BSides Oslo 2022 on May 25th, 2022 at Vulkan Arena - Life in the Windows Kernel for Red Teams

Life in the Windows Kernel for Red Teams

  • Length: 45 minutes.
  • Scheduled: 11:00 (UTC+2)

In this presentation, Andre will go through details of not only things to consider when developing in the kernel but, most importantly, things to consider when developing malware for the Windows kernel. He’ll explain synchronization when the Operating System is not cooperating with you, memory type usage considerations, Direct Kernel Object Manipulation (DKOM), and finally show a demo on a rootkit he’s constantly developing, doing the following:

  • Hide a process by PID
  • Hide a process by name (full name > 15 characters)
  • Hide a process by name whenever it’s created
  • Hide a driver/rootkit
  • Elevate privileges from any process given their PID

Finally, he’ll be giving tips on reverse engineering a malicious rootkit

Andre Lima

Andre Lima

Andre is Red Teamer since 2011, who has worked in Portugal, Australia, and now at PwC Norway in Oslo. An avid researcher he tries to publish as often as possible on his Youtube channel (search “0x4ndr3”), and blog (current: & old blog:

His main areas of expertise are reverse engineering, exploit development, and malware development with AV bypass.

Outside of cyber security, he enjoys spending it with his 2-year-old daughter, editing video and playing basketball or tennis.