14 - Device and Driver Objects

14 - Device and Driver Objects

14 - Device and Driver Objects

Students will learn the relationship between driver objects and device objects, and how they are used to represent kernel-mode functionality.

EDR Internals – Research & Development

Buy nowLearn more

Course Materials

Labs Deployment Guide

EDR_Research_and_Developmet.pdf

EDR_Internals_Research_and_Development_Labs.pdf2

EDR Research Methodology.pdf

EDR Assessment Report.pdf

Process Injection Poster - 1.pdf

Process Injection Poster - 2.pdf

Module 1: EDR Fundamentals

0 - Introduction to the Course

1 - Introduction to EDR Systems

2 - EDR Architecture

3 - The Static Engine

4 - The Dynamic Engine - Part 1

5 - The Dynamic Engine - Part 2

6 - The Heuristic Engine

7 - MDE Console Introduction

8 - The ATT&CK MITRE Framework

9 - Discovering the Static Engine Scanner Process

10 - Writing a Custom Detection Rule

11 - Windows Internals Overview

12 - The Registry

13 - Introduction to Services

14 - x64 Architecture and Assembly

15 - x64 Calling Convention

16 - Device Drivers

17 - More x64 Assembly

18 - Introduction to ETW

Module 2: EDR Research Methodology and Practical Analysis

1 - Introduction to EDR Research

2 - EDR Research Methodology

3 - OpenEDR Deployment

4 - OpenEDR Research Lead Gathering - Part 1

5 - OpenEDR Research Lead Gathering - Part 2

6 - Dancing with OpenEDR's Anti-Tampering Mechanism - Part 1

7 - Dancing with OpenEDR's Anti-Tampering Mechanism - Part 2

8 - MDE Configuration Overview

9 - Dancing with MDE's (Defender for Enterprise) Anti-Tampering Mechanism - Part 1

10 - Dancing with MDE's (Defender for Enterprise) Anti-Tampering Mechanism - Part 2

11 - EDR Testing Reports Overview - Part 1

12 - EDR Testing Reports Overview - Part 2

13 - EDR Testing Reports Overview - Part 3

14 - MDE EDR Component Reverse Engineering - Part 1

15 - MDE EDR Component Reverse Engineering - Part 2

16 - MDE EDR ETW Analysis using PerfView

17 - MDE EDR PPL Bypass & Reverse Engineering - Part 1

18 - MDE EDR PPL Bypass & Reverse Engineering - Part 2

Module 3: Building EDR: Foundations

1 - EDR Components

2 - Service and Driver Configuration

3 - Service Operation

4- Service Code Demo

5- More on Services

6- General Programming Guidelines

Module 4: Basic Kernel Driver

1 - Kernel Programming Basics

2 - Nt vs. Zw Functions

3 - Functions and Error codes

4 - Strings

5- Dynamic Memory Allocation

6- Dynamic Memory AllocationDemo

7 - Tagging Memory

8 - Driver Installation and Debugging

9 - Linked Lists

10 - Asserts and Tracing

11 - Handles and Objects

12 - Object Attributes

13 - Anatomy of a Driver

14 - Device and Driver Objects

15 - Creating a Device Object

16 - Securing Device Objects

17 - Symbolic Links

18 - A User Mode Client

19 - Completing the Driver

20 - Testing the Driver

21 - Debugging the Driver

22 - IRQLs

Module 5: Working with IRPs

1 - IRPs

2 - Dispatch Routines

3 - Referencing User Buffers

4 - DeviceIoControl Buffers

5 - DeviceIoControl Demo

Module 6: Kernel Notifications and Callbacks

1 - Process Notifications

2 - Communication with User Mode

3 - Process Notifications Demo

4 - Managing Proceses with Linked Lists

5 - Using an Event Object for User Kernel Notifications

6 - Tables

7 - Synchronization

8 - The Interlocked Functions

9 - Dispatcher Objects

10 - Using a Mutex

11 - Automatic Cleanup

12 - Fast Mutexes

13 - Events

14 - Executive Resources

15 - Spinlocks

16 - Thread Callbacks

17 - Image Load Callbacks

18 - Object Callbacks

19 - Q and A

20 - Registry Callbacks

Module 7: File System Mini-Filters

1 - Introduction to File System Mini-Filters

2 - Minifilter Registration

3 - Pre and Post Callbacks

4 - Filenames

5 - Contexts

6 - File Data and User Buffers

7 - Filter Communication Ports

8 - Debugging Minifilters

Module 8: EDR Bypass and Evasion

1 - Introduction to EDR Bypass & Evasion

2 - FUD Malware vs. Targeted EDR Bypass Malware

3 - Rename Obfuscation - Part 1

4 - Rename Obfuscation - Part 2

5 - Rename Obfuscation - Part 3

6 - Contrrol-flow Obfuscation - Part 1

7 - Control-flow Obfuscation - Part 2

8 - Code & Strings Runtime Decryption - Part 1

9 - Code & Strings Runtime Decryption - Part 2

10 - Dynamic API Resolve - Part 1

11 - Dynamic API Resolve - Part 2

12 - Dynamic API Resolve - Part 3

13 - Process Injection - Part 1

14 - Process Injection - Part 2

15 - APC Injection using Direct Syscalls

16 - Memory Bombing

17 - NTDS Stealer.mp4

Module 9: Detection Techniques

1 - Introduction

2 - Detection Engine

3 - Machine Learning and AI

4 - Kernel Callbacks

5 - Hooking

6 - Other Techniques

Module 10: The Future of EDRs

1 - Known DLL Q and A

2 - Hypervisors Overview

3 - The Rings

4 - Virtualization Based Security

5 - Hypervisor Power

6 - Other Ideas

7 - Final Thoughts and Summary