SlideShare a Scribd company logo

Windows Kernel & Driver Development

Marcus Botacin
Marcus Botacin

The document discusses Windows kernel and driver development. It begins with introductions and an overview of the Windows kernel model. The presenter then discusses various topics related to Windows kernel and driver development like driver models, loading and debugging drivers, userland interaction, privileged instructions, and process monitoring. The document concludes by thanking the host and mentioning references like books and papers for further reading.

Science
1 of 19
Download to read offline
Introduction Windows Kernel Conclusions Windows Kernel & Driver Development Marcus Botacin1 1Informatics - Federal University of Parana (UFPR) - Brazil mfbotacin@inf.ufpr.br November 2018 Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Agenda 1 Introduction 2 Windows Kernel 3 Conclusions Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Agenda 1 Introduction 2 Windows Kernel 3 Conclusions Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions About Me Malware Analyst (2012) BsC. Computer Engineer @ UNICAMP (2015) Sandbox Development MsC. Computer Science @ UNICAMP (2017) Hardware-Assisted Malware Analysis PhD. Computer Science @ UFPR (Present) Hardware-Assisted Malware Detection AntiVirus Evaluation Future Threats Contextual and Social Malware effects Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Windows Model: Kernel Entering Figure: https://blogs.msdn.microsoft.com/hanybarakat/2007/ 02/25/deeper-into-windows-architecture/ Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Function Prototypes: Multiple Contexts Wrapper 1 HANDLE OpenProcess ( 2 DWORD dwDesiredAccess , 3 BOOL bInheritHandle , 4 DWORD dwProcessId ) ; Complete Version 1 k e r n e l e n t r y NTSYSCALLAPI NTSTATUS NtOpenProcess ( 2 PHANDLE ProcessHandle , 3 ACCESS MASK DesiredAccess , 4 POBJECT ATTRIBUTES ObjectAttributes , 5 PCLIENT ID C l i e n t I d ) ; Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Functions: Undocumented things Figure: http://undocumented.ntinternals.net/ Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions 64-bit Windows Kernel Patch Protection (KPP). Driver Signing. Session Isolation. API Changes (Ex versions) Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Agenda 1 Introduction 2 Windows Kernel 3 Conclusions Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Requirements VCC + WDK You don’t need Visual Studio but You need Visual Studio SysInternals (DebugView) Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Basics Driver Models: FileFilter, WDK & NDIS. Basics: Loading and Unloading. Debugging: Printing debug messages. Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Userland Interaction Loading Driver Object as a file. Writing IO routines. Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions First Time Low Level Privileged instructions with intrinsics. Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Monitoring My First Process Callback. Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Agenda 1 Introduction 2 Windows Kernel 3 Conclusions Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions References: Books Figure: https://blogs.msdn.microsoft.com/microsoft_press/2017/05/ 09/new-book-windows-internals-seventh-edition-part-1/ Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions References: Books Figure: https://www.amazon.com/ Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319 Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions References: Papers Who watches the watchmen: A security-focused review on current state-of-the-art techniques, tools and methods for systems and binary analysis on modern platforms—ACM Computing Surveys. Enhancing Branch Monitoring for Security Purposes: From Control Flow Integrity to Malware Analysis and Debugging—ACM Transactions on Privacy and Security. Windows Sandbox → The other guys: automated analysis of marginalized malware—Journal of Computer Virology and Hacking techniques. Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Conclusions Thanks Thanks Tilo for hosting me. Thanks CTF guys for inviting me. Open to hear your questions. Contact mfbotacin@inf.ufpr.br https://github.com/marcusbotacin Windows Kernel & Driver Development FAU @ Erlangen

Recommended

yogi
yogiyogi
yogiyoganand Doravari
 
Back to basics - PHPUnit
Back to basics - PHPUnitBack to basics - PHPUnit
Back to basics - PHPUnitSebastian Marek
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOpsSonatype
 
Cool .NET tools, techniques and libraries
Cool .NET tools, techniques and librariesCool .NET tools, techniques and libraries
Cool .NET tools, techniques and librariesGreg Sohl
 
CI adventures in .NET
CI adventures in .NETCI adventures in .NET
CI adventures in .NETSerhiy Kalinets
 
Icsm2009 adams ph_d
Icsm2009 adams ph_dIcsm2009 adams ph_d
Icsm2009 adams ph_dSAIL_QU
 
