Abstract image of a woman sitting on books and studying on a laptop

Windows Kernel & Driver Development

Marcus Botacin, profile picture
Marcus Botacin

The document discusses Windows kernel and driver development. It begins with introductions and an overview of the Windows kernel model. The presenter then discusses various topics related to Windows kernel and driver development like driver models, loading and debugging drivers, userland interaction, privileged instructions, and process monitoring. The document concludes by thanking the host and mentioning references like books and papers for further reading.

Science
1 of 19
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Introduction Windows Kernel Conclusions Windows Kernel & Driver Development Marcus Botacin1 1Informatics - Federal University of Parana (UFPR) - Brazil mfbotacin@inf.ufpr.br November 2018 Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Agenda 1 Introduction 2 Windows Kernel 3 Conclusions Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Agenda 1 Introduction 2 Windows Kernel 3 Conclusions Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions About Me Malware Analyst (2012) BsC. Computer Engineer @ UNICAMP (2015) Sandbox Development MsC. Computer Science @ UNICAMP (2017) Hardware-Assisted Malware Analysis PhD. Computer Science @ UFPR (Present) Hardware-Assisted Malware Detection AntiVirus Evaluation Future Threats Contextual and Social Malware effects Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Windows Model: Kernel Entering Figure: https://blogs.msdn.microsoft.com/hanybarakat/2007/ 02/25/deeper-into-windows-architecture/ Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Function Prototypes: Multiple Contexts Wrapper 1 HANDLE OpenProcess ( 2 DWORD dwDesiredAccess , 3 BOOL bInheritHandle , 4 DWORD dwProcessId ) ; Complete Version 1 k e r n e l e n t r y NTSYSCALLAPI NTSTATUS NtOpenProcess ( 2 PHANDLE ProcessHandle , 3 ACCESS MASK DesiredAccess , 4 POBJECT ATTRIBUTES ObjectAttributes , 5 PCLIENT ID C l i e n t I d ) ; Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Functions: Undocumented things Figure: http://undocumented.ntinternals.net/ Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions 64-bit Windows Kernel Patch Protection (KPP). Driver Signing. Session Isolation. API Changes (Ex versions) Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Agenda 1 Introduction 2 Windows Kernel 3 Conclusions Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Requirements VCC + WDK You don’t need Visual Studio but You need Visual Studio SysInternals (DebugView) Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Basics Driver Models: FileFilter, WDK & NDIS. Basics: Loading and Unloading. Debugging: Printing debug messages. Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Userland Interaction Loading Driver Object as a file. Writing IO routines. Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions First Time Low Level Privileged instructions with intrinsics. Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Monitoring My First Process Callback. Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Agenda 1 Introduction 2 Windows Kernel 3 Conclusions Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions References: Books Figure: https://blogs.msdn.microsoft.com/microsoft_press/2017/05/ 09/new-book-windows-internals-seventh-edition-part-1/ Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions References: Books Figure: https://www.amazon.com/ Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319 Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions References: Papers Who watches the watchmen: A security-focused review on current state-of-the-art techniques, tools and methods for systems and binary analysis on modern platforms—ACM Computing Surveys. Enhancing Branch Monitoring for Security Purposes: From Control Flow Integrity to Malware Analysis and Debugging—ACM Transactions on Privacy and Security. Windows Sandbox → The other guys: automated analysis of marginalized malware—Journal of Computer Virology and Hacking techniques. Windows Kernel & Driver Development FAU @ Erlangen
Introduction Windows Kernel Conclusions Conclusions Thanks Thanks Tilo for hosting me. Thanks CTF guys for inviting me. Open to hear your questions. Contact mfbotacin@inf.ufpr.br https://github.com/marcusbotacin Windows Kernel & Driver Development FAU @ Erlangen

