Windows Kernel Exploitation

Foundation and Advanced

Virtual, 32 CPE Hours Training, February 2024

Week 1: Feb 10-17 (detailed schedule ready)

Abstract

This comprehensive course combines the essentials of both the Foundation and Advanced Windows Kernel Exploitation courses. It is designed to guide participants through the intricacies of kernel exploitation, from uncovering and exploiting bugs in Windows kernel mode drivers to bypassing advanced exploit mitigations.

Participants will gain hands-on experience in a wide range of topics, including Windows and driver internals, various memory corruption types, exploit development techniques, mitigation bypass techniques, pool internals, and Feng-Shui. The course culminates in a Capture The Flag (CTF) challenge, allowing participants to apply their newly acquired skills.

During this course we will be using Windows 11 x64 for the lab exercises.

This combined course offers a holistic approach to Windows Kernel Exploitation, ensuring participants are well-equipped with the knowledge and skills required to excel in the realm of kernel exploitation.

Key Learning Objectives

Upon completion of this training, participants will be able to:

  • Understand Windows kernel debugging and internals
  • Grasp the basics of Windows and driver internals
  • Identify different memory corruption classes
  • Fuzz kernel mode drivers to find vulnerabilities
  • Dive deep into the exploit development process in kernel mode
  • Bypass advanced exploit mitigations like kASLR, SMEP, and KPTI/KVA Shadow
  • Understand pool internals and Feng-Shui
  • Develop Arbitrary Read/Write primitives

Intended Audience

  • Information security professionals
  • Bug hunters and Red teamers
  • Windows exploit developers
  • Windows driver developers and testers
  • Ethical hackers and penetration testers looking to upgrade their skillset to the kernel level
  • Anyone with an interest in understanding Windows Kernel exploitation

Detailed Agenda

Module 1

Windows Internals (Lecture)

  • Architecture
  • Executive and Kernel
  • Hardware Abstraction Layer (HAL)
  • Privilege Rings

Memory Management (Lecture and Hands-on)

  • Virtual Address Space
  • Memory Pool

Driver Internals (Lecture and Hands-on)

  • I/O Request Packet (IRP)
  • I/O Control Code (IOCTL)
  • Data Buffering

Module 2

Fuzzing Windows Drivers (Lecture and Hands-on)

  • Attack Surface Analysis (Reversing driver using IDA)
    • Locating IOCTLs in Windows drivers
  • Memory Sanitizers
    • Special Pool
  • Fuzzing the discovered IOCTLs
  • Analyzing the crashes

Module 3

Exploitation Basics (Lecture and Hands-on)

  • Stack Buffer Overflow (SMEP and KVA Shadow/KPTI disabled)
    • Understanding the vulnerability
    • Achieving code execution
  • Escalation of Privilege Payload
  • Kernel State Recovery

Module 4

Advanced Exploit Mitigations

  • Kernel Address Space Layout Randomization (kASLR)
    • Understanding kASLR
    • Breaking kASLR using kernel pointer leaks
  • Supervisor Mode Execution Prevention (SMEP)
    • SMEP concepts
    • Breaking/bypassing SMEP
  • Kernel Page Table Isolation (KPTI/KVA Shadow)
    • KPTI concepts
    • Breaking/bypassing KPTI

Module 5

Advanced Exploitation Techniques (Lecture and Hands-on)

  • Arbitrary Memory Overwrite
    • Understanding the vulnerability
    • Achieving privilege escalation
  • Memory Disclosure
    • Understanding the vulnerability
    • Leak function pointer
    • Calculate driver base address
  • Pool Overflow
    • Understanding the vulnerability
    • Finding corruption target
    • Grooming target pool (Feng-Shui)
    • Achieving arbitrary read/write primitive (data-only attack)
    • Gaining local privilege escalation
      • Different places to corrupt

Module 6

Capture The Flag (CTF)

  • Time to finish the CTF
  • Discuss any other vulnerability class if the students want and time permits

Miscellaneous

  • Assignment to write a blog post about the vulnerability exploited during CTF
  • Q/A and Feedback

Knowledge Prerequisites

  • Basic operating system concepts
  • Familiarity with vulnerability classes
  • Basics of x86/x64 assembly and C/Python
  • Basics of ROP
  • Patience

System Requirements

  • A laptop capable of running two virtual machines simultaneously (16 GB+ of RAM). Intel processors only.
  • 40 GB of free hard drive space
  • VMware Workstation/Player installed
  • Everyone should have Administrator privileges on their laptop

Ashfaq Ansari

Ashfaq Ansari, a.k.a. HackSysTeam, is a vulnerability researcher who specializes in software exploitation. He is the developer of HackSys Extreme Vulnerable Driver (HEVD), which has helped many upcoming professionals get started with Windows kernel exploitation. He has numerous CVEs under his belt and is the instructor of the popular “Windows Kernel Exploitation” course. His core interests lie in low-level software exploitation in both user and kernel mode, vulnerability research, reverse engineering, hybrid fuzzing, and program analysis.
