Agenda

Part 1: Debug environment

• VMWare
• WinDbg
• Ghidra
• ret-sync
• Visual Studio
• Lab: Debug environment setup

Part 2: Binary diffing Microsoft updates

• Tools of the trade
• Efficient use of the IDA/Ghidra decompiler to analyze the root cause
• Lab: Basic binary diffing

Part 3: Kernel Transaction Manager (KTM) basics

• KTM objects and APIs
• KTM internals
• Use of public tools for finding data
• Lab: KTM experimentation

Part 4: Understanding CVE-2018-8611

• Root cause vs effect
• Planning exploitation strategy
• Tools of the trade
• Lab: Better binary diffing
• Lab: Reaching vulnerable code
• Lab: Triggering CVE-2018-8611 in a debugger

Part 5: Exploitation techniques

• Bypassing mitigations
• Windows non-paged pool manipulation
• Lab: Bad vs good feng shui
• Lab: Getting controlled UAF in a debugger

Part 6: More exploitation techniques

• Winning the race without a debugger
• Exploitation strategies
• Lab: Debugging tricks and race win detection
• Lab: Discovering a kernel leak
• Lab: Restoring cleaned execution

Part 7: How to escalate privileges

• Write primitive and privilege escalation strategy
• Lab: Arbitrary read and write primitives with write 0 and PreviousMode primitive
• Lab: Privilege escalation
• Arbitrary increment primitive and PreviousMode limitations
• Lab: Arbitrary read and write primitives with increment primitive

Pre-requisites

• Comfortable with x86/x64 assembly and reversing it
• C knowledge (reading/writing)
• Comfortable with disassemblers/decompilers (IDA, Ghidra, etc) and debuggers (WinDbg, x64dbg, gdb, etc)
• Familiarity with memory corruption exploitation on any OS
• Windows kernel internals basic knowledge

Hardware/Software Requirements

• Base OS: Windows (recommended) or Linux
• VMware virtualisation software
• At least 80GB of free disk space
• At least 8GB of RAM
• 2 VMs will be provided: debugger/development VM and target/vulnerable VM (the host can be used instead of the debugger VM if Windows-based)