Windows is the desktop operating system that provides the most filtering and interception capabilities to third-party drivers, through documented, exposed, and supported interfaces. Everything from thread creation to file access, network I/O, and even Remote Desktop connections and Wireless LAN SSID changes can be monitored by a properly written Windows driver, without resorting to hooking, patching, or other dangerous behaviors that leave machines in unsafe states or interact badly with Windows Defender and PatchGuard/HyperGuard, up to and including blue screens of death.
In this course, attendees will learn how to write such a driver, after first going through a thorough overview of the Windows driver programming model as it relates to virtual devices/loadable kernel modules, rather than the traditional Plug-and-Play driver stack that most other references attempt to teach. Attendees will learn the correct SAL 2.0 annotations and settings for static driver verification, using the right prototypes, #pragmas, #includes, and #defines to build a standard Windows driver; the creation and installation of an .inf file; and how to leverage kernel technologies such as WPP, PCW, ETW, and TraceLogging, and tools such as TraceView and Driver Verifier. Kernel-mode debugging with the Windows Kernel Debugger, Visual Studio 2015, and the KDNET library will also be covered.
Once these basic concepts have sunk in, the course proceeds with theoretical and practical examples of how to implement monitoring (detect-only) policies, blocking policies, and deception policies by leveraging Windows filtering technologies at the thread, process, registry, library, driver, file, and network layers. Additional monitoring and filtering capabilities will also be discussed, along with their potential applications. Windows 8+ ELAM drivers and Windows 8.1 Secure Image Validation callback filter drivers will also be covered. Finally, we will look at new Windows 10 filtering technologies, such as Secure ETW Callbacks and the Anti-Malware Scan Interface (AMSI).
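As an added illustration of the callback-based approach the course contrasts with hooking (example code written for this page, not course material), the following is a minimal detect-only process-creation filter. It relies on the documented PsSetCreateProcessNotifyRoutineEx registration and PS_CREATE_NOTIFY_INFO structure; the watched path fragments, the FILTER_VERDICT type and the function names are hypothetical. The path policy is kept free of kernel dependencies so it can be compiled and unit-tested on any host, while the DriverEntry/DriverUnload glue, the SAL annotations and the code-placement pragmas are built only under the WDK.

```c
/* Added example (not course material): a detect-only process-creation filter
 * built on the documented PsSetCreateProcessNotifyRoutineEx callback rather
 * than on hooking. The path policy has no kernel dependencies, so it compiles
 * and runs on any host; the driver glue is built only under the WDK, where
 * _KERNEL_MODE is defined. The watch list is hypothetical. */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#else
#include <stddef.h>          /* size_t and wchar_t for the host-side build */
typedef wchar_t WCHAR;
#endif

/* Character count of a wide literal (UNICODE_STRING.Length is in bytes). */
#define CHARS(s) (sizeof(s) / sizeof(WCHAR) - 1)

typedef enum _FILTER_VERDICT {
    FilterVerdictAllow = 0,  /* ordinary launch: nothing to do */
    FilterVerdictLog   = 1   /* launch from a watched location: record it */
} FILTER_VERDICT;

/* Hypothetical watch list: NT-path fragments of user-writable directories. */
static const struct { const WCHAR *Text; size_t Chars; } g_Watched[] = {
    { L"\\AppData\\Local\\Temp\\", CHARS(L"\\AppData\\Local\\Temp\\") },
    { L"\\Downloads\\",            CHARS(L"\\Downloads\\") },
};

/* ASCII-only case fold; sufficient for the fragments above. */
static WCHAR FoldChar(WCHAR c)
{
    return (c >= L'a' && c <= L'z') ? (WCHAR)(c - (L'a' - L'A')) : c;
}

/* Case-insensitive substring search over explicit lengths: kernel image
 * names arrive as UNICODE_STRINGs and need not be NUL-terminated. */
static int ContainsFold(const WCHAR *hay, size_t hayLen,
                        const WCHAR *needle, size_t needleLen)
{
    if (needleLen > hayLen) return 0;
    for (size_t i = 0; i + needleLen <= hayLen; i++) {
        size_t j = 0;
        while (j < needleLen && FoldChar(hay[i + j]) == FoldChar(needle[j])) j++;
        if (j == needleLen) return 1;
    }
    return 0;
}

/* Pure policy: classify an image path of `chars` characters. */
FILTER_VERDICT ProcessPolicyDecide(const WCHAR *imagePath, size_t chars)
{
    if (imagePath == NULL) return FilterVerdictAllow;
    for (size_t i = 0; i < sizeof(g_Watched) / sizeof(g_Watched[0]); i++) {
        if (ContainsFold(imagePath, chars, g_Watched[i].Text, g_Watched[i].Chars))
            return FilterVerdictLog;
    }
    return FilterVerdictAllow;
}

#ifdef _KERNEL_MODE
DRIVER_INITIALIZE DriverEntry;
DRIVER_UNLOAD DriverUnload;
static VOID ProcessNotifyEx(_Inout_ PEPROCESS Process, _In_ HANDLE ProcessId,
                            _Inout_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo);

#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)     /* discarded after initialization */
#pragma alloc_text(PAGE, DriverUnload)
#endif

/* Runs at PASSIVE_LEVEL in the creating thread's context. CreateInfo is NULL
 * on process exit. FileOpenNameAvailable set means ImageFileName is exactly
 * the name the image was opened with; otherwise it may be partial. */
_Use_decl_annotations_
static VOID ProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId,
                            PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);
    if (CreateInfo == NULL || CreateInfo->ImageFileName == NULL) return;
    if (ProcessPolicyDecide(CreateInfo->ImageFileName->Buffer,
                            CreateInfo->ImageFileName->Length / sizeof(WCHAR))
            == FilterVerdictLog) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
                   "filter: PID %p launched from watched path %wZ\n",
                   ProcessId, CreateInfo->ImageFileName);
        /* A blocking policy would instead set
         * CreateInfo->CreationStatus = STATUS_ACCESS_DENIED; */
    }
}

_Use_decl_annotations_
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    /* The Ex variant requires the driver to be linked with /INTEGRITYCHECK. */
    return PsSetCreateProcessNotifyRoutineEx(ProcessNotifyEx, FALSE);
}

_Use_decl_annotations_
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PAGED_CODE();
    PsSetCreateProcessNotifyRoutineEx(ProcessNotifyEx, TRUE);
}
#endif
```

Built with the WDK, the file is a complete driver; built anywhere else without _KERNEL_MODE, only ProcessPolicyDecide is compiled, which is what makes the policy testable before it ever runs in the kernel. Note that the kernel path passes the UNICODE_STRING length divided by sizeof(WCHAR), since Length counts bytes, and that the same callback turns into a blocking policy by setting CreationStatus rather than by patching anything.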
Filters Course Outline
- Basics of Windows Kernel Development
- Advanced Windows Technologies
- Simple Filters
- Advanced Filters
- Filtering Techniques
- Practical Filtering Applications
- Beyond Filtering
SAL 2 (ORCA)/OACR/PREfast for Drivers (PFD), Driver Verifier, Static Driver Verifier
Annotations & Code Style, Code Placement Pragmas, Headers & Macros, Tracing and Performance, Kernel Debugging
DriverEntry & DriverUnload, DeviceOpen & DeviceClose, DeviceControl, IOCTL and IRP communications
Process Filtering, Thread Filtering, Load Image Filtering
Object Filtering, Registry Filtering (and its Extensions)
File System Minifilters, Windows Filtering Platform Filters, NDIS Lightweight Filters
Early Launch Anti-Malware (ELAM) Callbacks, Image Validation Callbacks, Secure ETW Channel, Anti-Malware Scan Interface (AMSI), Session Callbacks, PnP and Power Notifications, WDM Filtering
Contexts, Cross-Filter Communication, Dealing with Recursion
Protecting a Process, Blocking a Process, Registry Deception, File Redirection