More Related Content

DOC
yogi
yoganand Doravari
 
PDF
Back to basics - PHPUnit
Sebastian Marek
 
PDF
30+ Nexus Integrations to Accelerate DevOps
Sonatype
 
PPTX
Cool .NET tools, techniques and libraries
Greg Sohl
 
PPTX
CI adventures in .NET
Serhiy Kalinets
 
PPT
Icsm2009 adams ph_d
SAIL_QU
 
PPTX
Test Driven Development
Software Infrastructure
 
PDF
Windows 2000 Performance Guide 1st Edition Mark Friedman
climechinie5
 
yogi
yoganand Doravari
 
Back to basics - PHPUnit
Sebastian Marek
 
30+ Nexus Integrations to Accelerate DevOps
Sonatype
 
Cool .NET tools, techniques and libraries
Greg Sohl
 
CI adventures in .NET
Serhiy Kalinets
 
Icsm2009 adams ph_d
SAIL_QU
 
Test Driven Development
Software Infrastructure
 
Windows 2000 Performance Guide 1st Edition Mark Friedman
climechinie5
 

Similar to Windows Kernel & Driver Development (20)

PDF
Explaining the WinBuilder framework
Nuno Brito
 
PDF
Modern IoT and Embedded Linux Deployment - Berlin
Djalal Harouni
 
PPTX
1 Win7 For Devs Fund Search
llangit
 
PPT
Overview of asp .net
Sajan Sahu
 
PDF
Decoder Open Research Webinar
Decoder Project
 
PPTX
Lecture 1 dev_environment
moduledesign
 
PDF
Why is .Net Technology Recognised for Software Development?
LOGINPHP360
 
DOC
report_barc
siontani
 
PPTX
Windows 8 and Phone App Development
Paul Gower
 
ODP
Analysis and Exploiting Windows and Linux Security
Shubham Dubey
 
PDF
Inptools Manual
Mawar 99
 
PPTX
Why is .Net Technology Recognised for Software Development?
LOGINPHP360
 
PPT
Introduction to Software Build Technology
Philip Johnson
 
PPTX
01 intro to programming in .net
Felisha Hosein
 
PPTX
Lecture 1 dev_environment
moduledesign
 
PPT
What's new in p2 (2009)?
Pascal Rapicault
 
PPTX
(WPF + WinForms) * .NET Core = Modern Desktop
Claire Novotny
 
PDF
CRAXweb: Automatic Exploit Generation for Web Applications
Aung Thu Rha Hein
 
PDF
Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
Priyanka Aash
 
PDF
Programming Microsoft SQL Server 2000 with Microsoft Visual Basic NET 1st edi...
qocqttfwy174
 
Explaining the WinBuilder framework
Nuno Brito
 
Modern IoT and Embedded Linux Deployment - Berlin
Djalal Harouni
 
1 Win7 For Devs Fund Search
llangit
 
Overview of asp .net
Sajan Sahu
 
Decoder Open Research Webinar
Decoder Project
 
Lecture 1 dev_environment
moduledesign
 
Why is .Net Technology Recognised for Software Development?
LOGINPHP360
 
report_barc
siontani
 
Windows 8 and Phone App Development
Paul Gower
 
Analysis and Exploiting Windows and Linux Security
Shubham Dubey
 
Inptools Manual
Mawar 99
 
Why is .Net Technology Recognised for Software Development?
LOGINPHP360
 
Introduction to Software Build Technology
Philip Johnson
 
01 intro to programming in .net
Felisha Hosein
 
Lecture 1 dev_environment
moduledesign
 
What's new in p2 (2009)?
Pascal Rapicault
 
(WPF + WinForms) * .NET Core = Modern Desktop
Claire Novotny
 
CRAXweb: Automatic Exploit Generation for Web Applications
Aung Thu Rha Hein
 
Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
Priyanka Aash
 
Programming Microsoft SQL Server 2000 with Microsoft Visual Basic NET 1st edi...
qocqttfwy174
 
Ad

More from Marcus Botacin (20)

PDF
Cross-Regional Malware Detection via Model Distilling and Federated Learning
Marcus Botacin
 
