Windows Kernel Internals for Security Researchers



Similar documents
The Windows NT Device Driver Book: A Guide for Programmers

Red Hat Linux Internals

Windows8 Internals, Sixth Edition, Part 1

Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement. MJ0011 th_decoder@126.com

A Hypervisor IPS based on Hardware assisted Virtualization Technology

Windows Internals, Fifth Edition

Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server 2003, Windows XR and Windows 2000

FRONT FLYLEAF PAGE. This page has been intentionally left blank

Hypervisor-Based, Hardware-Assisted System Monitoring

Plug and Play for Windows 2000

Storm Worm & Botnet Analysis

Chapter 3 Operating-System Structures

COS 318: Operating Systems

The Native AFS Client on Windows The Road to a Functional Design. Jeffrey Altman, President Your File System Inc.

Operating Systems. Lecture 03. February 11, 2013

Review from last time. CS 537 Lecture 3 OS Structure. OS structure. What you should learn from this lecture

Chapter 6, The Operating System Machine Level

Chapter 2 System Structures

Windows Server Virtualization & The Windows Hypervisor

Run-Time Deep Virtual Machine Introspection & Its Applications

COS 318: Operating Systems. Virtual Machine Monitors

Introduction. What is an Operating System?

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

CSE 120 Principles of Operating Systems. Modules, Interfaces, Structure

The Microsoft Windows Hypervisor High Level Architecture

VICE Catch the hookers! (Plus new rootkit techniques) Jamie Butler Greg Hoglund

Exploiting the x86 Architecture to Derive Virtual Machine State Information

OSes. Arvind Seshadri Mark Luk Ning Qu Adrian Perrig SOSP2007. CyLab of CMU. SecVisor: A Tiny Hypervisor to Provide

Workshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC. Host based Analysis. {Himanshu Pareek,

CSC 2405: Computer Systems II

Mobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus

ReactOS is (not) Windows. Windows internals and why ReactOS couldn t just use a Linux kernel

Operating Systems 4 th Class

Exploiting nginx chunked overflow bug, the undisclosed attack vector

Introduction. Current personal firewalls are focused on combating usermode malware. Overview. What about protection against rootkits?

Compromise-as-a-Service

CS161: Operating Systems

SYSTEM ecos Embedded Configurable Operating System

Overview of Operating Systems Instructor: Dr. Tongping Liu

Hotpatching and the Rise of Third-Party Patches

Windows NT. Chapter 11 Case Study 2: Windows Windows 2000 (2) Windows 2000 (1) Different versions of Windows 2000

Recon Montreal


Computer-System Architecture

Center of Academic Excellence Cyber Operations Program 2013 Application

Frontiers in Cyber Security: Beyond the OS

Full System Emulation:

Debugging with TotalView

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

CHAPTER 6 TASK MANAGEMENT

POACHER TURNED GATEKEEPER: LESSONS LEARNED FROM EIGHT YEARS OF BREAKING HYPERVISORS. Rafal Wojtczuk

Advanced Endpoint Protection Overview

Example of Standard API

Operating System Tutorial

Chapter 5 Cloud Resource Virtualization

Sandbox Roulette: Are you ready for the gamble?

Architecture of the Kernel-based Virtual Machine (KVM)

Developing File System Mini-Filters for Windows

Freescale Semiconductor, I

Operating Systems Overview

Security Overview of the Integrity Virtual Machines Architecture

OPERATING SYSTEMS STRUCTURES

Nios II Software Developer s Handbook

Inside Windows Rootkits

Using the CoreSight ITM for debug and testing in RTX applications

Detecting the Presence of Virtual Machines Using the Local Data Table

Thomas Fahrig Senior Developer Hypervisor Team. Hypervisor Architecture Terminology Goals Basics Details

UNCLASSIFIED Version 1.0 May 2012

Troubleshooting.NET Applications - Knowing Which Tools to Use and When

Ivan Medvedev Principal Security Development Lead Microsoft Corporation

Review and Exploit Neglected Attack Surface in ios 8. Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU

