WINDOWS KERNEL ROOTKITS: TECHNIQUES AND ANALYSIS

3-6 August 2019, Excalibur, Las Vegas

Bruce Dang

Abstract

This course is tailored for malware analysts, system developers, forensic analysts, incident responders, or enthusiasts who want to analyze Windows kernel rootkits or develop software for similar tasks. It introduces the Windows architecture and how various kernel components work together at the lowest level. It discusses how rootkits leverage these kernel components to facilitate nefarious activities such as hiding processes, files, network connections, and other common objects. As part of the analytical process, we will delve into the kernel programming environment; we will implement some kernel-mode utilities to aid our understanding.

After this class, you should have a systematic understanding of the Windows kernel, enough to analyze rootkits and develop kernel-mode utilities (or even products!) for your job. In addition, you will be able to read and understand research on the Windows kernel and related subjects. You will no longer feel intimidated by the kernel.

In our experience, practically all students are able to analyze kernel rootkits and develop drivers on their own by the end of the course. Most students have never written a driver before and feel comfortable doing so after the third day. Here are some examples of what past students accomplished: analyzed well-known kernel APTs, analyzed Windows PatchGuard, developed a driver to remap keys, and researched hypervisor development.

Key Learning Objectives

  • Machine architecture for kernel programmers
  • Virtual memory management
  • Interrupts and exceptions
  • CPU security features
  • Windows kernel architecture
  • Kernel components (Ps, Io, Mm, Ob, Se, Cm, etc.)
  • System mechanisms
  • Debugging with WinDbg
  • Rootkit techniques
  • Driver development

Prerequisites

No prior experience with Windows is required. However, the course focuses primarily on the analysis and development of malicious Windows kernel drivers. To get the most out of it, you need some C/C++ programming experience (you will be developing kernel-mode drivers). If you are not comfortable with that, you can still understand the material and apply it to your daily job; however, you might need to work extra hard in class.

Hardware and Software Requirements

You are expected to bring a laptop running Windows (preferably Windows 10) as the host OS. We will be using virtual machines and snapshotting, so ideally it should have an SSD and at least 8GB of RAM. Please install VMware Workstation (the 30-day trial version is fine) on it.

You will need 2 VMs:

  • Windows 7 RTM x86. The edition does not matter. If you have MSDN access, use the ISO with SHA1 5395DC4B38F7BDB1E005FF414DEEDFDB16DBF610. Give the VM 1GB of RAM. Do not install any updates.
  • Windows 10 RS3 RTM x64. The edition does not matter. If you have MSDN access, use the ISO with SHA1 1BBF886697A485C18D70AD294A09C08CB3C064AC. Give the VM 1GB of RAM. Do not install any updates.

The required host software is listed below. Make sure to install Visual Studio first, then the SDK, then the WDK.