER and kernel threads. Hardware SUPPORT:CPU Registers, segment registers, Global descriptor Table (GDT), Interrupt descriptor Table (IDT), t             Ask State segment (TSS), call gates, local descriptor Table (LDT), model specific registers (MSR). Day 2Critical data structures:process and thread data structures (eprocess, Ethread, Kprocess, Kthread), Kshared_user_data     , kernel process and module list, processor control region (KPCR). system Mechanisms:interrupt Request levels (IRQL), interrupts, traps, system calls, service descriptor tables, Native         API calls (Zw vs Nt), Read/write probes, exception handling, Kernel-user callbacks. Day 3Kernel Execution Environment:interrupt service routines (ISR), deferred procedure calls (DPC), asynchronous procedure     Calls (APC), system threads, work items, worker threads, timers. Memory Management:kernel Virtual address space, page table entries (PTE), virtual address descriptors (VAD), page fra     Me number (PFN) database, kernel mode thread stacks, pools, memory mapping and Memory descriptor lists (MDL). Day 4Objects and Handles:object Manager, object header, object types and procedures, object layout, object security checks     , handle tables, handle table entries, kernel handles, object reference counting. windowing Subsystem:csrss, Win32k.sys, DirectX, GUI threads, WIN32K.SYS data structures, session space, session pool,     Keyboard and mouse input. Day 5Device Drivers:driver Architecture, I/O Manager data Structures (Driver object, Device object, file object, symbolic     link), I/O requests (IRP and I/O stack location), I/O processing, IOCTL requests, data buffering mechanisms. Kernel Security mitigations:kernel mode code signing (KMCS), Kernel Patch Protection (patchguard), KASLR, supervisor Mode execution Prevention (SMEP), non-executable (NX) pools, safe pool unlinking, pool integrity checks, NULL page Allocat     Ion protection, GS cookie, integrity level restrictions. Windows Kernel and Filter Driver development

Most security software on Windows run in kernel mode. This course starts with the basics of kernel mode software development and debugging and then progressively dives into the APIs, filtering mechanisms and advanced programming techniques required to implement kernel mode security software. Every topic in the course are accompanied by hands-on labs that involve extensive coding and debugging of kernel mode SOFTW is to understand the programming model, the Interfaces (APIs), their use cases and common pitfalls. This was a security focused course and does not cover development of drivers in hardware devices like PCI and USB, Bluetoo Th. It does not cover Kernel Mode Driver Framework (KMDF).

Course Objectives

• Get a jump start into Windows kernel mode software development and debugging.
• Be able to perform common programming tasks required by kernel mode drivers.
• Understand the intricacies of kernel mode software development.
• Be able to use different filtering mechanisms provided by Windows to intercept and modify operations in the system.
• Be able to use kernel mode APIs to develop reasonably complex security functionality.
• Be able to use the debugger effectively to perform live debugging of kernel mode drivers.
• Be able to use tools and other than the debugger to debug issues with kernel mode software.
• Understand how kernel mode rootkits and commercial anti-malware implement their functionality.

Prerequisites

The attendees must is proficient in C + + programming. In addition, attendees is expected to has good working knowledge of the Windows kernel. Codemachine ' s Windows Internals for Security Researchers course provides the Windows kernel knowledge required to attend T His course.

