Windows Internals for Security Engineers

4800€ | 12th to the 15th of October 2026

Join an esteemed senior security researcher and endpoint security engineer for a deep dive into the internals of the Windows 11 Operating System.


Objectives of the training

Discover undocumented mechanisms in the Windows kernel

Learn fundamentals of Windows security

Master tools to inspect Windows dynamically

The trainer

Who will run this training?

Yarden Shafir

@yarden_shafir

Yarden is a consultant for Winsider Seminars & Solutions Inc., co-teaching security trainings. Previously she worked at Vigilant Labs, Trail of Bits, CrowdStrike and SentinelOne. She has 10 years of experience in Windows offensive and defensive security research.

Outside of her primary work duties, Yarden writes articles and tools and gives talks about various topics such as Pool internals, CET internals, extension host hooking and kernel exploits and mitigations.

Outside of infosec, Yarden is a circus artist, teaching and performing aerial arts.

Syllabus

What will we do?

Covering Windows 11 (25H2, 26H1), the upcoming Windows 11 26H2, and Server 2025, you’ll unravel how bootkits, software supply chain implants, backdoors, and other kernel and firmware malware work. You’ll learn how they, and others, abuse various system functionality, obscure mechanisms, and data structures in order to do their dirty work, and how you, too, can defend against it!

You’ll observe and experiment with how kernel-mode code operates and how it can be subject to compromise by user-mode attackers wishing to elevate their privileges, as well as how to detect, both live and forensically, such attempts. Finally, you’ll learn about how CPU architecture deeply ties into OS design, and how Intel’s and AMD’s mistakes can lead to more pwnage.

We’ll cover the new Windows 11 kernel changes, including Kernel Data Protection (KDP), Kernel Control-flow Enforcement Technology (KCET), and Kernel Address Sanitizer (KASAN), and explain how the Trusted Platform Module (TPM) is used for Measured Boot. We’ll go inside the Enclave and learn about Runtime Attestation, Code Integrity and the rewritten Secure Launch framework that leverages Intel TXT and AMD SKINIT for new DRTM-based attestation.

Of course, we’ll also discuss key Windows 10 fundamentals such as Virtual Trust Levels (VTL) combined with Virtualization Based Security (VBS), and how these technologies allow Hypervisor-protected Code Integrity (HVCI) and Kernel Control Flow Guard (KCFG) to prevent unsigned kernel code execution, even when faced with Ring 0 vulnerabilities. We’ll see how attackers can bypass some of these protections, and the solution offered by Hypervisor-managed Linear Address Translation (HLAT). We’ll explain how trustlets and VBS enclaves protect user mode code and data even from Ring 0 attackers, powering Biometric Isolation and Credential Guard, making pass-the-hash attacks virtually impossible.

Windows 10 builds upon many Windows 8.1 mechanisms such as Protected Process Light and custom Code Signing Policies, so we’ll review these as well. We’ll also discuss the Windows 8 kernel features (AppContainer, Secure Boot, and more) relevant to driver operation and exploitation techniques, including an overview of the more than two dozen security mitigations that have been added to the operating system. We’ll explain the problems with signed drivers, as used in Bring Your Own Vulnerable Driver (BYOVD) attacks, and how the introduction of WHQL signatures in Windows 10 attempts to mitigate them.

We’ll see how these changes to the architecture have dramatically constrained exploit techniques.

Some exploit techniques can’t be fully mitigated from within the operating system and require improvements to the CPU. We’ll explore CPU security features such as Supervisor Mode Execution Prevention (SMEP) and Supervisor Mode Access Prevention (SMAP), Mode Based Execution Control (MBEC), Linear Address Space Separation (LASS) and Linear Address Masking (LAM), and see how the new Flexible Return and Event Delivery (FRED) redesigns legacy CPU mechanisms.

While learning the theory, you will use tools such as WinDbg, the Sysinternals tools and System Informer to analyze, poke, and prod kernel-mode Windows components. You will also write your own debugger commands leveraging the new NatVis/LINQ predicates and capabilities, and write JavaScript (ECMAScript 6) scripts using the new debugger engine.

Throughout the class, we’ll focus on using various techniques and tools to inspect the Windows kernel for consistency, trace its operation, and edit it, as well as ways in which offensive and defensive researchers can mess with the system’s state in unexpected, “clean” ways. We’ll also give several examples of malicious and/or buggy drivers found on a typical Windows system, as well as architectural bugs over Windows’ lifetime.

Attendees will receive a physical handout of the entire course materials for future reference, plus a full set of 40+ WinDbg scripts that the instructors have written over the years, and all commands and outputs used in the course. Live paste-board sharing will be available to facilitate learning.

Other trainings

What else might interest you?

Attacking Instant Messaging Applications in the LLM Era

Nitay Artenstein

Bug Hunting in Hypervisors

Corentin Bayet & Bruno Pujos

Exploiting the Android Kernel

Andrey Konovalov

iOS for Security Engineers

Quentin Meffre & Victor Cutillas

Modern Malware OPSEC & Anti-Reverse Techniques Implementation and Reversing

Silvio La Porta & Antonio Villani

Practical Baseband Exploitation

Pedro Ribeiro & Vitor Pedreira

Software Deobfuscation Techniques

Tim Blazytko