“In this course, we teach students how to: reverse engineer NSA rootkits, write their own rootkits, and build their own endpoint detection and response software for defence purposes”
- Bruce Dang, Instructor
Windows Kernel Rootkits Techniques and Analysis
This class is tailored for malware analysts, system developers, forensic analysts, incident responders, or
enthusiasts who want to analyze Windows kernel rootkits or develop software for similar tasks. It
introduces the Windows architecture and how various kernel components work together at the lowest
level. It discusses how rootkits leverage these kernel components to facilitate nefarious activities such
as hiding processes, files, network connections, and other common objects. As part of the analytical
process, we will delve into the kernel programming environment; we will implement some kernel-mode
utilities to aid our understanding.
Needless to say, the class will contain many hands-on labs and exercises using real-world rootkits.
There are no made-up examples in the class.
What You Should Expect
After this class, you should have a systematic understanding of Windows kernel to analyze rootkits and
develop kernel-mode drivers for your job. You will also understand and apply kernel concepts to carry
out forensic investigations on a Windows machine. In addition, you will be able read and understand research on Windows kernel and related subjects. You will no longer feel intimidated by the kernel after this class.
In previous classes, practically all students were able to analyse kernel rootkits and develop drivers on
their own at the end of the course. Many of these students have never written a driver before in their
life and they felt comfortable doing it after the third day. Here are some examples of what some
students accomplished after class: analyzed well-known kernel APTs, analyzed Windows Patchguard,
developed a driver to remap keys, researched into hypervisor development.
Malware analysts, systems programmer, forensic analysts, security engineers, network security
analysts, kernel enthusiasts.
About the Instructor
Bruce Dang is an information security researcher with interests in low-level systems. He is currently
working at Veramine trying to make the world a safer place. He previously worked as a senior security
development engineer lead at Microsoft; his team's focus spans all things product security related from
hardware, OS, and web services. He specialises in reverse engineering and Windows kernel-level
security projects. Before Microsoft, he worked as a developer in the financial sector. He was the first
person to publicly discuss techniques of analyzing file format based exploits and has patents in the area
of generic shellcode and exploit detection. His public research includes Microsoft Office exploit analysis, ROP
detection, shellcode detection, and kernel driver decompilation techniques; on the malware side, he is
known for first analyzing vulnerabilities in the Stuxnet worm. He has spoken at major security
conferences worldwide, i.e., REcon (Canada), Blackhat (Vegas and Tokyo), Chaos Computer Club
(Germany), Computer Antivirus Research Organization (Hungary), etc. In addition to sharing his
knowledge at public conferences, he has also provided private training and lectures to government
agencies. He is also the author of the bestselling reverse engineering textbook, Practical Reverse
Engineering: x86, x64, Windows kernel, and obfuscation, published by John Wiley and Sons in 2014.