Black Hat Digital Self Defense USA 2006
Training

training

Black Hat USA Training 2006
Caesars Palace Las Vegas • July 29-30

Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.

Black Hat Registration

Offensive Aspects Of Rootkit Technology

Sherri Sparks

What to bring:
Students need knowledge and experience with C programming.

Laptops should be 32-bit and installed with the following:

  • Network card
  • Windows XP (Windows 2000 is acceptable)
  • Windows Device Driver Development Kit (DDK)
  • Windbg, which is free from Microsoft
  • Working Microsoft Symbols for your OS which you can download from Microsoft
  • VM Player (free from VMWare)
  • SoftIce (Optional)

Note: A VmWare virtual machine with the above items installed is not only acceptable, but strongly encouraged.  Blue screens are common during the development of this kind of code and, in the worse cases, they can result in having to reinstall your Operating System. If you will not be using a VM, backups of your OS and tools are also strongly encouraged.

The primary purpose of a rootkit is to hide on a computer system. A rootkit may hide processes from task manager, files / directories from Anti Viral software, or network ports from programs like Netstat. Once an isolated breed of malware, rootkits are now seeing widespread applications for their techniques ranging from spyware to commercial software protection.

This course will cover the basic principles behind current rootkit subversion techniques.  Topics will include:

  • Basic kernel driver development issues
    • Structure of a kernel-mode device driver
    • How to load / unload kernel device drivers
  • Userland rootkit techniques
    • Code injection methods
    • IAT hooking
    • Inline call hooking
  • Kernel rootkit techniques
    • Interrupt hooking
    • System service hooking
    • Direct modification of kernel objects
  • Rootkit applications
    • How to hide files and directories
    • How to hide processes
    • How to hide network ports
  • Rootkit detection
    • Heuristics (i.e. detecting the presence of hooks)
    • Cross view based approaches
  • Misc topics
    • Removing memory protection
    • Rootkit uses for hardware debug registers

The student will install a debug monitor and be able to send debug data out of their rootkit kernel driver. For students who do not have SoftIce, the instructors will project an interactive SoftIce session so the students can observe single stepping and other features of the kernel debugger. If students have trouble with their rootkit, the instructors will work with the student as much as possible to debug the problem. The student should leave this class with a working rootkit of their own effort.

Who should take the course?
This class is not intended for people who wish to learn about device drivers or Windows programming. The techniques offered in this course are directed at a Windows platform, but are generic enough to be applied in the UNIX environment as well. This class is designed for people wishing to gain an intimate knowledge of how rootkits operate. This includes practitioners who wish to build their own rootkit technology and security experts who simply want to further their understanding of the rootkit threat. The student must be able to code in the 'C' language. If you already code rootkits for UNIX, this class will give you the basics for converting your skills to a Windows platform. If you have never coded a rootkit this will be a great opportunity to get started and you will leave the class with real skills you can put to use in the field.

Essentials:
Students need knowledge and experience with C programming.

  • Laptops should be 32-bit and installed with the following:
    • Network card
    • Windows XP (Windows 2000 is acceptable)
    • Windows Device Driver Development Kit (DDK)
    • Windbg, which is free from Microsoft
    • Working Microsoft Symbols for your OS which you can download from Microsoft
    • VM Player (free from VMWare)
    • SoftIce (Optional)

Note: A VmWare virtual machine with the above items installed is not only acceptable, but strongly encouraged.  Blue screens are common during the development of this kind of code and, in the worse cases, they can result in having to reinstall your Operating System. If you will not be using a VM, backups of your OS and tools are also strongly encouraged.

Students are encouraged to

  • Review the basic_* examples in Hoglund's vault on rootkit.com
  • Get the examples working on their laptop
  • Compile basic_3.zip with the DDK
  • Load the driver with InstDriver also in Hoglund's vault
  • Watch the messages in DebugView
  • Use the FU rootkit from rootkit.com to hide a process

Read chapters 4, 5, 7, and 9 from Rootkits: Subverting the Windows Kernel for a good foundation on rootkit techniques

Trainer:

Sherri Sparks is a PhD student at the University of Central Florida. She received her undergraduate degree in Computer Engineering and subsequently switched to Computer Science after developing an interest in reverse code engineering and computer security. She also holds a graduate certificate in Computer Forensics. Currently, her research interests include offensive / defensive malicious code technologies and related issues in digital forensic applications.

Black Hat Registration

Course Length: Two days. All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered. You must provide your own laptop.

Cost:

Early Bird:
Ends June 30, 2006

Regular:
Ends July 27, 2006

Onsite:
Begins July 28, 2006

$1800 USD

$2000 USD

$2100 USD

Black Hat Logo
(c) 1996-2007 Black Hat