How To Write A Windows Operating System (Windows) (For Linux) (Windows 2) (Programming) (Operating System) (Permanent) (Powerbook) (Unix) (Amd64) (Win2) (X

Chapter 15 Windows Operating Systems

KVM: A Hypervisor for All Seasons. Avi Kivity avi@qumranet.com

Eugene Tsyrklevich. Ozone HIPS: Unbreakable Windows

CompTIA Mobile App Security+ Certification Exam (ios Edition) Live exam IOS-001 Beta Exam IO1-001

FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.1/11

Going Linux on Massive Multicore

Fastboot Techniques for x86 Architectures. Marcus Bortel Field Application Engineer QNX Software Systems

x86 ISA Modifications to support Virtual Machines

Virtual Machine Security

Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE)

Notes and terms of conditions. Vendor shall note the following terms and conditions/ information before they submit their quote.

Secure In-VM Monitoring Using Hardware Virtualization

OPERATING SYSTEM SERVICES

Subverting the Xen hypervisor

Chapter 11 I/O Management and Disk Scheduling

Chapter 3: Operating-System Structures. System Components Operating System Services System Calls System Programs System Structure Virtual Machines

Operating System Structure

INtime 4.0 Software September 2009

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

Virtdbg. Using virtualization features for debugging the Windows 7 kernel. Damien Aumaitre. Recon 2011

IOActive Security Advisory

TEGRA X1 DEVELOPER TOOLS SEBASTIEN DOMINE, SR. DIRECTOR SW ENGINEERING

Linux Driver Devices. Why, When, Which, How?

Chapter 14 Virtual Machines

ANDROID DEVELOPER TOOLS TRAINING GTC Sébastien Dominé, NVIDIA

Transcription:

Windows Kernel Internals for Security Researchers Overview This course takes a deep dive into the internals of the Windows kernel from a security perspective. Attendees learn about behind the scenes working of various components of the windows kernel with emphasis on internal algorithms, data structures and debugger usage. Every topic in this course is accompanied by hands-on labs that involve extensive use of the kernel debugger (WinDBG/KD) with emphasis on interpreting the debugger output and using this information to understand the state and health of the system. Attendees also analyze pre-captured memory dumps to identify kernel rootkits and dissect rootkit behavior. Course Prerequisites Attendees must have a solid understanding of operating system concepts and have a working knowledge of Windows. This course does not require you to have any programming knowledge. Learning Objectives Understand the major components in the Windows Kernel and the functionality they provide. Understand the key principles behind the design and implementation of the Windows kernel. Understand the internal workings of the kernel and how to peer into it using the debugger Be able to investigate system data structure using kernel debugger extension commands. Be able to interpret the output of debugger commands and correlate them to the state of the system. Be able to navigate between different data structures in the kernel, using debugger commands. Be able to locate indicators of compromise while hunting for kernel mode malware. Understand how kernel mode rootkits and commercial anti-malware interact with the system. Topics DAY 1 Architectural Overview: Privilege Rings, HAL, Kernel, Executive, Device Drivers, Win32k.sys, NTDLL, System Process, User and Kernel Threads. Hardware Support: CPU Registers, Segment Registers, Global Descriptor Table (GDT), Interrupts, Interrupt Descriptor Table (IDT), Task State Segment (TSS), Call Gates, Local Descriptor Table (LDT), Model Specific Registers (MSR). DAY 2 Critical Data Structures: Process and Thread Data Structures (EPROCESS, ETHREAD, KPROCESS, KTHREAD), KSHARED_USER_DATA, Kernel Process and Module List, Processor Control Region (KPCR). System Mechanisms: Interrupt Request Levels (IRQL), interrupts, traps, system calls, service descriptor tables, Native API calls (Zw vs Nt), read/write probes, exception handling, kernel-user callbacks. DAY 3 CodeMachine Inc. 2000-2015. All Rights Reserved. www.codemachine.com 1

