Kernel Mode Threats and Practical Defenses

Conference:  BlackHat USA 2018



The presentation discusses the evolution of Windows kernel security and the red team's offensive kernel-mode tradecraft.
  • Windows kernel security has improved over time in response to threats, but there are still gaps that need to be addressed
  • The red team conducted internal red vs. blue exercises to test their product and skills
  • The red team decided to up their game by using kernel mode techniques to evade detection
  • They used turlet driver loader to drop a VirtualBox driver and execute shellcode in kernel mode
  • The implant design had high-level goals of being kernel mode only, trigger oral inbound, and fully stealthy
  • They used wind socket kernel to enable kernel mode network sockets
The speaker shared their experience of starting from scratch in kernel development and the importance of having a good debugging setup to quickly triage blue screens


Recent advancements in OS security from Microsoft such as PatchGuard, Driver Signature Enforcement, and SecureBoot have helped curtail once-widespread commodity kernel mode malware such as TDL4 and ZeroAccess. However, advanced attackers have found ways of evading these protections and continue to leverage kernel mode malware to stay one step ahead of the defenders. We will examine the techniques from malware such as DoublePulsar, SlingShot, and Turla that help attackers evade endpoint defenses. We will also reveal a novel method to execute a fully kernel mode implant without hitting disk or being detected by security products. The method builds on publicly available tools which makes it easily within grasp of novice adversaries. While attacker techniques have evolved to evade endpoint protections, the current state of the art in kernel malware detection has also advanced to hinder these new kernel mode threats. We will discuss these new defensive techniques to counter kernel mode threats, including real-time detection techniques that leverage hypervisors along with an innovative hardware assisted approach that utilizes performance monitoring units. In addition, we will discuss on-demand techniques that leverage page table entry remapping to hunt for kernel malware at scale. To give defenders a leg up, we will release a tool that is effective at thwarting advanced kernel mode threats. Kernel mode threats will only continue to grow in prominence and impact. This talk will provide both the latest attacker techniques in this area, and a new tool to curtail these attacks, proving real-world strategies for immediate implementation.