Ashfaq Ansari: Windows Kernel Exploitation

Presented By: Ashfaq Ansari

This training is the advanced version of the Windows Kernel Exploitation Foundation course. All labs use Windows 10 RS2 x64. The course starts with the changes introduced in Windows 10 RS2, then covers Windows internals and hands-on fuzzing of Windows kernel mode drivers. We will study Pool internals in order to groom pool memory from user mode for reliable exploitation of pool-based vulnerabilities. We will look at how KASLR can be bypassed using kernel pointer leaks, and we will do hands-on exploitation using a data-only attack, which effectively bypasses SMEP and other exploit mitigations.

On the last day of the training, we will hold a CTF in which attendees write an exploit for a known kernel vulnerability in any kernel component of Windows 10 RS2 x64.

This training assumes that attendees have either taken the “Foundation course” or have a basic understanding of operating system concepts, are familiar with software debugging, and have knowledge of exploiting vulnerabilities in user mode.

Upon completion of this training, participants will be able to:
  •  Learn basics of Windows internals
  •  Understand how to fuzz Windows kernel mode drivers to find vulnerabilities
  •  Learn the exploit development process in kernel mode
  •  Understand how to groom kernel pool from user land
  •  Get comfortable with Windows kernel debugging

The 3 day course will take place on the 10th, 11th & 12th September 2018 at the Novotel London West
Cost is £1,950 (inc. VAT). Buy your place in our shop now.

Course Outline

  • Day 1
    • Windows 10
      • Architecture
    • Fuzzing Windows Drivers (Hands-On)
      • Locating IOCTLs in Windows Drivers
      • Locating input entry points
      • Writing scripts to fuzz the discovered IOCTLs
    • Exploit Mitigations
      • Kernel Address Space Layout Randomization (KASLR)
      • Understanding kASLR
      • Breaking kASLR using kernel pointer leaks
      • Supervisor Mode Execution Prevention (SMEP)
      • SMEP concepts
      • Breaking/bypassing SMEP
    • Pool
      • Internals
      • Tracing object allocations
      • Feng Shui (Lookaside List & ListHeads List)
    • Exploitation (Hands-On)
      • Pool Overflow
  • Day 2
    • Quick Revision
      • kASLR
      • SMEP
      • Feng Shui
    • Exploitation
      • Pool Overflow (continued)
      • Achieving arbitrary read/write primitive (Data-only attack)
      • Gaining local privilege escalation
      • Different places to corrupt
    • Arbitrary Memory Overwrite
      • Achieving arbitrary read/write primitive (Data-only attack)
      • Gaining local privilege escalation
  • Day 3
    • Quick Revision
      • Pool Overflow
      • Data-only attacks
    • Exploitation CTF
    • Write an exploit for a known kernel vulnerability in Windows 10 RS2 x64
    • Miscellaneous
      • Assignment to write a blog post about the vulnerability exploited during CTF
      • Q/A and Feedback

Who should attend?

  • Windows Kernel Exploitation Foundation attendees
  • Bug Hunters & Red Teamers
  • User Mode Exploit Developers
  • Windows Driver Developers & Testers
  • Anyone with an interest in understanding Windows Kernel exploitation
  • Ethical Hackers and Penetration Testers looking to upgrade their skill-set to the kernel level

Why attend?

Upon completion of this training, participants will be able to:

  • Understand exploitation techniques to defeat mitigations like SMEP
  • Understand how the Windows Pool Allocator works in order to write reliable exploits for complex bugs like Pool Overflows and Use-after-Frees
  • Learn to write their own exploits for vulnerabilities found in the Kernel or in Kernel mode drivers

Prerequisites

  • Basic operating system concepts
  • Good understanding of user mode exploitation
  • Basics of x86 Assembly and C/Python
  • Patience

Hardware & Software Requirements

  • 8 GB Flash drive
  • A laptop capable of running two virtual machines simultaneously (8+ GB of RAM)
  • 40 GB free hard drive space
  • Everyone should have Administrator privilege on their laptop

What to Expect

  • Internals
  • Hands-on
  • WinDbg-Fu
  • Fast & Quick Overview of Windows Internals
  • Windows Kernel Drivers Basics/IOCTL/IRP
  • Techniques to exploit Windows Kernel/Driver vulnerabilities

Students will be provided with

  • Training slides
  • Scripts and exploit code samples
  • BSOD T-Shirt

About the Trainer

Ashfaq Ansari is the founder of HackSys Team, code named “Panthera”. He has experience in various aspects of Information Security. He has authored “HackSys Extreme Vulnerable Driver” and “Shellcode of Death”. He has also written and published various white papers on low level software exploitation. His core interest lies in Low Level Software Exploitation in both User and Kernel Mode, Vulnerability Research, Reverse Engineering, Program Analysis and Hybrid Fuzzing. He is a fanboy of Artificial Intelligence and Machine Learning. He is the chapter lead for null (Pune).

Book your 44CON 2018 training course now!

