3 days lecture + hands-on lab
For Driver Developers, Support Engineers and Software QA Engineers
This course covers the development and debugging of drivers that take advantage of the various filtering and interception technologies provided by the Windows kernel. Attendees will learn about SSDT hooking, network filtering at the packet level and at the transport level, file system filtering, registry filtering, process/thread creation and access interception, and DLL/driver load interception.
In the hands-on labs attendees get an opportunity to develop, install, test and debug drivers that exercise the above interfaces on Windows 7 running inside a Virtual Machine as well as analyze kernel mode crash dumps that pertain to these technologies.
Proficiency in "C" programming language
Familiarity with Windows kernel architecture and data structures
Upon completion of this course attendees will be able to:
Understand how malware intercepts, monitors and modifies operations in the system, and the various API interception mechanisms available in user and kernel mode.
Implement and debug drivers that use legacy and undocumented hooking mechanisms on the x86 platform, such as SSDT hooking, object type hooking, dispatch table hooking, import address table hooking, interrupt descriptor table (IDT) hooking and direct kernel object manipulation (DKOM).
Implement and debug drivers that use Windows-supported methods of interception, such as process and thread creation and termination, process and thread access operations, and module load operations, on both x86 and x64 platforms.
Understand the registry filtering model, implement and debug registry filter drivers that intercept, veto and modify registry operations.
Understand the functionality provided by Filter Manager. Implement file system mini-filter drivers to intercept operations on both network and local file systems. Understand the various Filter Manager data structures and the debugger extensions that can be used to display the information in those structures.
Understand the various operations that can be intercepted by NDIS lightweight filter drivers. Implement NDIS LWF drivers to intercept and modify network packets and debug problems related to NBL processing.
Understand the WFP architecture, implement network filter drivers using WFP to intercept and modify network traffic at the TCP, UDP and IP layers, and debug common problems caused by WFP callout drivers.
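The process-creation and module-load interception described in the objectives above, as an added example that is not part of the course material: a minimal driver that registers PsSetCreateProcessNotifyRoutineEx and PsSetLoadImageNotifyRoutine, vetoes creation of images on a constructed deny list by setting CreationStatus to STATUS_ACCESS_DENIED, and logs image loads. The policy decision is kept in a portable function so it can be unit-tested in user mode; the hypothetical BUILD_AS_DRIVER macro selects the WDK build, and the deny-list names are made up for the example.

```c
#include <stddef.h>

#ifdef BUILD_AS_DRIVER            /* hypothetical macro: define for the WDK build */
#include <ntddk.h>
#define U16(s) L##s               /* WCHAR is 16-bit wchar_t under the WDK */
#else                             /* user-mode build of the policy logic only */
#include <stdint.h>
typedef uint16_t WCHAR;           /* same width as the kernel's WCHAR (UTF-16 unit) */
typedef uint16_t USHORT;
typedef int BOOLEAN;
#define TRUE 1
#define FALSE 0
#define U16(s) ((const WCHAR *)u##s)
#endif

/* Constructed deny list of image base names (not real tooling names). */
static const WCHAR *const DeniedImageNames[] = {
    U16("blocked-tool.exe"),
    U16("suspicious.exe"),
};

static WCHAR AsciiLower(WCHAR c) { return (c >= 'A' && c <= 'Z') ? (WCHAR)(c + 32) : c; }
static size_t U16Len(const WCHAR *s) { size_t n = 0; while (s[n] != 0) n++; return n; }

/* TRUE if the final component of an NT image path such as
   \Device\HarddiskVolume2\Tools\foo.exe matches the deny list (ASCII case-insensitive).
   Buffer/LengthBytes follow UNICODE_STRING rules: Buffer is not NUL-terminated. */
BOOLEAN PolicyDenyImage(const WCHAR *Buffer, USHORT LengthBytes)
{
    size_t n = LengthBytes / sizeof(WCHAR), start = 0, i, d;
    if (Buffer == NULL) return FALSE;
    for (i = 0; i < n; i++) if (Buffer[i] == '\\') start = i + 1;
    for (d = 0; d < sizeof(DeniedImageNames) / sizeof(DeniedImageNames[0]); d++) {
        const WCHAR *name = DeniedImageNames[d];
        size_t k, baseLen = n - start;
        if (U16Len(name) != baseLen) continue;
        for (k = 0; k < baseLen; k++)
            if (AsciiLower(Buffer[start + k]) != AsciiLower(name[k])) break;
        if (k == baseLen) return TRUE;
    }
    return FALSE;
}

/* Convenience wrapper for NUL-terminated strings (user-mode tests). */
BOOLEAN PolicyDenyImageZ(const WCHAR *Path)
{
    return PolicyDenyImage(Path, (USHORT)(U16Len(Path) * sizeof(WCHAR)));
}

#ifdef BUILD_AS_DRIVER
/* Runs at PASSIVE_LEVEL in the context of the creating thread; CreateInfo is NULL on exit. */
static VOID CreateProcessNotifyEx(_Inout_ PEPROCESS Process, _In_ HANDLE ProcessId,
                                  _Inout_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);
    if (CreateInfo == NULL || CreateInfo->ImageFileName == NULL) return;
    if (PolicyDenyImage(CreateInfo->ImageFileName->Buffer, CreateInfo->ImageFileName->Length)) {
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;   /* veto: caller's CreateProcess fails */
        DbgPrint("blocked process %p (%wZ)\n", ProcessId, CreateInfo->ImageFileName);
    }
}

static VOID LoadImageNotify(_In_opt_ PUNICODE_STRING FullImageName, _In_ HANDLE ProcessId,
                            _In_ PIMAGE_INFO ImageInfo)
{
    if (FullImageName == NULL) return;   /* image name can be unavailable */
    DbgPrint("image %wZ mapped into pid %p (%s)\n", FullImageName, ProcessId,
             ImageInfo->SystemModeImage ? "kernel" : "user");
}

static VOID DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsRemoveLoadImageNotifyRoutine(LoadImageNotify);
    PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, TRUE);   /* TRUE = remove */
}

NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    /* Fails with STATUS_ACCESS_DENIED unless the driver is linked with /INTEGRITYCHECK. */
    status = PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE);
    if (!NT_SUCCESS(status)) return status;
    status = PsSetLoadImageNotifyRoutine(LoadImageNotify);
    if (!NT_SUCCESS(status)) {
        PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, TRUE);
        return status;
    }
    return STATUS_SUCCESS;
}
#endif
```

The callbacks are the supported replacement for SSDT-style hooks of NtCreateUserProcess on x64, where Kernel Patch Protection would otherwise bug check the machine; the veto is applied by the kernel, not by patching code. Keeping the policy in a plain function means the decision logic can be tested without loading the driver, which is also where most of the bugs in such drivers live.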
Legacy Hooking
  SSDT Hooking
  Driver Dispatch Table Hooking
  Kernel Data Structure Hooking
  Direct Kernel Object Manipulation (DKOM)
  Import Table Hooking
  Interrupt Descriptor Table Hooking
  Detour-Style Hooking
OS-Supported Hooking
  x64 Kernel Patch Protection
  Object Access Interception
  Process and Thread Interception
  Module Load Interception
File System Mini-Filters
  Filter Manager Architecture
  Context Management
  Name Management
  I/O Operation Processing
  Handling Create Operations
  File Sharing and Attributes
  Handling Renames and Deletes
  Transactions
Registry Filters
  Registry Filtering Model
  Registry Key Contexts
  Registry Path Processing
  Registry Access Monitoring and Modification
NDIS Lightweight Filters
  NDIS 6.0 Architecture
  Filter Driver Types
  Filter Driver States
  Net Buffer Lists (NBL)
  Net Buffers (NB)
  Data Transfer Operations
  OID Handling
  Filter Driver Installation
Windows Filtering Platform (WFP)
  WFP Architecture
  WFP Layers, Filters, Sub-layers and Callouts
  WFP Registration
  WFP Flow Contexts
  WFP Traffic Processing
  WFP Traffic Injection