PACSEC 2021 DOJO
Windows Kernel Exploitation Advanced
Instructor: Ashfaq Ansari
Ashfaq Ansari
Ashfaq Ansari, a.k.a. "HackSysTeam", is a vulnerability researcher who specializes in software exploitation. He authored the "HackSys Extreme Vulnerable Driver (HEVD)", which has helped many people get started with Windows kernel exploitation. He holds numerous CVEs and is the instructor of the "Windows Kernel Exploitation" course. His core interests are low-level software exploitation in both user and kernel mode, vulnerability research, reverse engineering, hybrid fuzzing, and program analysis.
Course Schedule
The next scheduling of this dojo has yet to be decided.
Course Abstract
We will look at how to bypass kASLR and the kernel Low Fragmentation Heap (kLFH), and do hands-on exploitation using a data-only attack, which effectively bypasses SMEP and other exploit mitigations because it never executes attacker-controlled code in kernel mode.
This training covers:
Exploit development process in kernel mode
Mitigation bypasses
Pool internals & Feng-Shui
Arbitrary Read/Write primitive
Course Pre-requisites
Basic operating system concepts
Familiarity with vulnerability classes
Basics of x86/x64 assembly, C, and Python
Basics of ROP
Patience
Course Learning Objectives
Upon completion of this training, participants will be able to:
Understand how the kernel and kernel-mode drivers work
Understand exploitation techniques in kernel mode
Write exploits for vulnerabilities found in the kernel or in kernel-mode components
Who Should Attend
Information security professionals
Bug hunters & Red teamers
User-mode exploit developers
Windows driver developers & testers
Anyone with interest in understanding Windows Kernel exploitation
Ethical hackers and penetration testers looking to upgrade their skill-set to the kernel level
Course Agenda
Day 1 (4 hours)
Exploit Mitigations
Kernel Address Space Layout Randomization (kASLR)
Understanding kASLR
Breaking kASLR using kernel pointer leaks
Supervisor Mode Execution Prevention (SMEP)
SMEP concepts
Breaking/bypassing SMEP
Kernel Page Table Isolation (KPTI/KVA Shadow)
KPTI concepts
Breaking/bypassing KPTI
Day 2 (4 hours)
Exploitation
Stack Buffer Overflow (SMEP & KPTI enabled)
Understand the vulnerability
Achieving code execution
Arbitrary Memory Overwrite
Understand the vulnerability
Achieving privilege escalation
Day 3 (4 hours)
Revision of day 1
Exploitation
Memory Disclosure
Understand the vulnerability
Leak function pointer
Calculate driver base address
Pool Overflow
Understand the vulnerability
Finding corruption target
Day 4 (4 hours)
Grooming target pool
Achieving arbitrary read/write primitive (data-only attack)
Gaining local privilege escalation
Different places to corrupt
Capture The Flag
Time to finish the CTF
Discussion of any other vulnerability class, if the students are interested and time permits
Miscellaneous
Assignment: write a blog post about the vulnerability exploited during the CTF
Q/A and feedback
Day 5
Clear up remaining doubts, or take the day off if the students need a break
Hardware Requirements
A laptop capable of running two virtual machines simultaneously (8 GB or more of RAM)
40 GB free hard drive space
Software Requirements
VMware Workstation/Player installed
Everyone should have Administrator privileges on their laptop
What to Expect
Hands-on
WinDbg-Fu
A fast-paced overview of Windows internals
Techniques to exploit Windows kernel/driver vulnerabilities
Included Course Materials
Training slides
Scripts and code samples