Test Driven Development
Test Driven DevelopmentTest Driven Development
Test Driven DevelopmentSoftware Infrastructure
 
Explaining the WinBuilder framework
Explaining the WinBuilder frameworkExplaining the WinBuilder framework
Explaining the WinBuilder frameworkNuno Brito
 

Recommended

yogi
yogiyogi
yogiyoganand Doravari
 
Back to basics - PHPUnit
Back to basics - PHPUnitBack to basics - PHPUnit
Back to basics - PHPUnitSebastian Marek
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOpsSonatype
 
Cool .NET tools, techniques and libraries
Cool .NET tools, techniques and librariesCool .NET tools, techniques and libraries
Cool .NET tools, techniques and librariesGreg Sohl
 
CI adventures in .NET
CI adventures in .NETCI adventures in .NET
CI adventures in .NETSerhiy Kalinets
 
Icsm2009 adams ph_d
Icsm2009 adams ph_dIcsm2009 adams ph_d
Icsm2009 adams ph_dSAIL_QU
 
Test Driven Development
Test Driven DevelopmentTest Driven Development
Test Driven DevelopmentSoftware Infrastructure
 
Explaining the WinBuilder framework
Explaining the WinBuilder frameworkExplaining the WinBuilder framework
Explaining the WinBuilder frameworkNuno Brito
 
Modern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinModern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinDjalal Harouni
 
1 Win7 For Devs Fund Search
1 Win7 For Devs Fund Search1 Win7 For Devs Fund Search
1 Win7 For Devs Fund Searchllangit
 
Overview of asp .net
Overview of asp .netOverview of asp .net
Overview of asp .netSajan Sahu
 
Decoder Open Research Webinar
Decoder Open Research WebinarDecoder Open Research Webinar
Decoder Open Research WebinarDecoder Project
 
Lecture 1 dev_environment
Lecture 1 dev_environmentLecture 1 dev_environment
Lecture 1 dev_environmentmoduledesign
 
Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?LOGINPHP360
 
report_barc
report_barcreport_barc
report_barcsiontani
 
Windows 8 and Phone App Development
Windows 8 and Phone App DevelopmentWindows 8 and Phone App Development
Windows 8 and Phone App DevelopmentPaul Gower
 
Analysis and Exploiting Windows and Linux Security
Analysis and Exploiting Windows and Linux SecurityAnalysis and Exploiting Windows and Linux Security
Analysis and Exploiting Windows and Linux SecurityShubham Dubey
 
Inptools Manual
Inptools ManualInptools Manual
Inptools ManualMawar 99
 
Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?LOGINPHP360
 
Introduction to Software Build Technology
Introduction to Software Build TechnologyIntroduction to Software Build Technology
Introduction to Software Build TechnologyPhilip Johnson
 
01 intro to programming in .net
01 intro to programming in .net01 intro to programming in .net
01 intro to programming in .netFelisha Hosein
 
Lecture 1 dev_environment
Lecture 1 dev_environmentLecture 1 dev_environment
Lecture 1 dev_environmentmoduledesign
 
What's new in p2 (2009)?
What's new in p2 (2009)?What's new in p2 (2009)?
What's new in p2 (2009)?Pascal Rapicault
 
(WPF + WinForms) * .NET Core = Modern Desktop
(WPF + WinForms) * .NET Core = Modern Desktop(WPF + WinForms) * .NET Core = Modern Desktop
(WPF + WinForms) * .NET Core = Modern DesktopOren Novotny
 
CRAXweb: Automatic Exploit Generation for Web Applications
CRAXweb: Automatic Exploit Generation for Web ApplicationsCRAXweb: Automatic Exploit Generation for Web Applications
CRAXweb: Automatic Exploit Generation for Web ApplicationsAung Thu Rha Hein
 
Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
Windows Offender: Reverse Engineering Windows Defender's Antivirus EmulatorWindows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
Windows Offender: Reverse Engineering Windows Defender's Antivirus EmulatorPriyanka Aash
 
Overview of .Net Framework
Overview of .Net FrameworkOverview of .Net Framework
Overview of .Net FrameworkNeha Singh
 
Event Driven programming(ch1 and ch2).pdf
Event Driven programming(ch1 and ch2).pdfEvent Driven programming(ch1 and ch2).pdf
Event Driven programming(ch1 and ch2).pdfAliEndris3
 
Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Marcus Botacin
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareMarcus Botacin
 

More Related Content

Similar to Windows Kernel & Driver Development

Modern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinModern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinDjalal Harouni
 
1 Win7 For Devs Fund Search
1 Win7 For Devs Fund Search1 Win7 For Devs Fund Search
1 Win7 For Devs Fund Searchllangit
 
Overview of asp .net
Overview of asp .netOverview of asp .net
Overview of asp .netSajan Sahu
 
Decoder Open Research Webinar
Decoder Open Research WebinarDecoder Open Research Webinar
Decoder Open Research WebinarDecoder Project
 
Lecture 1 dev_environment
Lecture 1 dev_environmentLecture 1 dev_environment
Lecture 1 dev_environmentmoduledesign
 
Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?LOGINPHP360
 
report_barc
report_barcreport_barc
report_barcsiontani
 
Windows 8 and Phone App Development
Windows 8 and Phone App DevelopmentWindows 8 and Phone App Development
Windows 8 and Phone App DevelopmentPaul Gower
 
Analysis and Exploiting Windows and Linux Security
Analysis and Exploiting Windows and Linux SecurityAnalysis and Exploiting Windows and Linux Security
Analysis and Exploiting Windows and Linux SecurityShubham Dubey
 
Inptools Manual
Inptools ManualInptools Manual
Inptools ManualMawar 99
 
Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?LOGINPHP360
 
Introduction to Software Build Technology
Introduction to Software Build TechnologyIntroduction to Software Build Technology
Introduction to Software Build TechnologyPhilip Johnson
 
01 intro to programming in .net
01 intro to programming in .net01 intro to programming in .net
01 intro to programming in .netFelisha Hosein
 
Lecture 1 dev_environment
Lecture 1 dev_environmentLecture 1 dev_environment
Lecture 1 dev_environmentmoduledesign
 
(WPF + WinForms) * .NET Core = Modern Desktop
(WPF + WinForms) * .NET Core = Modern Desktop(WPF + WinForms) * .NET Core = Modern Desktop
(WPF + WinForms) * .NET Core = Modern DesktopOren Novotny
 
CRAXweb: Automatic Exploit Generation for Web Applications
CRAXweb: Automatic Exploit Generation for Web ApplicationsCRAXweb: Automatic Exploit Generation for Web Applications
CRAXweb: Automatic Exploit Generation for Web ApplicationsAung Thu Rha Hein
 
Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
Windows Offender: Reverse Engineering Windows Defender's Antivirus EmulatorWindows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
Windows Offender: Reverse Engineering Windows Defender's Antivirus EmulatorPriyanka Aash
 
Overview of .Net Framework
Overview of .Net FrameworkOverview of .Net Framework
Overview of .Net FrameworkNeha Singh
 
Event Driven programming(ch1 and ch2).pdf
Event Driven programming(ch1 and ch2).pdfEvent Driven programming(ch1 and ch2).pdf
Event Driven programming(ch1 and ch2).pdfAliEndris3
 

Similar to Windows Kernel & Driver Development (20)

Modern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - BerlinModern IoT and Embedded Linux Deployment - Berlin
Modern IoT and Embedded Linux Deployment - Berlin
 
1 Win7 For Devs Fund Search
1 Win7 For Devs Fund Search1 Win7 For Devs Fund Search
1 Win7 For Devs Fund Search
 
Overview of asp .net
Overview of asp .netOverview of asp .net
Overview of asp .net
 
Decoder Open Research Webinar
Decoder Open Research WebinarDecoder Open Research Webinar
Decoder Open Research Webinar
 
Lecture 1 dev_environment
Lecture 1 dev_environmentLecture 1 dev_environment
Lecture 1 dev_environment
 
Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?
 
report_barc
report_barcreport_barc
report_barc
 
Windows 8 and Phone App Development
Windows 8 and Phone App DevelopmentWindows 8 and Phone App Development
Windows 8 and Phone App Development
 
Analysis and Exploiting Windows and Linux Security
Analysis and Exploiting Windows and Linux SecurityAnalysis and Exploiting Windows and Linux Security
Analysis and Exploiting Windows and Linux Security
 
Inptools Manual
Inptools ManualInptools Manual
Inptools Manual
 
Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?Why is .Net Technology Recognised for Software Development?
Why is .Net Technology Recognised for Software Development?
 
