Windows Internals for Reverse Engineers

4 DAY, 32 CPE HOUR TRAINING: AUGUST 2021, WEEK 1: JUL 31 - AUG 5

Yarden Shafir

Abstract

For the first time, join a purpose-built virtual edition of the class and learn the mysteries of Windows Internals from your own home. Take a deep dive into the internals of the Windows NT kernel architecture, covering the recently-shipped 20H2, and the upcoming 21H1 and 21H2 versions. Learn the dirty secrets behind both offensive and defensive work and see how rootkits and other kernel-mode malware abuse obscure mechanisms to persist and evade detection.

Topics covered

We will cover security features and changes in Windows 10, including

  • Virtualization Based Security (VBS)
  • Hypervisor Code Integrity (HVCI)
  • Kernel Data Protection (KDP)
  • eXtended Control Flow Guard (XFG)
  • and Intel Control-flow Enforcement Technology (CET).

These features, in addition to other mitigations covered in this class, make exploitation more difficult than ever before. With the addition of VBS, even gaining Ring 0 access is no longer enough to fully “own” a machine. We will also look into improvements made to past Windows features, such as expanding ASLR to the kernel and the secure kernel (KASLR and SKASLR), as well as adding KCFG to protect from kernel exploitation.

This class will also discuss Windows kernel tamper protection. PatchGuard is a well-known name, yet it is one of the most mysterious Windows features, and barely any public research has been done on it. We will understand the internal workings of this part of Windows and learn why it is so hard to get a definite answer to the eternal question "Does PatchGuard detect this?". Afterwards, we will meet PatchGuard's modern sibling, HyperGuard, which uses the benefits of VBS to add another layer of protection to the kernel. Finally, we'll discuss how Secure Launch (DRTM) and System Guard Runtime Assertions attest the tampering state of modern Windows systems.
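Before the class, it is worth confirming which of the protections named above (VBS, HVCI, Secure Launch) your lab machine or VM is actually running, since a VM without nested virtualization will report none of them. The script below is an added example for that check and is not part of the course material; it reads the Win32_DeviceGuard WMI class that Windows exposes for exactly this purpose. The status and service-ID mappings follow Microsoft's documentation for that class; KDP, XFG and CET are not reported through it, so they are not covered here.

```powershell
# Added example (not from the course page): report the VBS / HVCI / Secure Launch
# state that Windows exposes through root\Microsoft\Windows\DeviceGuard:Win32_DeviceGuard.

function Get-VbsState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsStatus = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }

    # Service IDs used by SecurityServicesConfigured / SecurityServicesRunning
    $services = @{
        1 = 'Credential Guard'
        2 = 'Hypervisor-enforced Code Integrity (HVCI)'
        3 = 'System Guard Secure Launch (DRTM)'
        4 = 'SMM Firmware Measurement'
    }

    # Map an array of service IDs to names; unknown IDs are kept as numbers
    function Resolve-Services([uint32[]] $ids) {
        if (-not $ids -or $ids.Count -eq 0) { return 'none' }
        ($ids | ForEach-Object {
            if ($services.ContainsKey([int]$_)) { $services[[int]$_] } else { "unknown($_)" }
        }) -join ', '
    }

    [pscustomobject]@{
        VbsStatus          = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = Resolve-Services $dg.SecurityServicesConfigured
        ServicesRunning    = Resolve-Services $dg.SecurityServicesRunning
        # Kernel-mode CI policy enforcement: 0 = off, 1 = audit, 2 = enforced
        KernelCiPolicy     = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

Get-VbsState | Format-List
```

If VbsStatus reads "enabled, not running", the usual causes are a VM without nested virtualization exposed to the guest, or a host where Hyper-V is not the active hypervisor; "running" with HVCI in ServicesRunning is the configuration the class exercises.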

In addition to all of these, we will analyze capabilities that are meant for 3rd party security products. We will get to know features such as new ETW providers, which supply information previously available only through user-mode hooks, different callbacks that give drivers built-in detection and prevention abilities, and the Secure Pool, a unique feature that allows drivers to utilize VBS capabilities to protect their data from attacks. These different features all have their benefits and their limitations, and there are areas that are still blind spots for defenders but might already be used by attackers.

This class offers a lot of theory and knowledge, but also lots of hands-on experience: throughout the class you will use tools such as WinDbg, the Sysinternals tools, WinObjEx64 and Process Hacker to view, analyze, trace, and edit kernel features. Attendees will get familiar with new debugger capabilities and gain scripting abilities that will significantly simplify complicated operations and allow insight into internal kernel mechanisms.

NOTE: Lectures shall NOT be recorded

Pre-requisites

IMPORTANT: It is helpful to understand x86/x64 assembly to take this course, but knowledge of obfuscation, packing, etc., is not required.



Basic knowledge of Windows, processor architecture, and operating systems is helpful: you should have some vague idea of what an interrupt is, what the difference between user and kernel mode (ring levels) is, a bit about virtual memory/paging, etc.

System Requirements

Note that a full class/software installation and preparation e-mail will be sent to you about 2 weeks before the class. That being said, in general, you should expect the following.

First, you should preferably have a Windows machine to attend, and you should have the Windows Driver Kit 10 release, which you can freely grab from the Windows Developer Center or MSDN.



A virtual machine (VirtualBox is strongly preferred - configured in UEFI + Hyper-V mode for best performance) is recommended with an installed version of Windows 10. You should install the Windows Driver Kit on your host - not the VM.

If you have a Linux or Mac device, that's fine, and then you may either install the Windows Driver Kit on the VM itself, or, better yet, use two separate virtual machines.



IDA/Hex-Rays or Ghidra is helpful, but not required.