ABSTRACT
This comprehensive course combines the essentials of both the Foundation and Advanced Windows Kernel Exploitation courses. It is designed to guide participants through the intricacies of kernel exploitation, from uncovering and exploiting bugs in Windows kernel mode drivers to bypassing advanced exploit mitigations.
Participants will gain hands-on experience in a wide range of topics, including Windows and driver internals, various memory corruption types, exploit development techniques, mitigation bypass techniques, pool internals, and Feng-Shui. The course culminates in a Capture The Flag (CTF) challenge, allowing participants to apply their newly acquired skills.
During this course we will be using Windows 11 x64 for the lab exercises.
This combined course offers a holistic approach to Windows Kernel Exploitation, ensuring participants are well-equipped with the knowledge and skills required to excel in the realm of kernel exploitation.
INTENDED AUDIENCE
KEY LEARNING OBJECTIVES
Upon completion of this training, participants will be able to:
- Understand Windows kernel debugging and internals
- Grasp the basics of Windows and driver internals
- Identify different memory corruption classes
- Fuzz kernel mode drivers to find vulnerabilities
- Dive deep into the exploit development process in kernel mode
- Bypass advanced exploit mitigations like kASLR, SMEP, and KPTI/KVA Shadow
- Understand pool internals and Feng-Shui
- Develop Arbitrary Read/Write primitives
COURSE DETAILS
AGENDA
MODULE 1: WINDOWS INTERNALS (LECTURE)
- Architecture
- Executive and Kernel
- Hardware Abstraction Layer (HAL)
- Privilege Rings
MEMORY MANAGEMENT (LECTURE AND HANDS-ON)
- Virtual Address Space
- Memory Pool
DRIVER INTERNALS (LECTURE AND HANDS-ON)
- I/O Request Packet (IRP)
- I/O Control Code (IOCTL)
- Data Buffering
MODULE 2: FUZZING WINDOWS DRIVERS (LECTURE AND HANDS-ON)
- Attack surface analysis (reversing the driver using IDA)
- Locating IOCTLs in Windows drivers
- Memory Sanitizers
- Special Pool
- Fuzzing the discovered IOCTLs
- Analyzing the crashes
MODULE 3: EXPLOITATION BASICS (LECTURE AND HANDS-ON)
- Stack Buffer Overflow (SMEP and KVA Shadow/KPTI disabled)
  - Understanding the vulnerability
  - Achieving code execution
  - Escalation of Privilege payload
  - Kernel state recovery
MODULE 4: ADVANCED EXPLOIT MITIGATIONS
- Kernel Address Space Layout Randomization (kASLR)
  - Understanding kASLR
  - Breaking kASLR using kernel pointer leaks
- Supervisor Mode Execution Prevention (SMEP)
  - SMEP concepts
  - Breaking/bypassing SMEP
- Kernel Page Table Isolation (KPTI/KVA Shadow)
  - KPTI concepts
  - Breaking/bypassing KPTI
MODULE 5: ADVANCED EXPLOITATION TECHNIQUES (LECTURE AND HANDS-ON)
- Arbitrary Memory Overwrite
  - Understanding the vulnerability
  - Achieving privilege escalation
- Memory Disclosure
  - Understanding the vulnerability
  - Leaking a function pointer
  - Calculating the driver base address
- Pool Overflow
  - Understanding the vulnerability
  - Finding a corruption target
  - Grooming the target pool (Feng-Shui)
  - Achieving an arbitrary read/write primitive (data-only attack)
  - Gaining local privilege escalation
  - Different places to corrupt
MODULE 6: CAPTURE THE FLAG (CTF)
- Time to finish the CTF
- Discussion of any other vulnerability class if the students want and time permits
MISCELLANEOUS
- Assignment to write a blog post about the vulnerability exploited during CTF
- Q/A and Feedback
KNOWLEDGE PREREQUISITES
- Basic operating system concepts
- Familiarity with vulnerability classes
- Basics of x86/x64 assembly and C/Python
- Basics of ROP
- Patience
SYSTEM REQUIREMENTS
- A laptop capable of running two virtual machines simultaneously (16 GB+ of RAM). Intel processors only.
- 40 GB of free hard drive space
- VMware Workstation/Player installed
- Everyone should have Administrator privileges on their laptop
ABOUT THE TRAINER
Ashfaq Ansari, a.k.a. hacksysteam, is a vulnerability researcher who specializes in software exploitation. He is the developer of the HackSys Extreme Vulnerable Driver (HEVD), which has helped many upcoming professionals get started with Windows kernel exploitation.
He holds numerous CVEs under his belt and is the instructor of the popular “Windows Kernel Exploitation” course. His core interests lie in low-level software exploitation in both user and kernel mode, vulnerability research, reverse engineering, hybrid fuzzing, and program analysis.