Introduction to Software Build Technology
Introduction to Software Build TechnologyIntroduction to Software Build Technology
Introduction to Software Build Technology
 
01 intro to programming in .net
01 intro to programming in .net01 intro to programming in .net
01 intro to programming in .net
 
Lecture 1 dev_environment
Lecture 1 dev_environmentLecture 1 dev_environment
Lecture 1 dev_environment
 
What's new in p2 (2009)?
What's new in p2 (2009)?What's new in p2 (2009)?
What's new in p2 (2009)?
 
(WPF + WinForms) * .NET Core = Modern Desktop
(WPF + WinForms) * .NET Core = Modern Desktop(WPF + WinForms) * .NET Core = Modern Desktop
(WPF + WinForms) * .NET Core = Modern Desktop
 
CRAXweb: Automatic Exploit Generation for Web Applications
CRAXweb: Automatic Exploit Generation for Web ApplicationsCRAXweb: Automatic Exploit Generation for Web Applications
CRAXweb: Automatic Exploit Generation for Web Applications
 
Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
Windows Offender: Reverse Engineering Windows Defender's Antivirus EmulatorWindows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
 
Overview of .Net Framework
Overview of .Net FrameworkOverview of .Net Framework
Overview of .Net Framework
 
Event Driven programming(ch1 and ch2).pdf
Event Driven programming(ch1 and ch2).pdfEvent Driven programming(ch1 and ch2).pdf
Event Driven programming(ch1 and ch2).pdf
 

More from Marcus Botacin

Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Marcus Botacin
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareMarcus Botacin
 
GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?Marcus Botacin
 
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About AntivirusesMarcus Botacin
 
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change![Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!Marcus Botacin
 
Hardware-accelerated security monitoring
Hardware-accelerated security monitoringHardware-accelerated security monitoring
Hardware-accelerated security monitoringMarcus Botacin
 
How do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guideHow do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guideMarcus Botacin
 
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022Marcus Botacin
 
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários ExecutáveisExtraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários ExecutáveisMarcus Botacin
 
On the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel ApproachesOn the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel ApproachesMarcus Botacin
 
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...Marcus Botacin
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareMarcus Botacin
 
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...Marcus Botacin
 
Integridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomwareIntegridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomwareMarcus Botacin
 
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...Marcus Botacin
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesMarcus Botacin
 
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...Marcus Botacin
 
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?Marcus Botacin
 
Towards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyTowards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyMarcus Botacin
 

More from Marcus Botacin (20)

Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
 
GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?
 
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
 
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change![Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
 
Hardware-accelerated security monitoring
Hardware-accelerated security monitoringHardware-accelerated security monitoring
Hardware-accelerated security monitoring
 
How do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guideHow do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guide
 
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
 
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários ExecutáveisExtraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
 
On the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel ApproachesOn the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel Approaches
 
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
 
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
 
Integridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomwareIntegridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomware
 
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software Repositories
 
UMLsec
UMLsecUMLsec
UMLsec
 
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
 
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
 
Towards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyTowards Malware Decompilation and Reassembly
Towards Malware Decompilation and Reassembly
 

Recently uploaded

GFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptxGFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptxAleenaTreesaSaji
 
Types of different blotting techniques.pptx
Types of different blotting techniques.pptxTypes of different blotting techniques.pptx
Types of different blotting techniques.pptxkhadijarafiq2012
 
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...Sérgio Sacani
 
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...jana861314
 
Natural Polymer Based Nanomaterials
Natural Polymer Based NanomaterialsNatural Polymer Based Nanomaterials
Natural Polymer Based NanomaterialsAArockiyaNisha
 
Bentham & Hooker's Classification. along with the merits and demerits of the ...
Bentham & Hooker's Classification. along with the merits and demerits of the ...Bentham & Hooker's Classification. along with the merits and demerits of the ...
Bentham & Hooker's Classification. along with the merits and demerits of the ...Nistarini College, Purulia (W.B) India
 
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsHubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsSérgio Sacani
 
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...Lokesh Kothari
 
Formation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksFormation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksSérgio Sacani
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...RohitNehra6
 
