Windows Kernel Internals

4-DAY, 32 CPE-HOUR TRAINING: FEBRUARY 2022, WEEK 1: FEB 13-18

Pavel Yosifovich

Abstract

The Windows kernel is the heart of the Windows OS. It serves user-mode clients through system calls and provides a host of kernel object types used by both user-mode and kernel-mode clients, supplying much of the functionality of Windows. This course dives into the Windows kernel and exposes many of its mechanisms and data structures, giving the student a deeper understanding of Windows as a whole.

The course uses various tools to gain insight into a running Windows system, including a kernel debugger. Writing a simple kernel driver is demonstrated, showing the power available in the kernel compared to user mode.

SUPPLEMENTARY READING MATERIAL AUTHORED/CO-AUTHORED BY THE INSTRUCTOR:

Objectives

  • Understand the Windows system architecture.
  • Inspect kernel (and user) data structures on a live system.
  • Understand how device drivers integrate with the kernel.
  • Write simple device drivers that take advantage of kernel power.

Target audience

The course is intended for developers, researchers, IR personnel, and anyone interested in understanding the workings of the Windows kernel.

Agenda

Module 1: System Architecture

  • Tools of the Trade
  • Processes
  • Virtual Memory
  • Threads
  • General System Architecture
  • User Mode vs. Kernel Mode
  • System Calls
  • NtDll.Dll
  • Introduction to WinDbg
  • User Mode Debugging
  • Kernel Mode Debugging
  • LABS: user and kernel debugging; Sysinternals tools

Module 2: Kernel Mechanisms

  • Interrupts and Exceptions
  • Interrupt Request Levels (IRQLs)
  • Deferred Procedure Calls (DPCs)
  • System Crash
  • Analyzing Dump Files
  • Driver Verifier
  • Objects and Handles
  • Protecting Objects
  • Thread Synchronization
  • LABS: analyzing a crash; synchronization

Module 3: Memory Management

  • Overview
  • Page States
  • Virtual Memory Translation
  • Page Dynamics
  • Heaps
  • Other features (if time permits)
  • LABS: reserving and committing memory; address translation

Module 4: The I/O System

  • I/O System components
  • Device Drivers
  • Plug and Play
  • Driver and Device Objects
  • I/O Request Packets (IRPs)
  • IRP Processing
  • Software Drivers
  • User/Kernel Communications
  • LABS: Writing a kernel driver; looking at devices and drivers

Module 5: Miscellaneous Topics (if time permits)

  • Process Types
  • Jobs
  • Silos
  • Memory Mapped Files

Prerequisites

  • Power-user level working knowledge of a Windows system.
  • Some familiarity with OS concepts such as processes, threads, and virtual memory is recommended.

Software and Hardware Requirements

  • Any system running Windows 10 or Windows 11 with at least 16 GB RAM
  • Sysinternals Tools
  • WinDbg Preview (install from the Microsoft Store)
  • Recommended: Visual Studio 2019 (the free Community edition works); include the C++ workload when installing.
  • Recommended: Windows 11 Driver Kit (download and install the latest version)
  • Recommended: A virtual machine (Hyper-V, VMware or VirtualBox) running Windows 7, 8.1, 10 or 11
  • PDF Viewer