
Kernel Mode Rootkits

Black Hat via YouTube

Overview

This course teaches how kernel mode rootkits for Windows 2000 are built, covering hooking of system calls, hiding files and processes, runtime kernel patching, kernel buffer overflows, and load protection with a password. It works through the structure of the NT system module by module and then examines the techniques rootkits use at each layer, closing with defensive measures such as integrity checking, load auditing, and monitoring of the SYSCALL tables. It is intended for cybersecurity professionals, software developers, and anyone who wants to understand advanced techniques for system manipulation and security exploitation in Windows environments.

Syllabus

Intro
BLACK HAT WINDOWS 2000 SECURITY
Structure of NT System Module
A Driver can register multiple 'Device Objects'
Filtering data using device-chains
Many techniques: No Devices Required
Hooking System-Calls in the Syscall Table
Placing the System Call Hook
Hiding Files and Directories
Hiding Processes, Threads, and Drivers via 'snip'
Hooking Software Interrupts
Registering a Network Sniffer
Making it so that the driver cannot be unloaded
What needs to be done to support dynamic unloading
A bit better driver query
Watch for memory reads that would reveal the rootkit: dev/physmem, etc.
Hide or redirect file-access to the SYS file
Runtime Kernel Patching
Search Memory for Process Structures and Alter the Security Descriptor
Altering CODE: Hot-Patching Code Addresses
Make a function-call do nothing, simple RET patch
Loading a Module via kmem
Write code into leftover space around page boundary or in unused section within PE file
Kernel Buffer-Overflows
Exception Handling or graceful shutdown or disabling of driver
Difficulty for drivers that have Callbacks to IRP completion routines, other drivers, etc.
Integrity Check Modules
Load Protection with a Password
Intercept LoadModule and log the names (audit)
Kernel-space 'Virus'-scanning
Watch the SYSCALL tables

Taught by

Black Hat
