Windows Kernel Internals for Security Researchers

Transcription

1 Windows Kernel Internals for Security Researchers Overview This course takes a deep dive into the internals of the Windows kernel from a security perspective. Attendees learn about behind the scenes working of various components of the windows kernel with emphasis on internal algorithms, data structures and debugger usage. Every topic in this course is accompanied by hands-on labs that involve extensive use of the kernel debugger (WinDBG/KD) with emphasis on interpreting the debugger output and using this information to understand the state and health of the system. Attendees also analyze pre-captured memory dumps to identify kernel rootkits and dissect rootkit behavior. Course Prerequisites Attendees must have a solid understanding of operating system concepts and have a working knowledge of Windows. This course does not require you to have any programming knowledge. Learning Objectives Understand the major components in the Windows Kernel and the functionality they provide. Understand the key principles behind the design and implementation of the Windows kernel. Understand the internal workings of the kernel and how to peer into it using the debugger Be able to investigate system data structure using kernel debugger extension commands. Be able to interpret the output of debugger commands and correlate them to the state of the system. Be able to navigate between different data structures in the kernel, using debugger commands. Be able to locate indicators of compromise while hunting for kernel mode malware. Understand how kernel mode rootkits and commercial anti-malware interact with the system. Topics DAY 1 Architectural Overview: Privilege Rings, HAL, Kernel, Executive, Device Drivers, Win32k.sys, NTDLL, System Process, User and Kernel Threads. Hardware Support: CPU Registers, Segment Registers, Global Descriptor Table (GDT), Interrupts, Interrupt Descriptor Table (IDT), Task State Segment (TSS), Call Gates, Local Descriptor Table (LDT), Model Specific Registers (MSR). DAY 2 Critical Data Structures: Process and Thread Data Structures (EPROCESS, ETHREAD, KPROCESS, KTHREAD), KSHARED_USER_DATA, Kernel Process and Module List, Processor Control Region (KPCR). System Mechanisms: Interrupt Request Levels (IRQL), interrupts, traps, system calls, service descriptor tables, Native API calls (Zw vs Nt), read/write probes, exception handling, kernel-user callbacks. DAY 3 CodeMachine Inc All Rights Reserved. 1

2 Kernel Execution Environment: Interrupt service routines (ISR), deferred procedure calls (DPC), asynchronous procedure calls (APC), system threads, work items, worker threads, timers. Memory Management: Kernel virtual address space, page table entries (PTE), virtual address descriptors (VAD), page frame number (PFN) database, kernel mode thread stacks, pools, memory mapping and memory descriptor lists (MDL). DAY 4 Objects and Handles: Object manager, object header, object types and procedures, object layout, object security checks, handle tables, handle table entries, kernel handles, object reference counting. Windowing Subsystem: CSRSS, Win32K.sys, DirectX, GUI threads, Win32K.sys data structures, session space, session pool, keyboard and mouse input. DAY 5 Device Drivers: Driver architecture, I/O manager data structures (driver object, device object, file object, symbolic link), I/O requests (IRP and I/O stack location), I/O processing, IOCTL requests, data buffering mechanisms. Kernel Security Mitigations: Kernel mode code signing (KMCS), kernel patch protection (PatchGuard), KASLR, supervisor mode execution prevention (SMEP), non-executable (NX) pools, safe pool unlinking, pool integrity checks, NULL page allocation protection, GS cookie, integrity level restrictions. CodeMachine Inc All Rights Reserved. 2

3 Windows Kernel and Filter Driver Development Overview Most security software on Windows run in kernel mode. This course starts with the basics of kernel mode software development and debugging and then progressively dives into the APIs, filtering mechanisms and advanced programming techniques required to implement kernel mode security software. Every topic in the course is accompanied by hands-on labs that involve extensive coding and debugging of kernel mode software to understand the programming model, the interfaces (APIs), their use cases and common pitfalls. This is a security focused course which does NOT cover development of drivers for hardware devices like PCI and USB, Bluetooth. This does NOT cover the Kernel Mode Driver Framework (KMDF). Course Prerequisites Attendees must be proficient in C/C++ programming. In addition, attendees are expected to have good working knowledge of the windows kernel. CodeMachine s Windows Internals for Security Researchers course provides the Windows kernel knowledge required to attend this course. Learning Objectives Get a jump start into Windows kernel mode software development and debugging Be able to perform common programming tasks required by kernel mode drivers. Understand the intricacies of kernel mode software development. Be able to use different filtering mechanisms provided by Windows to intercept and modify operations in the system. Be able to use kernel mode APIs to develop reasonably complex security functionality. Be able to use the debugger effectively to perform live debugging of kernel mode drivers. Be able to use tools other than the debugger to debug issues with kernel mode software. Understand how kernel mode rootkits and commercial anti-malware implement their functionality. Topics DAY 1 Driver Development Environment: Driver development with Visual Studio, Windows driver kit (WDK), WDK headers and libraries, WDK sample code, driver installation and updating, VM debug environment, debug prints Kernel Debugging: Live debugging with WinDBG/KD, breakpoint techniques, execution control, runtime patching, driver code analysis (PREfast), run-time verification (Driver Verifier), kernel tracing DAY 2 Driver Programming Basics: Driver entry points, IRP processing, IOCTL requests, interfacing with usermode applications, application-driver data transfers (buffering methods), kernel memory allocation (pools and lookaside lists), Unicode string handling. CodeMachine Inc All Rights Reserved. 3

