Kernel Karnage – Part 6 (Last Call)

With the release of this blogpost, we’re past the halfway point of my internship; time flies when you’re having fun. 1. Introduction - Status Report In the course of these 6 weeks, I’ve covered several aspects of kernel drivers and EDR/AVs kernel mechanisms. I started off strong by examining kernel callbacks and why EDR/AV products …

Kernel Karnage – Part 5 (I/O & Callbacks)

After showing interceptor's options, it’s time to continue coding! On the menu are registry callbacks, doubly linked lists and a struggle with I/O in native C. 1. Interceptor 2.0 Until now, I relied on the Evil driver to patch kernel callbacks while I attempted to tackle $vendor2, however the Evil driver only implements patching for …

Kernel Karnage – Part 4 (Inter(ceptor)mezzo)

To make up for the long wait between parts 2 and 3, we're releasing another blog post this week. Part 4 is a bit smaller than the others, an intermezzo between parts 3 and 5 if you will, discussing interceptor. 1. RTFM & W(rite)TFM! The past few weeks I spent a lot of time getting …

Kernel Karnage – Part 3 (Challenge Accepted)

While I was cruising along, taking in the views of the kernel landscape, I received a challenge … 1. Player 2 has entered the game The past weeks I mostly experimented with existing tooling and got acquainted with the basics of kernel driver development. I managed to get a quick win versus $vendor1 but that …

Kernel Karnage – Part 1

I start the first week of my internship in true spooktober fashion as I dive into a daunting subject that’s been scaring me for some time now: The Windows Kernel. 1. KdPrint(“Hello, world!\n”); When I finished my previous internship, which was focused on bypassing Endpoint Detection and Response (EDR) software and Anti-Virus (AV) software from …

All aboard the internship – whispering past defenses and sailing into kernel space

Previously, we have already published Sander's (@cerbersec) internship testimony. Since this post does not really contain any juicy technical details and Sander has done a terrific job putting together a walkthrough of his process, we thought it would be a waste not to highlight his previous posts again. In Part 1, Sander explains how he …