Windows Kernel Exploitation

Trainer Name: Ashfaq Ansari
Title: Windows Kernel Exploitation
Duration: 2 Days
Dates: 1st - 2nd March

Introduction

This training is focused on exploitation of different Windows Kernel Mode vulnerabilities. We will cover basics of Windows Kernel Internals and hands-on fuzzing of Windows Kernel Mode drivers. We will dive deep into exploit development of various kernel mode vulnerabilities. We will also look into different vulnerabilities in terms of code and the mitigations applied to fix the respective vulnerabilities. This training assumes that the attendees have no prior experience with Windows Kernel Internals and Kernel land as well as User land exploitation techniques.



Upon completion of this training, participants will be able to:

• Learn basics of Windows Internals
• Understand how to fuzz Windows Kernel mode drivers to find vulnerabilities
• Learn the exploit development process in Kernel mode
• Understand how a vulnerability looks like in driver code
• Understand how a vulnerability can be mitigated in the code
• Understand how to massage Kernel Pool and Stack
• Get comfortable with Windows Kernel Debugging

Who should attend?

• Bug Hunters & Red Teamers
• User Mode Exploit Developers
• Windows Driver Developers & Testers
• Anyone with an interest in understanding Windows Kernel exploitation
• Ethical Hackers and Penetration Testers looking to upgrade their skill-set to the kernel level

Curriculum

Windows Kernel Debugging

• Setup Kernel Debugging
• Setup Debugging Symbols
• WinDbg-Fu

Windows Internals

• Windows NT Architecture
• Executive & Kernel
• Hardware Abstraction Layer (HAL)
• Privilege Rings
• Key Data Structures

Memory Management

• Virtual Address Space
• Kernel Stack
• Memory Pool & Allocator

Why to Attack Kernel?

• User Mode vs Privileged Mode
• User Mode Exploit Mitigations

Windows Driver Basics

• I/O Request Packet (IRP)
• I/O Control Code (IOCTL)
• Data Buffering (Buffered I/O, Direct I/O, Neither Buffered Nor Direct I/O)

Fuzzing Windows Drivers (Hands-On)

• Locating IOCTLs in Windows Drivers
• Locating input entry points
• Writing scripts to fuzz the discovered IOCTLs

Exploitation (Hands-On)

• Pool Feng Shui/Pool Spraying
• Pool Overflow Exploitation
• Use after Free Exploitation
• Time-of-check Time-of-use (TOCTOU)/Race Condition

Kernel Payload (Hands-On)

• Escalate Privilege of a Process from Kernel Debugger
• Considerations while writing Escalation of Privilege Payload
• Kernel Recovery (Fixating Kernel State after exploitation)

Miscellaneous

• Assignment to write a full blown Windows Kernel exploit
• Q/A and Feedback

Prerequisites

• Basics of User Mode Exploitation is good to have but not required
• Basics of x86 Assembly and C/Python is good to have but not required
• Familiarity with VMware/VirtualBox (only to run virtual machines)
• Patience

Hardware & Software Requirement

• 8 GB Flash drive
• A laptop capable of running two virtual machines simultaneously (8 GB of RAM)
• 40 GB free hard drive space
• Everyone should have Administrator privilege on their laptop

What students will be provided with?

• Printed Lab Manual
• Training slides
• Scripts and code samples
• BSOD T-Shirt

About the Trainer

Ashfaq Ansari

Ashfaq Ansari is the founder of HackSys Team code named "Panthera". He has experience in various aspects of Information Security. He has authored "HackSys Extreme Vulnerable Driver" and "Shellcode of Death". He has also written and published various white papers on low level software exploitation. His core interest lies in Low Level Software Exploitation both in User and Kernel Mode, Vulnerability Research, Reverse Engineering, Program Analysis and Hybrid Fuzzing. He is a fanboy of Artificial Intelligence and Machine Learning. He is the chapter lead for null (Pune).

Want to connect with Ashfaq?

You may find Ashfaq on these social networks :

http://null.co.in/profile/411-ashfaq-ansari
https://twitter.com/HackSysTeam
http://hacksys.vfreaks.com/
https://github.com/hacksysteam