Back to All Events

Windows Kernel Exploitation Foundations


Course Schedule

To be announced as to the format of the dojo (in-person, on-line, hybrid)

This 2 Day Dojo will be offering both IN-PERSON AND ON-LINE Attendance.

However, IN-PERSON attendance is dependent on whether or not the instructor can get a visa, so it is NOT guaranteed. In the event that a visa is NOT GRANTED, the DOJO will be ONLINE-ONLY.

  • March 18 - March 19 (Saturday to Sunday)

 

Course Abstract

In this course, we will use Windows 10 RS6 x64 for all the labs and has a CTF that runs throughout the training. This course starts with the basics of Windows & driver internals, different memory corruption classes, and fuzzing of kernel mode drivers.

Upon completion of this training, participants will be able to learn:

  • Basics of Windows and driver internals

  • Different memory corruption classes

  • Fuzz kernel mode drivers to find vulnerabilities

  • Exploit development process in kernel mode

  • Kernel debugging

 

What to Expect?

  • Hands-on

  • WinDbg-Fu

  • Fast & quick overview of Windows internals

  • Techniques to exploit Windows kernel/driver vulnerabilities

 

Course Pre-requisites

  • Basic operating system concepts

  • Familiarity with vulnerability classes

  • Basics of x86/x64 assembly and C/python

  • Basics of ROP

  • Patience

 

Course Learning Objectives

Upon completion of this training, participants will be able to:

  • Understand how kernel and kernel mode driver works

  • Understand exploitation techniques in kernel mode

  • Learn to write exploits for the found vulnerabilities in the kernel or kernel mode components

 

Who Should Attend

  • Information security professional

  • Bug hunters & Red teamers

  • User-mode exploit developers

  • Windows driver developers & testers

  • Anyone with interest in understanding Windows Kernel exploitation

  • Ethical hackers and penetration testers looking to upgrade their skill-set to the kernel level

 

Course Agenda

  • Windows Internals

    • Architecture

    • Executive & Kernel

    • Hardware Abstraction Layer (HAL)

    • Privilege Rings

  • Memory Management

    • Virtual Address Space

    • Memory Pool

  • Driver Internals

    • I/O Request Packet (IRP)

    • I/O Control Code (IOCTL)

    • Data Buffering

  • Fuzzing Windows Drivers (multiple drivers)

    • Locating IOCTLs in Windows drivers

    • Memory Sanitizers

      • Special Pool

    • Fuzzing the discovered IOCTLs

    • Analyze the crashes

  • Revision - day 1

  • Fuzzing Windows Drivers (continued)

  • Exploitation

    • Stack Buffer Overflow (SMEP & KPTI disabled)

      • Understand the vulnerability

      • Achieving code execution

  • Escalation of Privilege Payload

  • Kernel State Recovery

  • Miscellaneous

    • Q/A and feedback

  • Clear doubts or take off depending on if students need a break

 

Included Course Materials

  • Training slides

  • Scripts and code samples

 

Hardware Requirements

  • A laptop capable of running two virtual machines simultaneously (8 GB+ of RAM)

  • 40 GB free hard drive space

 

Software Requirements

  • VMware Workstation/Player installed

  • Everyone should have Administrator privilege on their laptop

 

About the Instructor: Ashfaq Ansari

Ashfaq Ansari a.k.a "HackSysTeam", is a vulnerability researcher and specializes in software exploitation. He has authored "HackSys Extreme Vulnerable Driver (HEVD)" which has helped many folks to get started with Windows kernel exploitation. He holds numerous CVEs under his belt and is the instructor of "Windows Kernel Exploitation" course. His core interest lies in low-level software exploitation both in user and kernel mode, vulnerability research, reverse engineering, hybrid fuzzing, and program analysis.

 
 
Previous
Previous
March 18

x86-64 OS Internals

Next
Next
March 20

Windows Kernel Exploitation Advanced