
Windows Kernel Exploitation Foundations


Overview

This is a fast-paced course designed to introduce attendees to Windows kernel exploitation. We will cover the basics of Windows kernel internals and hands-on fuzzing of Windows kernel-mode drivers. We will then deep-dive into exploit development for a pool-based buffer overflow vulnerability in a kernel driver.

PREREQUISITE WARNING: Each class has prerequisites for software loads, and a laptop is mandatory. These individual class guides list the material students are expected to have knowledge of coming in, and the software tools that need to be pre-installed before attending, so you get the maximum benefit from this focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the course and is necessary to get the maximum benefit out of these educational programs.

Key Learning Objectives

Upon completion of this training, participants will be able to:

  • Know the basics of Windows internals
  • Understand how the kernel and kernel-mode drivers work
  • Understand exploitation techniques in kernel mode
  • Understand how to fuzz Windows kernel-mode drivers to find vulnerabilities
  • Understand how the Windows pool allocator works in order to write reliable exploits for complex bugs such as pool overflows and use-after-frees
  • Write your own exploits for vulnerabilities found in the kernel or in kernel-mode drivers

What Not to Expect:

  • Becoming an elite kernel hacker in two or three days
  • A primer on the basics of ASM, C or Python


Course Content

Windows Internals

  • Windows NT Architecture
  • Executive and Kernel
  • Hardware Abstraction Layer (HAL)
  • Privilege Rings

Memory Management

  • Virtual Address Space
  • Memory Pool
  • Pool Allocator

Why Attack the Kernel?

  • User Mode vs Privileged Mode
  • User Mode Exploit Mitigations

Windows Driver Basics

  • I/O Request Packet (IRP)
  • I/O Control Code (IOCTL)
  • Data Buffering

Fuzzing Windows Kernel

  • IOCTL Fuzzing

Exploitation

  • Pool Overflow

Kernel Payload

  • Escalation of Privilege Payload
  • Kernel Recovery

Miscellaneous

  • Q/A and Feedback


Who should attend? Information security professionals, anyone interested in understanding Windows kernel exploitation, and ethical hackers and penetration testers looking to extend their skill set to the kernel level.

Prerequisites

  • Basics of user-mode exploitation
  • Basics of x86 assembly and C/Python
  • Familiarity with VMware/VirtualBox
  • Familiarity with WinDbg
  • Patience


Hardware & Software Requirements

A laptop capable of running two virtual machines simultaneously (8 GB of RAM) with 40 GB of free hard drive space. Everyone should have Administrator privileges on their laptop.