Windows Kernel Exploitation and Rootkits from CodeMachine Inc.

Windows Kernel Exploitation and Rootkits

To achieve maximum stealth and obtain unabated access to the system, rootkits execute in kernel mode. This course focuses on the kernel interfaces (APIs), data structures and mechanisms that are exploited by rootkits to achieve their goals at every stage of their execution. Kernel security enhancements that have been progressively added from Windows 7 to the latest version of Windows are discussed along with some circumvention techniques. Every topic in this course is accompanied by hands-on labs where attendees get to implement key components of a rootkit and test them on 64-bit Windows systems to reinforce their understanding of the theory. By learning how rootkits actually work, attendees are able to detect and defend against them.

Course Overview

Overall Proficiency Level

3 - Advanced

Course Catalog Number

WKER-ADV

Course Prerequisites

Attendees must be proficient in C/C++ programming. In addition, attendees are expected to have good understanding of Windows kernel internals and APIs. CodeMachine’s Windows Internals for Security Researchers and Windows Kernel and Filter Driver Development courses provide the Windows kernel knowledge required to attend this course.

Training Purpose

Skill Development

Specific Audience

All

Delivery Method

Classroom

Course Location

PO Box 257
Merrifield, VA 22116

Course Location Map

Your Location
Providers
Courses
Course and Provider Quantity

Classroom

Learning Objectives

Understand vulnerabilities in the Windows kernel and device drivers
Be able to write and modify kernel mode exploits
Understand the security enhancements that have been added to recent versions of Windows
Be able to bypass some of the security mitigations in recent versions of Windows
Understand the post-exploitation steps performed by kernel mode rootkits
Understand the techniques used by popular real world rootkits
Understand how rootkits hide their presence in the system
Understand how rootkits communicate with command and control (C&C) servers
Be able to identify malicious behavior and defend against rootkits

Framework Connections

Design and Development

The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):

Specialty Areas

Technology R&D

Feedback

If you would like to provide feedback on this course, please e-mail the NICCS team at NICCS@mail.cisa.dhs.gov. Please keep in mind that NICCS does not own this course or accept payment for course entry. If you have questions related to the details of this course, such as cost, prerequisites, how to register, etc., please contact the course training provider directly. You can find course training provider contact information by following the link that says “Visit course page for more information...” on this page.