Instructor: Yarden Shafir
Dates: June 23 to 26 2025
Capacity: 25 Seats
Covering Windows 11 (22H2), the upcoming Windows 11 "Germanium"
(24H2), and Server 2022, you'll unravel the secrets of how bootkits,
software supply chain implants, backdoors, and other kernel and
firmware malware work. You'll learn how they, and others, abuse
various system functionality, obscure mechanisms, and data structures,
in order to do their dirty work, and how you can too defend against
it!
You'll observe and experiment with how kernel-mode code operates and
how it can be subject to compromise by user-mode attackers wishing to
elevate their privileges, as well as how to detect, both live and
forensically, such attempts. Finally, you'll learn about how CPU
architecture deeply ties into OS design, and how Intel's and AMD's
mistakes can lead to more pwnage.
We'll cover the new Windows 11 kernel changes, including Kernel Data
Protection (KDP), eXtended Control Flow Guard (XFG), and Kernel
Control-flow Enforcement Technology (KCET), and explain how the
Trusted Platform Module (TPM) is used for Measured Boot. We'll go
inside the Octagon and learn about System Guard Runtime Assertions and
the rewritten Secure Launch framework that leverages Intel TXT and AMD
SKINIT for new DRTM-based attestation.
Of course, we'll also discuss key Windows 10 fundamentals such as
Virtual Trust Levels (VTL) combined with Virtualization Based Security
(VBS), and how these technologies allow HyperVisor Code Integrity
(HVCI) and Kernel Control Flow Guard (KCFG) to prevent unsigned kernel
code execution, even when faced with Ring 0 vulnerabilities, while
also powering Biometric Isolation and Credential Guard, make
pass-the-hash attacks virtually impossible. Enclaves and Attestation,
both through Software Guard Extensions (SGX) and VBS, and TPM-based
Measured Boot, will also be on the menu.
Windows 10 builds upon many Windows 8.1 mechanisms such as Protected
Process Light and custom Code Signing Policies, so we'll review this
as well, plus new Windows 8 kernel features (AppContainer, Secure
Boot, and more) relevant to driver operation and exploitation
techniques will be discussed, including an overview of over two dozen
new security mitigations that have been added to the operating system.
We'll see how these changes to the architecture have dramatically
constrained exploit techniques. Windows 7 kernel changes will be
discussed too, such as the new Object Manager data structures.
All while learning the theory, you will use tools such as WinDbg,
SysInternals Tools and Process Hacker to analyze, poke, and prod
kernel-mode Windows components, as well as write your own debugger
commands leveraging the new NatVis/LINQ predicate and capabilities, as
well as write some JavaScript (ECMAScript 6) scripts using their new
debugger engine.
Throughout the class, we'll focus on using various techniques and
tools to inspect the Windows kernel for consistency, tracing its
operation, and editing it, as well as ways in which offensive and
defensive attackers can mess with the system's state in unexpected,
"clean" ways. We'll also give several examples of malicious and/or
buggy drivers in a typical Windows system, as well as architectural
bugs over Windows' lifetime.
Attendees will receive a physical handout of the entire course
materials for future reference, plus a full set of 40+ WinDbg scripts
that the instructors have written over their lifetime, and all
commands/outputs that were used in the course. Live paste-board
sharing will be available to facilitate learning.
IMPORTANT: It's helpful to understand x86/x64 assembly to take this course, but knowledge of obfuscation, packing, etc., is not required.
Basic knowledge of Windows, processor architecture, and operating systems is helpful. You should have some vague idea of what an interrupt is, and what is the difference between user and kernel mode (ring levels), a bit about virtual memory/paging, etc.
You must have a Windows machine to attend, and you should have the Windows Driver Kit 11 release for 22H2 or later (22621), which you can freely grab from MSDN.
A virtual machine (VirtualBox or Hyper-V are strongly preferred, configured in UEFI + Hyper-V mode for best performance) is recommended with an installed version of Windows 11. Locally, any version of Windows 7 or above, 32-bit or 64-bit is fine, but it's strongly preferred you bring a Windows 10 or 11 box. You should install the Windows Driver Kit on your host, not the VM. If you have a Linux or Mac device, then you may either install the Windows Driver Kit on the VM itself, or, better yet, use two separate virtual machines.
The instructors will use a 64-bit Windows 11 device.
GHIDRA/IDA/HexRays helpful, but not required.
Yarden is a senior security researcher and a consultant for Winsider Seminars & Solutions Inc.,co-teaching security trainings. Previously she worked at Trail of Bits, CrowdStrike and SentineOne, working on EDR features and Windows research. Outside of her primary work duties, Yarden writes articles and tools and gives talks about various topics such as Pool internals, CET internals, extension host hooking and kernel exploit mitigations. Outside of infosec, Yarden is a circus artist, teaching and performing aerial arts.
Click here to register.