Reversing & Attacking Drivers and Other Techniques To Attack Windows Kernel

One of the best ways to defend a system is to know how to attack it. This is the spirit of this workshop based on Windows operating system, mainly its kernel, and exploitable drivers. Indeed, this focusses on attacking and exploiting Windows with (kernel-mode) driver components and privilege elevations techniques. In this context, we focus on both finding and exploiting vulnerabilities.

By providing a detailed explanation about Windows internals, especially on the way the drivers operate, we can focus on reverse engineering of drivers to look for vulnerabilities inside. This includes design flaws, misconfigurations, and implementation issues. Typically, we cover all different methodologies used to check drivers’ security. From the vulnerabilities we present, we provide techniques to exploit them to achieve different goals (privilege escalation, denial of service, information disclosure …). In the end, we cover different mitigations to reduce impact of vulnerable drivers in the system.

When it will be possible, we take time to see how it is possible to exploit a vulnerability. By practicing the full attack chain, we can see how to become administrator from a regular user mode application through kernel exploitation.

By understanding the “functioning” the kernel and drivers’ technology within the system and vulnerability in kernel-mode with potential impacts become much easier after the workshop. It is also a good way to learn how to improve system security by providing specific mitigating controls.

What to expect:

In the end of the workshop, each participant will have four key takeaways:

• A strong understanding of Windows kernel internals
• The ability to reverse any device driver on Windows and to look for vulnerabilities inside a driver with different techniques
• A rough overview about mitigating controls on Windows

Course Content (ToC):

• Day-1 - Part-1 & Part-2
• Day 2 - Part-3, Part-4 & Part-5

• Day - 1  - Windows key concepts & components
  • Windows Internals
    • Windows’ General architecture
    • Registry of Windows
    • CPU Protection levels
    • Virtual memory and address space layout
    • Objects and handles
    • ACL/ACE, privileges, and securable objects
    • Drivers in Windows
    • Boot loading procedure
  • Primer on vulnerabilities categories in Windows (with some examples how to exploit them)
    • Design vulnerabilities
    • Implementation vulnerabilities
    • Configuration /operation vulnerabilities
  • Lab: Exploiting (some of the mentioned) vulnerabilities
    • Different ways for elevation of privileges
  • Lab: Exploitation environment
    • Setting Windows Virtual Machine in debug mode
    • Windbg debugger attached in kernel mode by network
    • Windbg practice with most useful debugging commands
    • Observing principal objects (EPROCESS, ETHREAD, KPCR, KINTERUPT, CONTEXT, XSAVE_STATE, …) and interacting with in Windows’ kernel
    • Registering, loading, and unloading drivers
• Day 2   - - Windows Drivers vulnerabilities
  • General WDM device driver
    • General architecture of drivers
    • Signing policy & Code integrity
    • Reversing main drivers' routines (DriverEntry, DriverUnload, AddDevice, IRP dispatch routines, …)
  • Drivers' common vulnerabilities
    • STRIDE
    • The fabulous three: WinIO, WinRing0, WDDK Win NT 3.51
    • Driver’s interface access check
    • IRP buffering methods & fuzzing
    • IRP handling issues
    • TOCTOU, design issues, MSR, callbacks, file/registry inputs, …
  • Labs:
    • Driver verifier technology
    • Practice vulnerability research
      • Recon on drivers (tooling/debugger)
      • Reverse engineering a driver
      • Driver’s interface with the debugger
      • Driver’s vulnerability exploring
      • Fuzzing on IOCTLs
    • Vulnerable device drivers’ samples, many examples & practice
      • Compilation time securities: (GS, SafeSEH, ASLR, DEP, CFG, retpoline, KASAN)
      • Runtime securities: Patchguard, HVCI, Exploit protection (former EMET), ASR, WDAC
      • Intel Securities: SMEP, SMAP, NX…

Pre-requisite & Participant Requirements:

• C (or C++) programming knowledge.
• Basics about Intel x86-64 CPU is a plus but not a requirement.
• Basics about Reverse Engineering, especially IDA but Ghidra could work also if the student is autonomous with it.
• Basics about Windbg debugging (or any other debugger) is a solid plus without being a definitive requirement.

No prior knowledge about Windows internals is required.

Hardware/Software requirements

• A laptop with Intel/AMD CPU (x86 or x64)
• At least 100 GB of free disk space
• At least 16 GB of RAM
• Windbg Preview
• Hyper-V or Virtual Box with a Windows 10 or 11 image
• IDA With pseudo code available (best case) or Ghidra

What will be given to each participant

• Slides of the workshop
• Cheat sheet to debug with Windbg
• Samples of vulnerable drivers to practice
• A lab environment where to analyze drivers

Who should attend:

• Cyber security engineer
• Pen-tester / auditors
• Reverse engineers
• Developers
• Malware analyst
• Anyone enthusiast in this area fulfilling the participant requirements

What not to expect:

• Any disclosure of 0-day
• A focus specific technology of drivers (network, devices, antivirus …)
• Coming with a specific driver to “analyze”