You know what really grinds my gears? Having everything thought out for a red team action, and then being detected by modern EDR. Especially when simulating APTs and staying unobtrusive in the network for extended periods of time. Over the years we’ve moved from PowerShell one-liners to LOLBINS, from LOLBINS to C#-malware, and finally we’ve utilised direct syscalls. Somehow it still feels like modern EDR is chewing the scenery.
Kernel driver abuse is an existing but less well-known technique that offers an opportunity to remain undetected while infiltrating organisations for extended periods of time. For example, InvisiMole actively abuses BYOVD in the war in Ukraine. If you manage to load or exploit a kernel driver, nothing but relaxation awaits you, with a beer in your left hand and your C2 in your right. But loading or exploiting one poses several technical challenges, apart from all the knowledge required to work with kernel drivers. Obtaining that knowledge seems difficult. However, the road to kernel driver exploitation is not that long.
This lab is for those who’ve heard about the Windows Kernel and want to learn more about it. We’ll dive into the concepts of computer architecture, drivers, user and kernel mode, and kernel exploits. The best part is that you’ll learn to exploit and develop your first malicious kernel driver.
For this lab, you will need:
- Windows 10 VM
- Sysinternals Suite (https://download.sysinternals.com/files/SysinternalsSuite.zip)
- WinDBG (https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools)
- Visual Studio Build Tools to compile C code. Select “Desktop Development with C++” on installation (https://visualstudio.microsoft.com/downloads/?q=build+tools#tools-for-visual-studio-2022-family)
- IDA free (https://hex-rays.com/ida-free/#download)