CanSecWest: Security Masters Dojo Vancouver
Windows Kernel Exploitation - Advanced
Register for the March 16-17, 2020 (2-day course)
Instructor(s):
Ashfaq Ansari
Description:
This training is the advanced version of the Kernel Exploitation Foundation course. In this course we will use Windows 10 RS2 x64 for all the labs. The course starts with the changes in Windows 10 RS2, followed by hands-on fuzzing of a Windows kernel mode driver (a different driver than the one used in the Foundation course).
We will understand Pool Internals in order to groom pool memory from user mode for reliable exploitation of pool-based vulnerabilities.
We will look into how KASLR can be bypassed using kernel pointer leaks. We will do hands-on exploitation using a Data-Only attack, which effectively bypasses SMEP and other exploit mitigations.
This training assumes that the attendees have either taken the "Foundation course" or have a basic understanding of operating system concepts, familiarity with software debugging, and knowledge of exploiting vulnerabilities in user mode.
What to Expect?
- Hands-on
- WinDbg-Fu
- Fast & Quick Overview of Windows Internals
- Windows Kernel Drivers Basics/IOCTL/IRP
- Techniques to exploit Windows Kernel/Driver vulnerabilities
Key Learning Objectives:
Upon completion of this training, participants will be able to:
- Understand how to fuzz Windows kernel mode drivers to find vulnerabilities
- Learn the exploit development process in kernel mode
- Understand how to groom kernel pool from user land
- Get comfortable with Windows kernel debugging
PREREQUISITE WARNING: Each class has prerequisites for software loads, and a laptop is mandatory. These individual class guides list the material students are expected to have knowledge of coming in and the software tools that need to be pre-installed before attending, so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses and will be necessary to get the maximum benefit out of these educational programs.
Course Modules:
Day 1
Windows 10
- Architecture
- Locating IOCTLs in Windows Drivers
- Locating input entry points
- Writing scripts to fuzz the discovered IOCTLs
- Kernel Address Space Layout Randomization (kASLR)
- Understanding kASLR
- Breaking kASLR using kernel pointer leaks
- Supervisor Mode Execution Prevention (SMEP)
- SMEP concepts
- Breaking/bypassing SMEP
- Internals
- Tracing object allocations
- Feng-Shui (Lookaside List & ListHeads List)
- Pool Overflow Exploitation (Data-only attack bypassing exploit mitigation)
Day 2
Quick Revision
- kASLR
- SMEP
- Feng Shui
- Pool Overflow
- Achieving arbitrary read/write primitive (Data-only attack)
- Gaining local privilege escalation
- Different places to corrupt
- Assignment to write a blog post about the vulnerability exploited during CTF
- Q/A and Feedback
Pre-requisites:
Attendees should have either taken the Kernel Exploitation Foundation course on March 16-17, or have a basic understanding of operating system concepts, familiarity with software debugging, and knowledge of exploiting vulnerabilities in user mode.
- Basic operating system concepts
- Good understanding of user mode exploitation
- Basics of x86 Assembly and C/Python
- Patience
What you will need to bring:
Hardware & Software Requirements:
- 8 GB Flash drive
- A laptop capable of running two virtual machines simultaneously (8 GB of RAM)
- 40 GB free hard drive space
- Everyone should have Administrator privileges on their laptop
Students will be provided with:
- A printed Lab Manual
- Training slides
- Scripts and code samples
- A BSOD T-Shirt
Who Should Attend:
Windows Kernel Exploitation Foundation attendees, Bug Hunters and Red Teamers, User Mode Exploit Developers, Windows Driver Developers and Testers, anyone with an interest in understanding Windows Kernel exploitation, and Ethical Hackers and Penetration Testers looking to upgrade their skill set to the kernel level.