Windows Kernel Exploitation

May 13, 14 and 15th

Overview

This training is the upgraded version of the Windows Kernel Exploitation Foundation course. In this course we will use Windows 10 RS2 x64 for all the labs, and a CTF runs throughout the training.

This course starts with the changes in Windows 10 RS2, its internals, and hands-on fuzzing of Windows kernel mode drivers. We will cover pool manager internals in order to groom kernel pool memory from user mode for reliable exploitation of pool-based vulnerabilities.

We will look into how kASLR can be bypassed using kernel pointer leaks. We will do hands-on exploitation using data-only attacks, which effectively bypass SMEP and other exploit mitigations.

Upon completion of this training, participants will be able to:

  • Learn basics of Windows internals
  • Understand how to fuzz Windows kernel mode drivers to find vulnerabilities
  • Learn the exploit development process in kernel mode
  • Understand how to groom kernel pool from user land
  • Get comfortable with Windows kernel debugging

Outline

Day 1

  • Windows 10
    • Architecture
  • Fuzzing Windows Drivers (Hands-On)
    • Driver internals
    • Locating IOCTLs in Windows drivers
    • Locating input entry points
    • Fuzzing the discovered IOCTLs
  • Exploit Mitigations
    • Kernel Address Space Layout Randomization (kASLR)
      • Understanding kASLR
      • Breaking kASLR using kernel pointer leaks
    • Supervisor Mode Execution Prevention (SMEP)
      • SMEP concepts
      • Breaking/bypassing SMEP
  • Pool Manager
    • Internals
    • Feng-Shui (Lookaside List & ListHeads List)

Day 2

  • Quick Revision
    • kASLR
    • SMEP
    • Feng-Shui
  • Exploitation
    • Pool Overflow
      • Understanding vulnerability class
      • Finding corruption target
      • Grooming target pool
      • Achieving arbitrary read/write primitive (Data-only attack)
      • Gaining local privilege escalation
        • Different places to corrupt

Day 3

  • Quick Revision
    • Pool Overflow
    • Data-only attacks
  • Exploitation
    • Arbitrary Memory Overwrite
      • Understanding vulnerability class
      • Finding corruption target
      • Grooming target pool
      • Achieving arbitrary read/write primitive (Data-only attack)
      • Gaining local privilege escalation
  • Capture The Flag
    • Time to finish the CTF
    • Discuss any other vulnerability class if the students want and time permits
  • Miscellaneous
    • Assignment to write a blog post about the vulnerability exploited during CTF
    • Q/A and Feedback

Who should attend?

  • Windows Kernel Exploitation Foundation attendees
  • Bug Hunters & Red Teamers
  • User Mode Exploit Developers
  • Windows Driver Developers & Testers
  • Anyone with an interest in understanding Windows Kernel exploitation
  • Ethical Hackers and Penetration Testers looking to upgrade their skill-set to the kernel level

Why attend?

Upon completion of this training, participants will be able to:

  • Understand exploitation techniques to defeat mitigation like SMEP
  • Understand how the Windows pool allocator works in order to write reliable exploits for complex bugs like pool overflows and use-after-frees
  • Learn to write their own exploits for vulnerabilities found in the kernel or in kernel mode drivers

Prerequisites

  • Basic operating system concepts
  • Good understanding of user mode exploitation
  • Basics of x86/x64 Assembly and C/Python
  • Patience

Hardware & Software Requirements

  • 8 GB Flash drive
  • A laptop capable of running two virtual machines simultaneously (8 GB+ of RAM)
  • 40 GB free hard drive space
  • VMware Workstation/Player installed
  • Everyone should have Administrator privileges on their laptop

What to Expect?

  • Hands-on
  • WinDbg-Fu
  • Fast & Quick Overview of Windows Internals
  • Techniques to exploit Windows Kernel/Driver vulnerabilities

What will students be provided with?

  • Training slides
  • Scripts and code samples
  • BSOD T-Shirt

Bio

Ashfaq Ansari, Vulnerability Researcher, Payatu Software Labs LLP.

Ashfaq Ansari, a.k.a. "HackSysTeam", is a vulnerability researcher who specializes in software exploitation. He has authored the "HackSys Extreme Vulnerable Driver (HEVD)", which has helped many folks get started with Windows kernel exploitation. He holds numerous CVEs under his belt and is the instructor of the "Windows Kernel Exploitation" course. His core interests lie in low-level software exploitation in both user and kernel mode, vulnerability research, reverse engineering, hybrid fuzzing and program analysis.