Overview
Syllabus
Intro
What Is This Talk About?
Windows Rootkits: An Overview
Example: Treatment by Anti-Virus
Abuse Legitimate Drivers
Just Buy a Certificate!
Abuse Leaked Certificates
Beacon Out to a C2
Open a Port
Application-Specific Hooking
Choosing a Communication Method
Abusing Legitimate Communication
Hooking the Windows Winsock Driver
Standard Methods of Intercepting IRPs
Hook a Driver's Dispatch Function
Abusing the Network
Parsing Packets: Design
Parsing Packets: Pre-Processing
Parsing Packets: Processing
Parsing Packets: Dispatching
Packet Handlers: XorPacketHandler
Executing Commands: User-mode
Executing Commands: Kernel-mode
Introduction to Mini-Filters
Become a Mini-Filter
Hook a Mini-Filter: Code Hook
Example: Abusing a Mini-Filter
Taught by
Black Hat