Attend OSINT Summit for FREE on Feb 11-12 and enjoy expert talks on the latest techniques and tools for gathering and analysis.


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

Power! Unlimited Power! Understanding the Techniques of Malicious Kernel-Mode Code

  • Wednesday, September 23, 2020 at 10:30 AM EST (2020-09-23 14:30:00 UTC)
  • Jacob Williams, Tamas Boczan


  • VMRay

You can now attend the webcast using your mobile device!



The kernel-mode of Windows is a pathway to many abilities some consider to be unnatural.

For many malware developers, implementing kernel-mode code is too challenging. The required low-level development is not just time-consuming, but also error-prone and each error can lead to a full system crash, causing the attack to fail.

But threat actors who overcome these challenges get access to power which no user-mode application can wield.

Diving into kernel-mode allows attackers to exploit drivers and the system to escalate privileges, implement effective payloads, and hide malware from security products and incident responders.

In this webcast, attendees will learn:

  •    Attackers goals and techniques for implementing kernel-mode code
  •    The techniques used to execute that code and bypass existing OS security controls
  •    Tips for analyzing kernel-mode code with the goal of building better defenses

Speaker Bios

Jacob Williams

Jacob Williams is a SANS Analyst, certified SANS instructor, course author and designer of several NetWars challenges for use in SANS' popular, "gamified" information security training suite. Jake spent more than a decade in information security roles at several government agencies, developing specialties in offensive forensics, malware development, and digital counter-espionage. Jake is the founder of Rendition InfoSec, which provides penetration testing, digital forensics and incident response, expertise in cloud-data exfiltration and the tools and guidance to secure client data against sophisticated, persistent attack on-premises and in the cloud.

Tamas Boczan

Tamas is a Senior Threat Analyst at VMRay. He is responsible for finding and analyzing relevant malware samples and improving VMRay's detection capabilities. Prior to VMRay, Tamas researched evasive malware and developed a malware analysis sandbox at an Anti-Virus company.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.