4 Asynchronous Execution: Interrupt request levels (IRQL), DPC routines, kernel timers, worker routines and work items, custom driver threads, APC routines, code injection, queuing and kernel linked list manipulation. DAY 3 Locking & Serialization: Kernel mode synchronization, mutexes, ERESOURCES, critical and guarded regions, locking granularity, interlocked operations, events, spin locks and queued spin locks. Advanced Driver Programming: Locking and mapping memory, building custom I/O requests, object attributes, object reference counting, rundown protection, executive callbacks and capturing stack back-traces. DAY 4 IRP Filter Drivers: Driver layering, device attachment and detachment, pre-filtering and post-filtering, I/O request processing, filter and control device objects. Kernel Callbacks: Image load notifications, process and thread creation and deletion callbacks, object callbacks, image verification callbacks, session callbacks, PnP and power callbacks. DAY 5 Complex Filtering: Registry callbacks, file system mini-filter drivers (FltMgr filters), early load antimalware (ELAM) drivers. Network Filters: Network stack architecture, kernel network interfaces, packet data structure (NBL, NB, MDL) manipulation, Windows filtering platform (WFP) drivers, NDIS lightweight filters (LWF) drivers. CodeMachine Inc All Rights Reserved. 4

5 Windows Kernel Exploitation and Rootkits Overview To achieve maximum stealth and obtain unabated access to the system, rootkits execute in kernel mode. This course focuses on the kernel interfaces (APIs), data structures and mechanisms that are exploited by rootkits to achieve their goals at every stage of their execution. Kernel security enhancements that have been progressively added from Windows 7 to the latest version of Windows are discussed along with some circumvention techniques. Every topic in this course is accompanied by hands-on labs where attendees get to implement key components of a rootkit and test them on 64-bit Windows systems to reinforce their understanding of the theory. By learning how rootkits actually work, attendees are able to detect and defend against them. Course Prerequisites Attendees must be proficient in C/C++ programming. In addition, attendees are expected to have good understanding of Windows kernel internals and APIs. CodeMachine s Windows Internals for Security Researchers and Windows Kernel and Filter Driver Development courses provide the Windows kernel knowledge required to attend this course. Learning Objectives Understand vulnerabilities in the Windows kernel and device drivers. Be able to write and modify kernel mode exploits. Understand the security enhancements that have been added to recent versions of Windows. Be able to bypass some of the security mitigations in recent versions of Windows. Understand the post-exploitation steps performed by kernel mode rootkits. Understand the techniques used by popular real world rootkits. Understand how rootkits hide their presence in the system. Understand how rootkits communicate with command and control (C&C) servers. Be able to identify malicious behavior and defend against rootkits. Topics DAY 1 Kernel Architecture Overview: Kernel components, x86 and x64 differences, kernel virtual address space, kernel pools, object layout, tokens and privileges, Native APIs, system calls. Kernel Vulnerabilities: Types of kernel vulnerabilities, arbitrary memory writes, race conditions, type confusion, pool overflows and stack overflows. DAY 2 Hooking Techniques: Types of hooking, code flow subversion, inline hooking, dispatch table hooking, import address table (IAT) hooks, kernel callbacks and filtering mechanisms, hook detection. CodeMachine Inc All Rights Reserved. 5

