To achieve maximum stealth and obtain unabated access to the system, rootkits execute in kernel mode.
This course focuses on the kernel interfaces (APIs), data structures and mechanisms that are exploited by rootkits to achieve their goals at every stage of their execution.
Kernel security enhancements that have been progressively added from Windows 7 to the latest version of Windows are discussed along with some circumvention techniques.
Every topic in this course is accompanied by hands-on labs where attendees get to implement key components of a rootkit and test them on 64-bit Windows systems to reinforce their understanding of the theory.
By learning how rootkits actually work, attendees are able to detect and defend against them.
Attendees must be proficient in C/C++ programming.
In addition, attendees are expected to have a good understanding of Windows kernel internals and APIs.
CodeMachine's Windows Internals and Windows Kernel Development courses provide the Windows kernel knowledge required to get full value from this course.
Being able to use the kernel debugger effectively is critical to kernel mode rootkit analysis.
The objective of this section is to provide a refresher on the Windows kernel debugger, debugging symbols and debugger usage.
The objective of this section is to discuss the architecture of the Windows kernel, key kernel mode components and core system mechanisms that are critical to kernel mode security software.
The objective of this section is to understand how kernel mode exploitation works, the different exploit mitigations that have been added to the Windows kernel over the course of its lifetime and techniques to bypass some of these mitigations.
The objective of this section is to understand the different techniques to subvert code execution in the kernel, the mitigations that have been added by Microsoft to thwart some of these techniques and the efficacy of these techniques.
The objective of this section is to learn about the documented mechanisms available to kernel mode software to intercept various system activity.
The objective of this section is to discuss the architecture of the Windows networking stack, the various mechanisms available to intercept networking activity in the system and techniques to bypass some of these mechanisms.
The objective of this section is to learn about various techniques to achieve stealth in the system, reduce forensic footprint and make it harder for detection tools to detect kernel subversion activity.
The objective of this section is to discuss the current state of the kernel mode malware ecosystem. It covers kernel mode rootkits and kernel mode rootkit detection tools. It also covers real-life techniques used by commercial rootkits.