
Windows Kernel Exploitation Advanced


Course Schedule

May 16-17.

This training is REMOTE/ONLINE ONLY.


Course Abstract

We will look into how to bypass kASLR and kLFH, and do hands-on exploitation using a data-only attack, which effectively bypasses SMEP and other exploit mitigations.

Upon completion of this training, participants will have learned about:

  • Exploit development process in kernel mode

  • Mitigation bypasses

  • Pool internals & Feng-Shui

  • Arbitrary Read/Write primitive


What to Expect?

  • Hands-on
  • WinDbg-Fu
  • Quick overview of Windows internals
  • Techniques to exploit Windows kernel/driver vulnerabilities

Course Pre-requisites

  • Basic operating system concepts

  • Familiarity with vulnerability classes

  • Basics of x86/x64 assembly and C/Python

  • Basics of ROP

  • Patience


About the Instructor: Ashfaq Ansari

Ashfaq Ansari, a.k.a. "HackSysTeam", is a vulnerability researcher who specializes in software exploitation. He authored the "HackSys Extreme Vulnerable Driver (HEVD)", which has helped many people get started with Windows kernel exploitation. He has numerous CVEs under his belt and is the instructor of the "Windows Kernel Exploitation" course. His core interests lie in low-level software exploitation in both user and kernel mode, vulnerability research, reverse engineering, hybrid fuzzing, and program analysis.


Course Learning Objectives

Upon completion of this training, participants will be able to:

  • Understand how the kernel and kernel-mode drivers work

  • Understand exploitation techniques in kernel mode

  • Write exploits for vulnerabilities found in the kernel or kernel-mode components


Who Should Attend

  • Information security professionals

  • Bug hunters & Red teamers

  • User-mode exploit developers

  • Windows driver developers & testers

  • Anyone with interest in understanding Windows Kernel exploitation

  • Ethical hackers and penetration testers looking to upgrade their skill-set to the kernel level


Course Agenda

  • Exploit Mitigations

    • Kernel Address Space Layout Randomization (kASLR)

      • Understanding kASLR

      • Breaking kASLR using kernel pointer leaks

    • Supervisor Mode Execution Prevention (SMEP)

      • SMEP concepts

      • Breaking/bypassing SMEP

    • Kernel Page Table Isolation (KPTI/KVA Shadow)

      • KPTI concepts

      • Breaking/bypassing KPTI

  • Exploitation

    • Stack Buffer Overflow (SMEP & KPTI enabled)

      • Understand the vulnerability

      • Achieving code execution

    • Arbitrary Memory Overwrite

      • Understand the vulnerability

      • Achieving privilege escalation

  • Revision of day 1

  • Exploitation

    • Memory Disclosure

      • Understand the vulnerability

      • Leak function pointer

      • Calculate driver base address

    • Pool Overflow

      • Understand the vulnerability

      • Finding the corruption target

      • Grooming the target pool

      • Achieving an arbitrary read/write primitive (data-only attack)

      • Gaining local privilege escalation

        • Different places to corrupt

  • Capture The Flag

    • Time to finish the CTF

    • Discuss any other vulnerability class if the students want and time permits

  • Miscellaneous

    • Assignment to write a blog post about the vulnerability exploited during the CTF

    • Q/A and feedback

    • Clear up doubts or finish early, depending on whether students need a break


Included Course Materials

  • Training slides

  • Scripts and code samples


Hardware Requirements

  • A laptop capable of running two virtual machines simultaneously (8 GB+ of RAM)

  • 40 GB free hard drive space


Software Requirements

  • VMware Workstation/Player installed

  • Everyone should have Administrator privileges on their laptop
