Preparing for Windows Internals for Security Engineers

In mid-May I have the honor of participating in the 4-day Windows Internals training at OffensiveCon. Since I want to come prepared, there are some things I will do beforehand. For anyone else going to the training, or wanting to check out its topics, this might come in handy.

General Preparation

I will go with a split process of reading the new Windows Internals books and watching Pavel Yosifovich's Pluralsight videos on Windows 11 (paid content). Both cover the same topics; the books have more depth, but are somewhat harder and more time-consuming to go through.

The videos are very good, but sometimes lack depth on a certain topic. Every time one option gets boring or I find myself not progressing, I switch to the other.

Specific Preparation

After that I go through the description of the training and, for every buzzword I don't know, I will research its contents.

The buzzwords per OS version are:

Windows 11:

  1. GRU bootkits
  2. PLA software supply chain implants
  3. NSA Backdoors
  4. Kernel Data Protection (KDP)
  5. eXtended Control Flow Guard (XFG)
  6. Kernel Control-flow Enforcement Technology (KCET)
  7. System Guard Runtime Assertions
  8. Secure Launch framework (Intel TXT and AMD SKINIT for new DRTM-based attestation)

Windows 10:

  1. Virtual Trust Levels (VTL)
  2. Virtualization Based Security (VBS)
  3. Hypervisor Code Integrity (HVCI)
  4. Kernel Control Flow Guard (KCFG)
  5. Software Guard Extensions (SGX)

Windows 8.1:

  1. Protected Process Light
  2. Custom Code Signing Policies

Windows 8:

  1. AppContainer
  2. Secure Boot

Windows 7:

  1. Object Manager data structures

Resources to the Topics

GRU rootkits seem to be made up, or at least I can't find anything about them. I guess GRU is something Russian... or the (good) villain from Minions. Anyway, it's a rootkit and therefore just kernel malware.

Sadly again, no idea what PLA stands for. But it's about supply chain attacks. I don't see how preparing for that would help me for the course.

NSA backdoors is at least something known. The text goes on to describe the above three as kernel and firmware malware.

My understanding is it's about modified kernels or drivers. Therefore preparing would mean learning about offensive driver development (drivers run in the kernel). I took the course from here.

Also there is a book from Pavel about Windows Kernel Programming, which I will go through.

Next we have Kernel Data Protection (KDP). It is explained here. It is a mechanism to mark parts of kernel and driver memory as read-only data. A copy, or another form of attestation, of the data is held in the hypervisor through VBS (read on for VBS).

For eXtended Control Flow Guard (XFG) a good start is here, followed by that.

The Kernel Control-flow Enforcement Technology (KCET) seems to be very new. I just read about normal CET here to get a basic understanding. It uses a "shadow stack" which holds a copy of all return addresses used by the program. That way it's not possible to overwrite the return address of a function without it being noticed. I would assume that a shadow stack in a hypervisor will do the same for the kernel.

System Guard Runtime Attestation is written about here.

Secure Launch framework seems to be for secure boot. I am not so interested in it, but here is good information.
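Several of the features above (VBS, HVCI, KCET, Secure Launch, and by extension KDP, which depends on VBS running) can be checked on a local machine before the training. The following PowerShell is an added example and not part of the original post. It reads the documented Win32_DeviceGuard WMI class; the numeric-code-to-name mappings and the KernelShadowStacks registry location are my assumptions from Microsoft's documentation and should be verified against the docs for your build.

```powershell
# Added example (not from the original post): report which VBS-backed
# protections are configured and running on this Windows 10/11 machine.
# Run from an elevated PowerShell session for complete results.

function Get-VbsProtectionStatus {
    # Win32_DeviceGuard is the documented WMI class exposing VBS/HVCI state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # Assumed meaning of the numeric codes (taken from Microsoft's docs;
    # verify for your build). VirtualizationBasedSecurityStatus:
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    # SecurityServicesConfigured / SecurityServicesRunning:
    $services = @{
        0 = 'None'
        1 = 'Credential Guard'
        2 = 'HVCI (Hypervisor-protected Code Integrity)'
        3 = 'System Guard Secure Launch'
        4 = 'SMM Firmware Measurement'
        5 = 'Kernel-mode Hardware-enforced Stack Protection (KCET)'
    }

    # Translate a list of service codes into readable names.
    $toNames = {
        param($codes)
        @($codes | ForEach-Object {
            $c = [int]$_
            if ($services.ContainsKey($c)) { $services[$c] } else { "Unknown ($c)" }
        })
    }

    # Assumed registry location for the KCET (kernel shadow stack) opt-in.
    $kcetKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks'
    $kcet = Get-ItemProperty -Path $kcetKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsStatus          = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = & $toNames $dg.SecurityServicesConfigured
        ServicesRunning    = & $toNames $dg.SecurityServicesRunning
        # KDP has no switch of its own here; it is available when VBS is running.
        KdpPossible        = ([int]$dg.VirtualizationBasedSecurityStatus -eq 2)
        KcetRegistryOptIn  = [bool]($kcet -and $kcet.Enabled -eq 1)
        # Secure Boot state from firmware (UEFI only; needs elevation).
        SecureBoot         = try { Confirm-SecureBootUEFI } catch { 'Unavailable' }
    }
}

Get-VbsProtectionStatus | Format-List
```

The useful comparison is ServicesConfigured against ServicesRunning: a service that is configured but not running usually means a hardware or firmware prerequisite (IOMMU, TPM, UEFI Secure Boot, or CET-capable CPU for KCET) is missing, which is exactly the sort of gap a defender wants to know about before assuming HVCI or shadow stacks protect the kernel.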

From here on everything is in the Windows Internals Books, which should be a very good reference.

By @gbaru
Tags: #OffensiveCon, #Windows Internals, #Yarden Shafir