Presented By: Ashfaq Ansari
This training is the advanced version of Windows Kernel Exploitation Foundation course. In this course we will use Windows 10 RS2 x64 for all the labs. This course starts with the changes in Windows 10 RS2, Internals, hands-on fuzzing of Windows kernel mode drivers. We will understand Pool Internals in order to groom pool memory from user mode for reliable exploitation of pool based vulnerabilities. We will look into how we can bypass KASLR using kernel pointer leaks. We will do hands-on exploitation using Data-Only attack which effectively bypasses SMEP and other exploit mitigation.
At the last day of the training, we will have a CTF to write an exploit for the known kernel vulnerability in any kernel component for Windows 10 RS2 x64.
This training assumes that the attendees have either taken “Foundation course” or have basic understanding of operating system concepts, familiar with software debugging, and knowledge about exploitation of vulnerabilities in user mode.
- Learn basics of Windows internals
- Understand how to fuzz Windows kernel mode drivers to find vulnerabilities
- Learn the exploit development process in kernel mode
- Understand how to groom kernel pool from user land
- Get comfortable with Windows kernel debugging
Who should attend?
- Windows Kernel Exploitation Foundation attendees
- Bug Hunters & Read Teamers
- User Mode Exploit Developers
- Windows Driver Developers & Testers
- Anyone with an interest in understanding Windows Kernel exploitation
- Ethical Hackers and Penetration Testers looking to upgrade their skill-set to the kernel level
Upon completion of this training, participants will be able to:
- Understand exploitation techniques to defeat mitigation like SMEP
- Understand how Windows Pool Allocator works in order to write reliable exploit for complex bugs like Pool Overflow(s) and Use after Free(s)
- Learn to write own exploits for the found vulnerabilities in Kernel or Kernel mode drivers
- Basic operating system concepts
- Good understanding of user mode exploitation
- Basics of x86 Assembly and C/Python
Hardware & Software Requirements
- 8 GB Flash drive
- A laptop capable of running two virtual machines simultaneously (8+ GB of RAM)
- 40 GB free hard drive space
- Everyone should have Administrator privilege on their laptop
What to Expect
- Fast & Quick Overview of Windows Internals
- Windows Kernel Drivers Basics/IOCTL/IRP
- Techniques to exploit Windows Kernel/Driver vulnerabilities
Students will be provided with
- Training slides
- Scripts and exploit code samples
- BSOD T-Shirt
About the Trainer
Ashfaq Ansari is the founder of HackSys Team code named “Panthera”. He has experience in various aspects of Information Security. He has authored “HackSys Extreme Vulnerable Driver” and “Shellcode of Death”. He has also written and published various white papers on low level software exploitation. His core interest lies in Low Level Software Exploitation both in User and Kernel Mode, Vulnerability Research, Reverse Engineering, Program Analysis and Hybrid Fuzzing. He is a fan boy of Artificial Intelligence and Machine Learning. He is the chapter lead for null (Pune).