Kernel Execution Environment: Interrupt service routines (ISR), deferred procedure calls (DPC), asynchronous procedure calls (APC), system threads, work items, worker threads, timers. Memory Management: Kernel virtual address space, page table entries (PTE), virtual address descriptors (VAD), page frame number (PFN) database, kernel mode thread stacks, pools, memory mapping and memory descriptor lists (MDL). DAY 4 Objects and Handles: Object manager, object header, object types and procedures, object layout, object security checks, handle tables, handle table entries, kernel handles, object reference counting. Windowing Subsystem: CSRSS, Win32K.sys, DirectX, GUI threads, Win32K.sys data structures, session space, session pool, keyboard and mouse input. DAY 5 Device Drivers: Driver architecture, I/O manager data structures (driver object, device object, file object, symbolic link), I/O requests (IRP and I/O stack location), I/O processing, IOCTL requests, data buffering mechanisms. Kernel Security Mitigations: Kernel mode code signing (KMCS), kernel patch protection (PatchGuard), KASLR, supervisor mode execution prevention (SMEP), non-executable (NX) pools, safe pool unlinking, pool integrity checks, NULL page allocation protection, GS cookie, integrity level restrictions. CodeMachine Inc. 2000-2015. All Rights Reserved. www.codemachine.com 2

Windows Kernel and Filter Driver Development Overview Most security software on Windows run in kernel mode. This course starts with the basics of kernel mode software development and debugging and then progressively dives into the APIs, filtering mechanisms and advanced programming techniques required to implement kernel mode security software. Every topic in the course is accompanied by hands-on labs that involve extensive coding and debugging of kernel mode software to understand the programming model, the interfaces (APIs), their use cases and common pitfalls. This is a security focused course which does NOT cover development of drivers for hardware devices like PCI and USB, Bluetooth. This does NOT cover the Kernel Mode Driver Framework (KMDF). Course Prerequisites Attendees must be proficient in C/C++ programming. In addition, attendees are expected to have good working knowledge of the windows kernel. CodeMachine s Windows Internals for Security Researchers course provides the Windows kernel knowledge required to attend this course. Learning Objectives Get a jump start into Windows kernel mode software development and debugging Be able to perform common programming tasks required by kernel mode drivers. Understand the intricacies of kernel mode software development. Be able to use different filtering mechanisms provided by Windows to intercept and modify operations in the system. Be able to use kernel mode APIs to develop reasonably complex security functionality. Be able to use the debugger effectively to perform live debugging of kernel mode drivers. Be able to use tools other than the debugger to debug issues with kernel mode software. Understand how kernel mode rootkits and commercial anti-malware implement their functionality. Topics DAY 1 Driver Development Environment: Driver development with Visual Studio, Windows driver kit (WDK), WDK headers and libraries, WDK sample code, driver installation and updating, VM debug environment, debug prints Kernel Debugging: Live debugging with WinDBG/KD, breakpoint techniques, execution control, runtime patching, driver code analysis (PREfast), run-time verification (Driver Verifier), kernel tracing DAY 2 Driver Programming Basics: Driver entry points, IRP processing, IOCTL requests, interfacing with usermode applications, application-driver data transfers (buffering methods), kernel memory allocation (pools and lookaside lists), Unicode string handling. CodeMachine Inc. 2000-2015. All Rights Reserved. www.codemachine.com 3