PDF
What do malware analysts want from academia? A survey on the state-of-the-pra...
Marcus Botacin
 
PDF
GPThreats: Fully-automated AI-generated malware and its security risks
Marcus Botacin
 
PDF
[Texas A&M University] Research @ Botacin's Lab
Marcus Botacin
 
PDF
Pilares da Segurança e Chaves criptográficas
Marcus Botacin
 
PDF
Machine Learning by Examples - Marcus Botacin - TAMU 2024
Marcus Botacin
 
PDF
Near-memory & In-Memory Detection of Fileless Malware
Marcus Botacin
 
PDF
GPThreats-3: Is Automated Malware Generation a Threat?
Marcus Botacin
 
PDF
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
Marcus Botacin
 
PDF
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
Marcus Botacin
 
PDF
Hardware-accelerated security monitoring
Marcus Botacin
 
PDF
How do we detect malware? A step-by-step guide
Marcus Botacin
 
PDF
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Marcus Botacin
 
PDF
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Marcus Botacin
 
PDF
On the Malware Detection Problem: Challenges & Novel Approaches
Marcus Botacin
 
PDF
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
Marcus Botacin
 
PDF
Near-memory & In-Memory Detection of Fileless Malware
Marcus Botacin
 
PDF
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Marcus Botacin
 
PDF
Integridade, confidencialidade, disponibilidade, ransomware
Marcus Botacin
 
PDF
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
Marcus Botacin
 
Cross-Regional Malware Detection via Model Distilling and Federated Learning
Marcus Botacin
 
What do malware analysts want from academia? A survey on the state-of-the-pra...
Marcus Botacin
 
GPThreats: Fully-automated AI-generated malware and its security risks
Marcus Botacin
 
[Texas A&M University] Research @ Botacin's Lab
Marcus Botacin
 
Pilares da Segurança e Chaves criptográficas
Marcus Botacin
 
Machine Learning by Examples - Marcus Botacin - TAMU 2024
Marcus Botacin
 
Near-memory & In-Memory Detection of Fileless Malware
Marcus Botacin
 
GPThreats-3: Is Automated Malware Generation a Threat?
Marcus Botacin
 
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
Marcus Botacin
 
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
Marcus Botacin
 
Hardware-accelerated security monitoring
Marcus Botacin
 
How do we detect malware? A step-by-step guide
Marcus Botacin
 
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Marcus Botacin
 
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Marcus Botacin
 
On the Malware Detection Problem: Challenges & Novel Approaches
Marcus Botacin
 
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
Marcus Botacin
 
Near-memory & In-Memory Detection of Fileless Malware
Marcus Botacin
 
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Marcus Botacin
 
Integridade, confidencialidade, disponibilidade, ransomware
Marcus Botacin
 
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
Marcus Botacin
 
Ad

Recently uploaded (20)

PPTX
2currentelectricity1-201006102815 (1).pptx
faisalahemd13
 
PPTX
Understanding the Circulatory System……..
Sibongokuhle1
 
PPTX
Presentation1 INTRODUCTION TO ENZYMES.pptx
JIBY2
 
PDF
Social preventive and pharmacy. Pdf
HarshithaK71
 
PPTX
Introcution to Microbes Burton's Biology for the Health
fliwertyfw154
 
PDF
5.Physics 8-WBS_Light.pdfFHDGJDJHFGHJHFTY
LynetteGaniron1
 
PPTX
GREEN FIELDS SCHOOL PPT ON HOLIDAY HOMEWORK
GandharvaVerma
 
PDF
BET Eukaryotic signal Transduction BET Eukaryotic signal Transduction.pdf
enreddy1
 
PPT
Enhancing Laboratory Quality Through ISO 15189 Compliance
mdsgift
 
PDF
Integrative Oncology: Merging Conventional and Alternative Approaches (www.k...
publication11
 
