Windows Kernel Rootkits (KERRKT)

Instructed by T. Roy

To achieve maximum stealth and obtain unabated access to the system, rootkits execute in kernel mode. This course focuses on the kernel interfaces (APIs), data structures and mechanisms that are exploited by rootkits to achieve their goals at every stage of their execution. Kernel security enhancements that have been progressively added from Windows 7 to the latest version of Windows are discussed along with some circumvention techniques.

Classes are limited. Get registered!

This advanced course provides a comprehensive end-to-end view of the modus-operandi of rootkits by taking an in-depth look at behind the scenes working of the Windows kernel and how these mechanisms are exploited by malware through hands-on labs and real-world case studies. Kernel security enhancements that have been progressively added to Windows are discussed along with some circumvention techniques. Attendees will study key techniques used by rootkits to understand the real-world applicability of these concepts for offensive and defensive purposes.

Hands-on Labs

Every topic in this course is accompanied by hands-on labs where attendees get to implement key components of a rootkit and test them on 64-bit Windows systems to reinforce their understanding of the theory.

Learning Objectives

  • Understand vulnerabilities in the Windows kernel and device drivers.
  • Be able to write and modify kernel-mode exploits.
  • Understand the security enhancements that have been added to the Windows kernel over time.
  • Be able to bypass some of the security mitigations in recent versions of Windows.
  • Understand the post-exploitation steps performed by kernel-mode rootkits.
  • Understand the techniques used by real-world rootkits.
  • Understand how rootkits hide their presence in the system.
  • Understand how rootkits intercept systemwide networking activity.
  • Be able to identify malicious behavior and defend against rootkits.


  • Kernel Attacks
  • Kernel Shellcoding
  • Kernel Hooking and Injection
  • Kernel Callbacks
  • Kernel Filtering
  • Kernel Networking
  • Virtualization Based Security



Live-Online & In-Person


July/August 2024 (Live-Online)


5 days


Anti-malware engineers, malware analysts, forensics examiners, security researchers who are responsible for detecting, analyzing, and defending against rootkits and other kernel post exploitation techniques.

  • Standard Rate


This is an advanced level course which requires attendees to be fluent in C/C++ programming, have a good knowledge of the Windows kernel internals/APIs and be able to use the kernel debugger (WinDBG) to debug Windows kernel modules.

Why choose the Center for Cyber Security Training

Interactive, classroom-based learning

Subject matter experts

Trusted by US government agencies


T.Roy, an author, instructor, and consultant, is the founder of CodeMachine. He has more than 20 years of experience in information security has been involved with Windows internals, development, debugging and security, since the inception of Windows NT in 1992. He has been involved in the development of some of the leading endpoint security solutions such as intrusion prevention, network firewalls, behavioral anti-malware, document security and data leak prevention systems. He has taught all over the world and has received many instructor recognition awards.

I really enjoyed the course! It was interesting to see a different perspective on penetration testing and ways of progressing from recon to initial access to escalating privilege and lateral movement.

- Robert L., Washington, DC

Want more information?

Download the Windows Kernel Rootkits course outline now.

Upcoming Training Sessions

July/August 2024 (Live-Online)

Classes are limited.

Enroll Now.

Related Courses

Our classroom delivers the most in-demand content from the highest profile subject matter experts. Intense and interactive, our courses prepare students with actionable insight and proven strategies.

windows internal architecture

Windows Internal Architecture

Whether you analyze malware, perform security research, conduct forensic investigations, engage in adversary simulation or prevent it, or build security solutions for Windows, understanding how Windows works internally is critical to be effective at your task.


Exploit Development Bootcamp & Advanced

Our three-day Bootcamp will teach both basic & advanced techniques from a leading exploit developer. In our Advanced course, experienced students will learn how to write exploits that bypass modern memory protections for the Win32 platform in a fast-paced, interactive learning environment.

Looking for a course that's not here? We'd love to hear your suggestions!

Are you fully prepared to deal with today's increasing cyber security risks? We can help you get the training you need.


*We respect your privacy