Asynchronous Execution: Interrupt request levels (IRQL), DPC routines, kernel timers, worker routines and work items, custom driver threads, APC routines, code injection, queuing and kernel linked list manipulation. DAY 3 Locking & Serialization: Kernel mode synchronization, mutexes, ERESOURCES, critical and guarded regions, locking granularity, interlocked operations, events, spin locks and queued spin locks. Advanced Driver Programming: Locking and mapping memory, building custom I/O requests, object attributes, object reference counting, rundown protection, executive callbacks and capturing stack back-traces. DAY 4 IRP Filter Drivers: Driver layering, device attachment and detachment, pre-filtering and post-filtering, I/O request processing, filter and control device objects. Kernel Callbacks: Image load notifications, process and thread creation and deletion callbacks, object callbacks, image verification callbacks, session callbacks, PnP and power callbacks. DAY 5 Complex Filtering: Registry callbacks, file system mini-filter drivers (FltMgr filters), early load antimalware (ELAM) drivers. Network Filters: Network stack architecture, kernel network interfaces, packet data structure (NBL, NB, MDL) manipulation, Windows filtering platform (WFP) drivers, NDIS lightweight filters (LWF) drivers. CodeMachine Inc. 2000-2015. All Rights Reserved. www.codemachine.com 4

Windows Kernel Exploitation and Rootkits Overview To achieve maximum stealth and obtain unabated access to the system, rootkits execute in kernel mode. This course focuses on the kernel interfaces (APIs), data structures and mechanisms that are exploited by rootkits to achieve their goals at every stage of their execution. Kernel security enhancements that have been progressively added from Windows 7 to the latest version of Windows are discussed along with some circumvention techniques. Every topic in this course is accompanied by hands-on labs where attendees get to implement key components of a rootkit and test them on 64-bit Windows systems to reinforce their understanding of the theory. By learning how rootkits actually work, attendees are able to detect and defend against them. Course Prerequisites Attendees must be proficient in C/C++ programming. In addition, attendees are expected to have good understanding of Windows kernel internals and APIs. CodeMachine s Windows Internals for Security Researchers and Windows Kernel and Filter Driver Development courses provide the Windows kernel knowledge required to attend this course. Learning Objectives Understand vulnerabilities in the Windows kernel and device drivers. Be able to write and modify kernel mode exploits. Understand the security enhancements that have been added to recent versions of Windows. Be able to bypass some of the security mitigations in recent versions of Windows. Understand the post-exploitation steps performed by kernel mode rootkits. Understand the techniques used by popular real world rootkits. Understand how rootkits hide their presence in the system. Understand how rootkits communicate with command and control (C&C) servers. Be able to identify malicious behavior and defend against rootkits. Topics DAY 1 Kernel Architecture Overview: Kernel components, x86 and x64 differences, kernel virtual address space, kernel pools, object layout, tokens and privileges, Native APIs, system calls. Kernel Vulnerabilities: Types of kernel vulnerabilities, arbitrary memory writes, race conditions, type confusion, pool overflows and stack overflows. DAY 2 Hooking Techniques: Types of hooking, code flow subversion, inline hooking, dispatch table hooking, import address table (IAT) hooks, kernel callbacks and filtering mechanisms, hook detection. CodeMachine Inc. 2000-2015. All Rights Reserved. www.codemachine.com 5

Kernel Security Mitigations: Kernel mode code signing (KMCS), kernel patch protection (PatchGuard), KASLR, supervisor mode execution prevention (SMEP), non-executable (NX) pools, safe pool unlinking, pool integrity checks, NULL page allocation protection, GS cookie, integrity level restrictions. DAY 3 Driver Exploitation: Version verification, privilege escalation, vulnerable functions, user controlled input, IOCTL fuzzing, pool grooming, weaponizing exploits. Kernel Security Bypass: Stack pivots, ROP gadgets, KASLR & address leaks, SMEP bypass, kernel execution vectors, big pool manipulation. DAY 4 Kernel Programming Techniques: Process attach and detach, code injection, bypassing memory protection, kernel mode shell coding techniques, execution affinity, kernel crypto, persistence mechanisms. Stealth Behavior: Kernel structure manipulation, rootkit self-defense, anti-debugging techniques, anti- VM techniques, stealth user mode communication, stealth filtering, detection bypass. DAY 5 Covert Communications: NDIS driver types, NDIS internal data structures, Net Buffer Lists (NBL), Net Buffers (NB), intermediate drivers (NDIS IM), lightweight filters (NDIS LWF), NDIS hooking, host firewall bypass. Detection Tools & Case Studies: Volatility framework, rootkit detectors, endpoint security products, Rustock, TDSS/TDL4, ZeroAccess Carberp, Regin. CodeMachine Inc. 2000-2015. All Rights Reserved. www.codemachine.com 6

