Course Schedule
May 14-15
This training is REMOTE/ONLINE ONLY.
Course Abstract
In this course, we will use Windows 10 RS6 x64 for all the labs and has a CTF that runs throughout the training. This course starts with the basics of Windows & driver internals, different memory corruption classes, and fuzzing of kernel mode drivers.
Upon completion of this training, participants will be able to learn:
Basics of Windows and driver internals
Different memory corruption classes
Fuzz kernel mode drivers to find vulnerabilities
Exploit development process in kernel mode
Kernel debugging
What to Expect?
Hands-on
WinDbg-Fu
Fast & quick overview of Windows internals
Techniques to exploit Windows kernel/driver vulnerabilities
Course Pre-requisites
Basic operating system concepts
Familiarity with vulnerability classes
Basics of x86/x64 assembly and C/python
Basics of ROP
Patience
About the Instructor: Ashfaq Ansari
Ashfaq Ansari a.k.a "HackSysTeam", is a vulnerability researcher and specializes in software exploitation. He has authored "HackSys Extreme Vulnerable Driver (HEVD)" which has helped many folks to get started with Windows kernel exploitation. He holds numerous CVEs under his belt and is the instructor of "Windows Kernel Exploitation" course. His core interest lies in low-level software exploitation both in user and kernel mode, vulnerability research, reverse engineering, hybrid fuzzing, and program analysis.
Course Learning Objectives
Upon completion of this training, participants will be able to:
Understand how kernel and kernel mode driver works
Understand exploitation techniques in kernel mode
Learn to write exploits for the found vulnerabilities in the kernel or kernel mode components
Who Should Attend
Information security professional
Bug hunters & Red teamers
User-mode exploit developers
Windows driver developers & testers
Anyone with interest in understanding Windows Kernel exploitation
Ethical hackers and penetration testers looking to upgrade their skill-set to the kernel level
Course Agenda
Windows Internals
Architecture
Executive & Kernel
Hardware Abstraction Layer (HAL)
Privilege Rings
Memory Management
Virtual Address Space
Memory Pool
Driver Internals
I/O Request Packet (IRP)
I/O Control Code (IOCTL)
Data Buffering
Fuzzing Windows Drivers (multiple drivers)
Locating IOCTLs in Windows drivers
Memory Sanitizers
Special Pool
Fuzzing the discovered IOCTLs
Analyze the crashes
Revision - day 1
Fuzzing Windows Drivers (continued)
Exploitation
Stack Buffer Overflow (SMEP & KPTI disabled)
Understand the vulnerability
Achieving code execution
Escalation of Privilege Payload
Kernel State Recovery
Miscellaneous
Q/A and feedback
Clear doubts or take off depending on if students need a break
Included Course Materials
Training slides
Scripts and code samples
Hardware Requirements
A laptop capable of running two virtual machines simultaneously (8 GB+ of RAM)
40 GB free hard drive space
Software Requirements
VMware Workstation/Player installed
Everyone should have Administrator privilege on their laptop