PPTX
Substance Disorders- part different drugs change body
NizaAnne
 
PDF
CuO Nps photocatalysts 15156456551564161
hnamazovna2020
 
PPTX
perinatal infections 2-171220190027.pptx
PoojithaPotnuru1
 
PPT
Cell Structure Description and Functions
nctpcctv
 
PDF
Is Earendel a Star Cluster?: Metal-poor Globular Cluster Progenitors at z ∼ 6
Sérgio Sacani
 
PPTX
A powerpoint on colorectal cancer with brief background
lilmiceman
 
PPTX
gene cloning powerpoint for general biology 2
G17RodriguezJanelleA
 
PPTX
Platelet disorders - thrombocytopenia.pptx
AnnaMarie531858
 
PDF
GROUP 2 ORIGINAL PPT. pdf Hhfiwhwifhww0ojuwoadwsfjofjwsofjw
jjsaplad10
 
PDF
7.Physics_8_WBS_Electricity.pdfXFGXFDHFHG
LynetteGaniron1
 
2currentelectricity1-201006102815 (1).pptx
faisalahemd13
 
Understanding the Circulatory System……..
Sibongokuhle1
 
Presentation1 INTRODUCTION TO ENZYMES.pptx
JIBY2
 
Social preventive and pharmacy. Pdf
HarshithaK71
 
Introcution to Microbes Burton's Biology for the Health
fliwertyfw154
 
5.Physics 8-WBS_Light.pdfFHDGJDJHFGHJHFTY
LynetteGaniron1
 
GREEN FIELDS SCHOOL PPT ON HOLIDAY HOMEWORK
GandharvaVerma
 
BET Eukaryotic signal Transduction BET Eukaryotic signal Transduction.pdf
enreddy1
 
Enhancing Laboratory Quality Through ISO 15189 Compliance
mdsgift
 
Integrative Oncology: Merging Conventional and Alternative Approaches (www.k...
publication11
 
Substance Disorders- part different drugs change body
NizaAnne
 
CuO Nps photocatalysts 15156456551564161
hnamazovna2020
 
perinatal infections 2-171220190027.pptx
PoojithaPotnuru1
 
Cell Structure Description and Functions
nctpcctv
 
Is Earendel a Star Cluster?: Metal-poor Globular Cluster Progenitors at z ∼ 6
Sérgio Sacani
 
