In the previous course, Volume 1, we discussed advanced user-land malware development techniques.
It is time to focus on Windows kernel land and its inner workings, and to see how read/write access to kernel objects from user space can be leveraged to your advantage.
That includes:
discussing the differences between user mode and kernel mode, how to communicate with kernel drivers, and Direct Kernel Object Manipulation (DKOM)
coding against a third-party driver interface
accessing kernel objects from user space
finding and abusing handles to bypass security measures
manipulating tokens to gain higher privileges (changing users, raising integrity levels and unrestricting restricted tokens)
becoming a fully protected process
using various strategies to locate ETW providers in Windows kernel
removing kernel callbacks for process, thread, image, handle and registry related events
preserving read/write primitives without a kernel driver
reading and bypassing vulnerable driver blocklists
finding vulnerable drivers and kernel offsets
You will receive a virtual machine with a complete environment for developing and testing your software, along with a set of source code templates that let you focus on understanding the essential mechanisms rather than on less important implementation details.
Talk to kernel drivers through a third-party driver interface
Access and manipulate kernel objects (including processes, handles and tokens) to your advantage
Find and modify kernel-level ETW providers to change telemetry flows
Make any process protected
Change kernel callbacks for various system objects
Preserve user-to-kernel read/write primitives without using a driver
Deal with driver blocklists
Find kernel offsets and vulnerable drivers
Recommended: completing the Malware Development Advanced Vol. 1 course
Solid understanding of operating system architecture
Good experience with Windows OS
Programming skills in C/C++
A computer with at least 4 GB of RAM and 30 GB of free disk space
VirtualBox 7.0+ installed
A strong will to learn and to have fun
The videos total about 5 hours of content.