Windows Kernel Exploitation

Title: Windows Kernel Exploitation

Duration: 3 Days

Objective

This training focuses on the exploitation of different Windows kernel-mode vulnerabilities, ranging from pool overflows to use-after-frees. We will cover the basics of Windows kernel internals and hands-on fuzzing of Windows kernel-mode drivers, then dive deep into exploit development for various kernel-mode vulnerabilities. We will also look at each vulnerability in terms of the driver code that introduces it and the mitigations applied to fix it.

Upon completion of this training, participants will be able to:

  • Learn the basics of Windows internals
  • Understand how to fuzz Windows kernel-mode drivers to find vulnerabilities
  • Learn the exploit development process in kernel mode
  • Understand what a vulnerability looks like in driver code
  • Understand how a vulnerability can be mitigated

Course Content

Introduction to Windows

  • Windows Architecture
  • Objects and Handles
  • Major Data Structures

Memory Management

  • Virtual Address Space
  • Virtual Memory Manager
  • Virtual Memory Model
  • Segmentation
  • Pages and Paging
  • Pool Memory

Why Attack the Kernel?

  • User Mode vs Kernel (Privileged) Mode
  • User Mode Exploit Mitigations

Windows Driver Basics

  • I/O Request Packet (IRP)
  • I/O Control Codes (IOCTLs)
  • Data Buffering
  • Interrupt and Interrupt Service Routine (ISR)
  • Interrupt Descriptor Table (IDT)
  • Exceptions and Trap Frame
  • Deferred Procedure Call (DPC)
  • Asynchronous Procedure Call (APC)

Windows Kernel Debugging

  • Setup Kernel Debugging
  • Setup Debugging Symbols
  • WinDbg-Fu

Fuzzing Windows Kernel

  • IOCTL Fuzzing
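The driver basics above (how an I/O control code encodes its device type, function, access and buffering method) and the IOCTL fuzzing topic, as an added Python example that is not part of the course material: it encodes and decodes IOCTL codes with the documented CTL_CODE bit layout, generates mutated input buffers at boundary lengths, and logs each case to disk with an fsync before it is sent, because a successful kernel bug bugchecks the VM and the on-disk log is all that survives. The device path and the IOCTL value 0x222003 (function 0x800, the start of the vendor-defined range, METHOD_NEITHER) are placeholders chosen for illustration; point them at a deliberately vulnerable test driver inside a VM with a kernel debugger attached, never at a production machine.

```python
"""IOCTL encode/decode plus a minimal mutation-based IOCTL fuzz harness (added example)."""
import os
import random
import sys

# The transfer type lives in the low two bits of every IOCTL code. It decides whether the
# I/O manager copies and validates the buffers or hands the driver raw user-mode pointers.
METHOD_NAMES = {
    0: "METHOD_BUFFERED",    # in/out copied through Irp->AssociatedIrp.SystemBuffer
    1: "METHOD_IN_DIRECT",   # input via SystemBuffer, output locked down as an MDL
    2: "METHOD_OUT_DIRECT",  # same layout, MDL describes the output buffer
    3: "METHOD_NEITHER",     # raw Type3InputBuffer/UserBuffer: driver must ProbeFor*() itself
}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
FILE_DEVICE_UNKNOWN = 0x22  # device type most third-party drivers use


def ctl_code(device_type, function, method, access):
    """Same bit layout as the CTL_CODE macro in winioctl.h."""
    assert 0 <= function <= 0xFFF and 0 <= method <= 3 and 0 <= access <= 3
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split an IOCTL seen in a driver's dispatch switch (or in WinDbg) into its fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": ACCESS_NAMES[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,  # 0x800 and above is the vendor-defined range
        "method": METHOD_NAMES[code & 0x3],
    }


# Lengths sitting on the edges a driver's size check is most likely to get wrong.
INTERESTING_LENGTHS = [0, 1, 7, 8, 15, 16, 255, 256, 511, 512, 1023, 1024, 4095, 4096, 0x10000]


def mutate(seed, rng):
    """One mutated input: resize to a boundary length, then corrupt a few bytes."""
    data = bytearray(seed)
    target = rng.choice(INTERESTING_LENGTHS + [len(data)])
    if target > len(data):
        data.extend(rng.getrandbits(8) for _ in range(target - len(data)))
    else:
        del data[target:]
    for _ in range(rng.randint(0, 3)):
        if data:
            data[rng.randrange(len(data))] = rng.choice([0x00, 0x41, 0x7F, 0x80, 0xFF, rng.randrange(256)])
    return bytes(data)


def run_fuzz(send, code, seed, iterations, rng, log_path):
    """Send `iterations` mutated buffers via send(code, data), logging each case first.

    The log line is flushed and fsync'ed before the send: a hit bugchecks the VM, so the
    file on disk (not this process) is what tells you which input triggered it.
    """
    cases = []
    with open(log_path, "a") as log:
        for i in range(iterations):
            data = mutate(seed, rng)
            log.write(f"{i} {code:#010x} {len(data)} {data.hex()}\n")
            log.flush()
            os.fsync(log.fileno())
            cases.append(data)
            send(code, data)
    return cases


def make_device_sender(device_path):
    """Return send(code, data) bound to an opened device. Windows only (ctypes into kernel32)."""
    if sys.platform != "win32":
        raise RuntimeError("DeviceIoControl is only available on Windows")
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD, wintypes.LPVOID,
                                wintypes.DWORD, wintypes.DWORD, wintypes.HANDLE]
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.DeviceIoControl.argtypes = [wintypes.HANDLE, wintypes.DWORD, wintypes.LPVOID, wintypes.DWORD,
                                    wintypes.LPVOID, wintypes.DWORD, ctypes.POINTER(wintypes.DWORD),
                                    wintypes.LPVOID]
    GENERIC_RW, OPEN_EXISTING = 0xC0000000, 3
    invalid_handle = wintypes.HANDLE(-1).value
    h = k32.CreateFileW(device_path, GENERIC_RW, 0, None, OPEN_EXISTING, 0, None)
    if h is None or h == invalid_handle:
        raise OSError(ctypes.get_last_error(), f"cannot open {device_path}")

    def send(code, data):
        inbuf = ctypes.create_string_buffer(bytes(data), max(len(data), 1))
        outbuf = ctypes.create_string_buffer(0x1000)
        returned = wintypes.DWORD(0)
        ok = k32.DeviceIoControl(h, code, inbuf, len(data), outbuf, len(outbuf),
                                 ctypes.byref(returned), None)
        return bool(ok), ctypes.get_last_error()
    return send


if __name__ == "__main__":
    # Placeholder target: a test driver's symbolic link and a vendor-range IOCTL (assumed values).
    target_ioctl = ctl_code(FILE_DEVICE_UNKNOWN, 0x800, 3, 0)  # 0x222003, METHOD_NEITHER
    print(decode_ioctl(target_ioctl))
    sender = make_device_sender(r"\\.\TestDriver")
    run_fuzz(sender, target_ioctl, b"A" * 16, 1000, random.Random(), "fuzz.log")
```

Decode the IOCTL before fuzzing it: a METHOD_NEITHER handler receives raw user pointers and must probe them itself, so it is where missing checks (and the null-pointer and arbitrary-write classes in the exploitation module) tend to surface, while METHOD_BUFFERED handlers are mostly exposed through the length fields the I/O manager passes along.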

Exploitation

  • Pool Overflow
  • Use After Free
  • Stack Overflow
  • Type Confusion
  • Integer Overflow
  • Stack Overflow with /GS (Stack Cookie) Protection
  • Arbitrary Overwrite
  • Null Pointer Dereference

Kernel Payload

  • Escalation of Privilege Payload
  • Advanced Payloads
  • Kernel Recovery

Exploit Mitigations

  • KASLR
  • SMEP

Sandbox

  • Overview of Sandbox
  • Sandbox Escape Using Kernel Primitive

Q/A & Feedback

Who should attend?

  • Information Security Professionals
  • Anyone with an interest in understanding Windows Kernel exploitation
  • Ethical Hackers and Penetration Testers looking to upgrade their skill-set to the kernel level

Why attend?

Upon completion of this training, participants will be able to:

  • Understand how the kernel and kernel-mode drivers work
  • Understand exploitation techniques for different software vulnerability classes
  • Understand how the Windows pool allocator works, in order to write reliable exploits for complex bugs such as pool overflows and use-after-frees
  • Learn to write their own exploits for vulnerabilities found in the kernel or in kernel-mode drivers
  • Understand vulnerabilities in terms of code and the mitigations applied to fix them

Prerequisites

  • Basics of User Mode Exploitation
  • Basics of x86 Assembly and C/Python
  • Familiarity with VMware/VirtualBox
  • Familiarity with WinDbg
  • Patience

Hardware & Software Requirement

  • A laptop capable of running two virtual machines simultaneously (at least 8 GB of RAM)
  • 40 GB free hard drive space
  • Everyone should have Administrator privilege on their laptop

What to Expect?

  • Complete Hands-on
  • Fast & Quick Overview of Windows Internals
  • WinDbg-Fu
  • Windows Kernel Drivers Basics/IOCTL/IRP
  • Techniques to Exploit Windows Kernel/Driver vulnerabilities

What Not to Expect?

  • Becoming an elite kernel hacker in three days
  • Basics of ASM/C/Python