Introduction:

When there is a vulnerability under Windows explained in a conference, at a point, someone displays on the screen a software called Windbg. Useful, powerful and efficient, this software is perfect for bug tracking, vulnerabilities finding and exploit conception. But due to its old graphical interface, its cryptic command lines, keyboard shortcuts and sometimes outdated tutorials, it is hard to manage, especially for beginners. This workshop is designed for people with some basic knowledge in programming and reverse engineering and for people who would like to improve their skills using a professional-quality debugger in the context of vulnerability research.

The workshop is provided with a dedicated application/service/driver set that illustrates various ways to exploit vulnerabilities. This training set is design with a Lab where we setup everything with the participants. The executable files in the Lab are compiled with all the security features of Visual Studio and executed on an up-to-date version of Windows 11. The goal is to understand how from user access to take the total control of the machine by displaying a command-line with system rights. To do this, we will go step by step. First, we observe how the application interfaces with the service, then we take the control of the service and finally we take control of the driver via the service. The elevation of privileges is then progressive (from the service to the driver). That way, each participant builds up his or her knowledge the way they progress. Each time, the participants pass different levels of security, exploiting conceptual, architectural or implementation issues. In addition, we will see how to pass some of the security features used at compilation time by Visual Studio in a practical way (i.e. without tampering the security). This compilation security is usually used to reduce the possibility of exploiting vulnerabilities.

This workshop focuses on the exploitation of vulnerabilities rather than discovering them as such (although participants will be given some knowledge how to find them). To this end, the use of a debugger like Windbg, when properly practiced, can be a formidable tool to understand how vulnerabilities can be found and exploited.

The first day covers the most important commands that are useful in every day’s life of a vulnerability researcher, including the setup of an analysis environment (allowing to reverse anything in Windows) and tooling configuration. We will take a look at the most useful commands and efficient scripting practices with Windbg to boost our efficiency. Also, we will cover advanced techniques, particularly useful in the context of vulnerability research, such as adding our own symbols to the debugger, anti-debugging bypasses, direct data manipulation in the target process, and executing on the fly our own code in the target process from the debugger.

The second day focusses more on practice, by exploiting the set of services and drivers, step-by-step, surpassing different kind of securities barriers on different levels (software / system / compilation). The goal is to use the techniques understand how Windbg can be used to calibrate different kind of exploits. That way, it will be possible for participants practice the different kind of attacks explaining during the workshop. At the end of these two training days, each participant will have seen different kind of vulnerabilities and may software compilation mitigations. Also, each participant will have learnt how to use Windbg in an efficient way and how a full exploit chain can provide an attacker “NT AUTHORITY\SYSTEM” access.

Table of Content

  1. DAY 1
    • Introduction to Windbg
      • General functioning of a debugger and capabilities
      • User-mode / Kernel-mode debugging
      • Live debugging, crash dump
      • Configuring Windbg (layout, symbols, GUI, modules)
      • Configuring the system for debugging (AEDebug, GFlag)
    • Configuring the Lab
      • Setup the Virtual Machine to be kernel debugged (Network, USB, Baud rate)
      • Advanced kernel debug options (bcdedit)
      • Setup Windbg to debug the Virtual Machine
      • Debugger commands for kernel-mode debugging
    • “Minimal” Windows Internals
      • Process, thread, driver, service
      • Memory management (allocation, rights, stack, heap)
      • Object system (handle, security, ACL/ACE, Privileges)
      • IPC: File, Pipe, Shared Memory, Socket
      • Windows API documentation
    • User-mode debugging
      • Basic commands
        • Disassembly (and short assembly reminder)
        • Memory management
        • Step by step execution
        • Thread management
        • Call stack and frames
        • Breakpoints (code, data, conditional)
        • Data display and structure representation
      • Debugging user-mode process from kernel-mode
      • Advanced debugging
        • Time Travel Debugging
        • Forging your own symbols
        • Bypassing anti-debugging
        • Direct code execution through debugging
        • Direct data manipulation and replay with Windbg
    • Vulnerability research & methodolog
      • Disao General methodology
      • Fuzzing, approaches and limitations
      • Reverse engineering
      • Automatic debugging
      • Application/Driver verifier
    • Lab introduction
      • Attack surface exploration
        • Static analysis vs dynamic analysis
        • Observing the target with Windbg / Sysinternals
      • Observing few bugs
        • Buffer overruns (stack, heap, memory, lists)
        • Memory free issues
      • Interacting with the vulnerable service
      • Exploring specific features in the service
  2. DAY 2
    • Explanation of mitigation under Windows
      • Stack protection, Buffer security check
      • DEP, NX
      • ASLR
      • SEH
      • Control Flow Guard, CET, EHCont
    • Lab: Vulnerability exploitation (user-mode)
      • Address leak
      • Read-what-where
      • Write-what-where
      • Dll hijacking
      • Remote Code execution with shellcode
      • Elevation of privileges and full exploit chain creation
    • Bypassing mitigations
      • Stack protection, DEP, ASL, SEH, ...
    • Lab: Vulnerability exploitation (kernel-mode)
      • Understanding service/driver communication
      • Hijacking the communication
      • Read-what-where
      • Write-what-where
      • Elevation of privileges from kernel to user-mode, exploit chain creation

Pre-Requisites for participation:

  • Basic knowledge of programming. A script or a compiled language is a required.
  • Basic knowledge of reverse engineering. Knowing x86 and x64 is definitively a plus without being a must.

Hardware / Software Requirements

  • A laptop with Intel/AMD CPU (x86 or x64) and administrator rights
  • At least 100 GB of free disk space
  • At least 16 GB of RAM
  • Possibility to install applications from the Windows Store
  • Hyper-V or Virtual Box with a clean Windows 10 or 11 image already installed

Duration

2 days

Who should attend?

  • Vulnerability researchers
  • Red Team Members
  • Pentesters
  • Reverse Engineers
  • Students