Windows Kernel Exploitation - Foundation and Advanced
Ashfaq Ansari
Virtual Training | July 20 - 26 | 32 hours
Please check the detailed schedule for your time zone.
ABSTRACT
This comprehensive course combines the essentials of both the Foundation and Advanced Windows Kernel Exploitation courses. It is designed to guide participants through the intricacies of kernel exploitation, from uncovering and exploiting bugs in Windows kernel mode drivers to bypassing advanced exploit mitigations.
Participants will gain hands-on experience in a wide range of topics, including Windows and driver internals, various memory corruption types, exploit development techniques, mitigation bypass techniques, pool internals, and Feng-Shui. The course culminates in a Capture The Flag (CTF) challenge, allowing participants to apply their newly acquired skills.
During this course, we will use Windows 11 x64 for our lab exercises.
This combined course offers a holistic approach to Windows Kernel Exploitation, ensuring participants are well-equipped with the knowledge and skills required to excel in the realm of kernel exploitation.
INTENDED AUDIENCE
- Bug hunters and Red teamers
- Windows exploit developers
- Windows driver developers and testers
- Ethical hackers and penetration testers looking to upgrade their skillset to the kernel level
- Anyone with an interest in understanding Windows Kernel exploitation
TESTIMONIALS:
The Windows Kernel Exploitation is an excellent training choice for those who seek high-quality material on exploit development for the Windows kernel. The instructor does an amazing job of explaining every topic in a detailed manner and always engages with the students. The best part is the CTF, which puts your newly acquired knowledge to the test, which I very much enjoyed.
This is a great class - Ashfaq Ansari explains things very well and was thorough in providing examples and different ways of verifying things were working as expected through each example. I also appreciated that these sessions were recorded; it made everything more accessible and enjoyable. Thank you!
KEY LEARNING OBJECTIVES
Upon completion of this training, participants will be able to:
- Understand Windows kernel debugging and internals
- Grasp the basics of Windows and driver internals
- Identify different memory corruption classes
- Fuzz kernel mode drivers to find vulnerabilities
- Dive deep into the exploit development process in kernel mode
- Bypass advanced exploit mitigations like kASLR, SMEP, and KPTI/KVA Shadow
- Understand pool internals and Feng-Shui
- Develop Arbitrary Read/Write primitives
COURSE DETAILS
AGENDA
MODULE 1
- Windows Internals (Lecture)
- Architecture
- Executive and Kernel
- Hardware Abstraction Layer (HAL)
- Privilege Rings
- Memory Management (Lecture and Hands-on)
- Virtual Address Space
- Memory Pool
- Driver Internals (Lecture and Hands-on)
- I/O Request Packet (IRP)
- I/O Control Code (IOCTL)
- Data Buffering
MODULE 2
- Fuzzing Windows Drivers (Lecture and Hands-on)
- Attack Surface Analysis (Reversing driver using IDA)
- Locating IOCTLs in Windows drivers
- Memory Sanitizers
- Special Pool
- Fuzzing the discovered IOCTLs
- Analyzing the crashes
MODULE 3
- Exploitation Basics (Lecture and Hands-on)
- Stack Buffer Overflow (SMEP and KVA Shadow/KPTI disabled)
- Understanding the vulnerability
- Achieving code execution
- Escalation of Privilege Payload
- Kernel State Recovery
MODULE 4
- Advanced Exploit Mitigations
- Kernel Address Space Layout Randomization (kASLR)
- Understanding kASLR
- Breaking kASLR using kernel pointer leaks
- Supervisor Mode Execution Prevention (SMEP)
- SMEP concepts
- Breaking/bypassing SMEP
- Kernel Page Table Isolation (KPTI/KVA Shadow)
- KPTI concepts
- Breaking/bypassing KPTI
MODULE 5
- Advanced Exploitation Techniques (Lecture and Hands-on)
- Arbitrary Memory Overwrite
- Understand the vulnerability
- Achieving privilege escalation
- Memory Disclosure
- Understand the vulnerability
- Leak function pointer
- Calculate driver base address
- Pool Overflow
- Understand the vulnerability
- Finding corruption target
- Grooming target pool (Feng-Shui)
- Achieving arbitrary read/write primitive (data-only attack)
- Gaining local privilege escalation
- Different places to corrupt
MODULE 6
- Capture The Flag (CTF)
- Time to finish the CTF
- Discuss any other vulnerability class if the students want and time permits
Miscellaneous
- Assignment to write a blog post about the vulnerability exploited during CTF
- Q/A and Feedback
KNOWLEDGE PREREQUISITES
- Basic operating system concepts
- Familiarity with vulnerability classes
- Basics of x86/x64 assembly and C/Python
- Basics of ROP
- Patience
REQUIREMENTS
- A laptop capable of running two virtual machines simultaneously (16 GB+ of RAM). Only Intel processors.
- 40 GB free hard drive space
- VMware Workstation/Player installed
- Everyone should have Administrator privilege on their laptop
ABOUT THE TRAINER
Ashfaq Ansari, a.k.a. HackSysTeam, is a vulnerability researcher who specializes in software exploitation. He is the developer of HackSys Extreme Vulnerable Driver (HEVD), which has helped many upcoming professionals get started with Windows Kernel exploitation. He holds numerous CVEs under his belt and is the instructor of the popular "Windows Kernel Exploitation" course. His core interest lies in low-level software exploitation both in user and kernel mode, vulnerability research, reverse engineering, hybrid fuzzing, and program analysis.
Virtual Training Schedule
July 21 | Sunday | Live Lecture (4h)
July 22 | Monday | Live Lecture (4h)
July 23 | Tuesday | Live Lecture (4h)
July 24 | Wednesday | Live Lecture (4h)
July 25 | Thursday | Live Lecture (4h)
July 26 | Friday | Live Lecture (4h)
Session Timings
8 am - 12 pm | US Pacific Time
11 am - 3 pm | US Eastern Time
4 pm - 8 pm | UK BST
5 pm - 9 pm | Europe CEST
Labs and Discord Channel
24 x 7 throughout the class, and beyond!