Windows Kernel Rootkits Techniques and Analysis


Instructor: Bruce Dang
Dates: 15-18 June
Capacity: 20 Seats


This class is tailored for malware analysts, system developers, forensic analysts, incident responders, or enthusiasts who want to analyze Windows kernel rootkits or develop software for similar tasks. It introduces the Windows architecture and how various kernel components work together at the lowest level. It discusses how rootkits leverage these kernel components to facilitate nefarious activities such as hiding processes, files, network connections, and other common objects. As part of the analytical process, we will delve into the kernel programming environment; we will implement some kernel-mode utilities to aid our understanding.


Needless to say, the class will contain many hands-on labs and exercises using real-world rootkits. There are no made-up examples in the class.


INTENDED AUDIENCE


Malware analysts, systems programmers, forensic analysts, security engineers, network security analysts, kernel enthusiasts.


TOPICS COVERED



Class Requirements

Prerequisites:


In order to get the most out of this class, you need some programming experience. If you are not comfortable programming, you can still understand the material and apply it immediately in your daily job; however, you may need to work extra hard in class.


Hardware:

Minimum Software to install:


Bio

Bruce Dang is an information security researcher with interests in low-level systems. He currently works as a senior security development engineer lead at Microsoft; his team's focus spans everything product-security related, from hardware and the OS to web services. He specializes in reverse engineering and Windows kernel-level security projects. Before Microsoft, he worked as a developer in the financial sector. He was the first person to publicly discuss techniques for analyzing file-format-based exploits and holds patents in the area of generic shellcode and exploit detection. His public research includes Office exploit analysis, ROP detection, shellcode detection, and kernel driver decompilation techniques; on the malware side, he is known for being the first to analyze the vulnerabilities in the Stuxnet worm. He has spoken at major security conferences worldwide, e.g., REcon (Canada), Blackhat (Vegas and Tokyo), Chaos Computer Club (Germany), Computer Antivirus Research Organization (Hungary), etc. In addition to sharing his knowledge at public conferences, he has also provided private training and lectures to government agencies. He is also the author of the best-selling reverse engineering textbook, Practical Reverse Engineering: x86, x64, Windows kernel, and obfuscation, published by John Wiley & Sons.