Physiochemical properties of nanomaterials and its nanotoxicity.pptx
Physiochemical properties of nanomaterials and its nanotoxicity.pptxPhysiochemical properties of nanomaterials and its nanotoxicity.pptx
Physiochemical properties of nanomaterials and its nanotoxicity.pptxAArockiyaNisha
 
G9 Science Q4- Week 1-2 Projectile Motion.ppt
G9 Science Q4- Week 1-2 Projectile Motion.pptG9 Science Q4- Week 1-2 Projectile Motion.ppt
G9 Science Q4- Week 1-2 Projectile Motion.pptMAESTRELLAMesa2
 
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxUnlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxanandsmhk
 
Caco-2 cell permeability assay for drug absorption
Caco-2 cell permeability assay for drug absorptionCaco-2 cell permeability assay for drug absorption
Caco-2 cell permeability assay for drug absorptionPriyansha Singh
 
Grafana in space: Monitoring Japan's SLIM moon lander in real time
Grafana in space: Monitoring Japan's SLIM moon lander in real timeGrafana in space: Monitoring Japan's SLIM moon lander in real time
Grafana in space: Monitoring Japan's SLIM moon lander in real timeSatoshi NAKAHIRA
 
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...anilsa9823
 
A relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfA relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfnehabiju2046
 
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSpermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSarthak Sekhar Mondal
 

Recently uploaded (20)

GFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptxGFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptx
 
Types of different blotting techniques.pptx
Types of different blotting techniques.pptxTypes of different blotting techniques.pptx
Types of different blotting techniques.pptx
 
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
 
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
 
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
 
Natural Polymer Based Nanomaterials
Natural Polymer Based NanomaterialsNatural Polymer Based Nanomaterials
Natural Polymer Based Nanomaterials
 
Bentham & Hooker's Classification. along with the merits and demerits of the ...
Bentham & Hooker's Classification. along with the merits and demerits of the ...Bentham & Hooker's Classification. along with the merits and demerits of the ...
Bentham & Hooker's Classification. along with the merits and demerits of the ...
 
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsHubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
 
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
 
Formation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksFormation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disks
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...
 
CELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdfCELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdf
 
Physiochemical properties of nanomaterials and its nanotoxicity.pptx
Physiochemical properties of nanomaterials and its nanotoxicity.pptxPhysiochemical properties of nanomaterials and its nanotoxicity.pptx
Physiochemical properties of nanomaterials and its nanotoxicity.pptx
 
G9 Science Q4- Week 1-2 Projectile Motion.ppt
G9 Science Q4- Week 1-2 Projectile Motion.pptG9 Science Q4- Week 1-2 Projectile Motion.ppt
G9 Science Q4- Week 1-2 Projectile Motion.ppt
 
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxUnlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
 
Caco-2 cell permeability assay for drug absorption
Caco-2 cell permeability assay for drug absorptionCaco-2 cell permeability assay for drug absorption
Caco-2 cell permeability assay for drug absorption
 
Grafana in space: Monitoring Japan's SLIM moon lander in real time
Grafana in space: Monitoring Japan's SLIM moon lander in real timeGrafana in space: Monitoring Japan's SLIM moon lander in real time
Grafana in space: Monitoring Japan's SLIM moon lander in real time
 
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
 
A relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfA relative description on Sonoporation.pdf
A relative description on Sonoporation.pdf
 
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatidSpermiogenesis or Spermateleosis or metamorphosis of spermatid
Spermiogenesis or Spermateleosis or metamorphosis of spermatid
 