6 Kernel Security Mitigations: Kernel mode code signing (KMCS), kernel patch protection (PatchGuard), KASLR, supervisor mode execution prevention (SMEP), non-executable (NX) pools, safe pool unlinking, pool integrity checks, NULL page allocation protection, GS cookie, integrity level restrictions. DAY 3 Driver Exploitation: Version verification, privilege escalation, vulnerable functions, user controlled input, IOCTL fuzzing, pool grooming, weaponizing exploits. Kernel Security Bypass: Stack pivots, ROP gadgets, KASLR & address leaks, SMEP bypass, kernel execution vectors, big pool manipulation. DAY 4 Kernel Programming Techniques: Process attach and detach, code injection, bypassing memory protection, kernel mode shell coding techniques, execution affinity, kernel crypto, persistence mechanisms. Stealth Behavior: Kernel structure manipulation, rootkit self-defense, anti-debugging techniques, anti- VM techniques, stealth user mode communication, stealth filtering, detection bypass. DAY 5 Covert Communications: NDIS driver types, NDIS internal data structures, Net Buffer Lists (NBL), Net Buffers (NB), intermediate drivers (NDIS IM), lightweight filters (NDIS LWF), NDIS hooking, host firewall bypass. Detection Tools & Case Studies: Volatility framework, rootkit detectors, endpoint security products, Rustock, TDSS/TDL4, ZeroAccess Carberp, Regin. CodeMachine Inc All Rights Reserved. 6

7 Windows Kernel Debugging and Memory Dump Analysis Overview This course is targeted at kernel software developers, support engineers and software QA engineers. It starts with the building blocks required to do effective kernel debugging like kernel internals concepts, key data structures used by drivers and debugger commands to examine the state and health of the system. It then dives into various techniques and strategies that can be applied to perform triaging, fault isolation, analysis and root causing of crashes and hangs caused by kernel mode drivers. Every topic in the course is accompanied by hands-on labs that involve extensive usage of the Debugging Tools for Windows (WinDBG) as well as other tools that ship with the WDK. These hands-on labs provide attendees with real life experience of debugging kernel mode issues. Course Prerequisites Attendees must be able to read C/C++ source code. In addition, attendees are expected to have basic working level knowledge of WinDBG and should be familiar with the Windows device driver (WDK) APIs. Learning Objectives Understand the internal workings of the kernel and how to peer into it using the debugger. Understand the kernel data structures that are used by drivers and how to navigate between them. Be able to use the kernel debugger commands and extensions and interpret debugger output. Be able to apply the knowledge of kernel internals and debugger commands to identify. symptoms of system failure/instability, perform bug triaging and perform fault isolation. Be able to analyze and root cause problems down to a code change in the driver. Be able to debug hard-to-reproduce hangs and crashes. DAY 1 Kernel Architecture Overview: NTOSKRNL, HAL & Drivers, Processes and Threads, System & System Idle Process, Process and Thread Data Structures, System Calls, System Service Dispatching, Kernel Processor Control Region (KPCR) Kernel Execution Environment: Interrupt Request Levels (IRQL), Interrupt Service Routines (ISR), Deferred Procedure Calls (DPC), Asynchronous Procedure Calls (APC), System Worker Threads DAY 2 Kernel Synchronization: Dispatcher Objects, Interlocked Operations, Mutexes, Executive Resources, Spin Locks Memory Management: Kernel VAS Layout, Page Table Entries (PTEs), Page Frame Number, (PFN) Database, System Cache, Kernel Mode Stacks, Kernel Pools, Memory Descriptor Lists (MDL), Memory Mapping CodeMachine Inc All Rights Reserved. 7

8 DAY 3 I/O Management: Hardware Device Tree, Driver Types (Bus, Function, Filter), Device Types (FDO, PDO, FiDO), Filter Drivers, Driver Architecture, Driver Entry Points, I/O Request Flow IRPs & I/O Stack Locations, IRP Processing, IRP Completion, IRP Data Buffering Crash Dump Analysis: System Bugchecks, Crash Dump Generation, Types of Bugchecks, Automated Analysis, Module Identification, Context Switching, Hardware Failures, Examining System State DAY 4 Calling Convention and Call Stacks: Kernel Stack Layout, Calling Convention, x64 Call Stacks, Kernel Stack Overflow, Debugging Double Faults, Debugging Corrupt Stacks Debugging Deadlocks and Hangs: Causes of Hangs, Classic Deadlock, Deadlock Debugging Driver Power State Failure, I/O Request Stalls, Pool Depletion, SysPTE Depletion DAY 5 Advanced Analysis Techniques: Debugging Strategies, Root Cause Analysis, Stack Patterns, Invalid Memory Access, Pool Corruption Patterns, Structure Corruption, Mapping Data Structures to Modules, Code Flow Analysis Debugging Tools: Driver Verifier, Special Pool, Unloaded Modules, Run Time Stack Capture, Gflags, Object Reference Tracking, Pool Tag Breakpoints, PTE Tracking, Checked Builds CodeMachine Inc All Rights Reserved. 8