Blake Haniman
T.Roy, CodeMachine
Windows Kernel Rootkit Techniques
Cody Nelson
August 6 - 9, 32 Credit Hours
To achieve maximum stealth and obtain unabated access to the system, rootkits execute in kernel mode. This advanced course provides a comprehensive end-to-end view of the modus operandi of rootkits by taking an in-depth look at the behind-the-scenes workings of the Windows kernel and how these mechanisms are exploited by malware, through hands-on labs and real-world case studies. Kernel security enhancements that have been progressively added to Windows, including ones that depend on Virtualization-based Security (VBS), are discussed along with some circumvention techniques. Attendees will study key techniques used by rootkits to understand the real-world applicability of these concepts for offensive and defensive purposes. This course has been updated for Windows 10 21H2.
The training comprises theory, instructor-led demos, code walkthroughs, and, most importantly, hands-on labs where students use Visual Studio 2022 and the Windows Driver Kit (WDK) to implement rootkit functionality and use WinDbg to detect, identify, and analyze rootkit behavior on Windows 10 21H2 64-bit.
Skills / Knowledge
- Malware
- Forensics
Issued on
August 9, 2022
Expires on
Does not expire