Windows Kernel & Driver Development

  • 1. Introduction Windows Kernel Conclusions Windows Kernel & Driver Development Marcus Botacin1 1Informatics - Federal University of Parana (UFPR) - Brazil mfbotacin@inf.ufpr.br November 2018 Windows Kernel & Driver Development FAU @ Erlangen
  • 2. Introduction Windows Kernel Conclusions Agenda 1 Introduction 2 Windows Kernel 3 Conclusions Windows Kernel & Driver Development FAU @ Erlangen
  • 3. Introduction Windows Kernel Conclusions Agenda 1 Introduction 2 Windows Kernel 3 Conclusions Windows Kernel & Driver Development FAU @ Erlangen
  • 4. Introduction Windows Kernel Conclusions About Me Malware Analyst (2012) BsC. Computer Engineer @ UNICAMP (2015) Sandbox Development MsC. Computer Science @ UNICAMP (2017) Hardware-Assisted Malware Analysis PhD. Computer Science @ UFPR (Present) Hardware-Assisted Malware Detection AntiVirus Evaluation Future Threats Contextual and Social Malware effects Windows Kernel & Driver Development FAU @ Erlangen
  • 5. Introduction Windows Kernel Conclusions Windows Model: Kernel Entering Figure: https://blogs.msdn.microsoft.com/hanybarakat/2007/ 02/25/deeper-into-windows-architecture/ Windows Kernel & Driver Development FAU @ Erlangen
  • 6. Introduction Windows Kernel Conclusions Function Prototypes: Multiple Contexts Wrapper 1 HANDLE OpenProcess ( 2 DWORD dwDesiredAccess , 3 BOOL bInheritHandle , 4 DWORD dwProcessId ) ; Complete Version 1 k e r n e l e n t r y NTSYSCALLAPI NTSTATUS NtOpenProcess ( 2 PHANDLE ProcessHandle , 3 ACCESS MASK DesiredAccess , 4 POBJECT ATTRIBUTES ObjectAttributes , 5 PCLIENT ID C l i e n t I d ) ; Windows Kernel & Driver Development FAU @ Erlangen
  • 7. Introduction Windows Kernel Conclusions Functions: Undocumented things Figure: http://undocumented.ntinternals.net/ Windows Kernel & Driver Development FAU @ Erlangen
  • 8. Introduction Windows Kernel Conclusions 64-bit Windows Kernel Patch Protection (KPP). Driver Signing. Session Isolation. API Changes (Ex versions) Windows Kernel & Driver Development FAU @ Erlangen
  • 9. Introduction Windows Kernel Conclusions Agenda 1 Introduction 2 Windows Kernel 3 Conclusions Windows Kernel & Driver Development FAU @ Erlangen
  • 10. Introduction Windows Kernel Conclusions Requirements VCC + WDK You don’t need Visual Studio but You need Visual Studio SysInternals (DebugView) Windows Kernel & Driver Development FAU @ Erlangen
  • 11. Introduction Windows Kernel Conclusions Basics Driver Models: FileFilter, WDK & NDIS. Basics: Loading and Unloading. Debugging: Printing debug messages. Windows Kernel & Driver Development FAU @ Erlangen
  • 12. Introduction Windows Kernel Conclusions Userland Interaction Loading Driver Object as a file. Writing IO routines. Windows Kernel & Driver Development FAU @ Erlangen
  • 13. Introduction Windows Kernel Conclusions First Time Low Level Privileged instructions with intrinsics. Windows Kernel & Driver Development FAU @ Erlangen
  • 14. Introduction Windows Kernel Conclusions Monitoring My First Process Callback. Windows Kernel & Driver Development FAU @ Erlangen
  • 15. Introduction Windows Kernel Conclusions Agenda 1 Introduction 2 Windows Kernel 3 Conclusions Windows Kernel & Driver Development FAU @ Erlangen
  • 16. Introduction Windows Kernel Conclusions References: Books Figure: https://blogs.msdn.microsoft.com/microsoft_press/2017/05/ 09/new-book-windows-internals-seventh-edition-part-1/ Windows Kernel & Driver Development FAU @ Erlangen
  • 17. Introduction Windows Kernel Conclusions References: Books Figure: https://www.amazon.com/ Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319 Windows Kernel & Driver Development FAU @ Erlangen
  • 18. Introduction Windows Kernel Conclusions References: Papers Who watches the watchmen: A security-focused review on current state-of-the-art techniques, tools and methods for systems and binary analysis on modern platforms—ACM Computing Surveys. Enhancing Branch Monitoring for Security Purposes: From Control Flow Integrity to Malware Analysis and Debugging—ACM Transactions on Privacy and Security. Windows Sandbox → The other guys: automated analysis of marginalized malware—Journal of Computer Virology and Hacking techniques. Windows Kernel & Driver Development FAU @ Erlangen
  • 19. Introduction Windows Kernel Conclusions Conclusions Thanks Thanks Tilo for hosting me. Thanks CTF guys for inviting me. Open to hear your questions. Contact mfbotacin@inf.ufpr.br https://github.com/marcusbotacin Windows Kernel & Driver Development FAU @ Erlangen