Windows Kernel Debugging and Memory Dump Analysis Overview This course is targeted at kernel software developers, support engineers and software QA engineers. It starts with the building blocks required to do effective kernel debugging like kernel internals concepts, key data structures used by drivers and debugger commands to examine the state and health of the system. It then dives into various techniques and strategies that can be applied to perform triaging, fault isolation, analysis and root causing of crashes and hangs caused by kernel mode drivers. Every topic in the course is accompanied by hands-on labs that involve extensive usage of the Debugging Tools for Windows (WinDBG) as well as other tools that ship with the WDK. These hands-on labs provide attendees with real life experience of debugging kernel mode issues. Course Prerequisites Attendees must be able to read C/C++ source code. In addition, attendees are expected to have basic working level knowledge of WinDBG and should be familiar with the Windows device driver (WDK) APIs. Learning Objectives Understand the internal workings of the kernel and how to peer into it using the debugger. Understand the kernel data structures that are used by drivers and how to navigate between them. Be able to use the kernel debugger commands and extensions and interpret debugger output. Be able to apply the knowledge of kernel internals and debugger commands to identify. symptoms of system failure/instability, perform bug triaging and perform fault isolation. Be able to analyze and root cause problems down to a code change in the driver. Be able to debug hard-to-reproduce hangs and crashes. DAY 1 Kernel Architecture Overview: NTOSKRNL, HAL & Drivers, Processes and Threads, System & System Idle Process, Process and Thread Data Structures, System Calls, System Service Dispatching, Kernel Processor Control Region (KPCR) Kernel Execution Environment: Interrupt Request Levels (IRQL), Interrupt Service Routines (ISR), Deferred Procedure Calls (DPC), Asynchronous Procedure Calls (APC), System Worker Threads DAY 2 Kernel Synchronization: Dispatcher Objects, Interlocked Operations, Mutexes, Executive Resources, Spin Locks Memory Management: Kernel VAS Layout, Page Table Entries (PTEs), Page Frame Number, (PFN) Database, System Cache, Kernel Mode Stacks, Kernel Pools, Memory Descriptor Lists (MDL), Memory Mapping CodeMachine Inc. 2000-2015. All Rights Reserved. www.codemachine.com 7

DAY 3 I/O Management: Hardware Device Tree, Driver Types (Bus, Function, Filter), Device Types (FDO, PDO, FiDO), Filter Drivers, Driver Architecture, Driver Entry Points, I/O Request Flow IRPs & I/O Stack Locations, IRP Processing, IRP Completion, IRP Data Buffering Crash Dump Analysis: System Bugchecks, Crash Dump Generation, Types of Bugchecks, Automated Analysis, Module Identification, Context Switching, Hardware Failures, Examining System State DAY 4 Calling Convention and Call Stacks: Kernel Stack Layout, Calling Convention, x64 Call Stacks, Kernel Stack Overflow, Debugging Double Faults, Debugging Corrupt Stacks Debugging Deadlocks and Hangs: Causes of Hangs, Classic Deadlock, Deadlock Debugging Driver Power State Failure, I/O Request Stalls, Pool Depletion, SysPTE Depletion DAY 5 Advanced Analysis Techniques: Debugging Strategies, Root Cause Analysis, Stack Patterns, Invalid Memory Access, Pool Corruption Patterns, Structure Corruption, Mapping Data Structures to Modules, Code Flow Analysis Debugging Tools: Driver Verifier, Special Pool, Unloaded Modules, Run Time Stack Capture, Gflags, Object Reference Tracking, Pool Tag Breakpoints, PTE Tracking, Checked Builds CodeMachine Inc. 2000-2015. All Rights Reserved. www.codemachine.com 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information