Difference between revisions of "Training 2016 - Windows Kernel Exploitation"

From BruCON 2016

Latest revision as of 21:07, 27 July 2016

Windows Kernel Exploitation

In this 3-day training course, you'll learn to fuzz Windows Kernel Mode drivers and find vulnerabilities. You'll be taken from the basics of the Windows architecture and its kernel through an introduction to different software vulnerabilities and their exploitation in Kernel mode. These 3 days will be full of hands-on work, kernel debugging and WinDbg-Fu.

Course Description

This training is focused on the exploitation of different Windows Kernel Mode vulnerabilities, ranging from Pool Overflow to Use after Free. We will cover the basics of Windows Kernel Internals and hands-on fuzzing of Windows Kernel Mode drivers. We will dive deep into exploit development for various kernel mode vulnerabilities. We will also look at different vulnerabilities in terms of code and the mitigations applied to fix the respective vulnerabilities.

Upon completion of this training, participants will be able to:

  • Learn basics of Windows Internals
  • Understand how to fuzz Windows Kernel mode drivers to find vulnerabilities
  • Learn the exploit development process in Kernel mode
  • Understand what a vulnerability looks like in driver code
  • Understand how a vulnerability can be mitigated

Course contents

  • Windows Kernel Debugging
    • Setup Kernel Debugging
    • Setup Debugging Symbols
    • WinDbg-Fu
  • Windows Internals
    • Windows NT Architecture
    • Executive
    • Kernel
    • Hardware Abstraction Layer (HAL)
    • Privilege Rings
    • Key Data Structures
  • Memory Management
    • Virtual Address Space
    • Kernel Stack
    • Memory Pool
    • Pool Allocator
  • Why Attack the Kernel?
    • User Mode vs Privileged Mode
    • User Mode Exploit Mitigations
  • Windows Driver Basics
    • I/O Request Packet (IRP)
    • I/O Control Code (IOCTL)
    • Data Buffering
  • Fuzzing Windows Kernel
    • IOCTL Fuzzing
  • Exploitation
    • Pool Overflow
    • Use after Free
    • Arbitrary Overwrite
    • Use of Uninitialized Variable (Stack & Heap)
  • Kernel Payload
    • Escalation of Privilege Payload
    • Kernel Recovery
  • Miscellaneous
    • Q/A and Feedback

Target audience

This course is intended for:

  • Information Security Professionals
  • Anyone with an interest in understanding Windows Kernel exploitation
  • Ethical Hackers and Penetration Testers looking to upgrade their skill-set to the kernel level


Why take this course?

Upon completion of this training, participants will be able to:

  • Understand how the kernel and kernel mode drivers work
  • Understand exploitation techniques for different software vulnerabilities
  • Understand how the Windows Pool Allocator works in order to write reliable exploits for complex bugs like Pool Overflows and Use After Frees
  • Learn to write their own exploits for vulnerabilities found in the Kernel or Kernel mode drivers
  • Understand vulnerabilities in terms of code and the mitigations applied to fix them


What to expect?

  • Complete Hands-on
  • Fast & Quick Overview of Windows Internals
  • WinDbg-Fu
  • Windows Kernel Drivers Basics/IOCTL/IRP
  • Techniques to Exploit Windows Kernel/Driver vulnerabilities


What NOT to expect?

  • Becoming an elite Kernel hacker in three days
  • Basics of ASM/C/Python

Requirements

Students should be familiar with:

  • Basics of operating systems and computer architectures
  • Basics of User Mode Exploitation (not a hard requirement)
  • Basics of x86 Assembly and C/Python (not a hard requirement)
  • Familiarity with WinDbg (not a hard requirement)
  • Familiarity with VMware/VirtualBox
  • Patience :-)

Hardware/software Requirements

  • A laptop capable of running two virtual machines simultaneously (8 GB of RAM)
  • 40 GB free hard drive space
  • Administrator privileges on your laptop

Trainer Biography

Ashfaq Ansari is the founder of HackSys Team, code named "Panthera". He is a Security Researcher with experience in various aspects of Information Security. He has authored "HackSys Extreme Vulnerable Driver" and "Shellcode of Death". He has also written and published various whitepapers on low level software exploitation. His core interests lie in "Low Level Exploitation", "Reverse Engineering", "Program Analysis" and "Hybrid Fuzzing". He is a fanboy of Artificial Intelligence and Machine Learning. He is the chapter lead for null (Pune).


Twitter: @HackSysTeam (https://twitter.com/HackSysTeam)

Links:

  • Ashfaq's GitHub: https://github.com/hacksysteam/
  • HackSys Extreme Vulnerable Driver: https://github.com/hacksysteam/HackSysExtremeVulnerableDriver

Mon. 24 - 26 October 2016 (09:00 - 17:00) (3-day)