Ashfaq Ansari: Windows Kernel Exploitation

Presented By: Ashfaq Ansari

This training is focused on the exploitation of different Windows Kernel Mode vulnerabilities. We will cover the basics of Windows Kernel Internals and do hands-on fuzzing of Windows Kernel Mode drivers.

We will dive deep into exploit development for various kernel mode vulnerabilities. We will also examine different vulnerabilities at the code level, along with the mitigations applied to fix each of them.

This training assumes that attendees have little or no prior experience with Windows Kernel Internals, or with Kernel-land and User-land exploitation techniques.

Upon completion of this training, participants will be able to:

  • Learn basics of Windows Internals
  • Understand how to fuzz Windows Kernel mode drivers to find vulnerabilities
  • Learn the exploit development process in Kernel mode
  • Understand what a vulnerability looks like in driver code
  • Understand how a vulnerability can be mitigated in the code
  • Understand how to massage Kernel Pool and Stack
  • Get comfortable with Windows Kernel Debugging

The 3 day course will take place on the 11th, 12th & 13th September 2017.

Cost is £1,950 (inc. VAT). Buy your place in our shop now.

Course Outline

Windows Kernel Debugging:

  • Setup Kernel Debugging
  • Setup Debugging Symbols
  • WinDbg-Fu

Windows Internals:

  • Windows NT Architecture
  • Executive & Kernel
  • Hardware Abstraction Layer (HAL)
  • Privilege Rings
  • Key Data Structures

Memory Management:

  • Virtual Address Space
  • Memory Pool & Pool Allocator

Why Attack the Kernel?:

  • User Mode vs Privileged Mode
  • User Mode Exploit Mitigations

Windows Driver Basics:

  • I/O Request Packet (IRP)
  • I/O Control Code (IOCTL)
  • Data Buffering (Buffered I/O, Direct I/O, Neither Buffered Nor Direct I/O)

Fuzzing Windows Drivers (Hands-On)

  • Locating IOCTLs in Windows Drivers
  • Locating input entry points
  • Writing scripts to fuzz the discovered IOCTLs
  • Playing with public fuzzers

Exploitation (Hands-On):

  • Pool Feng Shui/Pool Spraying (Lookaside List & ListHeads List)
  • Pool Overflow Exploitation
  • Use after Free Exploitation
  • Time-of-check to time-of-use (TOCTOU)/Race Condition Exploitation

Kernel Payload (Hands-On):

  • Escalate Privilege of a Process from Kernel Debugger
  • Considerations while writing Escalation of Privilege Payload
  • Kernel Recovery (Fixing Kernel State after exploitation)

Exploit Mitigations:

  • Kernel Address Space Layout Randomization (KASLR)
  • Supervisor Mode Execution Prevention (SMEP)

Miscellaneous:

  • Assignment to write a full-blown Windows Kernel exploit
  • Q/A and Feedback

Target Audience

  • Bug Hunters & Red Teamers
  • User Mode Exploit Developers
  • Windows Driver Developers & Testers
  • Anyone with an interest in understanding Windows Kernel Exploitation
  • Ethical Hackers and Penetration Testers looking to upgrade their skill-set to the Kernel level

Why Attend

Upon completion of this training, participants will be able to:

  • Get comfortable with Windows Kernel Debugging
  • Understand how the kernel and kernel mode drivers work
  • Understand exploitation techniques for different software vulnerabilities
  • Understand how the Windows Pool Allocator works in order to write reliable exploits for complex bugs like Pool Overflows and Use-after-Frees
  • Learn to write their own exploits for vulnerabilities found in the Kernel or in Kernel mode drivers
  • Understand vulnerabilities at the code level and the mitigations applied to fix them

Student Requirements

  • Basics of User Mode Exploitation are good to have but not required
  • Basics of x86 Assembly and C/Python are good to have but not required
  • Familiarity with VMware/VirtualBox (only to run virtual machines)
  • Patience

Hardware & Software Requirements

  • 8 GB Flash Drive
  • A laptop capable of running two virtual machines simultaneously (8 GB of RAM)
  • 40 GB free hard drive space
  • Everyone should have Administrator privilege on their laptop.

What to expect

  • Complete hands-on
  • WinDbg-Fu
  • Fast & quick overview of Windows Internals
  • Windows Kernel Drivers Basics/IOCTL/IRP
  • Techniques to Exploit Windows Kernel/Driver vulnerabilities

What students will be provided with

  • Printed Lab Manual
  • Training slides
  • Scripts and code samples
  • BSOD T-Shirt

About the Trainer

Ashfaq Ansari is the founder of HackSys Team, code named “Panthera”. He is a Security Researcher with experience in various aspects of Information Security. He has authored “HackSys Extreme Vulnerable Driver” and “Shellcode of Death”. He has also written and published various whitepapers on low level software exploitation. His core interest lies in “Low Level Exploitation”, “Reverse Engineering”, “Program Analysis” and “Hybrid Fuzzing”. He is a fanboy of Artificial Intelligence and Machine Learning. He is the chapter lead for null (Pune).

Book your 44CON 2017 training course now!