25.8.20

Windows Kernel Rootkit Techniques

PRAVIN SAKHARAM WAGHURDE

To achieve maximum stealth and obtain unabated access to the system, rootkits execute in kernel mode. This advanced course provides a comprehensive end-to-end view of the modus operandi of rootkits by taking an in-depth look at the behind-the-scenes workings of the Windows kernel and how these mechanisms are exploited by malware, through hands-on labs and real-world case studies. Kernel security enhancements that have been progressively added to Windows are discussed along with some circumvention techniques. Attendees will study key techniques used by rootkits to understand the real-world applicability of these concepts for offensive and defensive purposes. This course has been updated for Windows 10 Version 1909 (19H2). The hands-on labs cover topics such as bypassing kernel security mitigations, injecting kernel shellcode, patching functions, hooking functions, logging keystrokes, hiding registry keys, hiding files, intercepting disk requests, modifying network packets, blocking module loads, performing self-defense of kernel and user mode modules, and many others.

Skills / Knowledge

  • Malware
  • Forensics

Issued on

August 4, 2020

Expires on

Does not expire