Linux Kernel Attack and Defense

Description

This advanced level course provides comprehensive coverage of the key functional areas of Linux kernel post-exploitation techniques through a practical hands-on approach. It covers techniques used by malicious kernel-mode rootkits to abuse Linux kernel subsystems and their programming interfaces to achieve their goals. It also covers the security functionality and mitigations in the modern Linux kernels.

Attendees learn about low-level access on the x86-64 CPU, code-flow subversion, kernel security mitigations, evasion mechanisms, tampering mechanisms, covert communication, and the tools available to detect malicious kernel-mode activity and identify rootkit artifacts on the system.

In the hands-on labs, attendees implement different components of Linux kernel rootkits as loadable kernel modules (LKMs). Attendees build, deploy, test and debug these LKMs on the latest 64-bit Linux kernel. In addition, attendees use various tools to identify indicators of compromise.

This security-focused course does NOT cover aspects of the Linux kernel that are related to hardware driver development.

Duration

5 days

Target audience

This advanced course is designed for security researchers, malware/rootkit analysts, red-teamers, blue-teamers, and digital forensic analysts working with modern Linux systems.

Learning goals

Upon completion of this course, students should be able to:

  • Identify kernel components and programming interfaces used to compromise a system.
  • Author shellcode that executes in the kernel.
  • Develop Linux kernel modules that provide offensive security functionality.
  • Implement key components of a kernel rootkit.
  • Analyze a Linux system to find and identify malicious activity.
  • Access security-related enhancements in the modern Linux kernel.
  • Configure a Linux system to improve the system's security posture.

Prerequisites

To get the full benefit from this developer-oriented training course, attendees must be:

  • Proficient in the C programming language.
  • Comfortable with Linux command line tools.
  • Familiar with Linux development tools such as gcc and make.
  • Working knowledge of pointers, structures, arrays, linked lists, etc.
  • Familiar with gdb commands.
  • Knowledgeable of Linux kernel internals, kernel module development and debugging.

The Linux Kernel Internals and Development (LKID) course provides the prerequisite knowledge required to get full value from this course.

Technology requirements

  • Virtualization-capable host system running Linux or Windows.
  • Visual Studio Code or any other code editor.
  • VMware Workstation 17.x.
  • Students will be provided with a pre-configured Linux VM.
  • All other software and tools are provided on the first day of class.

Topics

  • Kernel Internals
  • Low Level Access
  • Hooking Mechanisms
  • Kernel Callbacks
  • Kernel Security Mitigations
  • Evasion Techniques
  • Network Communications
  • Network Interception
  • Detection and Case Studies

Please contact us for a detailed list of topics and hands-on lab exercises.