Topicsday 1Driver Development environment:driver Development with Visual Studio, Windows Driver Kit (WDK), WDK headers and Libra Ries, WDK sample code, driver installation and updating, VM Debug environment, debug printsKernel debugging:live Debugging with WINDBG/KD, breakpoint techniques, execution control, runtime patching, driver co De analysis (PREfast), run-time verification (Driver Verifier), kernel tracingDay 2Driver Programming Basics:driver entry points, IRP processing, IOCTL requests, interfacing with User-mode application s, application-driver data transfers (buffering methods), kernel memory allocation (pools and lookaside lists), Unicode St     Ring handling. asynchronous Execution:interrupt request levels (IRQL), DPC routines, kernel timers, worker routines and work items,     Custom driver threads, APC routines, code injection, queuing and kernel linked list manipulation. Day 3Locking & Serialization:kernel mode synchronization, mutexes, eresources, critical and guarded regions, Locking g     Ranularity, interlocked operations, events, spin locks and queued spin locks. Advanced Driver programming:locking and Mapping memory, building custom I/O requests, object attributes, object refer     ence counting, rundown protection, executive callbacks and capturing Stack back-traces. Day 4IRP Filter drivers:driver layering, device attachment and detachment, pre-filtering and post-filtering, I/O request P     Rocessing, filter and control device objects. Kernel callbacks:image load notifications, process and thread creation and deletion callbacks, object callbacks, Imag     E verification callbacks, session callbacks, PnP and power callbacks. Day 5Complex filtering:registry Callbacks, File system mini-filter drivers (fltmgr filters), Early load anti-malware (ELAM     ) drivers. Network filters:network stack architecture, kernel network interfaces, packet data structure (NBL, NB, MDL) Manipulat     Ion, Windows filtering Platform (WFP) drivers, NDIS lightweight filters (LWF) drivers. Windows Kernel Exploitation and Rootkits

To achieve maximum stealth and obtain unabated access to the system, rootkits execute in kernel mode. This course focuses in the kernel interfaces (APIs), data structures and mechanisms that is exploited by rootkits to Achi Eve their goals at every stage of their execution. Kernel security enhancements that has been progressively added from Windows 7 to the latest version of Windows is discus Sed along with some circumvention techniques. Every topic in this course are accompanied by hands-on labs where attendees get to implement key components of a rootkits an D test them on 64-bit Windows systems to reinforce their understanding of the theory. By learning how rootkits actually work, attendees is able to detect and defend against them.

Course Objectives

• Understand vulnerabilities in the Windows kernel and device drivers.
• Be able to write and modify kernel mode exploits.
• Understand the security enhancements that has been added to recent versions of Windows.
• Be able to bypass some of the security mitigations in recent versions of Windows.
• Understand the post-exploitation steps performed by kernel mode rootkits.
• Understand the techniques used by popular real world rootkits.
• Understand how rootkits hide their presence in the system.
• Understand how rootkits communicate with command and control (C&C) servers.
• Be able to identify malicious behavior and defend against rootkits.

Prerequisites

The attendees must is proficient in C + + programming. In addition, attendees is expected to has good understanding of Windows kernel internals and APIs. Codemachine ' s Windows Internals for Security researchers and Windows Kernel and Filter Driver development courses provide The Windows kernel knowledge required to attend this course.

Topicsday 1Kernel Architecture Overview:kernel components, x86 and x64 differences, Kernel virtual address space, Kernel pools,     Object layout, tokens and privileges, Native APIs, system calls. Kernel Vulnerabilities:types of Kernel vulnerabilities, arbitrary memory writes, race conditions, type confusion, poo     L overflows and stack overflows. Day 2hooking techniques:types of hooking, code flow subversion, inline hooking, dispatch table hooking, Import address tab     Le (IAT) hooks, kernel callbacks and filtering mechanisms, hook detection. Kernel Security mitigations:kernel mode code signing (KMCS), Kernel Patch Protection (patchguard), KASLR, supervisor Mode execution Prevention (SMEP), non-executable (NX) pools, safe pool unlinking, pool integrity checks, NULL page Allocat     Ion protection, GS cookie, integrity level restrictions. Day 3Driver exploitation:version Verification, privilege escalation, vulnerable functions, user controlled input, IOCTL fu     Zzing, pool grooming, weaponizing exploits. Kernel Security bypass:stack pivots, ROP gadgets, address leaks, SMEP Bypass, Kernel execution vectors, big pool mani     Pulation. Day 4Kernel Programming Techniques:process Attach and Detach, code injection, bypassing memory protection, Kernel mode she     ll coding techniques, execution affinity, kernel crypto, persistence mechanisms. Stealth behavior:kernel structure manipulation, rootkit self-defense, anti-debugging techniques, ANTI-VM techniques     , stealth user mode communication, stealth filtering, detection bypass. Day 5Covert Communications:ndis driver types, NDIS internal data structures, net buffer lists (NBL), net buffers (NB), int     Ermediate drivers (NDIS IM), lightweight filters (NDIS LWF), NDIS hooking, host firewall bypass. Detection Tools & Case studies:volatility Framework, rootkits detectors, endpoint security products, Rustock, TDSS     /TDL4, ZeroAccess Carberp, Regin. Windows Kernel Debugging and Memory Dump analysis