A powerpoint on colorectal cancer with brief background
lilmiceman
 
gene cloning powerpoint for general biology 2
G17RodriguezJanelleA
 
Platelet disorders - thrombocytopenia.pptx
AnnaMarie531858
 
GROUP 2 ORIGINAL PPT. pdf Hhfiwhwifhww0ojuwoadwsfjofjwsofjw
jjsaplad10
 
7.Physics_8_WBS_Electricity.pdfXFGXFDHFHG
LynetteGaniron1
 

Windows Kernel & Driver Development

  • 1. Introduction Windows Kernel Conclusions Windows Kernel & Driver Development Marcus Botacin1 1Informatics - Federal University of Parana (UFPR) - Brazil mfbotacin@inf.ufpr.br November 2018 Windows Kernel & Driver Development FAU @ Erlangen
  • 2. Introduction Windows Kernel Conclusions Agenda 1 Introduction 2 Windows Kernel 3 Conclusions Windows Kernel & Driver Development FAU @ Erlangen
  • 3. Introduction Windows Kernel Conclusions Agenda 1 Introduction 2 Windows Kernel 3 Conclusions Windows Kernel & Driver Development FAU @ Erlangen
  • 4. Introduction Windows Kernel Conclusions About Me Malware Analyst (2012) BsC. Computer Engineer @ UNICAMP (2015) Sandbox Development MsC. Computer Science @ UNICAMP (2017) Hardware-Assisted Malware Analysis PhD. Computer Science @ UFPR (Present) Hardware-Assisted Malware Detection AntiVirus Evaluation Future Threats Contextual and Social Malware effects Windows Kernel & Driver Development FAU @ Erlangen
  • 5. Introduction Windows Kernel Conclusions Windows Model: Kernel Entering Figure: https://blogs.msdn.microsoft.com/hanybarakat/2007/ 02/25/deeper-into-windows-architecture/ Windows Kernel & Driver Development FAU @ Erlangen
  • 6. Introduction Windows Kernel Conclusions Function Prototypes: Multiple Contexts Wrapper 1 HANDLE OpenProcess ( 2 DWORD dwDesiredAccess , 3 BOOL bInheritHandle , 4 DWORD dwProcessId ) ; Complete Version 1 k e r n e l e n t r y NTSYSCALLAPI NTSTATUS NtOpenProcess ( 2 PHANDLE ProcessHandle , 3 ACCESS MASK DesiredAccess , 4 POBJECT ATTRIBUTES ObjectAttributes , 5 PCLIENT ID C l i e n t I d ) ; Windows Kernel & Driver Development FAU @ Erlangen
  • 7. Introduction Windows Kernel Conclusions Functions: Undocumented things Figure: http://undocumented.ntinternals.net/ Windows Kernel & Driver Development FAU @ Erlangen
  • 8. Introduction Windows Kernel Conclusions 64-bit Windows Kernel Patch Protection (KPP). Driver Signing. Session Isolation. API Changes (Ex versions) Windows Kernel & Driver Development FAU @ Erlangen
  • 9. Introduction Windows Kernel Conclusions Agenda 1 Introduction 2 Windows Kernel 3 Conclusions Windows Kernel & Driver Development FAU @ Erlangen
  • 10. Introduction Windows Kernel Conclusions Requirements VCC + WDK You don’t need Visual Studio but You need Visual Studio SysInternals (DebugView) Windows Kernel & Driver Development FAU @ Erlangen
  • 11. Introduction Windows Kernel Conclusions Basics Driver Models: FileFilter, WDK & NDIS. Basics: Loading and Unloading. Debugging: Printing debug messages. Windows Kernel & Driver Development FAU @ Erlangen
  • 12. Introduction Windows Kernel Conclusions Userland Interaction Loading Driver Object as a file. Writing IO routines. Windows Kernel & Driver Development FAU @ Erlangen
  • 13. Introduction Windows Kernel Conclusions First Time Low Level Privileged instructions with intrinsics. Windows Kernel & Driver Development FAU @ Erlangen
  • 14. Introduction Windows Kernel Conclusions Monitoring My First Process Callback. Windows Kernel & Driver Development FAU @ Erlangen
  • 15. Introduction Windows Kernel Conclusions Agenda 1 Introduction 2 Windows Kernel 3 Conclusions Windows Kernel & Driver Development FAU @ Erlangen
  • 16. Introduction Windows Kernel Conclusions References: Books Figure: https://blogs.msdn.microsoft.com/microsoft_press/2017/05/ 09/new-book-windows-internals-seventh-edition-part-1/ Windows Kernel & Driver Development FAU @ Erlangen
  • 17. Introduction Windows Kernel Conclusions References: Books Figure: https://www.amazon.com/ Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319 Windows Kernel & Driver Development FAU @ Erlangen
  • 18. Introduction Windows Kernel Conclusions References: Papers Who watches the watchmen: A security-focused review on current state-of-the-art techniques, tools and methods for systems and binary analysis on modern platforms—ACM Computing Surveys. Enhancing Branch Monitoring for Security Purposes: From Control Flow Integrity to Malware Analysis and Debugging—ACM Transactions on Privacy and Security. Windows Sandbox → The other guys: automated analysis of marginalized malware—Journal of Computer Virology and Hacking techniques. Windows Kernel & Driver Development FAU @ Erlangen
  • 19. Introduction Windows Kernel Conclusions Conclusions Thanks Thanks Tilo for hosting me. Thanks CTF guys for inviting me. Open to hear your questions. Contact mfbotacin@inf.ufpr.br https://github.com/marcusbotacin Windows Kernel & Driver Development FAU @ Erlangen