2 - Communication with User Mode

2 - Communication with User Mode

2 - Communication with User Mode

Students will learn why an EDR often needs to hand off analysis decisions to user mode when kernel mode cannot safely or efficiently perform full processing. Students will learn practical design patterns for sending event data to a user-mode service and acting on a returned decision.

EDR Internals – Research & Development

Buy nowLearn more

Course Materials

Labs Deployment Guide

EDR_Research_and_Developmet.pdf

EDR_Internals_Research_and_Development_Labs.pdf2

EDR Research Methodology.pdf

EDR Assessment Report.pdf

Process Injection Poster - 1.pdf

Process Injection Poster - 2.pdf

Module 1: EDR Fundamentals

0 - Introduction to the Course

1 - Introduction to EDR Systems

2 - EDR Architecture

3 - The Static Engine

4 - The Dynamic Engine - Part 1

5 - The Dynamic Engine - Part 2

6 - The Heuristic Engine

7 - MDE Console Introduction

8 - The ATT&CK MITRE Framework

9 - Discovering the Static Engine Scanner Process

10 - Writing a Custom Detection Rule

11 - Windows Internals Overview

12 - The Registry

13 - Introduction to Services

14 - x64 Architecture and Assembly

15 - x64 Calling Convention

16 - Device Drivers

17 - More x64 Assembly

18 - Introduction to ETW

Module 2: EDR Research Methodology and Practical Analysis

1 - Introduction to EDR Research

2 - EDR Research Methodology

3 - OpenEDR Deployment

4 - OpenEDR Research Lead Gathering - Part 1

5 - OpenEDR Research Lead Gathering - Part 2

6 - Dancing with OpenEDR's Anti-Tampering Mechanism - Part 1

7 - Dancing with OpenEDR's Anti-Tampering Mechanism - Part 2

8 - MDE Configuration Overview

9 - Dancing with MDE's (Defender for Enterprise) Anti-Tampering Mechanism - Part 1

10 - Dancing with MDE's (Defender for Enterprise) Anti-Tampering Mechanism - Part 2

11 - EDR Testing Reports Overview - Part 1

12 - EDR Testing Reports Overview - Part 2

13 - EDR Testing Reports Overview - Part 3

14 - MDE EDR Component Reverse Engineering - Part 1

15 - MDE EDR Component Reverse Engineering - Part 2

16 - MDE EDR ETW Analysis using PerfView

17 - MDE EDR PPL Bypass & Reverse Engineering - Part 1

18 - MDE EDR PPL Bypass & Reverse Engineering - Part 2

Module 3: Building EDR: Foundations

1 - EDR Components

2 - Service and Driver Configuration

3 - Service Operation

4- Service Code Demo

5- More on Services

6- General Programming Guidelines

Module 4: Basic Kernel Driver

1 - Kernel Programming Basics

2 - Nt vs. Zw Functions

3 - Functions and Error codes

4 - Strings

5- Dynamic Memory Allocation

6- Dynamic Memory AllocationDemo

7 - Tagging Memory

8 - Driver Installation and Debugging

9 - Linked Lists

10 - Asserts and Tracing

11 - Handles and Objects

12 - Object Attributes

13 - Anatomy of a Driver

14 - Device and Driver Objects

15 - Creating a Device Object

16 - Securing Device Objects

17 - Symbolic Links

18 - A User Mode Client

19 - Completing the Driver

20 - Testing the Driver

21 - Debugging the Driver

22 - IRQLs

Module 5: Working with IRPs

1 - IRPs

2 - Dispatch Routines

3 - Referencing User Buffers

4 - DeviceIoControl Buffers

5 - DeviceIoControl Demo

Module 6: Kernel Notifications and Callbacks

1 - Process Notifications

2 - Communication with User Mode

3 - Process Notifications Demo

4 - Managing Proceses with Linked Lists

5 - Using an Event Object for User Kernel Notifications

6 - Tables

7 - Synchronization

8 - The Interlocked Functions

9 - Dispatcher Objects

10 - Using a Mutex

11 - Automatic Cleanup

12 - Fast Mutexes

13 - Events

14 - Executive Resources

15 - Spinlocks

16 - Thread Callbacks

17 - Image Load Callbacks

18 - Object Callbacks

19 - Q and A

20 - Registry Callbacks

Module 7: File System Mini-Filters

1 - Introduction to File System Mini-Filters

2 - Minifilter Registration

3 - Pre and Post Callbacks

4 - Filenames

5 - Contexts

6 - File Data and User Buffers

7 - Filter Communication Ports

8 - Debugging Minifilters

Module 8: EDR Bypass and Evasion

1 - Introduction to EDR Bypass & Evasion

2 - FUD Malware vs. Targeted EDR Bypass Malware

3 - Rename Obfuscation - Part 1

4 - Rename Obfuscation - Part 2

5 - Rename Obfuscation - Part 3

6 - Contrrol-flow Obfuscation - Part 1

7 - Control-flow Obfuscation - Part 2

8 - Code & Strings Runtime Decryption - Part 1

9 - Code & Strings Runtime Decryption - Part 2

10 - Dynamic API Resolve - Part 1

11 - Dynamic API Resolve - Part 2

12 - Dynamic API Resolve - Part 3

13 - Process Injection - Part 1

14 - Process Injection - Part 2

15 - APC Injection using Direct Syscalls

16 - Memory Bombing

17 - NTDS Stealer.mp4

Module 9: Detection Techniques

1 - Introduction

2 - Detection Engine

3 - Machine Learning and AI

4 - Kernel Callbacks

5 - Hooking

6 - Other Techniques

Module 10: The Future of EDRs

1 - Known DLL Q and A

2 - Hypervisors Overview

3 - The Rings

4 - Virtualization Based Security

5 - Hypervisor Power

6 - Other Ideas

7 - Final Thoughts and Summary