This course are targeted at kernel software developers, support engineers and software QA engineers. It starts with the building blocks required to doing effective kernel debugging like kernel internals concepts, key data Stru Ctures used by drivers and debugger commands to examine the state and health of the system. It then dives into various techniques and strategies so can be applied to perform triaging, fault isolation D root causing of crashes and hangs caused by kernel mode drivers. Every topic in the course are accompanied by hands-on labs, involve extensive usage of the debugging Tools for Windows (WinDBG) as well as other tools, ship with the WDK. These hands-on labs provide attendees with real life experience of debugging kernel mode issues.

Course Objectives

• Understand the internal workings of the kernel and how to peer into it using the debugger.
• Understand the kernel data structures that is used by drivers and what to navigate between them.
• Be able to use the kernel debugger commands and extensions and interpret debugger output.
• Be able to apply the knowledge of kernel internals and debugger commands to identify. Symptoms of System failure/instability, perform bug triaging and perform fault isolation.
• Be able to analyze and root cause problems down to a code change in the driver.
• Be able to debug hard-to-reproduce hangs and crashes.

Prerequisites

Attendees must is able to read C + + source code. In addition, attendees is expected to has basic working level knowledge of WinDBG and should is familiar with the Window S device driver (WDK) APIs.

Topicsday 1Kernel Architecture Overview:kernel, Executive, HAL, drivers, processes and threads, System & System Idle Process     , process and thread data structures, system calls, processor control region (KPCR). Kernel Execution Environment:interrupt request levels (IRQL), Interrupt service routines (ISR), deferred procedure CA     LLS (DPC), asynchronous procedure Calls (APC), system worker threads, custom driver threads. Day 2Kernel Synchronization:dispatcher objects, interlocked operations, mutexes, critical and guarded regions, Executive R      esources, spin locks. Memory management:kernel VAS layout, page table entries (PTEs), page frame number (PFN) database, System Sache, Kerne     L mode stacks, kernel pools, Memory descriptor lists (MDL), memory mapping. Day 3I/O management:hardware device tree, driver types (bus, function, filter), device types (FDO, PDO, FiDO), filter driv ERS, driver architecture, driver entry points, I/O request flow, IRPs, I/O stack locations, IRP processing, IRP completion     , IRP data buffering. Crash dump Analysis:system bugchecks, Crash dump generation, types of bugchecks, automated analysis, module identific     ation, context switching, hardware failures, examining system state. Day 4calling convention and call Stacks:kernel stack layout, calling convention, x64 call Stacks, Kernel stack Overflow, d     Ebugging double faults, debugging corrupt stacks. debugging deadlocks and hangs:causes of hangs, classic deadlock, deadlock debugging, driver power state failure, I/O     Request stalls, pool depletion, syspte depletion. Day 5Advanced Analysis techniques:debugging strategies, root cause analysis, stack patterns, invalid memory access, Pool C     Orruption patterns, structure corruption, mapping data structures to modules, code flow analysis. Debugging Tools:driver Verifier, special pool, unloaded modules, run time stack capture, Gflags, object reference tra     cking, pool tag breakpoints, PTE tracking, checked builds. Delivery

All of our courses is available for private on-site delivery, worldwide. Each attendee must bring their own system to perform the hands-on labs. System Setup instructions is here.  We is happy to customize course contents based on your unique needs. Please contact us for course pricing information.

Windows Kernel Security Training Courses